The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a7988"><script>alert(1)</script>488f5d6c304 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organization. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organization which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organization in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Issue remediation

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:

Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitized.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (< > etc).

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.

Request

GET /entertainment/browse/movies/?a7988"><script>alert(1)</script>488f5d6c304=1 HTTP/1.1
Host: www.directv.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.directv.com/DTVAPP/index.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDQCACRSDB=PNPMPPDALIBGALDPLEJLJMGM; TLTSID=37DE16AF4E75619C477135A1450BA9F6; JSESSIONID=dNPpT8XXvyGF2FJQKGCvRQzFpp12snRyjq1MCr2sDYH6Nk7yJcDT!1615800593; GL=en_US; TLTHID=DF2822CC4F2FBCB299385A812884F442
Content-Length: 10

Response

HTTP/1.1 200 OK
Cache-Control: no-cache,no-store,must-revalidate
Date: Thu, 29 Dec 2011 16:39:30 GMT
Pragma: no-cache
Content-Type: text/html;charset=UTF-8
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Server: Microsoft-IIS/6.0
X-ATG-Version: version=QVRHUGxhdGZvcm0vOS4z
X-Powered-By: Servlet/2.5 JSP/2.1
Set-Cookie: TLTHID=ECAE0EBE4E2137E4B880AF9E2397143C; Path=/; Domain=.directv.com
Vary: Accept-Encoding
Content-Length: 125883

...[SNIP]...
<a href="/entertainment/browse/movies/?a7988"><script>alert(1)</script>488f5d6c304=1&isnonlinear=true">
...[SNIP]...

2. Session token in URL previous next
There are 16 instances of this issue:

/DTVAPP/content/My_Account
/DTVAPP/content/contentPage.jsp
/DTVAPP/content/gopaperless
/DTVAPP/content/my_account/upgrade
/DTVAPP/content/support/customer_promise
/DTVAPP/content/support/tools
/DTVAPP/content/technology/mobile_apps/dvr_scheduler
/DTVAPP/content/visa
/DTVAPP/global/findRetailer.jsp
/DTVAPP/index.jsp
/DTVAPP/new_customer/base_packages.jsp
/DTVAPP/referral/referralProgram.jsp
/entertainment/
/entertainment/browse/movies/
/entertainment/events
/entertainment/guide

Issue background

Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing session tokens into the URL increases the risk that they will be captured by an attacker.

Issue remediation

The application should use an alternative mechanism for transmitting session tokens, such as HTTP cookies or hidden fields in forms that are submitted using the POST method.

2.1. http://www.directv.com/DTVAPP/content/My_Account next

Summary

Severity:	Medium
Confidence:	Firm
Host:	http://www.directv.com
Path:	/DTVAPP/content/My_Account

Issue detail

The response contains the following links that appear to contain session tokens:

http://www.directv.com/DTVAPP/content/contentPage.jsp?_DARGS=/DTVAPP/layout/component/topnav.jsp_A&_DAV=2&_dynSessConf=-167242439233036722&assetId=P6610034

Request

GET /DTVAPP/content/My_Account HTTP/1.1
Host: www.directv.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.directv.com/DTVAPP/index.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDQCACRSDB=PNPMPPDALIBGALDPLEJLJMGM; TLTSID=37DE16AF4E75619C477135A1450BA9F6; JSESSIONID=dNPpT8XXvyGF2FJQKGCvRQzFpp12snRyjq1MCr2sDYH6Nk7yJcDT!1615800593; GL=en_US; TLTHID=56341448423E8CFE9A519295F6399ED4
Content-Length: 10

Response

2.2. http://www.directv.com/DTVAPP/content/contentPage.jsp previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	http://www.directv.com
Path:	/DTVAPP/content/contentPage.jsp

Issue detail

The URL in the request appears to contain a session token within the query string:

http://www.directv.com/DTVAPP/content/contentPage.jsp?_DARGS=/DTVAPP/layout/component/topnav.jsp_A&_DAV=2&_dynSessConf=-167242439233036722&assetId=P6610034

Request

GET /DTVAPP/content/contentPage.jsp?_DARGS=/DTVAPP/layout/component/topnav.jsp_A&_DAV=2&_dynSessConf=-167242439233036722&assetId=P6610034 HTTP/1.1
Host: www.directv.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.directv.com/DTVAPP/index.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDQCACRSDB=PNPMPPDALIBGALDPLEJLJMGM; TLTSID=37DE16AF4E75619C477135A1450BA9F6; JSESSIONID=dNPpT8XXvyGF2FJQKGCvRQzFpp12snRyjq1MCr2sDYH6Nk7yJcDT!1615800593; GL=en_US; TLTHID=EFCD494049A1DF82AF80139214AC8B5B
Content-Length: 10

Response

2.3. http://www.directv.com/DTVAPP/content/gopaperless previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	http://www.directv.com
Path:	/DTVAPP/content/gopaperless

Issue detail

The response contains the following links that appear to contain session tokens:

http://www.directv.com/DTVAPP/content/contentPage.jsp?_DARGS=/DTVAPP/layout/component/topnav.jsp_A&_DAV=2&_dynSessConf=-167242439233036722&assetId=P6610034

Request

GET /DTVAPP/content/gopaperless HTTP/1.1
Host: www.directv.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7
Accept: */*
Referer: http://www.directv.com/DTVAPP/content/gopaperless
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDQCACRSDB=PNPMPPDALIBGALDPLEJLJMGM; TLTSID=37DE16AF4E75619C477135A1450BA9F6; JSESSIONID=dNPpT8XXvyGF2FJQKGCvRQzFpp12snRyjq1MCr2sDYH6Nk7yJcDT!1615800593; GL=en_US; TLTHID=7519CC1E46B86B061A240ABA29FE0BAA
Content-Length: 10

Response

2.4. http://www.directv.com/DTVAPP/content/my_account/upgrade previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	http://www.directv.com
Path:	/DTVAPP/content/my_account/upgrade

Issue detail

The response contains the following links that appear to contain session tokens:

http://www.directv.com/DTVAPP/content/contentPage.jsp?_DARGS=/DTVAPP/layout/component/topnav.jsp_A&_DAV=2&_dynSessConf=-167242439233036722&assetId=P6610034

Request

GET /DTVAPP/content/my_account/upgrade HTTP/1.1
Host: www.directv.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7
Accept: */*
Referer: http://www.directv.com/DTVAPP/content/my_account/upgrade
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDQCACRSDB=PNPMPPDALIBGALDPLEJLJMGM; TLTSID=37DE16AF4E75619C477135A1450BA9F6; JSESSIONID=dNPpT8XXvyGF2FJQKGCvRQzFpp12snRyjq1MCr2sDYH6Nk7yJcDT!1615800593; GL=en_US; TLTHID=7482D73842913A2373E6DD8CFEF84850
Content-Length: 10

Response

2.5. http://www.directv.com/DTVAPP/content/support/customer_promise previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	http://www.directv.com
Path:	/DTVAPP/content/support/customer_promise

Issue detail

The response contains the following links that appear to contain session tokens:

http://www.directv.com/DTVAPP/content/contentPage.jsp?_DARGS=/DTVAPP/layout/component/topnav.jsp_A&_DAV=2&_dynSessConf=-167242439233036722&assetId=P6610034

Request

GET /DTVAPP/content/support/customer_promise HTTP/1.1
Host: www.directv.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7
Accept: */*
Referer: http://www.directv.com/DTVAPP/content/support/customer_promise
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDQCACRSDB=PNPMPPDALIBGALDPLEJLJMGM; TLTSID=37DE16AF4E75619C477135A1450BA9F6; JSESSIONID=dNPpT8XXvyGF2FJQKGCvRQzFpp12snRyjq1MCr2sDYH6Nk7yJcDT!1615800593; GL=en_US; TLTHID=53EA123845F13D13C3D70CAA153D5350
Content-Length: 10

Response

2.6. http://www.directv.com/DTVAPP/content/support/tools previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	http://www.directv.com
Path:	/DTVAPP/content/support/tools

Issue detail

The response contains the following links that appear to contain session tokens:

http://www.directv.com/DTVAPP/content/contentPage.jsp?_DARGS=/DTVAPP/layout/component/topnav.jsp_A&_DAV=2&_dynSessConf=-167242439233036722&assetId=P6610034

Request

GET /DTVAPP/content/support/tools HTTP/1.1
Host: www.directv.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7
Accept: */*
Referer: http://www.directv.com/DTVAPP/content/support/tools
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDQCACRSDB=PNPMPPDALIBGALDPLEJLJMGM; TLTSID=37DE16AF4E75619C477135A1450BA9F6; JSESSIONID=dNPpT8XXvyGF2FJQKGCvRQzFpp12snRyjq1MCr2sDYH6Nk7yJcDT!1615800593; GL=en_US; TLTHID=7A04787B4333D17A24708C9E6A7E7661
Content-Length: 10

Response

2.7. http://www.directv.com/DTVAPP/content/technology/mobile_apps/dvr_scheduler previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	http://www.directv.com
Path:	/DTVAPP/content/technology/mobile_apps/dvr_scheduler

Issue detail

The response contains the following links that appear to contain session tokens:

http://www.directv.com/DTVAPP/content/contentPage.jsp?_DARGS=/DTVAPP/layout/component/topnav.jsp_A&_DAV=2&_dynSessConf=-167242439233036722&assetId=P6610034

Request

GET /DTVAPP/content/technology/mobile_apps/dvr_scheduler HTTP/1.1
Host: www.directv.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7
Accept: */*
Referer: http://www.directv.com/DTVAPP/content/technology/mobile_apps/dvr_scheduler
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDQCACRSDB=PNPMPPDALIBGALDPLEJLJMGM; TLTSID=37DE16AF4E75619C477135A1450BA9F6; JSESSIONID=dNPpT8XXvyGF2FJQKGCvRQzFpp12snRyjq1MCr2sDYH6Nk7yJcDT!1615800593; GL=en_US; ASPSESSIONIDAQAASQBC=ONHHOPDAHLJCBPCKMGMCPFNL; TLTHID=845984FE409F9405C0F8AB8AAC6E8FC4
Content-Length: 10

Response

2.8. http://www.directv.com/DTVAPP/content/visa previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	http://www.directv.com
Path:	/DTVAPP/content/visa

Issue detail

The response contains the following links that appear to contain session tokens:

http://www.directv.com/DTVAPP/content/contentPage.jsp?_DARGS=/DTVAPP/layout/component/topnav.jsp_A&_DAV=2&_dynSessConf=-167242439233036722&assetId=P6610034

Request

GET /DTVAPP/content/visa HTTP/1.1
Host: www.directv.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7
Accept: */*
Referer: http://www.directv.com/DTVAPP/content/visa
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDQCACRSDB=PNPMPPDALIBGALDPLEJLJMGM; TLTSID=37DE16AF4E75619C477135A1450BA9F6; JSESSIONID=dNPpT8XXvyGF2FJQKGCvRQzFpp12snRyjq1MCr2sDYH6Nk7yJcDT!1615800593; GL=en_US; TLTHID=42CCA3774732BE97157776A7191A06FD
Content-Length: 10

Response

2.9. http://www.directv.com/DTVAPP/global/findRetailer.jsp previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	http://www.directv.com
Path:	/DTVAPP/global/findRetailer.jsp

Issue detail

The response contains the following links that appear to contain session tokens:

http://www.directv.com/DTVAPP/content/contentPage.jsp?_DARGS=/DTVAPP/layout/component/topnav.jsp_A&_DAV=2&_dynSessConf=-167242439233036722&assetId=P6610034

Request

GET /DTVAPP/global/findRetailer.jsp?assetId=500016 HTTP/1.1
Host: www.directv.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.directv.com/DTVAPP/index.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDQCACRSDB=PNPMPPDALIBGALDPLEJLJMGM; TLTSID=37DE16AF4E75619C477135A1450BA9F6; JSESSIONID=dNPpT8XXvyGF2FJQKGCvRQzFpp12snRyjq1MCr2sDYH6Nk7yJcDT!1615800593; GL=en_US; TLTHID=E4EDE30C4742AF9FB6EE3D80887249A1
Content-Length: 10

Response

2.10. http://www.directv.com/DTVAPP/index.jsp previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	http://www.directv.com
Path:	/DTVAPP/index.jsp

Issue detail

The response contains the following links that appear to contain session tokens:

http://www.directv.com/DTVAPP/content/contentPage.jsp?_DARGS=/DTVAPP/layout/component/topnav.jsp_A&_DAV=2&_dynSessConf=-5768408060012652036&assetId=P6610034

Request

GET /DTVAPP/index.jsp HTTP/1.1
Host: www.directv.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDQCACRSDB=PNPMPPDALIBGALDPLEJLJMGM; TLTHID=37DE16AF4E75619C477135A1450BA9F6; TLTSID=37DE16AF4E75619C477135A1450BA9F6
Content-Length: 10

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Date: Thu, 29 Dec 2011 16:38:16 GMT
Pragma: no-cache
Content-Type: text/html;charset=UTF-8
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Server: Microsoft-IIS/6.0
X-ATG-Version: version=QVRHUGxhdGZvcm0vOS4z
Set-Cookie: JSESSIONID=znHPT8XYhJvnkL5wh3lxwHGXLkDDGWk7hcX8W5wN1Zm3DCjzmSvW!1211856460; domain=.directv.com; path=/
Set-Cookie: GL=en_US; domain=.directv.com; expires=Tue, 16-Jan-2080 19:52:23 GMT; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
Set-Cookie: TLTHID=20362C6049D2E0B40BE63F9E61F927CE; Path=/; Domain=.directv.com
Vary: Accept-Encoding
Content-Length: 122239

...[SNIP]...
<li ><a href="/DTVAPP/content/contentPage.jsp?_DARGS=/DTVAPP/layout/component/topnav.jsp_A&_DAV=2&_dynSessConf=-5768408060012652036&assetId=P6610034">Building Owners
...[SNIP]...

2.11. http://www.directv.com/DTVAPP/new_customer/base_packages.jsp previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	http://www.directv.com
Path:	/DTVAPP/new_customer/base_packages.jsp

Issue detail

The response contains the following links that appear to contain session tokens:

http://www.directv.com/DTVAPP/content/contentPage.jsp?_DARGS=/DTVAPP/layout/component/topnav.jsp_A&_DAV=2&_dynSessConf=-167242439233036722&assetId=P6610034

Request

GET /DTVAPP/new_customer/base_packages.jsp?footernavtype=-1 HTTP/1.1
Host: www.directv.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.directv.com/DTVAPP/index.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDQCACRSDB=PNPMPPDALIBGALDPLEJLJMGM; TLTSID=37DE16AF4E75619C477135A1450BA9F6; JSESSIONID=dNPpT8XXvyGF2FJQKGCvRQzFpp12snRyjq1MCr2sDYH6Nk7yJcDT!1615800593; GL=en_US; TLTHID=FE0E45E44F097CBE661747A5533D4D58
Content-Length: 10

Response

2.12. http://www.directv.com/DTVAPP/referral/referralProgram.jsp previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	http://www.directv.com
Path:	/DTVAPP/referral/referralProgram.jsp

Issue detail

The response contains the following links that appear to contain session tokens:

http://www.directv.com/DTVAPP/content/contentPage.jsp?_DARGS=/DTVAPP/layout/component/topnav.jsp_A&_DAV=2&_dynSessConf=-167242439233036722&assetId=P6610034

Request

GET /DTVAPP/referral/referralProgram.jsp HTTP/1.1
Host: www.directv.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.directv.com/DTVAPP/index.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDQCACRSDB=PNPMPPDALIBGALDPLEJLJMGM; TLTSID=37DE16AF4E75619C477135A1450BA9F6; JSESSIONID=dNPpT8XXvyGF2FJQKGCvRQzFpp12snRyjq1MCr2sDYH6Nk7yJcDT!1615800593; GL=en_US; TLTHID=EDC42B7941D27E4C27A1319BFC0C7932
Content-Length: 10

Response

2.13. http://www.directv.com/entertainment/ previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	http://www.directv.com
Path:	/entertainment/

Issue detail

The response contains the following links that appear to contain session tokens:

http://www.directv.com/entertainment/content/contentPage.jsp?_DARGS=/entertainment/layout/component/topnav.jsp_A&_DAV=2&_dynSessConf=-167242439233036722&assetId=P6610034

Request

GET /entertainment/ HTTP/1.1
Host: www.directv.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.directv.com/DTVAPP/index.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDQCACRSDB=PNPMPPDALIBGALDPLEJLJMGM; TLTSID=37DE16AF4E75619C477135A1450BA9F6; JSESSIONID=dNPpT8XXvyGF2FJQKGCvRQzFpp12snRyjq1MCr2sDYH6Nk7yJcDT!1615800593; GL=en_US; TLTHID=31903EE64820775D79BA8F856BA3A964
Content-Length: 10

Response

2.14. http://www.directv.com/entertainment/browse/movies/ previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	http://www.directv.com
Path:	/entertainment/browse/movies/

Issue detail

The response contains the following links that appear to contain session tokens:

http://www.directv.com/entertainment/content/contentPage.jsp?_DARGS=/entertainment/layout/component/topnav.jsp_A&_DAV=2&_dynSessConf=-167242439233036722&assetId=P6610034

Request

GET /entertainment/browse/movies/ HTTP/1.1
Host: www.directv.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.directv.com/DTVAPP/index.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDQCACRSDB=PNPMPPDALIBGALDPLEJLJMGM; TLTSID=37DE16AF4E75619C477135A1450BA9F6; JSESSIONID=dNPpT8XXvyGF2FJQKGCvRQzFpp12snRyjq1MCr2sDYH6Nk7yJcDT!1615800593; GL=en_US; TLTHID=DF2822CC4F2FBCB299385A812884F442
Content-Length: 10

Response

HTTP/1.1 200 OK
Cache-Control: no-cache,no-store,must-revalidate
Date: Thu, 29 Dec 2011 16:39:05 GMT
Pragma: no-cache
Content-Type: text/html;charset=UTF-8
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Server: Microsoft-IIS/6.0
X-ATG-Version: version=QVRHUGxhdGZvcm0vOS4z
X-Powered-By: Servlet/2.5 JSP/2.1
Set-Cookie: TLTHID=59CD4A6A40B6278E06AF72B4DA0B60B4; Path=/; Domain=.directv.com
Vary: Accept-Encoding
Content-Length: 123603

...[SNIP]...
<li ><a href="/entertainment/content/contentPage.jsp?_DARGS=/entertainment/layout/component/topnav.jsp_A&_DAV=2&_dynSessConf=-167242439233036722&assetId=P6610034">Building Owners
...[SNIP]...

2.15. http://www.directv.com/entertainment/events previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	http://www.directv.com
Path:	/entertainment/events

Issue detail

The response contains the following links that appear to contain session tokens:

http://www.directv.com/entertainment/content/contentPage.jsp?_DARGS=/entertainment/layout/component/topnav.jsp_A&_DAV=2&_dynSessConf=-167242439233036722&assetId=P6610034

Request

GET /entertainment/events HTTP/1.1
Host: www.directv.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.directv.com/DTVAPP/index.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDQCACRSDB=PNPMPPDALIBGALDPLEJLJMGM; TLTSID=37DE16AF4E75619C477135A1450BA9F6; JSESSIONID=dNPpT8XXvyGF2FJQKGCvRQzFpp12snRyjq1MCr2sDYH6Nk7yJcDT!1615800593; GL=en_US; TLTHID=DF2822CC4F2FBCB299385A812884F442
Content-Length: 10

Response

HTTP/1.1 200 OK
Cache-Control: no-cache,no-store,must-revalidate
Date: Thu, 29 Dec 2011 16:39:05 GMT
Pragma: no-cache
Content-Type: text/html;charset=UTF-8
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Server: Microsoft-IIS/6.0
X-ATG-Version: version=QVRHUGxhdGZvcm0vOS4z
X-Powered-By: Servlet/2.5 JSP/2.1
Set-Cookie: TLTHID=0EF56C794BA5AC01894E50B0A2606299; Path=/; Domain=.directv.com
Vary: Accept-Encoding
Content-Length: 95919

...[SNIP]...
<li ><a href="/entertainment/content/contentPage.jsp?_DARGS=/entertainment/layout/component/topnav.jsp_A&_DAV=2&_dynSessConf=-167242439233036722&assetId=P6610034">Building Owners
...[SNIP]...

2.16. http://www.directv.com/entertainment/guide previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	http://www.directv.com
Path:	/entertainment/guide

Issue detail

The response contains the following links that appear to contain session tokens:

http://www.directv.com/entertainment/content/contentPage.jsp?_DARGS=/entertainment/layout/component/topnav.jsp_A&_DAV=2&_dynSessConf=-167242439233036722&assetId=P6610034

Request

GET /entertainment/guide HTTP/1.1
Host: www.directv.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.directv.com/DTVAPP/index.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDQCACRSDB=PNPMPPDALIBGALDPLEJLJMGM; TLTSID=37DE16AF4E75619C477135A1450BA9F6; JSESSIONID=dNPpT8XXvyGF2FJQKGCvRQzFpp12snRyjq1MCr2sDYH6Nk7yJcDT!1615800593; GL=en_US; TLTHID=34B066594732560F1618858F2591A623
Content-Length: 10

Response

HTTP/1.1 200 OK
Cache-Control: no-cache,no-store,must-revalidate
Date: Thu, 29 Dec 2011 16:38:57 GMT
Pragma: no-cache
Content-Type: text/html;charset=UTF-8
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Server: Microsoft-IIS/6.0
X-ATG-Version: version=QVRHUGxhdGZvcm0vOS4z
X-Powered-By: Servlet/2.5 JSP/2.1
Set-Cookie: TLTHID=B64EB0E2436934961CCBD78F52229463; Path=/; Domain=.directv.com
Vary: Accept-Encoding
Content-Length: 97992

...[SNIP]...
<li ><a href="/entertainment/content/contentPage.jsp?_DARGS=/entertainment/layout/component/topnav.jsp_A&_DAV=2&_dynSessConf=-167242439233036722&assetId=P6610034">Building Owners
...[SNIP]...

3. Cookie scoped to parent domain previous next
There are 64 instances of this issue:

/DTVAPP/index.jsp
/
/DTVAPP/content/My_Account
/DTVAPP/content/contentPage.jsp
/DTVAPP/content/gopaperless
/DTVAPP/content/my_account/upgrade
/DTVAPP/content/support/customer_promise
/DTVAPP/content/support/tools
/DTVAPP/content/technology/mobile_apps/dvr_scheduler
/DTVAPP/content/visa
/DTVAPP/global/findRetailer.jsp
/DTVAPP/login/login.jsp
/DTVAPP/new_customer/base_packages.jsp
/DTVAPP/referral/referralProgram.jsp
/cms2/commercial/CommercialRedesign/sm_icon__bars_commercial.png
/cms2/commercial/CommercialRedesign/sm_icon__dorms_commercial.png
/cms2/commercial/CommercialRedesign/sm_icon__hospitals_commercial.png
/cms2/commercial/CommercialRedesign/sm_icon__hotels_commercial.png
/cms2/commercial/CommercialRedesign/sm_icon__offices_commercial.png
/cms2/commercial/CommercialRedesign/sm_icon__shops_gyms_commercial.png
/cms2/commercial/mdu/mdu_om_building_owners_residents.jpg
/cms2/equipment/mrv/cutting_edge_art_wMRV_House.jpg
/cms2/global/icons/lg_cl_blu__arrow_alert_icon.png
/cms2/global/icons/lg_cl_blu__check_icon.png
/cms2/global/icons/lg_cl_blu__cinema_icon.png
/cms2/global/icons/lg_cl_blu__my_account_icon.png
/cms2/global/icons/lg_cl_blu__tv.png
/cms2/global/icons/lg_cl_blu__tv_guide_icon.png
/cms2/global/icons/lg_cl_gry__information_icon.png
/cms2/global/js/cinema_countdown_header_update_myDTV.js
/cms2/global/js/countdown_text.js
/cms2/global/js/ufc_countdown.js
/cms2/homepage/images/img_PRHP__ACSI.jpg
/cms2/my_directv/general/banner_upsell__upgrade.jpg
/cms2/my_directv/movies/201112/bnr_3col__DIRECTV_CINEMA_countdown.jpg
/cms2/my_directv/my_directv/my_directv.js
/cms2/offer/2011_Q4/PRHP/holiday_countdown.jpg
/cms2/offer/2011_Q4/PRHP/holiday_ribbon_left.png
/cms2/offer/2011_Q4/PRHP/holiday_ribbon_right.png
/cms2/offer/2011_Q4/PRHP/holiday_tag.png
/cms2/offer/2011_Q4/packages/sm_hdr__120211_Lantern_GM.jpg
/cms2/product_catalog/browse_packages/four_free_upgrades_hd_dvr_3_hd_receivers.jpg
/cms2/product_catalog/browse_packages/free_hd_dvr_3_hd_receivers_Q411_4col.jpg
/cms2/product_catalog/browse_packages/free_hd_dvr_or_hdDVR_receiver_Q411_4col.jpg
/cms2/product_catalog/browse_packages/includes.png
/cms2/product_catalog/get_DIRECTV.gif
/cms2/sports/nfl/Online/logo__DVR_Scheduler_iPhone_App.gif
/cms2/support/my_account/btn__Add_now.png
/cms2/support/my_account/btn__Upgrade_now.png
/cms2/support/paperless_help_the_environment.png
/cms2/technology/mobile_web/bnr__Mobile_Web_Events_dark.jpg
/cms2/what_is_directv/dvr/mobile_apps/logo__DVR_Scheduler_Windows7_App.gif
/cms2/what_is_directv/exclusive/damages/site/btn__Damages_share.png
/dvrscheduler
/dvrscheduler/
/entertainment
/entertainment/
/entertainment/browse/movies/
/entertainment/events
/entertainment/guide
/images/content/themes/default/list_bullet.png
/images/epod/epod_expandable_MRV.jpg
/images/epod/epod_expandable_promise.jpg
/images/epod/epod_expandable_receivers.jpg

Issue background

A cookie's domain attribute determines which domains can access the cookie. Browsers will automatically submit the cookie in requests to in-scope domains, and those domains will also be able to access the cookie via JavaScript. If a cookie is scoped to a parent domain, then that cookie will be accessible by the parent domain and also by any other subdomains of the parent domain. If the cookie contains sensitive data (such as a session token) then this data may be accessible by less trusted or less secure applications residing at those domains, leading to a security compromise.

Issue remediation

By default, cookies are scoped to the issuing domain and all subdomains. If you remove the explicit domain attribute from your Set-cookie directive, then the cookie will have this default scope, which is safe and appropriate in most situations. If you particularly need a cookie to be accessible by a parent domain, then you should thoroughly review the security of the applications residing on that domain and its subdomains, and confirm that you are willing to trust the people and systems which support those applications.

3.1. http://www.directv.com/DTVAPP/index.jsp previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	http://www.directv.com
Path:	/DTVAPP/index.jsp

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:

JSESSIONID=znHPT8XYhJvnkL5wh3lxwHGXLkDDGWk7hcX8W5wN1Zm3DCjzmSvW!1211856460; domain=.directv.com; path=/
GL=en_US; domain=.directv.com; expires=Tue, 16-Jan-2080 19:52:23 GMT; path=/
TLTHID=20362C6049D2E0B40BE63F9E61F927CE; Path=/; Domain=.directv.com

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

3.2. http://www.directv.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:

TLTHID=D936ACF54E63725C04B2AA83253F45A9; Path=/; Domain=.directv.com
TLTSID=D936ACF54E63725C04B2AA83253F45A9; Path=/; Domain=.directv.com

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET / HTTP/1.1
Host: www.directv.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Content-Length: 10

Response

HTTP/1.1 302 Object moved
Cache-Control: private
Content-Length: 138
Content-Type: text/html
Location: /DTVAPP/index.jsp
Server: Microsoft-IIS/6.0
Set-Cookie: ASPSESSIONIDQCACRSDB=BOPMPPDAEFFCKPEINFAHOFKM; path=/
Set-Cookie: TLTHID=D936ACF54E63725C04B2AA83253F45A9; Path=/; Domain=.directv.com
Set-Cookie: TLTSID=D936ACF54E63725C04B2AA83253F45A9; Path=/; Domain=.directv.com
Date: Thu, 29 Dec 2011 16:38:15 GMT

<head><title>Object moved</title></head>
<body><h1>Object Moved</h1>This object may be found <a HREF="/DTVAPP/index.jsp">here</a>.</body>

3.3. http://www.directv.com/DTVAPP/content/My_Account previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/DTVAPP/content/My_Account

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

TLTHID=46388B4B46FD94F253690ABE1BE5BDF6; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

3.4. http://www.directv.com/DTVAPP/content/contentPage.jsp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/DTVAPP/content/contentPage.jsp

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

TLTHID=1ED3D66D4215D67096B49EB663210F53; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

3.5. http://www.directv.com/DTVAPP/content/gopaperless previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/DTVAPP/content/gopaperless

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

TLTHID=42CCA3774732BE97157776A7191A06FD; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

3.6. http://www.directv.com/DTVAPP/content/my_account/upgrade previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/DTVAPP/content/my_account/upgrade

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

TLTHID=C790578F479C0F77C58CBEBD86378500; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

3.7. http://www.directv.com/DTVAPP/content/support/customer_promise previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/DTVAPP/content/support/customer_promise

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

TLTHID=26FE1D6B4B4D32EC8ED7CAAE0E971CDD; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

3.8. http://www.directv.com/DTVAPP/content/support/tools previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/DTVAPP/content/support/tools

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

TLTHID=4958444B4DCC16F5965F4187715CE055; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

3.9. http://www.directv.com/DTVAPP/content/technology/mobile_apps/dvr_scheduler previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/DTVAPP/content/technology/mobile_apps/dvr_scheduler

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

TLTHID=3D9FB3114773C54F5D0FD79131BFED33; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

3.10. http://www.directv.com/DTVAPP/content/visa previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/DTVAPP/content/visa

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

TLTHID=F0F410584DA608CF1C8954BE21725797; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

3.11. http://www.directv.com/DTVAPP/global/findRetailer.jsp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/DTVAPP/global/findRetailer.jsp

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

TLTHID=7519CC1E46B86B061A240ABA29FE0BAA; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

3.12. http://www.directv.com/DTVAPP/login/login.jsp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/DTVAPP/login/login.jsp

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

TLTHID=7EBA5054476F2DF20A056395E22AC369; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /DTVAPP/login/login.jsp HTTP/1.1
Host: www.directv.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.directv.com/DTVAPP/index.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDQCACRSDB=PNPMPPDALIBGALDPLEJLJMGM; TLTSID=37DE16AF4E75619C477135A1450BA9F6; JSESSIONID=dNPpT8XXvyGF2FJQKGCvRQzFpp12snRyjq1MCr2sDYH6Nk7yJcDT!1615800593; GL=en_US; TLTHID=56341448423E8CFE9A519295F6399ED4
Content-Length: 10

Response

HTTP/1.1 302 Moved Temporarily
Content-Length: 0
Location: https://www.directv.com:443/DTVAPP/login/login.jsp
Server: Microsoft-IIS/6.0
X-ATG-Version: version=QVRHUGxhdGZvcm0vOS4z
X-Powered-By: Servlet/2.5 JSP/2.1
Set-Cookie: TLTHID=7EBA5054476F2DF20A056395E22AC369; Path=/; Domain=.directv.com
Date: Thu, 29 Dec 2011 16:39:03 GMT

3.13. http://www.directv.com/DTVAPP/new_customer/base_packages.jsp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/DTVAPP/new_customer/base_packages.jsp

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

TLTHID=68F772A944EF115D6AA7B1A5EA429947; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

3.14. http://www.directv.com/DTVAPP/referral/referralProgram.jsp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/DTVAPP/referral/referralProgram.jsp

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

TLTHID=1CEB9D56487009D406025293F7DBED12; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

3.15. http://www.directv.com/cms2/commercial/CommercialRedesign/sm_icon__bars_commercial.png previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/cms2/commercial/CommercialRedesign/sm_icon__bars_commercial.png

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

TLTHID=5EFD9917458289AD14988E9A0E554EA6; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /cms2/commercial/CommercialRedesign/sm_icon__bars_commercial.png HTTP/1.1
Host: www.directv.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7
Accept: */*
Referer: http://www.directv.com/DTVAPP/content/contentPage.jsp?topnavtype=3&assetId=P6500009
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDQCACRSDB=PNPMPPDALIBGALDPLEJLJMGM; TLTSID=37DE16AF4E75619C477135A1450BA9F6; JSESSIONID=dNPpT8XXvyGF2FJQKGCvRQzFpp12snRyjq1MCr2sDYH6Nk7yJcDT!1615800593; GL=en_US; TLTHID=2045BD924ADE93AC8744BE987162555F
Content-Length: 10

Response

HTTP/1.1 200 OK
Cache-Control: max-age=900
Content-Length: 4209
Content-Type: image/png
Last-Modified: Thu, 31 Mar 2011 19:42:04 GMT
Accept-Ranges: bytes
ETag: "0ef8b5dbefcb1:277c"
Server: Microsoft-IIS/6.0
Set-Cookie: TLTHID=5EFD9917458289AD14988E9A0E554EA6; Path=/; Domain=.directv.com
Date: Thu, 29 Dec 2011 16:38:33 GMT

.PNG
.
...IHDR...X...D.............tEXtSoftware.Adobe ImageReadyq.e<..."iTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="A
...[SNIP]...

3.16. http://www.directv.com/cms2/commercial/CommercialRedesign/sm_icon__dorms_commercial.png previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/cms2/commercial/CommercialRedesign/sm_icon__dorms_commercial.png

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

TLTHID=A42062E3445DB2C5AF3F3DA8E636101B; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /cms2/commercial/CommercialRedesign/sm_icon__dorms_commercial.png HTTP/1.1
Host: www.directv.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7
Accept: */*
Referer: http://www.directv.com/DTVAPP/content/contentPage.jsp?topnavtype=3&assetId=P6500009
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDQCACRSDB=PNPMPPDALIBGALDPLEJLJMGM; TLTSID=37DE16AF4E75619C477135A1450BA9F6; JSESSIONID=dNPpT8XXvyGF2FJQKGCvRQzFpp12snRyjq1MCr2sDYH6Nk7yJcDT!1615800593; GL=en_US; TLTHID=2045BD924ADE93AC8744BE987162555F
Content-Length: 10

Response

HTTP/1.1 200 OK
Cache-Control: max-age=900
Content-Length: 4812
Content-Type: image/png
Last-Modified: Thu, 31 Mar 2011 19:42:05 GMT
Accept-Ranges: bytes
ETag: "80a490b6dbefcb1:28d0"
Server: Microsoft-IIS/6.0
Set-Cookie: TLTHID=A42062E3445DB2C5AF3F3DA8E636101B; Path=/; Domain=.directv.com
Date: Thu, 29 Dec 2011 16:38:34 GMT

.PNG
.
...IHDR...X...D.............tEXtSoftware.Adobe ImageReadyq.e<...fiTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="A
...[SNIP]...

3.17. http://www.directv.com/cms2/commercial/CommercialRedesign/sm_icon__hospitals_commercial.png previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/cms2/commercial/CommercialRedesign/sm_icon__hospitals_commercial.png

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

TLTHID=DFD459B640078100B6235EA3DB22ED2E; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /cms2/commercial/CommercialRedesign/sm_icon__hospitals_commercial.png HTTP/1.1
Host: www.directv.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7
Accept: */*
Referer: http://www.directv.com/DTVAPP/content/contentPage.jsp?topnavtype=3&assetId=P6500009
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDQCACRSDB=PNPMPPDALIBGALDPLEJLJMGM; TLTSID=37DE16AF4E75619C477135A1450BA9F6; JSESSIONID=dNPpT8XXvyGF2FJQKGCvRQzFpp12snRyjq1MCr2sDYH6Nk7yJcDT!1615800593; GL=en_US; TLTHID=2045BD924ADE93AC8744BE987162555F
Content-Length: 10

Response

HTTP/1.1 200 OK
Cache-Control: max-age=900
Content-Length: 3149
Content-Type: image/png
Last-Modified: Thu, 31 Mar 2011 19:42:05 GMT
Accept-Ranges: bytes
ETag: "80a490b6dbefcb1:8677a"
Server: Microsoft-IIS/6.0
Set-Cookie: TLTHID=DFD459B640078100B6235EA3DB22ED2E; Path=/; Domain=.directv.com
Date: Thu, 29 Dec 2011 16:38:33 GMT

.PNG
.
...IHDR...X...D.............tEXtSoftware.Adobe ImageReadyq.e<...fiTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="A
...[SNIP]...

3.18. http://www.directv.com/cms2/commercial/CommercialRedesign/sm_icon__hotels_commercial.png previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/cms2/commercial/CommercialRedesign/sm_icon__hotels_commercial.png

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

TLTHID=6C1CB2724ED5604E28C50ABF75613789; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /cms2/commercial/CommercialRedesign/sm_icon__hotels_commercial.png HTTP/1.1
Host: www.directv.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7
Accept: */*
Referer: http://www.directv.com/DTVAPP/content/contentPage.jsp?topnavtype=3&assetId=P6500009
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDQCACRSDB=PNPMPPDALIBGALDPLEJLJMGM; TLTSID=37DE16AF4E75619C477135A1450BA9F6; JSESSIONID=dNPpT8XXvyGF2FJQKGCvRQzFpp12snRyjq1MCr2sDYH6Nk7yJcDT!1615800593; GL=en_US; TLTHID=2045BD924ADE93AC8744BE987162555F
Content-Length: 10

Response

HTTP/1.1 200 OK
Cache-Control: max-age=900
Content-Length: 3454
Content-Type: image/png
Last-Modified: Thu, 31 Mar 2011 19:42:05 GMT
Accept-Ranges: bytes
ETag: "80a490b6dbefcb1:277c"
Server: Microsoft-IIS/6.0
Set-Cookie: TLTHID=6C1CB2724ED5604E28C50ABF75613789; Path=/; Domain=.directv.com
Date: Thu, 29 Dec 2011 16:38:33 GMT

.PNG
.
...IHDR...X...D.............tEXtSoftware.Adobe ImageReadyq.e<...fiTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="A
...[SNIP]...

3.19. http://www.directv.com/cms2/commercial/CommercialRedesign/sm_icon__offices_commercial.png previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/cms2/commercial/CommercialRedesign/sm_icon__offices_commercial.png

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

TLTHID=420B7FA34142CC65C02161B78920E3AA; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /cms2/commercial/CommercialRedesign/sm_icon__offices_commercial.png HTTP/1.1
Host: www.directv.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7
Accept: */*
Referer: http://www.directv.com/DTVAPP/content/contentPage.jsp?topnavtype=3&assetId=P6500009
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDQCACRSDB=PNPMPPDALIBGALDPLEJLJMGM; TLTSID=37DE16AF4E75619C477135A1450BA9F6; JSESSIONID=dNPpT8XXvyGF2FJQKGCvRQzFpp12snRyjq1MCr2sDYH6Nk7yJcDT!1615800593; GL=en_US; TLTHID=2045BD924ADE93AC8744BE987162555F
Content-Length: 10

Response

HTTP/1.1 200 OK
Cache-Control: max-age=900
Content-Length: 4566
Content-Type: image/png
Last-Modified: Thu, 31 Mar 2011 22:34:45 GMT
Accept-Ranges: bytes
ETag: "80309bd5f3efcb1:32b7"
Server: Microsoft-IIS/6.0
Set-Cookie: TLTHID=420B7FA34142CC65C02161B78920E3AA; Path=/; Domain=.directv.com
Date: Thu, 29 Dec 2011 16:38:33 GMT

.PNG
.
...IHDR...X...D.............tEXtSoftware.Adobe ImageReadyq.e<...fiTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="A
...[SNIP]...

3.20. http://www.directv.com/cms2/commercial/CommercialRedesign/sm_icon__shops_gyms_commercial.png previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/cms2/commercial/CommercialRedesign/sm_icon__shops_gyms_commercial.png

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

TLTHID=EA4FA36B41FC54F7323DD998316D3640; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /cms2/commercial/CommercialRedesign/sm_icon__shops_gyms_commercial.png HTTP/1.1
Host: www.directv.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7
Accept: */*
Referer: http://www.directv.com/DTVAPP/content/contentPage.jsp?topnavtype=3&assetId=P6500009
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDQCACRSDB=PNPMPPDALIBGALDPLEJLJMGM; TLTSID=37DE16AF4E75619C477135A1450BA9F6; JSESSIONID=dNPpT8XXvyGF2FJQKGCvRQzFpp12snRyjq1MCr2sDYH6Nk7yJcDT!1615800593; GL=en_US; TLTHID=2045BD924ADE93AC8744BE987162555F
Content-Length: 10

Response

HTTP/1.1 200 OK
Cache-Control: max-age=900
Content-Length: 4580
Content-Type: image/png
Last-Modified: Thu, 31 Mar 2011 22:34:45 GMT
Accept-Ranges: bytes
ETag: "80309bd5f3efcb1:27e7"
Server: Microsoft-IIS/6.0
Set-Cookie: TLTHID=EA4FA36B41FC54F7323DD998316D3640; Path=/; Domain=.directv.com
Date: Thu, 29 Dec 2011 16:38:34 GMT

.PNG
.
...IHDR...X...D.............tEXtSoftware.Adobe ImageReadyq.e<...fiTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="A
...[SNIP]...

3.21. http://www.directv.com/cms2/commercial/mdu/mdu_om_building_owners_residents.jpg previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/cms2/commercial/mdu/mdu_om_building_owners_residents.jpg

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

TLTHID=98A146984DE9295F81AE7A89AB297B81; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /cms2/commercial/mdu/mdu_om_building_owners_residents.jpg HTTP/1.1
Host: www.directv.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7
Accept: */*
Referer: http://www.directv.com/DTVAPP/content/contentPage.jsp?_DARGS=/DTVAPP/layout/component/topnav.jsp_A&_DAV=2&_dynSessConf=-167242439233036722&assetId=P6610034
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDQCACRSDB=PNPMPPDALIBGALDPLEJLJMGM; TLTSID=37DE16AF4E75619C477135A1450BA9F6; JSESSIONID=dNPpT8XXvyGF2FJQKGCvRQzFpp12snRyjq1MCr2sDYH6Nk7yJcDT!1615800593; GL=en_US; TLTHID=7935D80B4CB33175A8679999FB610714
Content-Length: 10

Response

HTTP/1.1 200 OK
Cache-Control: max-age=900
Content-Length: 1851
Content-Type: image/jpeg
Last-Modified: Wed, 17 Feb 2010 17:34:54 GMT
Accept-Ranges: bytes
ETag: "033284f7afca1:27e7"
Server: Microsoft-IIS/6.0
Set-Cookie: TLTHID=98A146984DE9295F81AE7A89AB297B81; Path=/; Domain=.directv.com
Date: Thu, 29 Dec 2011 16:38:31 GMT

......JFIF.....d.d......Ducky.......F......Adobe.d......................................
. .

.....
...........................

.............................................................&.}..
...[SNIP]...

3.22. http://www.directv.com/cms2/equipment/mrv/cutting_edge_art_wMRV_House.jpg previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/cms2/equipment/mrv/cutting_edge_art_wMRV_House.jpg

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

TLTHID=5D5A5AE64653402607A403A3CC1F3FCA; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /cms2/equipment/mrv/cutting_edge_art_wMRV_House.jpg HTTP/1.1
Host: www.directv.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7
Accept: */*
Referer: http://www.directv.com/DTVAPP/new_customer/base_packages.jsp?footernavtype=-1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDQCACRSDB=PNPMPPDALIBGALDPLEJLJMGM; TLTSID=37DE16AF4E75619C477135A1450BA9F6; JSESSIONID=dNPpT8XXvyGF2FJQKGCvRQzFpp12snRyjq1MCr2sDYH6Nk7yJcDT!1615800593; GL=en_US; TLTHID=269532D34E60A9802D1544AF29B86F8A
Content-Length: 10

Response

HTTP/1.1 200 OK
Cache-Control: max-age=900
Content-Length: 26664
Content-Type: image/jpeg
Last-Modified: Mon, 07 Nov 2011 20:28:03 GMT
Accept-Ranges: bytes
ETag: "80cbc0bf8b9dcc1:15979c"
Server: Microsoft-IIS/6.0
Set-Cookie: TLTHID=5D5A5AE64653402607A403A3CC1F3FCA; Path=/; Domain=.directv.com
Date: Thu, 29 Dec 2011 16:38:29 GMT

......Exif..II*.................Ducky.......A.....ohttp://ns.adobe.com/xap/1.0/.<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c0
...[SNIP]...

3.23. http://www.directv.com/cms2/global/icons/lg_cl_blu__arrow_alert_icon.png previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/cms2/global/icons/lg_cl_blu__arrow_alert_icon.png

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

TLTHID=5689486C4220DAB39A86E9A9A821F473; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /cms2/global/icons/lg_cl_blu__arrow_alert_icon.png HTTP/1.1
Host: www.directv.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7
Accept: */*
Referer: http://www.directv.com/DTVAPP/content/My_Account
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDQCACRSDB=PNPMPPDALIBGALDPLEJLJMGM; TLTSID=37DE16AF4E75619C477135A1450BA9F6; JSESSIONID=dNPpT8XXvyGF2FJQKGCvRQzFpp12snRyjq1MCr2sDYH6Nk7yJcDT!1615800593; GL=en_US; TLTHID=DF2822CC4F2FBCB299385A812884F442
Content-Length: 10

Response

HTTP/1.1 200 OK
Cache-Control: max-age=900
Content-Length: 1265
Content-Type: image/png
Last-Modified: Mon, 18 May 2009 17:11:43 GMT
Accept-Ranges: bytes
ETag: "80314fb7dbd7c91:277c"
Server: Microsoft-IIS/6.0
Set-Cookie: TLTHID=5689486C4220DAB39A86E9A9A821F473; Path=/; Domain=.directv.com
Date: Thu, 29 Dec 2011 16:39:06 GMT

.PNG
.
...IHDR...,...,.......Z.....tEXtSoftware.Adobe ImageReadyq.e<....IDATx...kh.U...........D.X..M...VKQ......P..*.*Tl?.E.O*~..HQ..,.E..Qj.b..BL... ~....W..}..^...k73..iw....3.w~.?..{g.0......y..
...[SNIP]...

3.24. http://www.directv.com/cms2/global/icons/lg_cl_blu__check_icon.png previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/cms2/global/icons/lg_cl_blu__check_icon.png

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

TLTHID=A5684127458B85794646E1ABE75F8E11; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /cms2/global/icons/lg_cl_blu__check_icon.png HTTP/1.1
Host: www.directv.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7
Accept: */*
Referer: http://www.directv.com/DTVAPP/content/My_Account
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDQCACRSDB=PNPMPPDALIBGALDPLEJLJMGM; TLTSID=37DE16AF4E75619C477135A1450BA9F6; JSESSIONID=dNPpT8XXvyGF2FJQKGCvRQzFpp12snRyjq1MCr2sDYH6Nk7yJcDT!1615800593; GL=en_US; TLTHID=DF2822CC4F2FBCB299385A812884F442
Content-Length: 10

Response

HTTP/1.1 200 OK
Cache-Control: max-age=900
Content-Length: 1356
Content-Type: image/png
Last-Modified: Mon, 18 May 2009 17:11:43 GMT
Accept-Ranges: bytes
ETag: "80314fb7dbd7c91:15979c"
Server: Microsoft-IIS/6.0
Set-Cookie: TLTHID=A5684127458B85794646E1ABE75F8E11; Path=/; Domain=.directv.com
Date: Thu, 29 Dec 2011 16:39:05 GMT

.PNG
.
...IHDR...,...,.......Z.....tEXtSoftware.Adobe ImageReadyq.e<....IDATx...kl.U...<...m..........01FbL.(.hB$.T..%..1~..F..!..1..!Z@l0$&....Pij.*u."j...6..m..fw.z.....................s....!.....
...[SNIP]...

3.25. http://www.directv.com/cms2/global/icons/lg_cl_blu__cinema_icon.png previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/cms2/global/icons/lg_cl_blu__cinema_icon.png

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

TLTHID=7F1BDB3A46AC3FCD4AAF0CA5C5B0437F; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /cms2/global/icons/lg_cl_blu__cinema_icon.png HTTP/1.1
Host: www.directv.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7
Accept: */*
Referer: http://www.directv.com/DTVAPP/index.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDQCACRSDB=PNPMPPDALIBGALDPLEJLJMGM; TLTSID=37DE16AF4E75619C477135A1450BA9F6; JSESSIONID=dNPpT8XXvyGF2FJQKGCvRQzFpp12snRyjq1MCr2sDYH6Nk7yJcDT!1615800593; GL=en_US; TLTHID=2E9ECD0C4B502CDE246C379391DADD54
Content-Length: 10

Response

HTTP/1.1 200 OK
Cache-Control: max-age=900
Content-Length: 1612
Content-Type: image/png
Last-Modified: Wed, 11 Aug 2010 22:04:49 GMT
Accept-Ranges: bytes
ETag: "80564537a139cb1:27e7"
Server: Microsoft-IIS/6.0
Set-Cookie: TLTHID=7F1BDB3A46AC3FCD4AAF0CA5C5B0437F; Path=/; Domain=.directv.com
Date: Thu, 29 Dec 2011 16:38:18 GMT

.PNG
.
...IHDR...,...,.......Z.....tEXtSoftware.Adobe ImageReadyq.e<....IDATx..Y{.TU.....gGg_....`..-S.D.-1.h.DC+*E,.........e.E.......?B..j:.+.5..>vggw^;..u...Y.u....fs.o.q....9.........1.+[y(..f)a
...[SNIP]...

3.26. http://www.directv.com/cms2/global/icons/lg_cl_blu__my_account_icon.png previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/cms2/global/icons/lg_cl_blu__my_account_icon.png

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

TLTHID=5F6573E7416E5124B830C1A72DA9A665; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /cms2/global/icons/lg_cl_blu__my_account_icon.png HTTP/1.1
Host: www.directv.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7
Accept: */*
Referer: http://www.directv.com/DTVAPP/content/My_Account
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDQCACRSDB=PNPMPPDALIBGALDPLEJLJMGM; TLTSID=37DE16AF4E75619C477135A1450BA9F6; JSESSIONID=dNPpT8XXvyGF2FJQKGCvRQzFpp12snRyjq1MCr2sDYH6Nk7yJcDT!1615800593; GL=en_US; TLTHID=DF2822CC4F2FBCB299385A812884F442
Content-Length: 10

Response

HTTP/1.1 200 OK
Cache-Control: max-age=900
Content-Length: 1399
Content-Type: image/png
Last-Modified: Mon, 18 May 2009 17:11:44 GMT
Accept-Ranges: bytes
ETag: "0c8e7b7dbd7c91:15979c"
Server: Microsoft-IIS/6.0
Set-Cookie: TLTHID=5F6573E7416E5124B830C1A72DA9A665; Path=/; Domain=.directv.com
Date: Thu, 29 Dec 2011 16:39:05 GMT

.PNG
.
...IHDR...,...,.......Z.....tEXtSoftware.Adobe ImageReadyq.e<....IDATx...[h.U......-.K.....PJk#..Z$Rb...X.7...R.`."..[}.A(.U)...j+...>X...hc%m@HlsY.$..l6{..9..l6......M...s.d...;...s...R0...
...[SNIP]...

3.27. http://www.directv.com/cms2/global/icons/lg_cl_blu__tv.png previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/cms2/global/icons/lg_cl_blu__tv.png

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

TLTHID=54683FFC40AE6036B7A652B4D23F8205; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /cms2/global/icons/lg_cl_blu__tv.png HTTP/1.1
Host: www.directv.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7
Accept: */*
Referer: http://www.directv.com/entertainment/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDQCACRSDB=PNPMPPDALIBGALDPLEJLJMGM; TLTSID=37DE16AF4E75619C477135A1450BA9F6; JSESSIONID=dNPpT8XXvyGF2FJQKGCvRQzFpp12snRyjq1MCr2sDYH6Nk7yJcDT!1615800593; GL=en_US; TLTHID=56341448423E8CFE9A519295F6399ED4
Content-Length: 10

Response

HTTP/1.1 200 OK
Cache-Control: max-age=900
Content-Length: 1254
Content-Type: image/png
Last-Modified: Wed, 01 Sep 2010 17:34:18 GMT
Accept-Ranges: bytes
ETag: "0984e7fb49cb1:32b7"
Server: Microsoft-IIS/6.0
Set-Cookie: TLTHID=54683FFC40AE6036B7A652B4D23F8205; Path=/; Domain=.directv.com
Date: Thu, 29 Dec 2011 16:39:02 GMT

.PNG
.
...IHDR...,...,.......Z.....tEXtSoftware.Adobe ImageReadyq.e<....IDATx..._h[U....K..iS..nN*Rd.........O".E..l......n
C.):..>.
...........U..?...u.m..I.....&.u........./7..?..;..;'.0........
...[SNIP]...

3.28. http://www.directv.com/cms2/global/icons/lg_cl_blu__tv_guide_icon.png previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/cms2/global/icons/lg_cl_blu__tv_guide_icon.png

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

TLTHID=46340B1643C49535388092B9DCAD9840; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /cms2/global/icons/lg_cl_blu__tv_guide_icon.png HTTP/1.1
Host: www.directv.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7
Accept: */*
Referer: http://www.directv.com/DTVAPP/content/my_account/upgrade
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDQCACRSDB=PNPMPPDALIBGALDPLEJLJMGM; TLTSID=37DE16AF4E75619C477135A1450BA9F6; JSESSIONID=dNPpT8XXvyGF2FJQKGCvRQzFpp12snRyjq1MCr2sDYH6Nk7yJcDT!1615800593; GL=en_US; TLTHID=7482D73842913A2373E6DD8CFEF84850
Content-Length: 10

Response

HTTP/1.1 200 OK
Cache-Control: max-age=900
Content-Length: 1006
Content-Type: image/png
Last-Modified: Mon, 18 May 2009 17:11:45 GMT
Accept-Ranges: bytes
ETag: "805e80b8dbd7c91:32b7"
Server: Microsoft-IIS/6.0
Set-Cookie: TLTHID=46340B1643C49535388092B9DCAD9840; Path=/; Domain=.directv.com
Date: Thu, 29 Dec 2011 16:39:23 GMT

.PNG
.
...IHDR...,...,.......Z.....tEXtSoftware.Adobe ImageReadyq.e<....IDATx....O.A......-........b.......z.`B..`.....?...CT.z0...h<....(.B.M......aigwf|.n..V.]Y...<f.....w..Y."..Bv.s.........&.k.
...[SNIP]...

3.29. http://www.directv.com/cms2/global/icons/lg_cl_gry__information_icon.png previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/cms2/global/icons/lg_cl_gry__information_icon.png

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

TLTHID=736A280C41A23B8C4726DFA45CDE41BF; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /cms2/global/icons/lg_cl_gry__information_icon.png HTTP/1.1
Host: www.directv.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7
Accept: */*
Referer: http://www.directv.com/DTVAPP/content/My_Account
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDQCACRSDB=PNPMPPDALIBGALDPLEJLJMGM; TLTSID=37DE16AF4E75619C477135A1450BA9F6; JSESSIONID=dNPpT8XXvyGF2FJQKGCvRQzFpp12snRyjq1MCr2sDYH6Nk7yJcDT!1615800593; GL=en_US; TLTHID=DF2822CC4F2FBCB299385A812884F442
Content-Length: 10

Response

HTTP/1.1 200 OK
Cache-Control: max-age=900
Content-Length: 1444
Content-Type: image/png
Last-Modified: Thu, 11 Nov 2010 16:58:14 GMT
Accept-Ranges: bytes
ETag: "0170a1c181cb1:32b7"
Server: Microsoft-IIS/6.0
Set-Cookie: TLTHID=736A280C41A23B8C4726DFA45CDE41BF; Path=/; Domain=.directv.com
Date: Thu, 29 Dec 2011 16:39:06 GMT

.PNG
.
...IHDR...,...,.......Z.....tEXtSoftware.Adobe ImageReadyq.e<...FIDATx...YO.W...m<...@....h......K.*.)m
/T.C.B..[...P).>.@.&.[..o.....,....E... ...l.L.....c...(....v.=.9>w....J...../...P.(.n.
...[SNIP]...

3.30. http://www.directv.com/cms2/global/js/cinema_countdown_header_update_myDTV.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/cms2/global/js/cinema_countdown_header_update_myDTV.js

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

TLTHID=62285F514542893C6116CE9364155F48; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /cms2/global/js/cinema_countdown_header_update_myDTV.js HTTP/1.1
Host: www.directv.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7
Accept: */*
Referer: http://www.directv.com/entertainment/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDQCACRSDB=PNPMPPDALIBGALDPLEJLJMGM; TLTSID=37DE16AF4E75619C477135A1450BA9F6; JSESSIONID=dNPpT8XXvyGF2FJQKGCvRQzFpp12snRyjq1MCr2sDYH6Nk7yJcDT!1615800593; GL=en_US; TLTHID=56341448423E8CFE9A519295F6399ED4
Content-Length: 10

Response

HTTP/1.1 200 OK
Cache-Control: max-age=900
Content-Length: 1721
Content-Type: application/x-javascript
Last-Modified: Wed, 21 Dec 2011 21:23:35 GMT
Accept-Ranges: bytes
ETag: "80a5f4cb26c0cc1:277c"
Vary: Accept-Encoding
Server: Microsoft-IIS/6.0
Set-Cookie: TLTHID=62285F514542893C6116CE9364155F48; Path=/; Domain=.directv.com
Date: Thu, 29 Dec 2011 16:39:00 GMT

// JavaScript Document

Event.observe(window, 'load', function() {
dateFuture = new Date("January 1, 2012");
   GetCount();

function GetCount(){
    dateNow = new Date();
    daysLeft = dateFu
...[SNIP]...

3.31. http://www.directv.com/cms2/global/js/countdown_text.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/cms2/global/js/countdown_text.js

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

TLTHID=FD59A09448E00FA833DCC9A821604342; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /cms2/global/js/countdown_text.js HTTP/1.1
Host: www.directv.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7
Accept: */*
Referer: http://www.directv.com/DTVAPP/index.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDQCACRSDB=PNPMPPDALIBGALDPLEJLJMGM; TLTSID=37DE16AF4E75619C477135A1450BA9F6; JSESSIONID=dNPpT8XXvyGF2FJQKGCvRQzFpp12snRyjq1MCr2sDYH6Nk7yJcDT!1615800593; GL=en_US; TLTHID=2E9ECD0C4B502CDE246C379391DADD54
Content-Length: 10

Response

HTTP/1.1 200 OK
Cache-Control: max-age=900
Content-Length: 3294
Content-Type: application/x-javascript
Last-Modified: Tue, 20 Dec 2011 22:16:14 GMT
Accept-Ranges: bytes
ETag: "0b74fc64bfcc1:32b7"
Vary: Accept-Encoding
Server: Microsoft-IIS/6.0
Set-Cookie: TLTHID=FD59A09448E00FA833DCC9A821604342; Path=/; Domain=.directv.com
Date: Thu, 29 Dec 2011 16:38:18 GMT

// JavaScript Document

dateFuture1 = new Date(2011,11,31,23,59,59);
/*dateFuture2 = new Date(2011,9,05,20,00,00);*/

function GetCount(ddate,iid){

dateNow = new Date(); //grab current date

...[SNIP]...

3.32. http://www.directv.com/cms2/global/js/ufc_countdown.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/cms2/global/js/ufc_countdown.js

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

TLTHID=F84FA8F74576322CAB91C0B8383619AC; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /cms2/global/js/ufc_countdown.js HTTP/1.1
Host: www.directv.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7
Accept: */*
Referer: http://www.directv.com/entertainment/events
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDQCACRSDB=PNPMPPDALIBGALDPLEJLJMGM; TLTSID=37DE16AF4E75619C477135A1450BA9F6; JSESSIONID=dNPpT8XXvyGF2FJQKGCvRQzFpp12snRyjq1MCr2sDYH6Nk7yJcDT!1615800593; GL=en_US; TLTHID=EDC42B7941D27E4C27A1319BFC0C7932
Content-Length: 10

Response

HTTP/1.1 200 OK
Cache-Control: max-age=900
Content-Length: 3151
Content-Type: application/x-javascript
Last-Modified: Thu, 08 Dec 2011 00:02:17 GMT
Accept-Ranges: bytes
ETag: "80abaa53cb5cc1:27e7"
Vary: Accept-Encoding
Server: Microsoft-IIS/6.0
Set-Cookie: TLTHID=F84FA8F74576322CAB91C0B8383619AC; Path=/; Domain=.directv.com
Date: Thu, 29 Dec 2011 16:39:09 GMT

Event.observe(window, 'load', function () {
preload_numbers();
updateTimer_ppv();
if (navigator.userAgent.toLowerCase().indexOf("firefox") > -1 && navigator.userAgent.toLowerCase().indexOf
...[SNIP]...

3.33. http://www.directv.com/cms2/homepage/images/img_PRHP__ACSI.jpg previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/cms2/homepage/images/img_PRHP__ACSI.jpg

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

TLTHID=E4FE376443CB8CE3BB0A5C93F04E01B7; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /cms2/homepage/images/img_PRHP__ACSI.jpg HTTP/1.1
Host: www.directv.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7
Accept: */*
Referer: http://www.directv.com/DTVAPP/index.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDQCACRSDB=PNPMPPDALIBGALDPLEJLJMGM; TLTSID=37DE16AF4E75619C477135A1450BA9F6; JSESSIONID=dNPpT8XXvyGF2FJQKGCvRQzFpp12snRyjq1MCr2sDYH6Nk7yJcDT!1615800593; GL=en_US; TLTHID=2E9ECD0C4B502CDE246C379391DADD54
Content-Length: 10

Response

HTTP/1.1 200 OK
Cache-Control: max-age=900
Content-Length: 38792
Content-Type: image/jpeg
Last-Modified: Sat, 24 Sep 2011 01:27:16 GMT
Accept-Ranges: bytes
ETag: "072fc17597acc1:15979c"
Server: Microsoft-IIS/6.0
Set-Cookie: TLTHID=E4FE376443CB8CE3BB0A5C93F04E01B7; Path=/; Domain=.directv.com
Date: Thu, 29 Dec 2011 16:38:19 GMT

......Exif..II*.................Ducky.......F.....+http://ns.adobe.com/xap/1.0/.<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c0
...[SNIP]...

3.34. http://www.directv.com/cms2/my_directv/general/banner_upsell__upgrade.jpg previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/cms2/my_directv/general/banner_upsell__upgrade.jpg

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

TLTHID=B58A90364F6EC3846B8C29BD67EDEE75; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /cms2/my_directv/general/banner_upsell__upgrade.jpg HTTP/1.1
Host: www.directv.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7
Accept: */*
Referer: http://www.directv.com/entertainment/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDQCACRSDB=PNPMPPDALIBGALDPLEJLJMGM; TLTSID=37DE16AF4E75619C477135A1450BA9F6; JSESSIONID=dNPpT8XXvyGF2FJQKGCvRQzFpp12snRyjq1MCr2sDYH6Nk7yJcDT!1615800593; GL=en_US; TLTHID=56341448423E8CFE9A519295F6399ED4
Content-Length: 10

Response

HTTP/1.1 200 OK
Cache-Control: max-age=900
Content-Length: 35340
Content-Type: image/jpeg
Last-Modified: Mon, 28 Nov 2011 20:27:16 GMT
Accept-Ranges: bytes
ETag: "0ea691ecaecc1:8677a"
Server: Microsoft-IIS/6.0
Set-Cookie: TLTHID=B58A90364F6EC3846B8C29BD67EDEE75; Path=/; Domain=.directv.com
Date: Thu, 29 Dec 2011 16:39:02 GMT

......Exif..II*.................Ducky.......A.....+http://ns.adobe.com/xap/1.0/.<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c0
...[SNIP]...

3.35. http://www.directv.com/cms2/my_directv/movies/201112/bnr_3col__DIRECTV_CINEMA_countdown.jpg previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/cms2/my_directv/movies/201112/bnr_3col__DIRECTV_CINEMA_countdown.jpg

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

TLTHID=6BFB5C07497C4A13461491B0479650BC; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /cms2/my_directv/movies/201112/bnr_3col__DIRECTV_CINEMA_countdown.jpg HTTP/1.1
Host: www.directv.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7
Accept: */*
Referer: http://www.directv.com/entertainment/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDQCACRSDB=PNPMPPDALIBGALDPLEJLJMGM; TLTSID=37DE16AF4E75619C477135A1450BA9F6; JSESSIONID=dNPpT8XXvyGF2FJQKGCvRQzFpp12snRyjq1MCr2sDYH6Nk7yJcDT!1615800593; GL=en_US; TLTHID=56341448423E8CFE9A519295F6399ED4
Content-Length: 10

Response

HTTP/1.1 200 OK
Cache-Control: max-age=900
Content-Length: 53096
Content-Type: image/jpeg
Last-Modified: Wed, 21 Dec 2011 15:17:38 GMT
Accept-Ranges: bytes
ETag: "05590acf3bfcc1:28d0"
Server: Microsoft-IIS/6.0
Set-Cookie: TLTHID=6BFB5C07497C4A13461491B0479650BC; Path=/; Domain=.directv.com
Date: Thu, 29 Dec 2011 16:39:01 GMT

......Exif..II*.................Ducky.......K.....+http://ns.adobe.com/xap/1.0/.<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c0
...[SNIP]...

3.36. http://www.directv.com/cms2/my_directv/my_directv/my_directv.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/cms2/my_directv/my_directv/my_directv.js

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

TLTHID=803CEB7D493EF335C6BE87A76144A446; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /cms2/my_directv/my_directv/my_directv.js HTTP/1.1
Host: www.directv.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7
Accept: */*
Referer: http://www.directv.com/entertainment/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDQCACRSDB=PNPMPPDALIBGALDPLEJLJMGM; TLTSID=37DE16AF4E75619C477135A1450BA9F6; JSESSIONID=dNPpT8XXvyGF2FJQKGCvRQzFpp12snRyjq1MCr2sDYH6Nk7yJcDT!1615800593; GL=en_US; TLTHID=56341448423E8CFE9A519295F6399ED4
Content-Length: 10

Response

HTTP/1.1 200 OK
Cache-Control: max-age=900
Content-Length: 351
Content-Type: application/x-javascript
Last-Modified: Wed, 30 Nov 2011 17:16:20 GMT
Accept-Ranges: bytes
ETag: "08aeec683afcc1:27e7"
Vary: Accept-Encoding
Server: Microsoft-IIS/6.0
Set-Cookie: TLTHID=803CEB7D493EF335C6BE87A76144A446; Path=/; Domain=.directv.com
Date: Thu, 29 Dec 2011 16:39:01 GMT

document.observe("dom:loaded", function() {

new Element('div').appendTo('ctl_header').addClassName('my_dtv-beta-icon');
new Element('div').appendTo('ctl_header').addClassName('my-dtv-header-tag'
...[SNIP]...

3.37. http://www.directv.com/cms2/offer/2011_Q4/PRHP/holiday_countdown.jpg previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/cms2/offer/2011_Q4/PRHP/holiday_countdown.jpg

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

TLTHID=DCEDCE4F4EFB479D051196BDDA471FF3; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /cms2/offer/2011_Q4/PRHP/holiday_countdown.jpg HTTP/1.1
Host: www.directv.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7
Accept: */*
Referer: http://www.directv.com/DTVAPP/new_customer/base_packages.jsp?footernavtype=-1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDQCACRSDB=PNPMPPDALIBGALDPLEJLJMGM; TLTSID=37DE16AF4E75619C477135A1450BA9F6; JSESSIONID=dNPpT8XXvyGF2FJQKGCvRQzFpp12snRyjq1MCr2sDYH6Nk7yJcDT!1615800593; GL=en_US; TLTHID=269532D34E60A9802D1544AF29B86F8A
Content-Length: 10

Response

HTTP/1.1 200 OK
Cache-Control: max-age=900
Content-Length: 26922
Content-Type: image/jpeg
Last-Modified: Tue, 20 Dec 2011 19:03:18 GMT
Accept-Ranges: bytes
ETag: "09f9e84abfcc1:277c"
Server: Microsoft-IIS/6.0
Set-Cookie: TLTHID=DCEDCE4F4EFB479D051196BDDA471FF3; Path=/; Domain=.directv.com
Date: Thu, 29 Dec 2011 16:38:26 GMT

......Exif..II*.................Ducky.......<.....+http://ns.adobe.com/xap/1.0/.<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c0
...[SNIP]...

3.38. http://www.directv.com/cms2/offer/2011_Q4/PRHP/holiday_ribbon_left.png previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/cms2/offer/2011_Q4/PRHP/holiday_ribbon_left.png

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

TLTHID=6B7DB8AA4129E0CDF53279B7444B14D9; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /cms2/offer/2011_Q4/PRHP/holiday_ribbon_left.png HTTP/1.1
Host: www.directv.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7
Accept: */*
Referer: http://www.directv.com/DTVAPP/new_customer/base_packages.jsp?footernavtype=-1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDQCACRSDB=PNPMPPDALIBGALDPLEJLJMGM; TLTSID=37DE16AF4E75619C477135A1450BA9F6; JSESSIONID=dNPpT8XXvyGF2FJQKGCvRQzFpp12snRyjq1MCr2sDYH6Nk7yJcDT!1615800593; GL=en_US; TLTHID=269532D34E60A9802D1544AF29B86F8A
Content-Length: 10

Response

HTTP/1.1 200 OK
Cache-Control: max-age=900
Content-Length: 4623
Content-Type: image/png
Last-Modified: Wed, 30 Nov 2011 16:22:35 GMT
Accept-Ranges: bytes
ETag: "8097ae447cafcc1:27e7"
Server: Microsoft-IIS/6.0
Set-Cookie: TLTHID=6B7DB8AA4129E0CDF53279B7444B14D9; Path=/; Domain=.directv.com
Date: Thu, 29 Dec 2011 16:38:26 GMT

.PNG
.
...IHDR...+...P.............tEXtSoftware.Adobe ImageReadyq.e<..."iTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="A
...[SNIP]...

3.39. http://www.directv.com/cms2/offer/2011_Q4/PRHP/holiday_ribbon_right.png previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/cms2/offer/2011_Q4/PRHP/holiday_ribbon_right.png

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

TLTHID=C4F2C54845D852986E4B5A9233B7CD26; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /cms2/offer/2011_Q4/PRHP/holiday_ribbon_right.png HTTP/1.1
Host: www.directv.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7
Accept: */*
Referer: http://www.directv.com/DTVAPP/new_customer/base_packages.jsp?footernavtype=-1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDQCACRSDB=PNPMPPDALIBGALDPLEJLJMGM; TLTSID=37DE16AF4E75619C477135A1450BA9F6; JSESSIONID=dNPpT8XXvyGF2FJQKGCvRQzFpp12snRyjq1MCr2sDYH6Nk7yJcDT!1615800593; GL=en_US; TLTHID=269532D34E60A9802D1544AF29B86F8A
Content-Length: 10

Response

HTTP/1.1 200 OK
Cache-Control: max-age=900
Content-Length: 4638
Content-Type: image/png
Last-Modified: Fri, 02 Dec 2011 17:02:09 GMT
Accept-Ranges: bytes
ETag: "80be852014b1cc1:15979c"
Server: Microsoft-IIS/6.0
Set-Cookie: TLTHID=C4F2C54845D852986E4B5A9233B7CD26; Path=/; Domain=.directv.com
Date: Thu, 29 Dec 2011 16:38:27 GMT

.PNG
.
...IHDR...+...P.............tEXtSoftware.Adobe ImageReadyq.e<..."iTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="A
...[SNIP]...

3.40. http://www.directv.com/cms2/offer/2011_Q4/PRHP/holiday_tag.png previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/cms2/offer/2011_Q4/PRHP/holiday_tag.png

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

TLTHID=C2B481974D5B5D8A60241B8FB6E841E1; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /cms2/offer/2011_Q4/PRHP/holiday_tag.png HTTP/1.1
Host: www.directv.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7
Accept: */*
Referer: http://www.directv.com/DTVAPP/new_customer/base_packages.jsp?footernavtype=-1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDQCACRSDB=PNPMPPDALIBGALDPLEJLJMGM; TLTSID=37DE16AF4E75619C477135A1450BA9F6; JSESSIONID=dNPpT8XXvyGF2FJQKGCvRQzFpp12snRyjq1MCr2sDYH6Nk7yJcDT!1615800593; GL=en_US; TLTHID=269532D34E60A9802D1544AF29B86F8A
Content-Length: 10

Response

HTTP/1.1 200 OK
Cache-Control: max-age=900
Content-Length: 5349
Content-Type: image/png
Last-Modified: Tue, 20 Dec 2011 20:03:22 GMT
Accept-Ranges: bytes
ETag: "061c56c52bfcc1:8677a"
Server: Microsoft-IIS/6.0
Set-Cookie: TLTHID=C2B481974D5B5D8A60241B8FB6E841E1; Path=/; Domain=.directv.com
Date: Thu, 29 Dec 2011 16:38:27 GMT

.PNG
.
...IHDR..."...}.............tEXtSoftware.Adobe ImageReadyq.e<..."iTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="A
...[SNIP]...

3.41. http://www.directv.com/cms2/offer/2011_Q4/packages/sm_hdr__120211_Lantern_GM.jpg previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/cms2/offer/2011_Q4/packages/sm_hdr__120211_Lantern_GM.jpg

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

TLTHID=A81FF222442CC85518E97EB89174D5B8; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /cms2/offer/2011_Q4/packages/sm_hdr__120211_Lantern_GM.jpg HTTP/1.1
Host: www.directv.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7
Accept: */*
Referer: http://www.directv.com/DTVAPP/new_customer/base_packages.jsp?footernavtype=-1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDQCACRSDB=PNPMPPDALIBGALDPLEJLJMGM; TLTSID=37DE16AF4E75619C477135A1450BA9F6; JSESSIONID=dNPpT8XXvyGF2FJQKGCvRQzFpp12snRyjq1MCr2sDYH6Nk7yJcDT!1615800593; GL=en_US; TLTHID=269532D34E60A9802D1544AF29B86F8A
Content-Length: 10

Response

HTTP/1.1 200 OK
Cache-Control: max-age=900
Content-Length: 63503
Content-Type: image/jpeg
Last-Modified: Tue, 20 Dec 2011 19:59:45 GMT
Accept-Ranges: bytes
ETag: "80ce6deb51bfcc1:15979c"
Server: Microsoft-IIS/6.0
Set-Cookie: TLTHID=A81FF222442CC85518E97EB89174D5B8; Path=/; Domain=.directv.com
Date: Thu, 29 Dec 2011 16:38:26 GMT

......Exif..II*.................Ducky.......<.....+http://ns.adobe.com/xap/1.0/.<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c0
...[SNIP]...

3.42. http://www.directv.com/cms2/product_catalog/browse_packages/four_free_upgrades_hd_dvr_3_hd_receivers.jpg previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/cms2/product_catalog/browse_packages/four_free_upgrades_hd_dvr_3_hd_receivers.jpg

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

TLTHID=D7A13D4240AC2BA3FB462F8E8039F9C8; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /cms2/product_catalog/browse_packages/four_free_upgrades_hd_dvr_3_hd_receivers.jpg HTTP/1.1
Host: www.directv.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7
Accept: */*
Referer: http://www.directv.com/DTVAPP/new_customer/base_packages.jsp?footernavtype=-1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDQCACRSDB=PNPMPPDALIBGALDPLEJLJMGM; TLTSID=37DE16AF4E75619C477135A1450BA9F6; JSESSIONID=dNPpT8XXvyGF2FJQKGCvRQzFpp12snRyjq1MCr2sDYH6Nk7yJcDT!1615800593; GL=en_US; TLTHID=269532D34E60A9802D1544AF29B86F8A
Content-Length: 10

Response

HTTP/1.1 200 OK
Cache-Control: max-age=900
Content-Length: 9604
Content-Type: image/jpeg
Last-Modified: Tue, 13 Sep 2011 18:17:08 GMT
Accept-Ranges: bytes
ETag: "0aa16594172cc1:8677a"
Server: Microsoft-IIS/6.0
Set-Cookie: TLTHID=D7A13D4240AC2BA3FB462F8E8039F9C8; Path=/; Domain=.directv.com
Date: Thu, 29 Dec 2011 16:38:30 GMT

......Exif..II*.................Ducky.......A.....+http://ns.adobe.com/xap/1.0/.<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c0
...[SNIP]...

3.43. http://www.directv.com/cms2/product_catalog/browse_packages/free_hd_dvr_3_hd_receivers_Q411_4col.jpg previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/cms2/product_catalog/browse_packages/free_hd_dvr_3_hd_receivers_Q411_4col.jpg

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

TLTHID=842D186B4C1716AEB091DDB998337D38; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /cms2/product_catalog/browse_packages/free_hd_dvr_3_hd_receivers_Q411_4col.jpg HTTP/1.1
Host: www.directv.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7
Accept: */*
Referer: http://www.directv.com/DTVAPP/new_customer/base_packages.jsp?footernavtype=-1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDQCACRSDB=PNPMPPDALIBGALDPLEJLJMGM; TLTSID=37DE16AF4E75619C477135A1450BA9F6; JSESSIONID=dNPpT8XXvyGF2FJQKGCvRQzFpp12snRyjq1MCr2sDYH6Nk7yJcDT!1615800593; GL=en_US; TLTHID=269532D34E60A9802D1544AF29B86F8A
Content-Length: 10

Response

HTTP/1.1 200 OK
Cache-Control: max-age=900
Content-Length: 9321
Content-Type: image/jpeg
Last-Modified: Tue, 13 Sep 2011 18:17:10 GMT
Accept-Ranges: bytes
ETag: "0d7475a4172cc1:27e7"
Server: Microsoft-IIS/6.0
Set-Cookie: TLTHID=842D186B4C1716AEB091DDB998337D38; Path=/; Domain=.directv.com
Date: Thu, 29 Dec 2011 16:38:29 GMT

......Exif..II*.................Ducky.......A.....+http://ns.adobe.com/xap/1.0/.<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c0
...[SNIP]...

3.44. http://www.directv.com/cms2/product_catalog/browse_packages/free_hd_dvr_or_hdDVR_receiver_Q411_4col.jpg previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/cms2/product_catalog/browse_packages/free_hd_dvr_or_hdDVR_receiver_Q411_4col.jpg

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

TLTHID=1B693BEB459A467BE82DEDB62776490A; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /cms2/product_catalog/browse_packages/free_hd_dvr_or_hdDVR_receiver_Q411_4col.jpg HTTP/1.1
Host: www.directv.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7
Accept: */*
Referer: http://www.directv.com/DTVAPP/new_customer/base_packages.jsp?footernavtype=-1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDQCACRSDB=PNPMPPDALIBGALDPLEJLJMGM; TLTSID=37DE16AF4E75619C477135A1450BA9F6; JSESSIONID=dNPpT8XXvyGF2FJQKGCvRQzFpp12snRyjq1MCr2sDYH6Nk7yJcDT!1615800593; GL=en_US; TLTHID=269532D34E60A9802D1544AF29B86F8A
Content-Length: 10

Response

HTTP/1.1 200 OK
Cache-Control: max-age=900
Content-Length: 7012
Content-Type: image/jpeg
Last-Modified: Tue, 13 Sep 2011 18:17:11 GMT
Accept-Ranges: bytes
ETag: "806de05a4172cc1:28d0"
Server: Microsoft-IIS/6.0
Set-Cookie: TLTHID=1B693BEB459A467BE82DEDB62776490A; Path=/; Domain=.directv.com
Date: Thu, 29 Dec 2011 16:38:28 GMT

......Exif..II*.................Ducky.......A.....+http://ns.adobe.com/xap/1.0/.<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c0
...[SNIP]...

3.45. http://www.directv.com/cms2/product_catalog/browse_packages/includes.png previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/cms2/product_catalog/browse_packages/includes.png

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

TLTHID=3B296E5E498AD4461CB3EE9F1C7E7207; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /cms2/product_catalog/browse_packages/includes.png HTTP/1.1
Host: www.directv.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7
Accept: */*
Referer: http://www.directv.com/DTVAPP/new_customer/base_packages.jsp?footernavtype=-1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDQCACRSDB=PNPMPPDALIBGALDPLEJLJMGM; TLTSID=37DE16AF4E75619C477135A1450BA9F6; JSESSIONID=dNPpT8XXvyGF2FJQKGCvRQzFpp12snRyjq1MCr2sDYH6Nk7yJcDT!1615800593; GL=en_US; TLTHID=269532D34E60A9802D1544AF29B86F8A
Content-Length: 10

Response

HTTP/1.1 200 OK
Cache-Control: max-age=900
Content-Length: 895
Content-Type: image/png
Last-Modified: Thu, 24 Sep 2009 16:16:49 GMT
Accept-Ranges: bytes
ETag: "806e386b323dca1:27e7"
Server: Microsoft-IIS/6.0
Set-Cookie: TLTHID=3B296E5E498AD4461CB3EE9F1C7E7207; Path=/; Domain=.directv.com
Date: Thu, 29 Dec 2011 16:38:28 GMT

.PNG
.
...IHDR.............`.'.....tEXtSoftware.Adobe ImageReadyq.e<....PLTE333iii............AAA......NNN......www......\\\..........................................................................
...[SNIP]...

3.46. http://www.directv.com/cms2/product_catalog/get_DIRECTV.gif previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/cms2/product_catalog/get_DIRECTV.gif

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

TLTHID=C167E6A14C6B9E63AC1EE68F86C3251D; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /cms2/product_catalog/get_DIRECTV.gif HTTP/1.1
Host: www.directv.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7
Accept: */*
Referer: http://www.directv.com/DTVAPP/content/contentPage.jsp?_DARGS=/DTVAPP/layout/component/topnav.jsp_A&_DAV=2&_dynSessConf=-167242439233036722&assetId=P6610034
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDQCACRSDB=PNPMPPDALIBGALDPLEJLJMGM; TLTSID=37DE16AF4E75619C477135A1450BA9F6; JSESSIONID=dNPpT8XXvyGF2FJQKGCvRQzFpp12snRyjq1MCr2sDYH6Nk7yJcDT!1615800593; GL=en_US; TLTHID=7935D80B4CB33175A8679999FB610714
Content-Length: 10

Response

HTTP/1.1 200 OK
Cache-Control: max-age=900
Content-Length: 3389
Content-Type: image/gif
Last-Modified: Wed, 26 Jan 2011 00:29:23 GMT
Accept-Ranges: bytes
ETag: "80f35c14f0bccb1:32b7"
Server: Microsoft-IIS/6.0
Set-Cookie: TLTHID=C167E6A14C6B9E63AC1EE68F86C3251D; Path=/; Domain=.directv.com
Date: Thu, 29 Dec 2011 16:38:31 GMT

GIF89aD.&.........A%k.A..I...-M.Bk...=..AWq.|.L..<.....1v.......%........q..e.....r...[.....g............(1.....[........2.....;...g.
a.l..-.."|.Jc|A..F....6.......k.>......}.;.. Mzl...X.\............
...[SNIP]...

3.47. http://www.directv.com/cms2/sports/nfl/Online/logo__DVR_Scheduler_iPhone_App.gif previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/cms2/sports/nfl/Online/logo__DVR_Scheduler_iPhone_App.gif

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

TLTHID=0443B43B4312D06E514E598801EA279A; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /cms2/sports/nfl/Online/logo__DVR_Scheduler_iPhone_App.gif HTTP/1.1
Host: www.directv.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7
Accept: */*
Referer: http://www.directv.com/DTVAPP/content/technology/mobile_apps/dvr_scheduler
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDQCACRSDB=PNPMPPDALIBGALDPLEJLJMGM; TLTSID=37DE16AF4E75619C477135A1450BA9F6; JSESSIONID=dNPpT8XXvyGF2FJQKGCvRQzFpp12snRyjq1MCr2sDYH6Nk7yJcDT!1615800593; GL=en_US; ASPSESSIONIDAQAASQBC=ONHHOPDAHLJCBPCKMGMCPFNL; TLTHID=845984FE409F9405C0F8AB8AAC6E8FC4
Content-Length: 10

Response

HTTP/1.1 200 OK
Cache-Control: max-age=900
Content-Length: 2046
Content-Type: image/gif
Last-Modified: Tue, 08 Sep 2009 20:22:55 GMT
Accept-Ranges: bytes
ETag: "8039d525c230ca1:32b7"
Server: Microsoft-IIS/6.0
Set-Cookie: TLTHID=0443B43B4312D06E514E598801EA279A; Path=/; Domain=.directv.com
Date: Thu, 29 Dec 2011 16:39:59 GMT

GIF89a}.).......vz}..................quxmqu...tx|{...tx{.........jnrotww{~uy|...rwzafj...x|................!.......,....}.).....0(.!.h..l..p,.pT..gQA....pH,...dr3.(...t..d6..v..>...x.l4...z.F;......
...[SNIP]...

3.48. http://www.directv.com/cms2/support/my_account/btn__Add_now.png previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/cms2/support/my_account/btn__Add_now.png

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

TLTHID=2B7DE8B748C8D59F9D32BC91FB5EC372; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /cms2/support/my_account/btn__Add_now.png HTTP/1.1
Host: www.directv.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7
Accept: */*
Referer: http://www.directv.com/DTVAPP/content/my_account/upgrade
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDQCACRSDB=PNPMPPDALIBGALDPLEJLJMGM; TLTSID=37DE16AF4E75619C477135A1450BA9F6; JSESSIONID=dNPpT8XXvyGF2FJQKGCvRQzFpp12snRyjq1MCr2sDYH6Nk7yJcDT!1615800593; GL=en_US; TLTHID=7482D73842913A2373E6DD8CFEF84850
Content-Length: 10

Response

HTTP/1.1 200 OK
Cache-Control: max-age=900
Content-Length: 3086
Content-Type: image/png
Last-Modified: Mon, 14 Dec 2009 21:25:07 GMT
Accept-Ranges: bytes
ETag: "80fb58e837dca1:8677a"
Server: Microsoft-IIS/6.0
Set-Cookie: TLTHID=2B7DE8B748C8D59F9D32BC91FB5EC372; Path=/; Domain=.directv.com
Date: Thu, 29 Dec 2011 16:39:31 GMT

.PNG
.
...IHDR.....................tEXtSoftware.Adobe ImageReadyq.e<....IDATx.b..y...2.x..u.. Ve.....l.@".{.`Uy.Y....{.'......C.
...Y0....... .J.M...q...3...#4..3P.02............l..XU...2...3.p23L
...[SNIP]...

3.49. http://www.directv.com/cms2/support/my_account/btn__Upgrade_now.png previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/cms2/support/my_account/btn__Upgrade_now.png

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

TLTHID=9CAF26964D0B4F44F5DB07BF824DA4CD; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /cms2/support/my_account/btn__Upgrade_now.png HTTP/1.1
Host: www.directv.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7
Accept: */*
Referer: http://www.directv.com/DTVAPP/content/my_account/upgrade
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDQCACRSDB=PNPMPPDALIBGALDPLEJLJMGM; TLTSID=37DE16AF4E75619C477135A1450BA9F6; JSESSIONID=dNPpT8XXvyGF2FJQKGCvRQzFpp12snRyjq1MCr2sDYH6Nk7yJcDT!1615800593; GL=en_US; TLTHID=7482D73842913A2373E6DD8CFEF84850
Content-Length: 10

Response

HTTP/1.1 200 OK
Cache-Control: max-age=900
Content-Length: 3589
Content-Type: image/png
Last-Modified: Mon, 14 Dec 2009 21:25:07 GMT
Accept-Ranges: bytes
ETag: "80fb58e837dca1:15979c"
Server: Microsoft-IIS/6.0
Set-Cookie: TLTHID=9CAF26964D0B4F44F5DB07BF824DA4CD; Path=/; Domain=.directv.com
Date: Thu, 29 Dec 2011 16:39:32 GMT

.PNG
.
...IHDR.....................tEXtSoftware.Adobe ImageReadyq.e<...IDATx.b...?.............|O.Ue..y........}.....0C../...<.|,.pqd.....k...j.....b...~.T._..[..Aw.=.N]u..V..... F.#_.._=........
...[SNIP]...

3.50. http://www.directv.com/cms2/support/paperless_help_the_environment.png previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/cms2/support/paperless_help_the_environment.png

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

TLTHID=3BE6BB23455A9F439D7F91BA6DBDC125; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /cms2/support/paperless_help_the_environment.png HTTP/1.1
Host: www.directv.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7
Accept: */*
Referer: http://www.directv.com/DTVAPP/content/gopaperless
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDQCACRSDB=PNPMPPDALIBGALDPLEJLJMGM; TLTSID=37DE16AF4E75619C477135A1450BA9F6; JSESSIONID=dNPpT8XXvyGF2FJQKGCvRQzFpp12snRyjq1MCr2sDYH6Nk7yJcDT!1615800593; GL=en_US; TLTHID=26FE1D6B4B4D32EC8ED7CAAE0E971CDD
Content-Length: 10

Response

HTTP/1.1 200 OK
Cache-Control: max-age=900
Content-Length: 9919
Content-Type: image/png
Last-Modified: Fri, 04 Nov 2011 17:07:06 GMT
Accept-Ranges: bytes
ETag: "059fb2d149bcc1:8677a"
Server: Microsoft-IIS/6.0
Set-Cookie: TLTHID=3BE6BB23455A9F439D7F91BA6DBDC125; Path=/; Domain=.directv.com
Date: Thu, 29 Dec 2011 16:39:49 GMT

.PNG
.
...IHDR.............n.......tEXtSoftware.Adobe ImageReadyq.e<... iTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="A
...[SNIP]...

3.51. http://www.directv.com/cms2/technology/mobile_web/bnr__Mobile_Web_Events_dark.jpg previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/cms2/technology/mobile_web/bnr__Mobile_Web_Events_dark.jpg

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

TLTHID=07CFC6B343FA9439B78EE3B65C30ACA7; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /cms2/technology/mobile_web/bnr__Mobile_Web_Events_dark.jpg HTTP/1.1
Host: www.directv.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7
Accept: */*
Referer: http://www.directv.com/entertainment/events
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDQCACRSDB=PNPMPPDALIBGALDPLEJLJMGM; TLTSID=37DE16AF4E75619C477135A1450BA9F6; JSESSIONID=dNPpT8XXvyGF2FJQKGCvRQzFpp12snRyjq1MCr2sDYH6Nk7yJcDT!1615800593; GL=en_US; TLTHID=EDC42B7941D27E4C27A1319BFC0C7932
Content-Length: 10

Response

HTTP/1.1 200 OK
Cache-Control: max-age=900
Content-Length: 48685
Content-Type: image/jpeg
Last-Modified: Tue, 25 Oct 2011 20:42:28 GMT
Accept-Ranges: bytes
ETag: "092f69b5693cc1:32b7"
Server: Microsoft-IIS/6.0
Set-Cookie: TLTHID=07CFC6B343FA9439B78EE3B65C30ACA7; Path=/; Domain=.directv.com
Date: Thu, 29 Dec 2011 16:39:12 GMT

......Exif..II*.................Ducky.......A.....ohttp://ns.adobe.com/xap/1.0/.<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c0
...[SNIP]...

3.52. http://www.directv.com/cms2/what_is_directv/dvr/mobile_apps/logo__DVR_Scheduler_Windows7_App.gif previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/cms2/what_is_directv/dvr/mobile_apps/logo__DVR_Scheduler_Windows7_App.gif

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

TLTHID=7BA1F260480107949A952BA61FB28050; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /cms2/what_is_directv/dvr/mobile_apps/logo__DVR_Scheduler_Windows7_App.gif HTTP/1.1
Host: www.directv.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7
Accept: */*
Referer: http://www.directv.com/DTVAPP/content/technology/mobile_apps/dvr_scheduler
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDQCACRSDB=PNPMPPDALIBGALDPLEJLJMGM; TLTSID=37DE16AF4E75619C477135A1450BA9F6; JSESSIONID=dNPpT8XXvyGF2FJQKGCvRQzFpp12snRyjq1MCr2sDYH6Nk7yJcDT!1615800593; GL=en_US; ASPSESSIONIDAQAASQBC=ONHHOPDAHLJCBPCKMGMCPFNL; TLTHID=845984FE409F9405C0F8AB8AAC6E8FC4
Content-Length: 10

Response

HTTP/1.1 200 OK
Cache-Control: max-age=900
Content-Length: 1881
Content-Type: image/gif
Last-Modified: Tue, 09 Nov 2010 22:49:22 GMT
Accept-Ranges: bytes
ETag: "045ae596080cb1:15979c"
Server: Microsoft-IIS/6.0
Set-Cookie: TLTHID=7BA1F260480107949A952BA61FB28050; Path=/; Domain=.directv.com
Date: Thu, 29 Dec 2011 16:39:59 GMT

GIF89a..*.......Z.-............j.E....q.....)w.V..hk.G...e.>!.......,......*....P.I.......`(.di.h
"
..n..r..vN..R..ph....b.Id*..&t
u.Y...v..fZ.l.h<...z.f..F...V..t;}.V...X4\8:_;.7.>..{..yzmuQr~.q~.x
...[SNIP]...

3.53. http://www.directv.com/cms2/what_is_directv/exclusive/damages/site/btn__Damages_share.png previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/cms2/what_is_directv/exclusive/damages/site/btn__Damages_share.png

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

TLTHID=798E1FE7458EB656F0066AAB654C788F; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /cms2/what_is_directv/exclusive/damages/site/btn__Damages_share.png HTTP/1.1
Host: www.directv.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7
Accept: */*
Referer: http://www.directv.com/DTVAPP/content/technology/mobile_apps/dvr_scheduler
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDQCACRSDB=PNPMPPDALIBGALDPLEJLJMGM; TLTSID=37DE16AF4E75619C477135A1450BA9F6; JSESSIONID=dNPpT8XXvyGF2FJQKGCvRQzFpp12snRyjq1MCr2sDYH6Nk7yJcDT!1615800593; GL=en_US; ASPSESSIONIDAQAASQBC=ONHHOPDAHLJCBPCKMGMCPFNL; TLTHID=845984FE409F9405C0F8AB8AAC6E8FC4
Content-Length: 10

Response

HTTP/1.1 200 OK
Cache-Control: max-age=900
Content-Length: 1312
Content-Type: image/png
Last-Modified: Fri, 10 Dec 2010 17:13:03 GMT
Accept-Ranges: bytes
ETag: "8079dd808d98cb1:32b7"
Server: Microsoft-IIS/6.0
Set-Cookie: TLTHID=798E1FE7458EB656F0066AAB654C788F; Path=/; Domain=.directv.com
Date: Thu, 29 Dec 2011 16:39:59 GMT

.PNG
.
...IHDR...z..........j.}....tEXtSoftware.Adobe ImageReadyq.e<....IDATx..XWK$Y.>......Y...........".'q...,;..?V..EP.QDA|.s..0aB.VT0.:....5..=m.>.4....[u..'....&.......U.(..N8..,._....F..sXX.yy
...[SNIP]...

3.54. http://www.directv.com/dvrscheduler previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/dvrscheduler

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

TLTHID=8BB157B04CF01ADB1BA492AE2EA9DAFD; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /dvrscheduler HTTP/1.1
Host: www.directv.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.directv.com/DTVAPP/content/My_Account
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDQCACRSDB=PNPMPPDALIBGALDPLEJLJMGM; TLTSID=37DE16AF4E75619C477135A1450BA9F6; JSESSIONID=dNPpT8XXvyGF2FJQKGCvRQzFpp12snRyjq1MCr2sDYH6Nk7yJcDT!1615800593; GL=en_US; TLTHID=F0F410584DA608CF1C8954BE21725797
Content-Length: 10

Response

HTTP/1.1 301 Moved Permanently
Content-Length: 159
Content-Type: text/html
Location: http://www.directv.com/dvrscheduler/
Server: Microsoft-IIS/6.0
Set-Cookie: TLTHID=8BB157B04CF01ADB1BA492AE2EA9DAFD; Path=/; Domain=.directv.com
Date: Thu, 29 Dec 2011 16:39:54 GMT

<head><title>Document Moved</title></head>
<body><h1>Object Moved</h1>This document may be found <a HREF="http://www.directv.com/dvrscheduler/">here</a></body>

3.55. http://www.directv.com/dvrscheduler/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/dvrscheduler/

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

TLTHID=31CC6AD64FDF5AD63292F7B9AC914520; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /dvrscheduler/ HTTP/1.1
Host: www.directv.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.directv.com/DTVAPP/content/My_Account
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDQCACRSDB=PNPMPPDALIBGALDPLEJLJMGM; TLTSID=37DE16AF4E75619C477135A1450BA9F6; JSESSIONID=dNPpT8XXvyGF2FJQKGCvRQzFpp12snRyjq1MCr2sDYH6Nk7yJcDT!1615800593; GL=en_US; TLTHID=4FDBB7DE4EF2A854623D29B68A156AD5
Content-Length: 10

Response

HTTP/1.1 302 Object moved
Cache-Control: private
Content-Length: 173
Content-Type: text/html
Location: /DTVAPP/content/technology/mobile_apps/dvr_scheduler
Server: Microsoft-IIS/6.0
Set-Cookie: ASPSESSIONIDQQAATTDB=HGHFAAEAMJIPEIAHEBADOEFD; path=/
Set-Cookie: TLTHID=31CC6AD64FDF5AD63292F7B9AC914520; Path=/; Domain=.directv.com
Date: Thu, 29 Dec 2011 16:39:54 GMT

<head><title>Object moved</title></head>
<body><h1>Object Moved</h1>This object may be found <a HREF="/DTVAPP/content/technology/mobile_apps/dvr_scheduler">here</a>.</body>

3.56. http://www.directv.com/entertainment previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/entertainment

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

TLTHID=1E328B544ABA74F46844BCA12FDE5AA7; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /entertainment HTTP/1.1
Host: www.directv.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.directv.com/DTVAPP/index.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDQCACRSDB=PNPMPPDALIBGALDPLEJLJMGM; TLTSID=37DE16AF4E75619C477135A1450BA9F6; JSESSIONID=dNPpT8XXvyGF2FJQKGCvRQzFpp12snRyjq1MCr2sDYH6Nk7yJcDT!1615800593; GL=en_US; TLTHID=F59A4F424ABFE9383634D5BFB0958F83
Content-Length: 10

Response

HTTP/1.1 302 Moved Temporarily
Location: http://www.directv.com/entertainment/
Server: Microsoft-IIS/6.0
X-Powered-By: Servlet/2.5 JSP/2.1
Set-Cookie: TLTHID=1E328B544ABA74F46844BCA12FDE5AA7; Path=/; Domain=.directv.com
Date: Thu, 29 Dec 2011 16:38:58 GMT
Content-Length: 269

<html><head><title>302 Moved Temporarily</title></head>
<body bgcolor="#FFFFFF">
<p>This document you requested has moved temporarily.</p>
<p>It's now at <a href="http://www.directv.com/entertainme
...[SNIP]...

3.57. http://www.directv.com/entertainment/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/entertainment/

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

TLTHID=5AD7774A412F0353D1DA0AABEA1B5A31; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

3.58. http://www.directv.com/entertainment/browse/movies/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/entertainment/browse/movies/

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

TLTHID=59CD4A6A40B6278E06AF72B4DA0B60B4; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

3.59. http://www.directv.com/entertainment/events previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/entertainment/events

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

TLTHID=0EF56C794BA5AC01894E50B0A2606299; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

3.60. http://www.directv.com/entertainment/guide previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/entertainment/guide

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

TLTHID=B64EB0E2436934961CCBD78F52229463; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

3.61. http://www.directv.com/images/content/themes/default/list_bullet.png previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/images/content/themes/default/list_bullet.png

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

TLTHID=B561A43D460A3A79371965891C3805DF; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /images/content/themes/default/list_bullet.png HTTP/1.1
Host: www.directv.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7
Accept: */*
Referer: http://www.directv.com/DTVAPP/new_customer/base_packages.jsp?footernavtype=-1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDQCACRSDB=PNPMPPDALIBGALDPLEJLJMGM; TLTSID=37DE16AF4E75619C477135A1450BA9F6; JSESSIONID=dNPpT8XXvyGF2FJQKGCvRQzFpp12snRyjq1MCr2sDYH6Nk7yJcDT!1615800593; GL=en_US; TLTHID=269532D34E60A9802D1544AF29B86F8A
Content-Length: 10

Response

HTTP/1.1 200 OK
Cache-Control: max-age=900
Content-Length: 171
Content-Type: image/png
Last-Modified: Tue, 23 Jun 2009 18:28:23 GMT
Accept-Ranges: bytes
ETag: "807dfe6330f4c91:15979c"
Server: Microsoft-IIS/6.0
Set-Cookie: TLTHID=B561A43D460A3A79371965891C3805DF; Path=/; Domain=.directv.com
Date: Thu, 29 Dec 2011 16:38:29 GMT

.PNG
.
...IHDR.....................tEXtSoftware.Adobe ImageReadyq.e<....PLTE......T.............tRNS....@*.....%IDATx.$.......0...j..U>%..TEu..x.....`.mi.i.....IEND.B`.

3.62. http://www.directv.com/images/epod/epod_expandable_MRV.jpg previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/images/epod/epod_expandable_MRV.jpg

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

TLTHID=296FC4684B0D8022DD363CA060C1BEDF; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /images/epod/epod_expandable_MRV.jpg HTTP/1.1
Host: www.directv.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7
Accept: */*
Referer: http://www.directv.com/DTVAPP/new_customer/base_packages.jsp?footernavtype=-1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDQCACRSDB=PNPMPPDALIBGALDPLEJLJMGM; TLTSID=37DE16AF4E75619C477135A1450BA9F6; JSESSIONID=dNPpT8XXvyGF2FJQKGCvRQzFpp12snRyjq1MCr2sDYH6Nk7yJcDT!1615800593; GL=en_US; TLTHID=269532D34E60A9802D1544AF29B86F8A
Content-Length: 10

Response

HTTP/1.1 200 OK
Cache-Control: max-age=900
Content-Length: 17923
Content-Type: image/jpeg
Last-Modified: Thu, 18 Aug 2011 18:19:31 GMT
Accept-Ranges: bytes
ETag: "803b955fd35dcc1:8677a"
Server: Microsoft-IIS/6.0
Set-Cookie: TLTHID=296FC4684B0D8022DD363CA060C1BEDF; Path=/; Domain=.directv.com
Date: Thu, 29 Dec 2011 16:38:31 GMT

......Exif..II*.................Ducky.......A.....+http://ns.adobe.com/xap/1.0/.<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c0
...[SNIP]...

3.63. http://www.directv.com/images/epod/epod_expandable_promise.jpg previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/images/epod/epod_expandable_promise.jpg

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

TLTHID=D9D83426404194CAEC1ACBB7CA24535F; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /images/epod/epod_expandable_promise.jpg HTTP/1.1
Host: www.directv.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7
Accept: */*
Referer: http://www.directv.com/DTVAPP/new_customer/base_packages.jsp?footernavtype=-1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDQCACRSDB=PNPMPPDALIBGALDPLEJLJMGM; TLTSID=37DE16AF4E75619C477135A1450BA9F6; JSESSIONID=dNPpT8XXvyGF2FJQKGCvRQzFpp12snRyjq1MCr2sDYH6Nk7yJcDT!1615800593; GL=en_US; TLTHID=269532D34E60A9802D1544AF29B86F8A
Content-Length: 10

Response

HTTP/1.1 200 OK
Cache-Control: max-age=900
Content-Length: 16277
Content-Type: image/jpeg
Last-Modified: Tue, 12 Apr 2011 19:18:32 GMT
Accept-Ranges: bytes
ETag: "0f44e6946f9cb1:27e7"
Server: Microsoft-IIS/6.0
Set-Cookie: TLTHID=D9D83426404194CAEC1ACBB7CA24535F; Path=/; Domain=.directv.com
Date: Thu, 29 Dec 2011 16:38:31 GMT

......Exif..II*.................Ducky.......A.....ohttp://ns.adobe.com/xap/1.0/.<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c0
...[SNIP]...

3.64. http://www.directv.com/images/epod/epod_expandable_receivers.jpg previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/images/epod/epod_expandable_receivers.jpg

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

TLTHID=63E187044006221DED77B0AA76B8DBF4; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /images/epod/epod_expandable_receivers.jpg HTTP/1.1
Host: www.directv.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7
Accept: */*
Referer: http://www.directv.com/DTVAPP/new_customer/base_packages.jsp?footernavtype=-1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDQCACRSDB=PNPMPPDALIBGALDPLEJLJMGM; TLTSID=37DE16AF4E75619C477135A1450BA9F6; JSESSIONID=dNPpT8XXvyGF2FJQKGCvRQzFpp12snRyjq1MCr2sDYH6Nk7yJcDT!1615800593; GL=en_US; TLTHID=269532D34E60A9802D1544AF29B86F8A
Content-Length: 10

Response

HTTP/1.1 200 OK
Cache-Control: max-age=900
Content-Length: 20475
Content-Type: image/jpeg
Last-Modified: Wed, 30 Nov 2011 16:35:17 GMT
Accept-Ranges: bytes
ETag: "8090dea7eafcc1:27e7"
Server: Microsoft-IIS/6.0
Set-Cookie: TLTHID=63E187044006221DED77B0AA76B8DBF4; Path=/; Domain=.directv.com
Date: Thu, 29 Dec 2011 16:38:30 GMT

......Exif..II*.................Ducky.......7.....+http://ns.adobe.com/xap/1.0/.<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c0
...[SNIP]...

4. Cookie without HttpOnly flag set previous next
There are 64 instances of this issue:

/
/DTVAPP/index.jsp
/dvrscheduler/
/DTVAPP/content/My_Account
/DTVAPP/content/contentPage.jsp
/DTVAPP/content/gopaperless
/DTVAPP/content/my_account/upgrade
/DTVAPP/content/support/customer_promise
/DTVAPP/content/support/tools
/DTVAPP/content/technology/mobile_apps/dvr_scheduler
/DTVAPP/content/visa
/DTVAPP/global/findRetailer.jsp
/DTVAPP/login/login.jsp
/DTVAPP/new_customer/base_packages.jsp
/DTVAPP/referral/referralProgram.jsp
/cms2/commercial/CommercialRedesign/sm_icon__bars_commercial.png
/cms2/commercial/CommercialRedesign/sm_icon__dorms_commercial.png
/cms2/commercial/CommercialRedesign/sm_icon__hospitals_commercial.png
/cms2/commercial/CommercialRedesign/sm_icon__hotels_commercial.png
/cms2/commercial/CommercialRedesign/sm_icon__offices_commercial.png
/cms2/commercial/CommercialRedesign/sm_icon__shops_gyms_commercial.png
/cms2/commercial/mdu/mdu_om_building_owners_residents.jpg
/cms2/equipment/mrv/cutting_edge_art_wMRV_House.jpg
/cms2/global/icons/lg_cl_blu__arrow_alert_icon.png
/cms2/global/icons/lg_cl_blu__check_icon.png
/cms2/global/icons/lg_cl_blu__cinema_icon.png
/cms2/global/icons/lg_cl_blu__my_account_icon.png
/cms2/global/icons/lg_cl_blu__tv.png
/cms2/global/icons/lg_cl_blu__tv_guide_icon.png
/cms2/global/icons/lg_cl_gry__information_icon.png
/cms2/global/js/cinema_countdown_header_update_myDTV.js
/cms2/global/js/countdown_text.js
/cms2/global/js/ufc_countdown.js
/cms2/homepage/images/img_PRHP__ACSI.jpg
/cms2/my_directv/general/banner_upsell__upgrade.jpg
/cms2/my_directv/movies/201112/bnr_3col__DIRECTV_CINEMA_countdown.jpg
/cms2/my_directv/my_directv/my_directv.js
/cms2/offer/2011_Q4/PRHP/holiday_countdown.jpg
/cms2/offer/2011_Q4/PRHP/holiday_ribbon_left.png
/cms2/offer/2011_Q4/PRHP/holiday_ribbon_right.png
/cms2/offer/2011_Q4/PRHP/holiday_tag.png
/cms2/offer/2011_Q4/packages/sm_hdr__120211_Lantern_GM.jpg
/cms2/product_catalog/browse_packages/four_free_upgrades_hd_dvr_3_hd_receivers.jpg
/cms2/product_catalog/browse_packages/free_hd_dvr_3_hd_receivers_Q411_4col.jpg
/cms2/product_catalog/browse_packages/free_hd_dvr_or_hdDVR_receiver_Q411_4col.jpg
/cms2/product_catalog/browse_packages/includes.png
/cms2/product_catalog/get_DIRECTV.gif
/cms2/sports/nfl/Online/logo__DVR_Scheduler_iPhone_App.gif
/cms2/support/my_account/btn__Add_now.png
/cms2/support/my_account/btn__Upgrade_now.png
/cms2/support/paperless_help_the_environment.png
/cms2/technology/mobile_web/bnr__Mobile_Web_Events_dark.jpg
/cms2/what_is_directv/dvr/mobile_apps/logo__DVR_Scheduler_Windows7_App.gif
/cms2/what_is_directv/exclusive/damages/site/btn__Damages_share.png
/dvrscheduler
/entertainment
/entertainment/
/entertainment/browse/movies/
/entertainment/events
/entertainment/guide
/images/content/themes/default/list_bullet.png
/images/epod/epod_expandable_MRV.jpg
/images/epod/epod_expandable_promise.jpg
/images/epod/epod_expandable_receivers.jpg

Issue background

If the HttpOnly attribute is set on a cookie, then the cookie's value cannot be read or set by client-side JavaScript. This measure can prevent certain client-side attacks, such as cross-site scripting, from trivially capturing the cookie's value via an injected script.

Issue remediation

There is usually no good reason not to set the HttpOnly flag on all cookies. Unless you specifically require legitimate client-side scripts within your application to read or set a cookie's value, you should set the HttpOnly flag by including this attribute within the relevant Set-cookie directive.

You should be aware that the restrictions imposed by the HttpOnly flag can potentially be circumvented in some circumstances, and that numerous other serious attacks can be delivered by client-side script injection, aside from simple cookie stealing.

4.1. http://www.directv.com/ previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	http://www.directv.com
Path:	/

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

ASPSESSIONIDQCACRSDB=BOPMPPDAEFFCKPEINFAHOFKM; path=/
TLTHID=D936ACF54E63725C04B2AA83253F45A9; Path=/; Domain=.directv.com
TLTSID=D936ACF54E63725C04B2AA83253F45A9; Path=/; Domain=.directv.com

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

4.2. http://www.directv.com/DTVAPP/index.jsp previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	http://www.directv.com
Path:	/DTVAPP/index.jsp

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

JSESSIONID=znHPT8XYhJvnkL5wh3lxwHGXLkDDGWk7hcX8W5wN1Zm3DCjzmSvW!1211856460; domain=.directv.com; path=/
GL=en_US; domain=.directv.com; expires=Tue, 16-Jan-2080 19:52:23 GMT; path=/
TLTHID=20362C6049D2E0B40BE63F9E61F927CE; Path=/; Domain=.directv.com

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

4.3. http://www.directv.com/dvrscheduler/ previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	http://www.directv.com
Path:	/dvrscheduler/

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

ASPSESSIONIDQQAATTDB=HGHFAAEAMJIPEIAHEBADOEFD; path=/
TLTHID=31CC6AD64FDF5AD63292F7B9AC914520; Path=/; Domain=.directv.com

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

4.4. http://www.directv.com/DTVAPP/content/My_Account previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/DTVAPP/content/My_Account

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

TLTHID=46388B4B46FD94F253690ABE1BE5BDF6; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

4.5. http://www.directv.com/DTVAPP/content/contentPage.jsp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/DTVAPP/content/contentPage.jsp

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

TLTHID=1ED3D66D4215D67096B49EB663210F53; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

4.6. http://www.directv.com/DTVAPP/content/gopaperless previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/DTVAPP/content/gopaperless

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

TLTHID=42CCA3774732BE97157776A7191A06FD; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

4.7. http://www.directv.com/DTVAPP/content/my_account/upgrade previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/DTVAPP/content/my_account/upgrade

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

TLTHID=C790578F479C0F77C58CBEBD86378500; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

4.8. http://www.directv.com/DTVAPP/content/support/customer_promise previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/DTVAPP/content/support/customer_promise

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

TLTHID=26FE1D6B4B4D32EC8ED7CAAE0E971CDD; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

4.9. http://www.directv.com/DTVAPP/content/support/tools previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/DTVAPP/content/support/tools

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

TLTHID=4958444B4DCC16F5965F4187715CE055; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

4.10. http://www.directv.com/DTVAPP/content/technology/mobile_apps/dvr_scheduler previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/DTVAPP/content/technology/mobile_apps/dvr_scheduler

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

TLTHID=3D9FB3114773C54F5D0FD79131BFED33; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

4.11. http://www.directv.com/DTVAPP/content/visa previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/DTVAPP/content/visa

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

TLTHID=F0F410584DA608CF1C8954BE21725797; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

4.12. http://www.directv.com/DTVAPP/global/findRetailer.jsp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/DTVAPP/global/findRetailer.jsp

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

TLTHID=7519CC1E46B86B061A240ABA29FE0BAA; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

4.13. http://www.directv.com/DTVAPP/login/login.jsp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/DTVAPP/login/login.jsp

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

TLTHID=7EBA5054476F2DF20A056395E22AC369; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

4.14. http://www.directv.com/DTVAPP/new_customer/base_packages.jsp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/DTVAPP/new_customer/base_packages.jsp

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

TLTHID=68F772A944EF115D6AA7B1A5EA429947; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

4.15. http://www.directv.com/DTVAPP/referral/referralProgram.jsp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/DTVAPP/referral/referralProgram.jsp

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

TLTHID=1CEB9D56487009D406025293F7DBED12; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

4.16. http://www.directv.com/cms2/commercial/CommercialRedesign/sm_icon__bars_commercial.png previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/cms2/commercial/CommercialRedesign/sm_icon__bars_commercial.png

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

TLTHID=5EFD9917458289AD14988E9A0E554EA6; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

4.17. http://www.directv.com/cms2/commercial/CommercialRedesign/sm_icon__dorms_commercial.png previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/cms2/commercial/CommercialRedesign/sm_icon__dorms_commercial.png

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

TLTHID=A42062E3445DB2C5AF3F3DA8E636101B; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

4.18. http://www.directv.com/cms2/commercial/CommercialRedesign/sm_icon__hospitals_commercial.png previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/cms2/commercial/CommercialRedesign/sm_icon__hospitals_commercial.png

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

TLTHID=DFD459B640078100B6235EA3DB22ED2E; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

4.19. http://www.directv.com/cms2/commercial/CommercialRedesign/sm_icon__hotels_commercial.png previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/cms2/commercial/CommercialRedesign/sm_icon__hotels_commercial.png

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

TLTHID=6C1CB2724ED5604E28C50ABF75613789; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

4.20. http://www.directv.com/cms2/commercial/CommercialRedesign/sm_icon__offices_commercial.png previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/cms2/commercial/CommercialRedesign/sm_icon__offices_commercial.png

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

TLTHID=420B7FA34142CC65C02161B78920E3AA; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

4.21. http://www.directv.com/cms2/commercial/CommercialRedesign/sm_icon__shops_gyms_commercial.png previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/cms2/commercial/CommercialRedesign/sm_icon__shops_gyms_commercial.png

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

TLTHID=EA4FA36B41FC54F7323DD998316D3640; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

4.22. http://www.directv.com/cms2/commercial/mdu/mdu_om_building_owners_residents.jpg previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/cms2/commercial/mdu/mdu_om_building_owners_residents.jpg

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

TLTHID=98A146984DE9295F81AE7A89AB297B81; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

4.23. http://www.directv.com/cms2/equipment/mrv/cutting_edge_art_wMRV_House.jpg previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/cms2/equipment/mrv/cutting_edge_art_wMRV_House.jpg

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

TLTHID=5D5A5AE64653402607A403A3CC1F3FCA; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

4.24. http://www.directv.com/cms2/global/icons/lg_cl_blu__arrow_alert_icon.png previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/cms2/global/icons/lg_cl_blu__arrow_alert_icon.png

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

TLTHID=5689486C4220DAB39A86E9A9A821F473; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

4.25. http://www.directv.com/cms2/global/icons/lg_cl_blu__check_icon.png previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/cms2/global/icons/lg_cl_blu__check_icon.png

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

TLTHID=A5684127458B85794646E1ABE75F8E11; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

4.26. http://www.directv.com/cms2/global/icons/lg_cl_blu__cinema_icon.png previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/cms2/global/icons/lg_cl_blu__cinema_icon.png

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

TLTHID=7F1BDB3A46AC3FCD4AAF0CA5C5B0437F; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

4.27. http://www.directv.com/cms2/global/icons/lg_cl_blu__my_account_icon.png previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/cms2/global/icons/lg_cl_blu__my_account_icon.png

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

TLTHID=5F6573E7416E5124B830C1A72DA9A665; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

4.28. http://www.directv.com/cms2/global/icons/lg_cl_blu__tv.png previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/cms2/global/icons/lg_cl_blu__tv.png

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

TLTHID=54683FFC40AE6036B7A652B4D23F8205; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

4.29. http://www.directv.com/cms2/global/icons/lg_cl_blu__tv_guide_icon.png previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/cms2/global/icons/lg_cl_blu__tv_guide_icon.png

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

TLTHID=46340B1643C49535388092B9DCAD9840; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

4.30. http://www.directv.com/cms2/global/icons/lg_cl_gry__information_icon.png previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/cms2/global/icons/lg_cl_gry__information_icon.png

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

TLTHID=736A280C41A23B8C4726DFA45CDE41BF; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

4.31. http://www.directv.com/cms2/global/js/cinema_countdown_header_update_myDTV.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/cms2/global/js/cinema_countdown_header_update_myDTV.js

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

TLTHID=62285F514542893C6116CE9364155F48; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

4.32. http://www.directv.com/cms2/global/js/countdown_text.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/cms2/global/js/countdown_text.js

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

TLTHID=FD59A09448E00FA833DCC9A821604342; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

4.33. http://www.directv.com/cms2/global/js/ufc_countdown.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/cms2/global/js/ufc_countdown.js

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

TLTHID=F84FA8F74576322CAB91C0B8383619AC; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

4.34. http://www.directv.com/cms2/homepage/images/img_PRHP__ACSI.jpg previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/cms2/homepage/images/img_PRHP__ACSI.jpg

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

TLTHID=E4FE376443CB8CE3BB0A5C93F04E01B7; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

4.35. http://www.directv.com/cms2/my_directv/general/banner_upsell__upgrade.jpg previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/cms2/my_directv/general/banner_upsell__upgrade.jpg

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

TLTHID=B58A90364F6EC3846B8C29BD67EDEE75; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

4.36. http://www.directv.com/cms2/my_directv/movies/201112/bnr_3col__DIRECTV_CINEMA_countdown.jpg previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/cms2/my_directv/movies/201112/bnr_3col__DIRECTV_CINEMA_countdown.jpg

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

TLTHID=6BFB5C07497C4A13461491B0479650BC; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

4.37. http://www.directv.com/cms2/my_directv/my_directv/my_directv.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/cms2/my_directv/my_directv/my_directv.js

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

TLTHID=803CEB7D493EF335C6BE87A76144A446; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

4.38. http://www.directv.com/cms2/offer/2011_Q4/PRHP/holiday_countdown.jpg previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/cms2/offer/2011_Q4/PRHP/holiday_countdown.jpg

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

TLTHID=DCEDCE4F4EFB479D051196BDDA471FF3; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

4.39. http://www.directv.com/cms2/offer/2011_Q4/PRHP/holiday_ribbon_left.png previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/cms2/offer/2011_Q4/PRHP/holiday_ribbon_left.png

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

TLTHID=6B7DB8AA4129E0CDF53279B7444B14D9; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

4.40. http://www.directv.com/cms2/offer/2011_Q4/PRHP/holiday_ribbon_right.png previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/cms2/offer/2011_Q4/PRHP/holiday_ribbon_right.png

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

TLTHID=C4F2C54845D852986E4B5A9233B7CD26; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

4.41. http://www.directv.com/cms2/offer/2011_Q4/PRHP/holiday_tag.png previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/cms2/offer/2011_Q4/PRHP/holiday_tag.png

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

TLTHID=C2B481974D5B5D8A60241B8FB6E841E1; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

4.42. http://www.directv.com/cms2/offer/2011_Q4/packages/sm_hdr__120211_Lantern_GM.jpg previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/cms2/offer/2011_Q4/packages/sm_hdr__120211_Lantern_GM.jpg

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

TLTHID=A81FF222442CC85518E97EB89174D5B8; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

4.43. http://www.directv.com/cms2/product_catalog/browse_packages/four_free_upgrades_hd_dvr_3_hd_receivers.jpg previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/cms2/product_catalog/browse_packages/four_free_upgrades_hd_dvr_3_hd_receivers.jpg

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

TLTHID=D7A13D4240AC2BA3FB462F8E8039F9C8; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

4.44. http://www.directv.com/cms2/product_catalog/browse_packages/free_hd_dvr_3_hd_receivers_Q411_4col.jpg previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/cms2/product_catalog/browse_packages/free_hd_dvr_3_hd_receivers_Q411_4col.jpg

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

TLTHID=842D186B4C1716AEB091DDB998337D38; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

4.45. http://www.directv.com/cms2/product_catalog/browse_packages/free_hd_dvr_or_hdDVR_receiver_Q411_4col.jpg previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/cms2/product_catalog/browse_packages/free_hd_dvr_or_hdDVR_receiver_Q411_4col.jpg

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

TLTHID=1B693BEB459A467BE82DEDB62776490A; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

4.46. http://www.directv.com/cms2/product_catalog/browse_packages/includes.png previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/cms2/product_catalog/browse_packages/includes.png

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

TLTHID=3B296E5E498AD4461CB3EE9F1C7E7207; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

4.47. http://www.directv.com/cms2/product_catalog/get_DIRECTV.gif previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/cms2/product_catalog/get_DIRECTV.gif

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

TLTHID=C167E6A14C6B9E63AC1EE68F86C3251D; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

4.48. http://www.directv.com/cms2/sports/nfl/Online/logo__DVR_Scheduler_iPhone_App.gif previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/cms2/sports/nfl/Online/logo__DVR_Scheduler_iPhone_App.gif

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

TLTHID=0443B43B4312D06E514E598801EA279A; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

4.49. http://www.directv.com/cms2/support/my_account/btn__Add_now.png previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/cms2/support/my_account/btn__Add_now.png

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

TLTHID=2B7DE8B748C8D59F9D32BC91FB5EC372; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

4.50. http://www.directv.com/cms2/support/my_account/btn__Upgrade_now.png previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/cms2/support/my_account/btn__Upgrade_now.png

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

TLTHID=9CAF26964D0B4F44F5DB07BF824DA4CD; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

4.51. http://www.directv.com/cms2/support/paperless_help_the_environment.png previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/cms2/support/paperless_help_the_environment.png

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

TLTHID=3BE6BB23455A9F439D7F91BA6DBDC125; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

4.52. http://www.directv.com/cms2/technology/mobile_web/bnr__Mobile_Web_Events_dark.jpg previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/cms2/technology/mobile_web/bnr__Mobile_Web_Events_dark.jpg

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

TLTHID=07CFC6B343FA9439B78EE3B65C30ACA7; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

4.53. http://www.directv.com/cms2/what_is_directv/dvr/mobile_apps/logo__DVR_Scheduler_Windows7_App.gif previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/cms2/what_is_directv/dvr/mobile_apps/logo__DVR_Scheduler_Windows7_App.gif

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

TLTHID=7BA1F260480107949A952BA61FB28050; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

4.54. http://www.directv.com/cms2/what_is_directv/exclusive/damages/site/btn__Damages_share.png previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/cms2/what_is_directv/exclusive/damages/site/btn__Damages_share.png

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

TLTHID=798E1FE7458EB656F0066AAB654C788F; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

4.55. http://www.directv.com/dvrscheduler previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/dvrscheduler

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

TLTHID=8BB157B04CF01ADB1BA492AE2EA9DAFD; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

4.56. http://www.directv.com/entertainment previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/entertainment

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

TLTHID=1E328B544ABA74F46844BCA12FDE5AA7; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

4.57. http://www.directv.com/entertainment/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/entertainment/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

TLTHID=5AD7774A412F0353D1DA0AABEA1B5A31; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

4.58. http://www.directv.com/entertainment/browse/movies/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/entertainment/browse/movies/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

TLTHID=59CD4A6A40B6278E06AF72B4DA0B60B4; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

4.59. http://www.directv.com/entertainment/events previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/entertainment/events

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

TLTHID=0EF56C794BA5AC01894E50B0A2606299; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

4.60. http://www.directv.com/entertainment/guide previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/entertainment/guide

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

TLTHID=B64EB0E2436934961CCBD78F52229463; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

4.61. http://www.directv.com/images/content/themes/default/list_bullet.png previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/images/content/themes/default/list_bullet.png

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

TLTHID=B561A43D460A3A79371965891C3805DF; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

4.62. http://www.directv.com/images/epod/epod_expandable_MRV.jpg previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/images/epod/epod_expandable_MRV.jpg

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

TLTHID=296FC4684B0D8022DD363CA060C1BEDF; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

4.63. http://www.directv.com/images/epod/epod_expandable_promise.jpg previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/images/epod/epod_expandable_promise.jpg

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

TLTHID=D9D83426404194CAEC1ACBB7CA24535F; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

4.64. http://www.directv.com/images/epod/epod_expandable_receivers.jpg previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/images/epod/epod_expandable_receivers.jpg

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

TLTHID=63E187044006221DED77B0AA76B8DBF4; Path=/; Domain=.directv.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

5. Cross-domain Referer leakage previous next
There are 3 instances of this issue:

/DTVAPP/content/contentPage.jsp
/DTVAPP/global/findRetailer.jsp
/DTVAPP/new_customer/base_packages.jsp

Issue background

When a web browser makes a request for a resource, it typically adds an HTTP header, called the "Referer" header, indicating the URL of the resource from which the request originated. This occurs in numerous situations, for example when a web page loads an image or script, or when a user clicks on a link or submits a form.

If the resource being requested resides on a different domain, then the Referer header is still generally included in the cross-domain request. If the originating URL contains any sensitive information within its query string, such as a session token, then this information will be transmitted to the other domain. If the other domain is not fully trusted by the application, then this may lead to a security compromise.

You should review the contents of the information being transmitted to other domains, and also determine whether those domains are fully trusted by the originating application.

Today's browsers may withhold the Referer header in some situations (for example, when loading a non-HTTPS resource from a page that was loaded over HTTPS, or when a Refresh directive is issued), but this behavior should not be relied upon to protect the originating URL from disclosure.

Note also that if users can author content within the application then an attacker may be able to inject links referring to a domain they control in order to capture data from URLs used within the application.

Issue remediation

The application should never transmit any sensitive information within the URL query string. In addition to being leaked in the Referer header, such information may be logged in various locations and may be visible on-screen to untrusted parties.

5.1. http://www.directv.com/DTVAPP/content/contentPage.jsp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/DTVAPP/content/contentPage.jsp

Issue detail

The page was loaded from a URL containing a query string:

http://www.directv.com/DTVAPP/content/contentPage.jsp?topnavtype=3&assetId=P6500009

The response contains the following links to other domains:

http://directv.vo.llnwd.net/e5/cinema/apps/CMP.js
http://directv.vo.llnwd.net/e5/cinema/apps/CMPPlugin.js
http://directv.vo.llnwd.net/e5/cinema/apps/CMPPluginDetection.js
http://fls.doubleclick.net/activityi;src=2558160;type=commeric;cat=main;ord=1;num=1?
http://twitter.com/directv
http://twitter.com/directvservice
http://www.directvadsales.com/
http://www.youtube.com/directv
https://directv.inq.com/chatskins/launch/inqChatLaunch146.js

Request

GET /DTVAPP/content/contentPage.jsp?topnavtype=3&assetId=P6500009 HTTP/1.1
Host: www.directv.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.directv.com/DTVAPP/index.jsp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDQCACRSDB=PNPMPPDALIBGALDPLEJLJMGM; TLTSID=37DE16AF4E75619C477135A1450BA9F6; JSESSIONID=dNPpT8XXvyGF2FJQKGCvRQzFpp12snRyjq1MCr2sDYH6Nk7yJcDT!1615800593; GL=en_US; TLTHID=F466275C4BE192010EF837B06F001C95
Content-Length: 10

Response

HTTP/1.1 200 OK
Date: Thu, 29 Dec 2011 16:38:32 GMT
Content-Type: text/html;charset=UTF-8
Server: Microsoft-IIS/6.0
X-ATG-Version: version=QVRHUGxhdGZvcm0vOS4z
X-Powered-By: Servlet/2.5 JSP/2.1
Set-Cookie: TLTHID=977C5C924BD6B5213D5AECAC97765945; Path=/; Domain=.directv.com
Vary: Accept-Encoding
Content-Length: 95825


...[SNIP]...
<link rel="stylesheet" type="text/css" href="http://cdn.directv.com/resources/css/compressed/eportal/eportal.css?61555" media="all">


           <script language="javascript" type="text/javascript" src="https://directv.inq.com/chatskins/launch/inqChatLaunch146.js"></script>
...[SNIP]...
<NOSCRIPT>
<IFRAME SRC="http://fls.doubleclick.net/activityi;src=2558160;type=commeric;cat=main;ord=1;num=1?" WIDTH=1 HEIGHT=1 FRAMEBORDER=0></IFRAME>
...[SNIP]...
<li>
<a href="http://twitter.com/directv" target="_blank" id="footer_twitter_news" title="FIND OUT THE LATEST NEWS">FIND OUT THE LATEST NEWS
...[SNIP]...
<li>
<a href="http://twitter.com/directvservice" target="_blank" id="footer_twitter_tips" title="GET TIPS AND SUPPORT">GET TIPS AND SUPPORT
...[SNIP]...
<li>
<a href="http://www.youtube.com/directv" target="_blank" id="footer_youtube" title="WATCH THE LATEST VIDEOS">WATCH THE LATEST VIDEOS
...[SNIP]...
<li><a href="http://www.directvadsales.com/">Ad Sales</a>
...[SNIP]...
</var>
<script type="text/javascript" src="http://directv.vo.llnwd.net/e5/cinema/apps/CMP.js"></script>
<script type="text/javascript" src="http://directv.vo.llnwd.net/e5/cinema/apps/CMPPlugin.js"></script>
<script type="text/javascript" src="http://directv.vo.llnwd.net/e5/cinema/apps/CMPPluginDetection.js"></script>
...[SNIP]...

5.2. http://www.directv.com/DTVAPP/global/findRetailer.jsp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/DTVAPP/global/findRetailer.jsp

Issue detail

The page was loaded from a URL containing a query string:

http://www.directv.com/DTVAPP/global/findRetailer.jsp?assetId=500016

The response contains the following links to other domains:

http://directv.vo.llnwd.net/e5/cinema/apps/CMP.js
http://directv.vo.llnwd.net/e5/cinema/apps/CMPPlugin.js
http://directv.vo.llnwd.net/e5/cinema/apps/CMPPluginDetection.js
http://twitter.com/directv
http://twitter.com/directvservice
http://www.directv4schools.com/
http://www.directvadsales.com/
http://www.youtube.com/directv

Request

GET /DTVAPP/global/findRetailer.jsp?assetId=500016 HTTP/1.1
Host: www.directv.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7
Accept: */*
Referer: http://www.directv.com/DTVAPP/global/findRetailer.jsp?assetId=500016
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDQCACRSDB=PNPMPPDALIBGALDPLEJLJMGM; TLTSID=37DE16AF4E75619C477135A1450BA9F6; JSESSIONID=dNPpT8XXvyGF2FJQKGCvRQzFpp12snRyjq1MCr2sDYH6Nk7yJcDT!1615800593; GL=en_US; TLTHID=7519CC1E46B86B061A240ABA29FE0BAA
Content-Length: 10

Response

HTTP/1.1 200 OK
Date: Thu, 29 Dec 2011 16:39:27 GMT
Content-Type: text/html;charset=UTF-8
Server: Microsoft-IIS/6.0
X-ATG-Version: version=QVRHUGxhdGZvcm0vOS4z
X-Powered-By: Servlet/2.5 JSP/2.1
Set-Cookie: TLTHID=61DC0D2C4314F68990032F8C67684C86; Path=/; Domain=.directv.com
Vary: Accept-Encoding
Content-Length: 58658

...[SNIP]...
<div class="promoImage"><a href="http://www.directv4schools.com/"><img src="http://cdn.directv.com/images/assets/home/rhr/RHR_dtv4schools.jpg" alt="">
...[SNIP]...
<li>
<a href="http://twitter.com/directv" target="_blank" id="footer_twitter_news" title="FIND OUT THE LATEST NEWS">FIND OUT THE LATEST NEWS
...[SNIP]...
<li>
<a href="http://twitter.com/directvservice" target="_blank" id="footer_twitter_tips" title="GET TIPS AND SUPPORT">GET TIPS AND SUPPORT
...[SNIP]...
<li>
<a href="http://www.youtube.com/directv" target="_blank" id="footer_youtube" title="WATCH THE LATEST VIDEOS">WATCH THE LATEST VIDEOS
...[SNIP]...
<li><a href="http://www.directvadsales.com/">Ad Sales</a>
...[SNIP]...
</var>
<script type="text/javascript" src="http://directv.vo.llnwd.net/e5/cinema/apps/CMP.js"></script>
<script type="text/javascript" src="http://directv.vo.llnwd.net/e5/cinema/apps/CMPPlugin.js"></script>
<script type="text/javascript" src="http://directv.vo.llnwd.net/e5/cinema/apps/CMPPluginDetection.js"></script>
...[SNIP]...

5.3. http://www.directv.com/DTVAPP/new_customer/base_packages.jsp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/DTVAPP/new_customer/base_packages.jsp

Issue detail

The page was loaded from a URL containing a query string:

http://www.directv.com/DTVAPP/new_customer/base_packages.jsp?footernavtype=-1

The response contains the following links to other domains:

http://directv.vo.llnwd.net/e5/cinema/apps/CMP.js
http://directv.vo.llnwd.net/e5/cinema/apps/CMPPlugin.js
http://directv.vo.llnwd.net/e5/cinema/apps/CMPPluginDetection.js
http://twitter.com/directv
http://twitter.com/directvservice
http://www.directvadsales.com/
http://www.youtube.com/directv
https://directv.inq.com/chatskins/launch/inqChatLaunch146.js

Request

Response

HTTP/1.1 200 OK
Date: Thu, 29 Dec 2011 16:38:25 GMT
Content-Type: text/html;charset=UTF-8
Server: Microsoft-IIS/6.0
X-ATG-Version: version=QVRHUGxhdGZvcm0vOS4z
X-Powered-By: Servlet/2.5 JSP/2.1
Set-Cookie: TLTHID=68F772A944EF115D6AA7B1A5EA429947; Path=/; Domain=.directv.com
Vary: Accept-Encoding
Content-Length: 121439

...[SNIP]...
</script>
<script language="javascript" type="text/javascript" src="https://directv.inq.com/chatskins/launch/inqChatLaunch146.js"></script>
...[SNIP]...
<li>
<a href="http://twitter.com/directv" target="_blank" id="footer_twitter_news" title="FIND OUT THE LATEST NEWS">FIND OUT THE LATEST NEWS
...[SNIP]...
<li>
<a href="http://twitter.com/directvservice" target="_blank" id="footer_twitter_tips" title="GET TIPS AND SUPPORT">GET TIPS AND SUPPORT
...[SNIP]...
<li>
<a href="http://www.youtube.com/directv" target="_blank" id="footer_youtube" title="WATCH THE LATEST VIDEOS">WATCH THE LATEST VIDEOS
...[SNIP]...
<li><a href="http://www.directvadsales.com/">Ad Sales</a>
...[SNIP]...
</var>
<script type="text/javascript" src="http://directv.vo.llnwd.net/e5/cinema/apps/CMP.js"></script>
<script type="text/javascript" src="http://directv.vo.llnwd.net/e5/cinema/apps/CMPPlugin.js"></script>
<script type="text/javascript" src="http://directv.vo.llnwd.net/e5/cinema/apps/CMPPluginDetection.js"></script>
...[SNIP]...

6. Cross-domain script include previous next
There are 16 instances of this issue:

/DTVAPP/content/My_Account
/DTVAPP/content/contentPage.jsp
/DTVAPP/content/gopaperless
/DTVAPP/content/my_account/upgrade
/DTVAPP/content/support/customer_promise
/DTVAPP/content/support/tools
/DTVAPP/content/technology/mobile_apps/dvr_scheduler
/DTVAPP/content/visa
/DTVAPP/global/findRetailer.jsp
/DTVAPP/index.jsp
/DTVAPP/new_customer/base_packages.jsp
/DTVAPP/referral/referralProgram.jsp
/entertainment/
/entertainment/browse/movies/
/entertainment/events
/entertainment/guide

Issue background

When an application includes a script from an external domain, this script is executed by the browser within the security context of the invoking application. The script can therefore do anything that the application's own scripts can do, such as accessing application data and performing actions within the context of the current user.

If you include a script from an external domain, then you are trusting that domain with the data and functionality of your application, and you are trusting the domain's own security to prevent an attacker from modifying the script to perform malicious actions within your application.

Issue remediation

Scripts should not be included from untrusted domains. If you have a requirement which a third-party script appears to fulfill, then you should ideally copy the contents of that script onto your own domain and include it from there. If that is not possible (e.g. for licensing reasons) then you should consider reimplementing the script's functionality within your own code.

6.1. http://www.directv.com/DTVAPP/content/My_Account previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/DTVAPP/content/My_Account

Issue detail

The response dynamically includes the following scripts from other domains:

http://directv.vo.llnwd.net/e5/cinema/apps/CMP.js
http://directv.vo.llnwd.net/e5/cinema/apps/CMPPlugin.js
http://directv.vo.llnwd.net/e5/cinema/apps/CMPPluginDetection.js
https://directv.inq.com/chatskins/launch/inqChatLaunch146.js

Request

Response

HTTP/1.1 200 OK
Date: Thu, 29 Dec 2011 16:39:02 GMT
Content-Type: text/html;charset=UTF-8
Server: Microsoft-IIS/6.0
X-ATG-Version: version=QVRHUGxhdGZvcm0vOS4z
X-Powered-By: Servlet/2.5 JSP/2.1
Set-Cookie: TLTHID=46388B4B46FD94F253690ABE1BE5BDF6; Path=/; Domain=.directv.com
Vary: Accept-Encoding
Content-Length: 82079


...[SNIP]...
<link rel="stylesheet" type="text/css" href="http://cdn.directv.com/resources/css/compressed/eportal/eportal.css?61555" media="all">


           <script language="javascript" type="text/javascript" src="https://directv.inq.com/chatskins/launch/inqChatLaunch146.js"></script>
...[SNIP]...
</var>
<script type="text/javascript" src="http://directv.vo.llnwd.net/e5/cinema/apps/CMP.js"></script>
<script type="text/javascript" src="http://directv.vo.llnwd.net/e5/cinema/apps/CMPPlugin.js"></script>
<script type="text/javascript" src="http://directv.vo.llnwd.net/e5/cinema/apps/CMPPluginDetection.js"></script>
...[SNIP]...

6.2. http://www.directv.com/DTVAPP/content/contentPage.jsp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/DTVAPP/content/contentPage.jsp

Issue detail

The response dynamically includes the following scripts from other domains:

http://directv.vo.llnwd.net/e5/cinema/apps/CMP.js
http://directv.vo.llnwd.net/e5/cinema/apps/CMPPlugin.js
http://directv.vo.llnwd.net/e5/cinema/apps/CMPPluginDetection.js
https://directv.inq.com/chatskins/launch/inqChatLaunch146.js

Request

Response

HTTP/1.1 200 OK
Date: Thu, 29 Dec 2011 16:38:30 GMT
Content-Type: text/html;charset=UTF-8
Server: Microsoft-IIS/6.0
X-ATG-Version: version=QVRHUGxhdGZvcm0vOS4z
X-Powered-By: Servlet/2.5 JSP/2.1
Set-Cookie: TLTHID=1ED3D66D4215D67096B49EB663210F53; Path=/; Domain=.directv.com
Vary: Accept-Encoding
Content-Length: 67979


...[SNIP]...
<link rel="stylesheet" type="text/css" href="http://cdn.directv.com/resources/css/compressed/eportal/eportal.css?61555" media="all">


           <script language="javascript" type="text/javascript" src="https://directv.inq.com/chatskins/launch/inqChatLaunch146.js"></script>
...[SNIP]...
</var>
<script type="text/javascript" src="http://directv.vo.llnwd.net/e5/cinema/apps/CMP.js"></script>
<script type="text/javascript" src="http://directv.vo.llnwd.net/e5/cinema/apps/CMPPlugin.js"></script>
<script type="text/javascript" src="http://directv.vo.llnwd.net/e5/cinema/apps/CMPPluginDetection.js"></script>
...[SNIP]...

6.3. http://www.directv.com/DTVAPP/content/gopaperless previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/DTVAPP/content/gopaperless

Issue detail

The response dynamically includes the following scripts from other domains:

http://directv.vo.llnwd.net/e5/cinema/apps/CMP.js
http://directv.vo.llnwd.net/e5/cinema/apps/CMPPlugin.js
http://directv.vo.llnwd.net/e5/cinema/apps/CMPPluginDetection.js
https://directv.inq.com/chatskins/launch/inqChatLaunch146.js

Request

Response

HTTP/1.1 200 OK
Date: Thu, 29 Dec 2011 16:39:28 GMT
Content-Type: text/html;charset=UTF-8
Server: Microsoft-IIS/6.0
X-ATG-Version: version=QVRHUGxhdGZvcm0vOS4z
X-Powered-By: Servlet/2.5 JSP/2.1
Set-Cookie: TLTHID=42CCA3774732BE97157776A7191A06FD; Path=/; Domain=.directv.com
Vary: Accept-Encoding
Content-Length: 70686


...[SNIP]...
<link rel="stylesheet" type="text/css" href="http://cdn.directv.com/resources/css/compressed/eportal/eportal.css?61555" media="all">


           <script language="javascript" type="text/javascript" src="https://directv.inq.com/chatskins/launch/inqChatLaunch146.js"></script>
...[SNIP]...
</var>
<script type="text/javascript" src="http://directv.vo.llnwd.net/e5/cinema/apps/CMP.js"></script>
<script type="text/javascript" src="http://directv.vo.llnwd.net/e5/cinema/apps/CMPPlugin.js"></script>
<script type="text/javascript" src="http://directv.vo.llnwd.net/e5/cinema/apps/CMPPluginDetection.js"></script>
...[SNIP]...

6.4. http://www.directv.com/DTVAPP/content/my_account/upgrade previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/DTVAPP/content/my_account/upgrade

Issue detail

The response dynamically includes the following scripts from other domains:

http://directv.vo.llnwd.net/e5/cinema/apps/CMP.js
http://directv.vo.llnwd.net/e5/cinema/apps/CMPPlugin.js
http://directv.vo.llnwd.net/e5/cinema/apps/CMPPluginDetection.js
https://directv.inq.com/chatskins/launch/inqChatLaunch146.js

Request

Response

HTTP/1.1 200 OK
Date: Thu, 29 Dec 2011 16:39:13 GMT
Content-Type: text/html;charset=UTF-8
Server: Microsoft-IIS/6.0
X-ATG-Version: version=QVRHUGxhdGZvcm0vOS4z
X-Powered-By: Servlet/2.5 JSP/2.1
Set-Cookie: TLTHID=C790578F479C0F77C58CBEBD86378500; Path=/; Domain=.directv.com
Vary: Accept-Encoding
Content-Length: 80527


...[SNIP]...
<link rel="stylesheet" type="text/css" href="http://cdn.directv.com/resources/css/compressed/eportal/eportal.css?61555" media="all">


           <script language="javascript" type="text/javascript" src="https://directv.inq.com/chatskins/launch/inqChatLaunch146.js"></script>
...[SNIP]...
</var>
<script type="text/javascript" src="http://directv.vo.llnwd.net/e5/cinema/apps/CMP.js"></script>
<script type="text/javascript" src="http://directv.vo.llnwd.net/e5/cinema/apps/CMPPlugin.js"></script>
<script type="text/javascript" src="http://directv.vo.llnwd.net/e5/cinema/apps/CMPPluginDetection.js"></script>
...[SNIP]...

6.5. http://www.directv.com/DTVAPP/content/support/customer_promise previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/DTVAPP/content/support/customer_promise

Issue detail

The response dynamically includes the following scripts from other domains:

http://directv.vo.llnwd.net/e5/cinema/apps/CMP.js
http://directv.vo.llnwd.net/e5/cinema/apps/CMPPlugin.js
http://directv.vo.llnwd.net/e5/cinema/apps/CMPPluginDetection.js
https://directv.inq.com/chatskins/launch/inqChatLaunch146.js

Request

Response

HTTP/1.1 200 OK
Date: Thu, 29 Dec 2011 16:39:25 GMT
Content-Type: text/html;charset=UTF-8
Server: Microsoft-IIS/6.0
X-ATG-Version: version=QVRHUGxhdGZvcm0vOS4z
X-Powered-By: Servlet/2.5 JSP/2.1
Set-Cookie: TLTHID=26FE1D6B4B4D32EC8ED7CAAE0E971CDD; Path=/; Domain=.directv.com
Vary: Accept-Encoding
Content-Length: 71396


...[SNIP]...
<link rel="stylesheet" type="text/css" href="http://cdn.directv.com/resources/css/compressed/eportal/eportal.css?61555" media="all">


           <script language="javascript" type="text/javascript" src="https://directv.inq.com/chatskins/launch/inqChatLaunch146.js"></script>
...[SNIP]...
</var>
<script type="text/javascript" src="http://directv.vo.llnwd.net/e5/cinema/apps/CMP.js"></script>
<script type="text/javascript" src="http://directv.vo.llnwd.net/e5/cinema/apps/CMPPlugin.js"></script>
<script type="text/javascript" src="http://directv.vo.llnwd.net/e5/cinema/apps/CMPPluginDetection.js"></script>
...[SNIP]...

6.6. http://www.directv.com/DTVAPP/content/support/tools previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/DTVAPP/content/support/tools

Issue detail

The response dynamically includes the following scripts from other domains:

http://directv.vo.llnwd.net/e5/cinema/apps/CMP.js
http://directv.vo.llnwd.net/e5/cinema/apps/CMPPlugin.js
http://directv.vo.llnwd.net/e5/cinema/apps/CMPPluginDetection.js
https://directv.inq.com/chatskins/launch/inqChatLaunch146.js

Request

Response

HTTP/1.1 200 OK
Date: Thu, 29 Dec 2011 16:39:24 GMT
Content-Type: text/html;charset=UTF-8
Server: Microsoft-IIS/6.0
X-ATG-Version: version=QVRHUGxhdGZvcm0vOS4z
X-Powered-By: Servlet/2.5 JSP/2.1
Set-Cookie: TLTHID=4958444B4DCC16F5965F4187715CE055; Path=/; Domain=.directv.com
Vary: Accept-Encoding
Content-Length: 73568


...[SNIP]...
<link rel="stylesheet" type="text/css" href="http://cdn.directv.com/resources/css/compressed/eportal/eportal.css?61555" media="all">


           <script language="javascript" type="text/javascript" src="https://directv.inq.com/chatskins/launch/inqChatLaunch146.js"></script>
...[SNIP]...
</var>
<script type="text/javascript" src="http://directv.vo.llnwd.net/e5/cinema/apps/CMP.js"></script>
<script type="text/javascript" src="http://directv.vo.llnwd.net/e5/cinema/apps/CMPPlugin.js"></script>
<script type="text/javascript" src="http://directv.vo.llnwd.net/e5/cinema/apps/CMPPluginDetection.js"></script>
...[SNIP]...

6.7. http://www.directv.com/DTVAPP/content/technology/mobile_apps/dvr_scheduler previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/DTVAPP/content/technology/mobile_apps/dvr_scheduler

Issue detail

The response dynamically includes the following scripts from other domains:

http://directv.vo.llnwd.net/e5/cinema/apps/CMP.js
http://directv.vo.llnwd.net/e5/cinema/apps/CMPPlugin.js
http://directv.vo.llnwd.net/e5/cinema/apps/CMPPluginDetection.js
https://directv.inq.com/chatskins/launch/inqChatLaunch146.js

Request

Response

HTTP/1.1 200 OK
Date: Thu, 29 Dec 2011 16:39:48 GMT
Content-Type: text/html;charset=UTF-8
Server: Microsoft-IIS/6.0
X-ATG-Version: version=QVRHUGxhdGZvcm0vOS4z
X-Powered-By: Servlet/2.5 JSP/2.1
Set-Cookie: TLTHID=3D9FB3114773C54F5D0FD79131BFED33; Path=/; Domain=.directv.com
Vary: Accept-Encoding
Content-Length: 90232


...[SNIP]...
<link rel="stylesheet" type="text/css" href="http://cdn.directv.com/resources/css/compressed/eportal/eportal.css?61555" media="all">


           <script language="javascript" type="text/javascript" src="https://directv.inq.com/chatskins/launch/inqChatLaunch146.js"></script>
...[SNIP]...
</var>
<script type="text/javascript" src="http://directv.vo.llnwd.net/e5/cinema/apps/CMP.js"></script>
<script type="text/javascript" src="http://directv.vo.llnwd.net/e5/cinema/apps/CMPPlugin.js"></script>
<script type="text/javascript" src="http://directv.vo.llnwd.net/e5/cinema/apps/CMPPluginDetection.js"></script>
...[SNIP]...

6.8. http://www.directv.com/DTVAPP/content/visa previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/DTVAPP/content/visa

Issue detail

The response dynamically includes the following scripts from other domains:

http://directv.vo.llnwd.net/e5/cinema/apps/CMP.js
http://directv.vo.llnwd.net/e5/cinema/apps/CMPPlugin.js
http://directv.vo.llnwd.net/e5/cinema/apps/CMPPluginDetection.js
https://directv.inq.com/chatskins/launch/inqChatLaunch146.js

Request

Response

HTTP/1.1 200 OK
Date: Thu, 29 Dec 2011 16:39:29 GMT
Content-Type: text/html;charset=UTF-8
Server: Microsoft-IIS/6.0
X-ATG-Version: version=QVRHUGxhdGZvcm0vOS4z
X-Powered-By: Servlet/2.5 JSP/2.1
Set-Cookie: TLTHID=F0F410584DA608CF1C8954BE21725797; Path=/; Domain=.directv.com
Vary: Accept-Encoding
Content-Length: 70896


...[SNIP]...
<link rel="stylesheet" type="text/css" href="http://cdn.directv.com/resources/css/compressed/eportal/eportal.css?61555" media="all">


           <script language="javascript" type="text/javascript" src="https://directv.inq.com/chatskins/launch/inqChatLaunch146.js"></script>
...[SNIP]...
</var>
<script type="text/javascript" src="http://directv.vo.llnwd.net/e5/cinema/apps/CMP.js"></script>
<script type="text/javascript" src="http://directv.vo.llnwd.net/e5/cinema/apps/CMPPlugin.js"></script>
<script type="text/javascript" src="http://directv.vo.llnwd.net/e5/cinema/apps/CMPPluginDetection.js"></script>
...[SNIP]...

6.9. http://www.directv.com/DTVAPP/global/findRetailer.jsp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/DTVAPP/global/findRetailer.jsp

Issue detail

The response dynamically includes the following scripts from other domains:

http://directv.vo.llnwd.net/e5/cinema/apps/CMP.js
http://directv.vo.llnwd.net/e5/cinema/apps/CMPPlugin.js
http://directv.vo.llnwd.net/e5/cinema/apps/CMPPluginDetection.js

Request

Response

6.10. http://www.directv.com/DTVAPP/index.jsp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/DTVAPP/index.jsp

Issue detail

The response dynamically includes the following scripts from other domains:

http://directv.vo.llnwd.net/e5/cinema/apps/CMP.js
http://directv.vo.llnwd.net/e5/cinema/apps/CMPPlugin.js
http://directv.vo.llnwd.net/e5/cinema/apps/CMPPluginDetection.js

Request

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Date: Thu, 29 Dec 2011 16:38:16 GMT
Pragma: no-cache
Content-Type: text/html;charset=UTF-8
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Server: Microsoft-IIS/6.0
X-ATG-Version: version=QVRHUGxhdGZvcm0vOS4z
Set-Cookie: JSESSIONID=znHPT8XYhJvnkL5wh3lxwHGXLkDDGWk7hcX8W5wN1Zm3DCjzmSvW!1211856460; domain=.directv.com; path=/
Set-Cookie: GL=en_US; domain=.directv.com; expires=Tue, 16-Jan-2080 19:52:23 GMT; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
Set-Cookie: TLTHID=20362C6049D2E0B40BE63F9E61F927CE; Path=/; Domain=.directv.com
Vary: Accept-Encoding
Content-Length: 122239

...[SNIP]...
</var>
<script type="text/javascript" src="http://directv.vo.llnwd.net/e5/cinema/apps/CMP.js"></script>
<script type="text/javascript" src="http://directv.vo.llnwd.net/e5/cinema/apps/CMPPlugin.js"></script>
<script type="text/javascript" src="http://directv.vo.llnwd.net/e5/cinema/apps/CMPPluginDetection.js"></script>
...[SNIP]...

6.11. http://www.directv.com/DTVAPP/new_customer/base_packages.jsp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/DTVAPP/new_customer/base_packages.jsp

Issue detail

The response dynamically includes the following scripts from other domains:

http://directv.vo.llnwd.net/e5/cinema/apps/CMP.js
http://directv.vo.llnwd.net/e5/cinema/apps/CMPPlugin.js
http://directv.vo.llnwd.net/e5/cinema/apps/CMPPluginDetection.js
https://directv.inq.com/chatskins/launch/inqChatLaunch146.js

Request

Response

6.12. http://www.directv.com/DTVAPP/referral/referralProgram.jsp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/DTVAPP/referral/referralProgram.jsp

Issue detail

The response dynamically includes the following scripts from other domains:

http://directv.vo.llnwd.net/e5/cinema/apps/CMP.js
http://directv.vo.llnwd.net/e5/cinema/apps/CMPPlugin.js
http://directv.vo.llnwd.net/e5/cinema/apps/CMPPluginDetection.js
https://directv.inq.com/chatskins/launch/inqChatLaunch146.js

Request

Response

HTTP/1.1 200 OK
Date: Thu, 29 Dec 2011 16:39:11 GMT
Content-Type: text/html;charset=UTF-8
Server: Microsoft-IIS/6.0
X-ATG-Version: version=QVRHUGxhdGZvcm0vOS4z
X-Powered-By: Servlet/2.5 JSP/2.1
Set-Cookie: TLTHID=1CEB9D56487009D406025293F7DBED12; Path=/; Domain=.directv.com
Vary: Accept-Encoding
Content-Length: 83121


...[SNIP]...
<link rel="stylesheet" type="text/css" href="http://cdn.directv.com/resources/css/compressed/eportal/eportal.css?61555" media="all">


           <script language="javascript" type="text/javascript" src="https://directv.inq.com/chatskins/launch/inqChatLaunch146.js"></script>
...[SNIP]...
</var>
<script type="text/javascript" src="http://directv.vo.llnwd.net/e5/cinema/apps/CMP.js"></script>
<script type="text/javascript" src="http://directv.vo.llnwd.net/e5/cinema/apps/CMPPlugin.js"></script>
<script type="text/javascript" src="http://directv.vo.llnwd.net/e5/cinema/apps/CMPPluginDetection.js"></script>
...[SNIP]...

6.13. http://www.directv.com/entertainment/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/entertainment/

Issue detail

The response dynamically includes the following scripts from other domains:

http://directv.vo.llnwd.net/e5/cinema/apps/CMP.js
http://directv.vo.llnwd.net/e5/cinema/apps/CMPPlugin.js
http://directv.vo.llnwd.net/e5/cinema/apps/CMPPluginDetection.js
https://directv.inq.com/chatskins/launch/inqChatLaunch146.js

Request

Response

HTTP/1.1 200 OK
Cache-Control: no-cache,no-store,must-revalidate
Date: Thu, 29 Dec 2011 16:39:00 GMT
Pragma: no-cache
Content-Type: text/html;charset=UTF-8
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Server: Microsoft-IIS/6.0
X-ATG-Version: version=QVRHUGxhdGZvcm0vOS4z
X-Powered-By: Servlet/2.5 JSP/2.1
Set-Cookie: TLTHID=5AD7774A412F0353D1DA0AABEA1B5A31; Path=/; Domain=.directv.com
Vary: Accept-Encoding
Content-Length: 153103


...[SNIP]...
<link rel="stylesheet" type="text/css" href="http://cdn.directv.com/resources/css/compressed/eportal/eportal.css?61555" media="all">


           <script language="javascript" type="text/javascript" src="https://directv.inq.com/chatskins/launch/inqChatLaunch146.js"></script>
...[SNIP]...
</var>
<script type="text/javascript" src="http://directv.vo.llnwd.net/e5/cinema/apps/CMP.js"></script>
<script type="text/javascript" src="http://directv.vo.llnwd.net/e5/cinema/apps/CMPPlugin.js"></script>
<script type="text/javascript" src="http://directv.vo.llnwd.net/e5/cinema/apps/CMPPluginDetection.js"></script>
...[SNIP]...

6.14. http://www.directv.com/entertainment/browse/movies/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/entertainment/browse/movies/

Issue detail

The response dynamically includes the following scripts from other domains:

http://directv.vo.llnwd.net/e5/cinema/apps/CMP.js
http://directv.vo.llnwd.net/e5/cinema/apps/CMPPlugin.js
http://directv.vo.llnwd.net/e5/cinema/apps/CMPPluginDetection.js

Request

Response

HTTP/1.1 200 OK
Cache-Control: no-cache,no-store,must-revalidate
Date: Thu, 29 Dec 2011 16:39:05 GMT
Pragma: no-cache
Content-Type: text/html;charset=UTF-8
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Server: Microsoft-IIS/6.0
X-ATG-Version: version=QVRHUGxhdGZvcm0vOS4z
X-Powered-By: Servlet/2.5 JSP/2.1
Set-Cookie: TLTHID=59CD4A6A40B6278E06AF72B4DA0B60B4; Path=/; Domain=.directv.com
Vary: Accept-Encoding
Content-Length: 123603

...[SNIP]...
</var>
<script type="text/javascript" src="http://directv.vo.llnwd.net/e5/cinema/apps/CMP.js"></script>
<script type="text/javascript" src="http://directv.vo.llnwd.net/e5/cinema/apps/CMPPlugin.js"></script>
<script type="text/javascript" src="http://directv.vo.llnwd.net/e5/cinema/apps/CMPPluginDetection.js"></script>
...[SNIP]...

6.15. http://www.directv.com/entertainment/events previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/entertainment/events

Issue detail

The response dynamically includes the following scripts from other domains:

http://directv.vo.llnwd.net/e5/cinema/apps/CMP.js
http://directv.vo.llnwd.net/e5/cinema/apps/CMPPlugin.js
http://directv.vo.llnwd.net/e5/cinema/apps/CMPPluginDetection.js

Request

Response

HTTP/1.1 200 OK
Cache-Control: no-cache,no-store,must-revalidate
Date: Thu, 29 Dec 2011 16:39:05 GMT
Pragma: no-cache
Content-Type: text/html;charset=UTF-8
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Server: Microsoft-IIS/6.0
X-ATG-Version: version=QVRHUGxhdGZvcm0vOS4z
X-Powered-By: Servlet/2.5 JSP/2.1
Set-Cookie: TLTHID=0EF56C794BA5AC01894E50B0A2606299; Path=/; Domain=.directv.com
Vary: Accept-Encoding
Content-Length: 95919

...[SNIP]...
</var>
<script type="text/javascript" src="http://directv.vo.llnwd.net/e5/cinema/apps/CMP.js"></script>
<script type="text/javascript" src="http://directv.vo.llnwd.net/e5/cinema/apps/CMPPlugin.js"></script>
<script type="text/javascript" src="http://directv.vo.llnwd.net/e5/cinema/apps/CMPPluginDetection.js"></script>
...[SNIP]...

6.16. http://www.directv.com/entertainment/guide previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/entertainment/guide

Issue detail

The response dynamically includes the following scripts from other domains:

http://directv.vo.llnwd.net/e5/cinema/apps/CMP.js
http://directv.vo.llnwd.net/e5/cinema/apps/CMPPlugin.js
http://directv.vo.llnwd.net/e5/cinema/apps/CMPPluginDetection.js

Request

Response

HTTP/1.1 200 OK
Cache-Control: no-cache,no-store,must-revalidate
Date: Thu, 29 Dec 2011 16:38:57 GMT
Pragma: no-cache
Content-Type: text/html;charset=UTF-8
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Server: Microsoft-IIS/6.0
X-ATG-Version: version=QVRHUGxhdGZvcm0vOS4z
X-Powered-By: Servlet/2.5 JSP/2.1
Set-Cookie: TLTHID=B64EB0E2436934961CCBD78F52229463; Path=/; Domain=.directv.com
Vary: Accept-Encoding
Content-Length: 97992

...[SNIP]...
</var>
<script type="text/javascript" src="http://directv.vo.llnwd.net/e5/cinema/apps/CMP.js"></script>
<script type="text/javascript" src="http://directv.vo.llnwd.net/e5/cinema/apps/CMPPlugin.js"></script>
<script type="text/javascript" src="http://directv.vo.llnwd.net/e5/cinema/apps/CMPPluginDetection.js"></script>
...[SNIP]...

7. Email addresses disclosed previous
There are 2 instances of this issue:

/DTVAPP/global/findRetailer.jsp
/DTVAPP/index.jsp

Issue background

The presence of email addresses within application responses does not necessarily constitute a security vulnerability. Email addresses may appear intentionally within contact information, and many applications (such as web mail) include arbitrary third-party email addresses within their core content.

However, email addresses of developers and other individuals (whether appearing on-screen or hidden within page source) may disclose information that is useful to an attacker; for example, they may represent usernames that can be used at the application's login, and they may be used in social engineering attacks against the organization's personnel. Unnecessary or excessive disclosure of email addresses may also lead to an increase in the volume of spam email received.

Issue remediation

You should review the email addresses being disclosed by the application, and consider removing any that are unnecessary, or replacing personal addresses with anonymous mailbox addresses (such as helpdesk@example.com).

7.1. http://www.directv.com/DTVAPP/global/findRetailer.jsp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/DTVAPP/global/findRetailer.jsp

Issue detail

The following email address was disclosed in the response:

myname@mysite.com

Request

Response

7.2. http://www.directv.com/DTVAPP/index.jsp previous

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.directv.com
Path:	/DTVAPP/index.jsp

Issue detail

The following email address was disclosed in the response:

myname@mysite.com

Request

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Date: Thu, 29 Dec 2011 16:38:16 GMT
Pragma: no-cache
Content-Type: text/html;charset=UTF-8
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Server: Microsoft-IIS/6.0
X-ATG-Version: version=QVRHUGxhdGZvcm0vOS4z
Set-Cookie: JSESSIONID=znHPT8XYhJvnkL5wh3lxwHGXLkDDGWk7hcX8W5wN1Zm3DCjzmSvW!1211856460; domain=.directv.com; path=/
Set-Cookie: GL=en_US; domain=.directv.com; expires=Tue, 16-Jan-2080 19:52:23 GMT; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
Set-Cookie: TLTHID=20362C6049D2E0B40BE63F9E61F927CE; Path=/; Domain=.directv.com
Vary: Accept-Encoding
Content-Length: 122239

...[SNIP]...
<p>Please enter a valid email (e.g. myname@mysite.com).
...[SNIP]...

Report generated by XSS.Cx at Sat Sep 01 08:43:42 EDT 2012.